Quarterly 26 Audit Committee Institute Celebrating 10 years On the 2016 Audit Committee Agenda Global Pulse Survey – Calibrating risk and strategy Data and analytics – Hindsight to insight to foresight BEPS, transparency and country-by-country tax reporting Risk oversight – Global Boardroom Insights Financial reporting news Other news and insights


Quarterly 26

Audit Committee Institute

Celebrating 10 years

On the 2016 Audit Committee Agenda

Global Pulse Survey – Calibrating risk and strategy

Data and analytics – Hindsight to insight to foresight

BEPS, transparency and country-by-country tax reporting

Risk oversight – Global Boardroom Insights

Financial reporting news

Other news and insights


Audit Committee Institute Sponsored by KPMG


About the Audit Committee Institute

The Audit Committee Institute (ACI) champions good corporate governance to help drive long-term corporate value and enhance investor confidence. Focusing on the audit committee and supporting the director community more broadly, ACI engages with directors and business leaders to help articulate their challenges and promote continuous improvement. Sponsored by KPMG, ACI delivers actionable thought leadership – on risk and strategy, technology, compliance, financial reporting and audit quality – all through a board lens.


For more information visit our website:

www.auditcommitteeinstitute.be

Contact us:

Olivier Macq, Tel.: + 32 2 708 36 86

Wim Vandecruys, Tel.: + 32 11 28 66 31

Audit Committee Institute Bourgetlaan – Avenue du Bourget 40

B-1130 Brussel – Bruxelles

E-mail: [email protected]

Contents

On the 2016 Audit Committee Agenda

Global Pulse Survey – Calibrating risk and strategy

Data and analytics – Hindsight to insight to foresight

BEPS, transparency and country-by-country tax reporting

Risk oversight – Global Boardroom Insights

Financial reporting news

Other news and insights

Audit Committee Institute in Belgium

@ACI_BE


Welcome

Welcome to the twenty-sixth edition of the Audit Committee Institute Quarterly, a publication designed to help keep directors and audit committee members abreast of regulatory matters, risk, financial reporting, audit quality and other changes in the corporate governance arena.


In the first edition of the new year our Audit Committee Institute Quarterly sets off by flagging ACI’s priority items for audit committees in carrying out their 2016 agendas.

This is followed by the results of our Global Pulse Survey, featuring a board’s-eye view on risk and strategy. Our survey showed that indeed corporate boards are deepening their involvement in company strategy and refining their oversight of the critical risks facing the company.

Next, we zoom in on how data and analytics are changing audits. The core goals remain, but audit tools, execution and results are being transformed and expanded by new capabilities in data and analytics. This is the way audits will be conducted in the future and it is critical that audit committees and auditors begin working together now so audit committees understand where the process is heading. And not only audit will take full advantage of data and analytics – the use of data and analytics is rapidly gaining traction in various parts of today’s business as well.

The third article in our newsletter is a piece on the intensified focus of regulators on tax transparency. The obligation to report country-by-country tax information to all jurisdictions is on the immediate horizon. The impact on multinational companies will be profound, with significant implications for tax compliance and reporting functions, transfer pricing policies and oversight, tax audits and controversies and reputational risk.

Lastly, we bring you a selection of insights from our interviews of leading directors from around the world in our Global Boardroom Insights series – about their views on (re)calibrating risk oversight to stay effective in the current high risk and volatile business environment.

We finish this edition with a selection of timely financial reporting and other news from the corporate governance arena.

We hope this publication serves its intended purpose of briefing you on the important developments affecting your role.

If you require further information, please contact us at [email protected] with any comments or suggestions of topics you would like to see receive attention.

Our ACI website (www.audit-committee-institute.be) also provides additional information, including previous editions of the Audit Committee Institute Quarterly, our Audit Committee Toolkit and other useful ACI publications, surveys and other content.

We trust you continue to enjoy the benefits of ACI membership.

Olivier Macq, Chairman ACI Belgium

Wim Vandecruys, Director ACI Belgium


On the 2016 audit committee agenda

Prioritizing a heavy audit committee agenda is never easy, and 2016 will be particularly challenging given the level of global volatility and uncertainty – e.g., the geopolitical environment, commodity prices, interest rates, currency fluctuations, slowing growth in emerging markets – as well as technology advances disrupting established industries and business models. Drawing on insights from interactions with audit committees and business leaders over the past year, ten items have been flagged for audit committees to keep in mind as they consider and carry out their 2016 agendas:

Focus to maintain control of the audit committee’s agenda

This number-one priority from last year holds true for 2016 – overseeing the major risks on the audit committee’s agenda in addition to its core responsibilities (financial reporting and auditor oversight) remains a challenge. Even in the absence of any new agenda items, the risks that many audit committees have had on their plates for some time – cyber and IT, supply chain and other operational risks, legal and regulatory compliance – have become more complex, as have the audit committee’s core responsibilities. Keeping the committee’s agenda focused – and its eye on the ball – will require an agenda that’s manageable (what risk oversight responsibilities are realistic?); a sharp focus on what’s most important (starting with financial reporting and audit quality); allocating time for robust discussion while taking care of “must do” compliance activities; maximizing the value of internal audit (as the committee’s “eyes and ears”); and ensuring the committee has the right composition and leadership.

Monitor and scrutinize critical accounting estimates

Fair values, impairments, and judgments of key assumptions underlying critical accounting estimates, together with loss contingencies and pension funding shortfalls should continue to be a major area of focus for the audit committee. Recognize that the company’s greatest financial reporting risks are often in those areas where there is a range of possible outcomes where management has to make difficult judgments and estimates. Regulators globally continue to express concern about adverse inspection findings pertaining to critical accounting estimates. The message: Quality financial reporting requires a disciplined, robust, and unbiased process to develop accounting judgments and estimates. To that end, the committee must understand management’s framework, help ensure that management has appropriate controls in place, and ask for the external auditor’s views.

Stay apprised of global external audit reform initiatives

Regulators in Belgium and around the world are undertaking initiatives focused on enhancing auditor independence, objectivity, and professional skepticism – from changes to the auditor’s reporting model, to auditor tenure and rotation, and restrictions on non-audit services. New ISA requirements expanding the auditor’s report – to include discussion of key audit risks and the related audit response – will impact many companies as of 2016 year-ends. And EU audit reform – with potential significant extraterritorial impact on auditor selection and non-audit service providers – will also take effect in Belgium in 2016. The committee should proactively consider and discuss the implications of these initiatives, and take the lead on ensuring audit quality.

Reinforce audit quality and set clear expectations for the external auditor

Audit quality is enhanced by a fully engaged audit committee. Set the tone and clear expectations for the external auditor, and monitor auditor performance through frequent, quality communications and a robust performance assessment. Have the audit committee, management, and the external auditor identified audit quality indicators that will enhance understanding of the audit and how to maintain or improve audit quality? Remember that audit quality is a team effort, requiring the commitment and engagement of everyone in the process – the auditor, audit committee, and management.

Consider how the company’s disclosures can better tell the company’s story – and the audit committee’s

Think about going beyond what’s required to provide a fuller picture not only of the company’s recent performance, but also where it’s headed and the key risks it faces. In addition to traditional financial metrics, can the company provide greater insight into the drivers of long-term growth, such as customer satisfaction, talent, or innovation? Disclosure initiatives undertaken by ESMA and others globally are the beginning of a new generation of leaner and cleaner financial disclosures. Also, consider ways to enhance the audit committee’s disclosures to provide greater insight into how the audit committee carries out its oversight responsibilities.

Maintain a sharp focus on finance leadership and bench strength

Quality financial reporting starts with the CFO and finance organization. Given the critical role the CFO plays in maintaining financial reporting quality, it is essential that the company has succession plans in place not only for the CFO, but for other key finance executives – the controller, chief accountant, chief audit executive, and treasurer (and perhaps the chief compliance and chief risk officers). How does the audit committee assess the finance organization’s talent pipeline? Do they have the training and resources they need to succeed? How are they incented to stay focused on the company’s long-term performance?

Spend more time outside the boardroom

Recognize that effectiveness inside the boardroom increasingly hinges on spending time outside of the boardroom – visiting company facilities, interacting with employees and customers, and hearing outside perspectives – to understand the tone, culture, and rhythm of the organization.

Assess the company’s readiness for new country-by-country tax reporting

The obligation to report country-by-country tax information to all jurisdictions is on the immediate horizon – with significant implications for tax compliance and reporting functions, transfer pricing policies, tax audits and controversies, and reputational risk for multinational companies. Under the OECD’s Base Erosion and Profit Shifting (BEPS) project, multinationals with more than 750 million euros in revenue will be required to provide, in a single country-by-country (C-by-C) report, detailed information about every jurisdiction in which they operate. The first C-by-C reports will relate to fiscal years beginning on or after January 1, 2016, with the report due one year later. Audit committees of multinationals will want to assess their company’s readiness. What systems and process changes will be required to comply with the requirements? Have we assessed our transfer pricing strategies and identified those that are likely to be challenged? Do we have an effective communications plan to explain and interpret the C-by-C data?

Assess the company’s readiness for the new revenue recognition standard

The FASB and IASB have finalized the deferral of the effective date of the new revenue standard by one year – until January 1, 2018 for calendar-year end companies. The new standard, which will change the way many companies recognize revenue from customer contracts, will have a significant impact across the company – from systems, data, and accounting processes, to controls and business contracting processes. Companies should use the additional transition time to finalize implementation plans, identify areas that require close attention, and implement the necessary changes to processes, systems, and controls.

Be prepared for data and analytical procedures

Audits are changing significantly. The core goals remain, but audit tools, execution and results are being transformed and expanded by new capabilities in data and analytics. This is more than a trend. This is the way audits will be conducted by virtually all the major accounting firms, and it is critical that audit committees and auditors begin working together now so audit committees understand where the process is heading, what the broad benefits are and how to work effectively with management to enable a smooth and effective shift within their organizations.


Global Pulse Survey – Calibrating risk and strategy

One seasoned director recently observed, “If you aren’t constantly assessing strategy and risk, and adjusting as you go, there’s no way you’re keeping pace as a business or a board.” i Many of the directors and business leaders responding to our recent global survey agree.

Our survey finds that boards are indeed deepening their involvement in strategy and refining their understanding and oversight of the critical risks facing the company – the competitive landscape and risk environment demand it, investors expect it, and bringing real value to the boardroom dialogue requires it.

To better understand how boards are helping the company calibrate strategy and risk – where they’re deepening their engagement, and where the biggest challenges and concerns are – we surveyed more than 1,000 directors and senior executives around the world.

Our research suggests that while many boards are clearly stepping up their game – considering strategic alternatives and monitoring execution, improving risk-related information, reassessing risk oversight responsibilities, and more – significant challenges remain, including linking strategy and risk, and addressing growing cyber security risks.

i KPMG’s 2015 Audit Committee Issues Conference


Five Takeaways

Boards continue to deepen their involvement in strategy – including execution. Some 80 percent of survey respondents said the board has deepened its involvement over the past two to three years – in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security), and recalibrating strategy as needed.

Effectively linking strategy and risk continues to elude many boards. Only half of survey respondents are satisfied that strategy and risk are effectively linked in boardroom discussions. Risk-related decisions, many said, would be most improved by more closely linking strategy and risk, as well as having a more-clearly defined risk appetite, better assessment of risk culture, and giving greater consideration to the “upside of risk taking” (versus risk avoidance).

Better risk information and access to expertise are (still) top of mind. Many boards have recently taken steps – or at least discussed ways – to strengthen their oversight of risk, mainly by improving risk-related information flowing to the board, but also by hearing more independent views and refreshing the board/recruiting expertise, coordinating (and reallocating) risk oversight responsibilities among the board’s committees, and/or changing the board’s committee structure.

Cyber security may require deeper expertise, more attention from the full board, and potentially a new committee. Greater use of third-party expertise and deeper technology expertise on the board would most improve the board’s oversight of cyber security, survey respondents said. Many also said cyber security needs to have more time on the full board’s agenda, and nearly a quarter said formation of a new committee to address technology/cyber risks would be beneficial.

Oversight of key strategic and operational risks could be more-effectively communicated and coordinated among the board and its committees. Nearly half of survey respondents cite room to improve the communication and coordination among the full board and its committees on oversight of the company’s key strategic and operational risks – e.g., strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies, and supply chain issues.

[Figure: Participating Countries (legend: = 20 or more responses)]


It comes as little surprise that boards are deepening their involvement in strategy – considering strategic alternatives, monitoring execution, recalibrating strategy, and devoting more time to technology issues.

As one director noted recently, “It’s a different ballgame today. We’re spending much more time not only on strategy but on execution as well. Shareholders expect the board to be fully engaged and able to articulate why the company is doing what it’s doing.” ii

Indeed, the board’s traditional involvement in strategy – typically an annual “review and concur” role – is evolving quickly. As emphasized in a recent report on the board’s role in strategy development, “The board’s involvement needs to be rethought in our fast-paced and increasingly complex marketplace… given the real and substantial risk that a company will fail to adjust strategy as necessary for survival in a timely manner…” iii

From identifying the metrics that will be early indicators of a strategy’s success or failure, to expecting change and understanding how it may affect the company’s current strategic course and undermine the strategy’s fundamental assumptions, boards are playing an increasingly active (and proactive) role in helping to assess and calibrate strategy. iv

Interestingly, for Belgium, relatively more survey respondents point to technology and cyber issues as an area where the board’s involvement has increased over the past years as compared to the global ranks.

In what areas (if any) has the board’s involvement in strategy increased over the past 2 – 3 years?

| Response | Global | Belgium |
|---|---|---|
| Formulation of strategy alternatives/consideration of strategic alternatives | 53% | 47% |
| Monitoring execution | 47% | 37% |
| Recalibrating strategy | 35% | 44% |
| Devoting more time to technology issues, including cyber risk | 33% | 44% |
| Testing the ongoing validity of assumptions | 24% | 14% |
| No significant increase – board has been deeply engaged for years | 11% | 12% |
| No significant increase – but deeper engagement is needed | 11% | 7% |

ii KPMG’s Issues Conference, Id.

iii NACD Blue Ribbon Commission on Strategy Development, 2014

iv NACD, Id.


As most board members and business leaders today will agree, strategy and risk go hand-in-hand; without risk, there’s no reward.

But effectively linking risk and strategy continues to be a challenge: Only half of survey respondents are clearly satisfied that risk and strategy are effectively linked in boardroom discussions.

Describing strategy and risk as “two sides of the same coin,” one director notes that “Any discussion on strategy can be turned into a risk discussion, and vice versa.” v

Another commented that “There’s risk in the direction that the company chooses to take; there’s risk in the implementation of the strategy; there’s risk in the unknowns and the outside factors that you can’t control. Risk has to be part of that strategic discussion.” vi

For those still wrestling with effectively linking strategy and risk in the boardroom – and, indeed, across the enterprise – one risk professional said he poses a basic, but challenging, question to the board: “Is the company’s risk lens equal to the growth lens? In other words, are you putting enough rigor around the risk side of your strategy – i.e., are you stress-testing your growth assumptions? Are you doing some scenario planning and aligning your growth ambition with your risk appetite? If you don’t spend enough time quantifying your risk appetite, you don’t really know if you’re taking the right amount of risk in relation to your strategy.” vii

Generally, “closer linkage of strategy and risk” was most often cited by survey respondents as a key to improving the company’s risk-related decision making (see Question 3).

How satisfied are you that risk and strategy are effectively linked in boardroom discussions?

| Response | Global | Belgium |
|---|---|---|
| Satisfied | 44% | 51% |
| Somewhat satisfied | 31% | 30% |
| Not satisfied | 14% | 12% |
| More than satisfied | 10% | 5% |
| Unclear | 2% | 2% |

v Lindsay Maxsted, Global Boardroom Insights, Sept. 2015

vi Maggie Wilderotter, Global Boardroom Insights, Sept. 2015

vii Mike Nolan, Global Boardroom Insights, Sept. 2015


Making better risk-related decisions, according to most survey respondents, hinges largely on a “closer linkage of strategy and risk.”

A more clearly-defined risk appetite, promoting the right risk culture, and taking a harder look at the “upside” of risk-taking are also front and center.

“As a board, you are observing how decisions are being made and evaluating the thought processes,” noted a director (and former chief risk officer). “The goal is to continually refine that decision-making process so that the company is intelligently taking profitable risks – consistent with the strategy and based on a good understanding of the risks and rewards.” viii

Another director emphasized that the board’s role is to “make sure the culture is healthy and that there’s diligence around the risks that could have significant downside for the company. And it’s not about the board saying ‘Don’t take the risk.’ It’s about the board saying ‘Have you thought through all of the issues associated with the risk posed by that decision?’” ix

Does everyone agree on what the company’s top five risks are, and how much risk the company is willing to accept based on various factors underlying the strategy – e.g., foreseeable risks, shareholder expectations, available capital, strategic alternatives, and management skills?

“In my opinion,” noted one director, “the courage in strategic thinking and a clearly-defined and communicated risk appetite determines the competitive value of a company.” x

In Belgium, the responses of the directors and senior executives queried contrast with the global results – with a more clearly defined risk appetite being perceived as the number one improvement in risk-related decision making.

What would most improve the company’s risk-related decision making?

| Response | Global | Belgium |
|---|---|---|
| A more clearly-defined risk appetite | 41% | 47% |
| Closer linkage of strategy and risk | 53% | 37% |
| More effective promotion and assessment of company’s risk culture | 35% | 26% |
| Greater consideration of the “upside” of risk-taking (versus risk-avoidance) | 33% | 30% |
| A more prominent role for chief risk officer (or equivalent) | 20% | 12% |

viii Michael Hoffman, KPMG Quarterly Webcast, “Managing Risk for Strategic Value and Competitive Advantage”

ix Wilderotter, Id.

x Artur Gabor, Global Boardroom Insights, Sept. 2015


Despite the increased focus on cyber security as a critical business priority, one in three survey respondents said the full board should be devoting more attention to cyber risk; and the adequacy of cyber expertise – via third-parties and/or on the board – continues to be a concern.

“Good boards are spending a lot of time thinking about cyber and trying to understand it,” notes one director, “just as they do with every other aspect of what goes on in the organization – whether management has sufficiently robust processes and controls in place. In this sense, there is a very important role for external advice and benchmarking.” xi Boards are also taking a harder look at their own expertise. “You don’t want to go searching for a new board member every time you have a new risk, but given the huge business implications of cyber security, I do think it’s important to have at least one board member who is versed in information technology.” xii

A few key questions should be front and center today: Is cyber risk given regular and adequate time on the board’s agenda? Is cyber risk integrated into the company’s risk management process and business culture? What are the company’s biggest vulnerabilities and its most critical data sets? Has the company conducted penetration tests and external assessments of its cyber defenses – and what were the results? Does the company use a cyber security scorecard and is there a cyber-incident response plan in place? Are the board’s/committees’ oversight responsibilities clear?

Globally nearly a quarter of survey respondents said formation of a new committee (to address cyber and technology risks) would improve the board’s oversight whereas none of the Belgian respondents seem to see benefits in a separate cyber risk committee. Instead, relatively more Belgian survey respondents wish to see technology expertise in the board deepened as compared to the global results.

What would most improve the board’s oversight of cyber security?

| Response | Global | Belgium |
|---|---|---|
| Greater use of third-party expertise | 51% | 58% |
| Deeper technology expertise on the board | 40% | 56% |
| Full board devoting more agenda time to cyber risk | 30% | 19% |
| Formation of a new committee (to address cyber and technology risks) | 23% | 0% |
| Narrower role for the audit committee | 11% | 26% |
| None of the above | 7% | 5% |

xi Maxsted, Id.

xii Nolan, Id.


Only about half of survey respondents said they are satisfied with the communication and coordination of board/committee oversight of key strategic and operational risks.

Indeed, the potential for fragmented oversight – with critical risks falling through the cracks – continues to pose challenges, particularly given the scope and complexity of risks facing companies today.

Directors we interviewed gave mixed reviews to the quality of committee reports to the full board, with some describing them as more perfunctory than substantive, and others noting that reports are “increasingly robust.”

Other approaches that boards are using to better coordinate their risk oversight activities include mapping the committees’ oversight responsibilities, establishing communication among standing-committee chairs, and overlapping committee memberships or informal cross-attendance. More than one director we interviewed noted that the audit committee’s deep dive with management on cyber security issues is attended by other board members on a voluntary basis.

Risk committees continue to be part of the discussion on improving board oversight of risk; yet, outside of financial services (where a risk committee may be required in certain cases), directors caution that use of a risk committee may create a false sense of confidence – that “the risk committee has everything covered” – and should be weighed carefully.

How satisfied are you with the communication and coordination between the board and its standing committees regarding oversight activities around the company’s key strategic and operational risks?

| Response | Global | Belgium |
|---|---|---|
| Satisfied | 44% | 51% |
| Somewhat satisfied | 31% | 28% |
| More than satisfied | 11% | 9% |
| Not satisfied | 11% | 9% |
| Unclear | 3% | 2% |


To keep pace with the changing risk environment, survey respondents said their boards are focusing, first and foremost, on the quality of risk information they’re receiving.

Indeed, directors continue to express concern that the quality – including the quantity – of information they receive may hinder their oversight. What risk information does the board require – and in what format? Boards are also seeking a wider variety of sources to help minimize “asymmetric information risk” – the over-reliance on a single source of information (e.g., from management) – including analysts, investors, and outside experts.

Changing the board’s committee structure and reallocating risk oversight responsibilities to better balance committee workloads are also being considered (and implemented) by some boards. “To help alleviate some of the audit committee’s workload, I think you’re seeing more boards looking at how risk oversight responsibilities are allocated, or they’re setting up specific committees – for example, an IT committee, to look at the IT side of what an audit committee would have looked at in the past.”xiii

In the months ahead, we anticipate seeing more boards taking a step back to assess their risk oversight approach as they deepen their involvement in strategy – and focus on more-effectively linking the two.

Consistent with their specific desire to devote more time in the boardroom to technology and cyber issues, Belgian respondents more frequently discuss refreshing the board and/or recruiting directors with specific expertise as compared to their global peers.

What steps has the board discussed or undertaken recently in light of the increasing complexity of the business and risk environment?

Step discussed or undertaken (Global / Belgium)
Improving risk-related information flowing to the board: 61% / 56%
Better coordination of risk oversight activities among the board and its committees: 35% / 16%
Hearing more third-party/independent views on the company’s risks: 25% / 30%
Refreshing the board / recruiting directors with specific expertise: 20% / 35%
Changes to the board’s committee structure / creating new committee(s): 19% / 23%
Reallocation of risk oversight responsibilities (to better balance committee workloads): 18% / 21%

xiii Wilderotter, Id.


Data and analytics – Hindsight to insight to foresight

Audits are changing significantly. The core goals remain, but audit tools, execution and results are being transformed and expanded by new capabilities in data and analytics (D&A). This is more than a trend. This is the way audits will be conducted by virtually all the major accounting firms, and it is critical that audit committees and auditors begin working together now so audit committees understand where the process is heading, what the broad benefits are and how to work effectively with management to enable a smooth and effective shift within their organizations.

What can a data-driven audit do?

Many organizations are keenly aware that they must make better use of the masses of data available to them. This is as true for the financial statement audit as it is in other organizational areas. While transformative change must always overcome a certain amount of inertia, companies are recognizing the advantages offered by an analytics-based audit, from providing auditors with a more comprehensive understanding of the company’s business, to providing the audit committee, the company and its shareholders with more granular and detailed information on which to base key decisions.

For example, auditors typically base their work on a relatively small data set, extrapolating conclusions across the full financial data. D&A tools will be able to incorporate the totality of an organization’s financial information, analysing millions of transactions to identify irregularities and key risk focus areas for auditors. The auditor still makes judgements and decisions about where to focus their efforts, but they will have a much broader set of data from which to select.

Analytics audits will also be able to take external as well as internal data into account. They will be able to analyse and predict how weather, economic, industry and other factors might affect performance, providing enhanced perspective on risk management priorities.

Audits will also become ‘smarter’. Over time, the audit database will expand, building on itself to recognise repeating patterns and enhance understanding of the company’s financial character and risk profile. This makes it easier to identify both audit and business issues, and improve audit insight and quality year over year. Since these processes will occur at almost all companies, there will also be greater ability to benchmark an individual company’s performance against broad, complete industry or geographical data sets, again giving auditors a far more valuable body of information that may be shared with key stakeholders.

“This level of analysis means auditors can more easily identify trends and anomalies for further investigation. It allows them to give organizations greater insights into their past performance which in turn enables them to take stock of their processes and activities and adjust them to improve performance.”

Providing unique business insights

As well as benchmarking, auditors can look in depth at the data, discovering complex patterns, making sense of them, and identifying anomalies. Such information can be used to generate meaningful useable insights that give organizations invaluable information on which they can act to gain real advantage.

Challenges and benefits

Audit firms are going through an unprecedented period of development as they get to grips with data-driven audits and this itself creates a risk in a world that is already complex and moving fast.

Audit committees and the companies they serve have natural concerns around issues such as independence, data security and transparency, and dialogue will be necessary between audit committees, auditors, regulators and management to address these concerns and assess the degree to which the potential benefits outweigh the risks. In order for auditors to effectively leverage their D&A capabilities, companies will need to be prepared to share information on a broader scale and in more detail than in the past.

The good news is that auditors have always been focused on confidentiality and the preservation of secure data, with numerous safeguards already in place and required by regulation. Ultimately, there is no real downside to the D&A audit. Auditors will simply get a much better view into the information they already use to arrive at their opinions. This can’t help but enhance audit quality and increase the value of an audit to all stakeholders.

An organization was concerned that standard approval processes in purchasing and material management were being circumvented, resulting in production delays and costing the company time and money.

D&A capabilities pinpointed the cause of the slowdown as the inconsistent use of Enterprise Resource Planning (ERP) approval processes vital to production efficiency, resulting in the frequent use of manual interventions.

• The recording of deliveries outside the ERP process had a direct impact on inventory and production management.

• The high volume of manual price adjustments revealed an underlying issue with the accuracy of inventory costing.

D&A allowed insights to be provided into the organization’s process that were not clearly seen before, allowing management to assess opportunities to drive efficiency and better leverage their investment in their ERP systems, which enabled them to address specific challenge areas and ultimately to streamline production.

[Figure labels: A fast moving IT landscape; Blurring the line between audit and advisor; Skill set of current auditors; Possible risk of non compliance with audit standards; Data security; Client expectations; Varied stakeholder expectations; Cost of IT to the auditor; The opportunity is exponential; Maturity of client IT environment; The results of D&A testing?; Risk of black box; centralization]


A new level of audit quality

The audit will be very different, very soon, in ways that deliver substantial advantages to investors, audit committees and the companies they serve. The most important thing is to remember that audit committees, investors, regulators, and companies are mutually involved and invested in this process; and all parties need to work together to enable the data-driven audit to realise the broadest range of benefits for all of audit’s stakeholders.

This is an evolving process for everyone involved, so it is important for audit committees to stay on top of developments and satisfy themselves that the right questions are being asked and answered.

Key questions for audit committees to ask their auditor include:

• Where is your organization on the analytics audit timeline?

• How do you expect to use D&A in the audit?

• What safeguards do you have in place to protect our data and preserve confidentiality?

• How will existing substantive procedures evolve through this automated approach?

• Where do you see your capabilities in three to five years?

The talent challenge for audit firms – hiring people with appropriate skillsets and training existing staff in data analytics – is matched by the challenge for organizations to ensure their finance and internal audit functions are similarly skilled.

Value

Quality
• Deeper understanding of processes.
• Identification of possible control gaps.
• Analysis of 100% population to identify outliers/exceptions.
• Quantify value/volume of outliers/control failures.
• Determine the root cause of exceptions.
• Increased focus on key judgements.
• Tailor approach to fraud risks.

Efficiency
• Use D&A at every stage of the audit life cycle and report more regularly to audit committee.
• Less disruptive impact on the business as the audit is focussed on risk rather than random samples.
• Audit effort can be spread more evenly across the year meaning any issues can be fixed earlier.
• Potential efficiencies through centralization of procedures across a group or through centralization of work

Insight
• Quantify manual intervention in financial processes.
• Assess extent of application of policies.
• Measure consistency of controls/tolerances/KPIs.
• Process improvements identified:
  − More automated controls/less manual controls.
  − Flex control tolerances to reduce manual intervention.
• More meaningful benchmarking.
• Advanced visualisation – interactive dashboards and transactional-level


Until now, the agreed way to audit has been to sample, make deductions... building bigger pictures through smaller glimpses... Market by market, business by business.

The accounts are formed from distinct information flows or ‘streams’. They flow into the General Ledger, and are brought together to create the financial statements.

But this is changing. Technology allows all your data to be examined... making audit far more valuable.

Also there are manual entries made to the General Ledger. Which by definition are not subject to system controls. This population can now be identified in its entirety.

Think of each ‘item’ within those streams as a molecule. As it flows through the system it passes through controls; it is tagged and ticked, showing that it conforms to each relevant control. Molecules with all tags might be called the ‘happy flow’.

The ‘happy flow’ is the norm, but there will be populations that deviate. For example, where controls haven’t been switched on, invoices input directly into the system or where parameters have been set differently. These merit further analysis to confirm rock solid reporting and to identify commercial opportunity.

Audit traditionally dips a bucket in, takes a sample, and analyzes it. This is extrapolated to form a view on the whole. But it’s not the entire stream. Imagine the picture that might be seen if auditors could look at everything?

All the items that don’t entirely conform will be seen. What’s their history? There may be perfectly good explanations for some of the deviations. And some others may uncover real opportunities to improve. For the first time the whole picture will be visible.

Technology can put a giant filter in the streams that flow through the General Ledger. This will identify and capture the molecules that deviate from the happy flow. That should be interesting.

What do audit committees need to know?


BEPS, transparency, and country-by-country tax reporting

The obligation to report country-by-country (C by C) tax information to all jurisdictions is on the immediate horizon. The impact on multinationals will be profound, with significant implications for tax compliance and reporting functions, transfer pricing policies and oversight, tax audits and controversies, and reputational risk.

In July 2013, the Organization for Economic Co-Operation and Development (OECD) in partnership with the Group of 20 (G20) major world economies released a 15-point action plan focused on addressing the perceived profit-shifting behaviors of multinational enterprises that contribute to the erosion of countries’ tax bases. This initiative, the Base Erosion and Profit Shifting (BEPS) project, is on schedule to produce final recommendations on all 15 items by this year’s end. Many countries are poised to adopt the OECD recommendations immediately. Increased transparency and reporting of tax structures and transfer pricing practices of multinationals is a central theme of the recommendations.

In particular, under Action 13, released in February, multinationals will be required to provide a single C by C report detailing information about their operations in every jurisdiction in which they operate. The information required will include related and unrelated party revenue, profit and loss before tax, income taxes paid, capital, employees, and assets for each jurisdiction. Multinationals will also need to file a “Master File” providing additional information about their global transfer pricing, tax rulings, value chains, and operating structures.

Implementation guidelines

The implementation guidelines issued by the OECD provide that the new reporting rules should apply to all multinationals with more than 750 million euros (approximately $840 million) in revenue. The first reports would relate to fiscal years beginning on or after January 1, 2016, with the written report due one year later. (The first C by C report for multinationals with fiscal years ending December 31, 2016, would be due by December 31, 2017.) In general, the head company of a multinational group would be expected to prepare the C by C report for the entire group and file it with its residence jurisdiction. The residence jurisdiction would then automatically share the report with other countries. Several countries already have signaled their intent to adopt the OECD recommendations and implementation guidelines, including the United Kingdom, Spain, and the United States, where the Treasury Department has indicated its plans to require a C by C report that is consistent with the OECD’s recommendations. Because it is a single report, as long as one country requires the report, a multinational will have to gather the same information for all countries in which it operates.

The proposed reporting requirements may pose significant costs and compliance burdens – including new technologies and systems to gather and report the data in the required format. In addition, multinationals will need to understand and evaluate the possibility of increased audit scrutiny or controversy, particularly regarding transfer pricing practices.

It will be crucial that tax considerations are integrated effectively into multinationals’ overall business strategies and operational decisions. How can audit committees of multinationals assess their company’s readiness for the C by C reporting?

Here are a few possible areas of focus:

What systems and process changes will be required to comply with the new documentation requirements? Is the required data readily available in our systems or will it require systems changes?

Have we reassessed our transfer pricing strategies and identified those that are likely to be challenged? Is it clear what transfer pricing methodology each business unit uses? Do we need to modify any transfer pricing arrangements?

Do we have an effective communications plan to explain the C by C data and defend our transfer pricing strategies? For example, some tax authorities may tend to focus on the “tangibles,” such as numbers of employees in specific locations and may find it difficult to assess the comparative value and profit generated by small numbers of highly senior or expert staff.

How will the C by C data be used, and who will have access to it? The implementation guidelines contain a list of recommended conditions for a country obtaining and using the C by C report, including both confidentiality and appropriate use protections. But these are merely “recommended.”


Risk oversight – Global Boardroom Insights

U.S. investor Warren Buffett has said quite simply that “risk comes from not knowing what you are doing.” Of course, underlying that observation – as any board member or business leader well knows – are all the challenges, complexities, and uncertainties of running a business.

For many boards and audit committees today, helping to ensure that the company is headed in the right direction and taking appropriate risks – that the company “knows what it’s doing” – is requiring deeper engagement as the business and risk environment becomes more complex and faster paced. In this edition of Global Boardroom Insights, seasoned directors and risk professionals from around the world share their thoughts on how boards are strengthening their oversight of risk – particularly in the context of strategy. Risk and strategy, they agreed, are two sides of the same coin.

Is the board getting the information – and the context – it needs to understand the company’s key risks and add real insight and perspective? Does the company have an enterprise-wide view of its critical risks – and does it include a healthy diversity of perspectives? Are the board’s risk oversight activities appropriately allocated and well-coordinated among its committees? Does the board have access to the expertise it needs – either from third parties or on the board – to assess specific areas of risk, such as cyber security? Are risk and strategy effectively linked in boardroom discussions?

KEY INTERVIEW INSIGHTS

Good risk management is an ongoing business discussion – dynamic and enterprise-wide. The “old idea of risk management being undertaken by a specialist function that enters your world occasionally and then moves on to someone else’s world is ineffective and outdated.” Managing and overseeing risk should be a dynamic process, starting with front-line management. Is the board getting a consolidated, enterprise-wide view of the company’s risks from various C-level perspectives – and outside sources – that helps connect the dots? Make sure the full board and individual directors are staying apprised of the issues that different committees are dealing with – through robust committee reports, joint committee meetings, and voluntary cross-attendance.

Risk and strategy go hand in hand. While boards are clearly spending more time debating risk, “make sure it’s being done in the context of making good decisions, not making no decisions.” Understand the risks around key growth assumptions, and how much risk the company is willing to take. “Unless you know what your risk appetite is, there’s no way to gauge whether you’re taking too much risk or not enough.”

Getting the risk culture right starts at the top, but succeeds (or fails) in the middle. The right tone at the top is a must; but a good risk culture – marked by “an openness and transparency… where employees are comfortable providing feedback in an open and honest discussion and different views are heard” – hinges on the middle. Is it clear that line management respond to issues that arise? Spending time outside of the boardroom – visiting facilities, talking to employees – is essential to effectively gauge (and reinforce) the culture.

Recognize that cyber security is a critical business risk, requiring the full board’s attention. Because cyber risk cuts across so many aspects of the business – from data privacy and third-party vendors to new product development – make sure all the key players (CIO, CRO, CCO, and chief audit executive, for starters) are in sync, and that cyber has sufficient time on the full board’s agenda. Tap outside expertise for an independent view of the company’s vulnerabilities and defenses, and consider whether the board would benefit from having a member who is versed in information technology.

Step back and assess whether risk oversight roles and responsibilities are clear and still make sense. Challenging management on how the company is responding to a dynamic risk environment that could impact the strategy, operations, and compliance – e.g. cyber security and geopolitical risk – requires more and more time and focus. “Give a lot of thought to what gets discussed where” – particularly when it comes to the agenda-heavy audit committee. Make sure that risk oversight roles and responsibilities are clear – particularly on issues (like cyber security) that may involve more than one committee.


Maggie Wilderotter – Frontier/Xerox/Procter & Gamble (U.S.)

“The right culture has an openness and transparency in terms of how the leadership works with each other and the wider organization – where employees are comfortable providing feedback in an open and honest discussion, where there are checks and balances and different views are heard.”

Maggie Wilderotter was named executive chairwoman of Frontier Communications in April 2015, where she had served as CEO since January 2006. She also serves on the boards of Xerox, Procter & Gamble, Juno Therapeutics, and other organizations. Mrs. Wilderotter is a member of the Board of Advisors of BoardroomIQ, Women Corporate Directors, and The Committee of 200. In 2011, she was named to the Directorship 100, and frequently appears in the FORTUNE magazine ranking of the ‘50 Most Powerful Women in Business.’

Artur Gabor – PKN Orlen (Poland)

“Some level of risk is inherent, and attempts to have it completely eliminated are not only futile but also wrong from a business point of view.”

Artur Gabor is chairman of the audit committee of PKN ORLEN S.A., the largest capital group in Poland and Central East Europe. Following his graduation from University College London and Warsaw University, he held executive positions with Credit Lyonnais Investment Banking Group, GE Capital, and IBM Business Consulting Services. He serves on the boards of Orbis S.A. (Accor Group), Masterlease Poland, Idea Bank, and Sfinks S.A.

Lindsay Maxsted – BHP Billiton (Australia)

“The ‘old’ idea of risk management being undertaken by a specialist function that enters your world occasionally and then moves on to someone else’s world is ineffective and outdated.”

Lindsay has been a director of BHP Billiton Plc since March 2011 and is the chairman of the risk and audit committee. He is also currently chairman of Westpac Banking Corporation and of Transurban Group. Lindsay is a corporate recovery specialist who has managed a number of Australia’s largest corporate insolvency and restructuring engagements and, until recently, continued to undertake consultancy work in the restructuring advisory field.

Dame DeAnne Julius – Roche (Switzerland)

“In discussions with the CRO, I do not want to have too much formalism – quantification is important, but my experience is that understanding the qualitative aspects is even more fundamental.”

Dame DeAnne Julius currently is the chair of University College London and a non-executive director of Roche and Jones Lang LaSalle. At Roche, she is the chair of the audit committee. In her executive career she served as chief economist of British Airways and Shell and economic advisor of the World Bank’s Energy Department. Dame DeAnne Julius has previously served on the boards of BP, Deloitte UK, Serco, Lloyds Bank and the Bank of England.

Marie Gemma Dequae – FERMA/Belfius (Belgium)

“Good risk management and governance can be compared to the brakes of a car. The better the brakes, the faster the car can drive. ”

Marie Gemma Dequae is the former president of the Federation of European Risk Management Associations (FERMA). She currently serves on the audit committee of Belfius Bank and Belfius Insurance, and the group Vinçotte. Marie Gemma was group risk manager of Bekaert Group, a global provider of advanced solutions based on metal transformation and coatings, until 2009.

Mike Nolan – KPMG’s Global Leader Risk Consulting

“Good oversight of risk requires a robust management process for consolidating and articulating the company’s risks in a consistent way. Without an integrated view of risk at the management level, I think the board gets put in a really difficult spot.”

Mike Nolan is global leader of KPMG’s Risk Consulting practice. He has more than 30 years of experience providing audit and advisory services – including internal audit, enterprise risk management, Sarbanes-Oxley, and regulatory compliance – in the energy, consumer, and industrial sectors.


Given the heavy workloads many boards and audit committees have today, is it time to take a step back and reassess risk oversight responsibilities?

LINDSAY MAXSTED: In terms of where primary responsibility lies in a governance sense, it depends on your sector. For an industrial or mining company I think it is generally appropriate for oversight of risk and audit to be dealt with by a single committee. However, given my financial services background I wouldn’t contemplate a bank combining risk and audit oversight responsibilities into one committee.

The important thing is that the board and board committees have absolute clarity as to their respective roles and responsibilities; and that, if risk and audit are combined, the risk element is allocated sufficient time at risk and audit committee meetings. The danger is that ‘risk’ becomes an afterthought – particularly given the heavy ‘audit’ workload around the financial year-end and half year. The other important overlay here is the allocation of time by the full board, as opposed to its committees, to risk – particularly emerging operational risks. Cyber security threats and the emergence of disrupters in the financial services sector are two very real examples of risks with such a possible broad impact on businesses, that the discussion ought to be, and generally is, held at the board level.

In relation to the specific issue of time allocation in combined audit and risk committees, at the start of any particular year you have to have a fairly good understanding of the agenda items for each meeting. If you are meeting quarterly, then use the ‘off-quarters’ for the heavily risk-oriented discussions, leaving the meetings around the half year and full year end to focus more on financial reporting and audit issues. It would be odd, if not impossible, for the ‘year-end’ meeting to be heavily focused on the risk oversight agenda when attention should be on significant accounting issues and the financial statements.

On the more broad issue of whether the audit and risk committee is focusing on the right suite of risks, it is really a matter of understanding the business and hence being aware of material risks. Increasingly, that understanding includes an awareness of trends in the sector such that emerging material risks are dealt with as early as possible.

MAGGIE WILDEROTTER: I would say yes. All of the public boards I’m involved with look at risk as a dynamic category, not as a static category – because risk is situational to what a company is going through at any particular period of time. And while the audit committee tends to have what I would call the deep dive responsibility on risk, the board has the overall responsibility for overseeing the company’s risk mitigation strategies. To help alleviate some of the audit committee’s workload, I think you’re seeing more boards looking at how risk oversight responsibilities are allocated, or they’re setting up specific committees – for example, an IT committee, to look at the IT side of what an audit committee would have looked at in the past.

MIKE NOLAN: I do think boards need to step back more frequently and evaluate business risks and how they approach risk oversight. Being able to challenge management on how the company is responding to signals of change that could impact the strategy, the business model, and operations in general requires more and more time and focus; so allocating and balancing risk oversight responsibilities appropriately is critical. Take 3-D printing as an example. It has huge implications for the supply chain, servicing, product quality, and working capital. What are the implications for the company’s strategy and growth assumptions? Do we understand the risks involved? Risks like these may need to be allocated to one or more committees, ideally with the talent and know-how to challenge management – and then ultimately it goes back up to the full board. But boards need to step back periodically and ask whether the allocation of risk oversight responsibilities is still appropriate.


DAME DEANNE JULIUS: Indeed, various risk dimensions are changing constantly because of globalization, technology and other external factors. For large companies like Roche with global operations and presence, this means that we live in the midst of continuous transformation in our business environment. In the pharma sector, developments in the regulatory framework are also crucial. This requires us to act, adapt and react rapidly. The Roche risk management policy focusses on managing material risks – whether they be strategic, operational or financial risks. This is vital in obtaining our business objectives. Our operating principle at Roche is that risks are managed locally – where they arise and where appropriate expertise is present to manage them. Line managers are responsible for ensuring that internal controls are effective and that appropriate action is taken to respond to the risks they face. However also – at least once a year – a ‘top-down’ risk identification and assessment process takes place for managing material risks at the business unit level and at group level. Based on this, an annual inventory of major group-wide risks is compiled, reviewed and discussed in the executive committee and the audit committee. Risk management plans are integral to our overall business plans and are linked to performance assessments.

MARIE GEMMA DEQUAE: Yes. Risks are emerging and evolving constantly. In order for boards to stay successful in their oversight, the need to have a risk committee or other forum for a robust discussion is increasing. And you also actually see separate risk committees appearing more regularly – also outside the financial sector. Where a risk committee sits in the organization depends on size, sector and the risk portfolio – on board level as a separate advisory committee, on executive level or on operational level for very specific risks – e.g., supply chain risk or cyber risk.

In general, I believe two things are critical to stay effective in risk oversight. Firstly, a robust three lines of defense framework, where the role of each line of defense is clear. Effective communication and coordination among these three lines is essential to get the right information to the board at the right time. The second (advisory) and third (audit) lines of defense have to have the authority to communicate independently from the first (operational) line to the board and its committees. Too often the information flowing to the board is only coming from the top executives.

Secondly, risk, reward, and strategy should be viewed as a dynamic process so that the company’s portfolio of risks and opportunities are regularly reviewed and action can be taken by the board on a timely basis (‘emergency risk governance’). For example, cyber risk is evolving so quickly, it’s unrealistic to manage it effectively by reassessing your risk portfolio only once a year.

ARTUR GABOR: The financial crisis and the accounting scandals of the past decade made us aware of the importance of proper risk management. Together with the current volatile business environment, risk oversight is the key challenge for audit committees today. Dealing with this challenge requires going beyond regular oversight of the entity’s activities.

The audit committee’s role changes from simply ‘reviewing and approving’ a strategy to more actively participating in its creation and modification. In this respect, we realized that the risk appetite framework should be consistent with the adopted business model, and also with short- and long-term strategy and financial plans. In this respect, the audit committee works closely with the enterprise risk management department. We perform self-assessments of the risks faced and the related internal controls. The resulting risk map illustrates our current risk profile, factors in the results of our testing of internal controls and links all key risks to business processes and risk owners.

Certain elements are fundamental to effective risk oversight by boards in the current business environment. Firstly, the board’s competence – individually and collectively – must enable them to fully appreciate the risk management challenges of the company – directors need to understand the business and environment and its different dimensions, and the information presented. Secondly, effective oversight requires full agreement between the board and management on the major risks and how they should be addressed. Finally, being effective in risk oversight as a board requires diversity of perspectives and multi-optional thinking skills.

LINDSAY MAXSTED: You have to have robust reporting processes between the committees and the board, but also you have to give a lot of thought to what gets discussed where.

Even though certain risk categories might fall within the remit of a particular committee, you might identify certain issues that are so material and integral to the business that they warrant a full board discussion. That might be achieved by an issue being reviewed and debated by the audit (and risk) committee in the first instance but then the matter proceeding as a formal paper for the whole board to debate – rather than simply as a reporting back by the committee chair. Conversely the issue might be so large and imposing that you conclude that the proper forum is not the audit (and risk) committee but the board itself. Another important point is to ensure that risks are always identified and assessed when any major decisions are taken by the board. So, risk makes its way into the board discussion in many ways.

The quality of risk information in the boardroom is getting better – driven by a regulatory push, a compliance push, a safety push, or otherwise. I think boards, board committees and senior executives are all much more conscious about the importance of properly managing risk. Overall, there is generally a much greater understanding of principal risks and in particular emerging risks. It is important to place emerging risks on the agenda ahead of a negative event. That is still one of the greatest challenges for all of us.

There is a clear benefit for the board or committees to be exposed to third-party or dissenting views. Risk and audit committees can, in part, obtain that independent view through the second and third lines of defense – whether that be through discussions with the CRO, the internal auditor or indeed the external auditor. Discussions with (say) a large accounting firm or an investment bank – not necessarily the firms retained by the company – to better understand what the market is thinking about a certain issue beyond the party line can be extremely important for directors. In my opinion, being aware of – but not necessarily beholden to – market opinion by obtaining inputs from outside the organization, goes to the heart of being a good board member.

MAGGIE WILDEROTTER: Cyber security is a good example. As I mentioned, the audit committee does the deep dive on cyber, but on all the boards I sit on, we give all members of the board the option to participate or sit in on that discussion. We also bring in outside experts to talk about cyber, so the entire board can hear that as well. It helps everyone stay up to speed.

Solid committee reports to the board are also important. They’re more detailed than they have been in the past – particularly the audit committee’s report-out on risk – and they can provide context and opportunity for a quality discussion at the full board level on specific risks.

On all the boards I sit on, we set aside time each year to do a deep dive on enterprise risk management at the board level, and several times a year at the audit committee level.

ARTUR GABOR: We make sure that all board members have access to all the information discussed by the standing committees. Moreover, each board member is free to participate in the standing committee meetings as an observer. Also, we have introduced joint audit and strategy committee meetings which immensely help to oversee key strategic and operational risks. It is the attitude and integrity of the supervisory board that ensures adequate distribution of responsibilities and decision-making rights as well as evaluation of the decision-making process related to risk management.

High-quality risk-related information is fundamental. We managed to achieve the highest standards in Poland. We can always ask for additional and specific information – not only from the top management, but also from second or even third tier managers – independently. In addition, our board and committee meetings at subsidiary level – our company has several downstream, upstream and retail assets – substantially enhance our practical knowledge of operational risk management.

How do you help ensure effective communication and coordination among the board and its standing committees regarding oversight activities around the company’s key risks?

DAME DEANNE JULIUS: The audit committee reviews the process of risk management, internal control systems, risk plans and risk assessments that have been coordinated by the internal audit team and approved by the executive committee. Roche has another board committee – the corporate governance and sustainability committee – which is responsible for overseeing social, environmental and ethical risks, which we refer to as ‘business sustainability risks’. A key activity is the annual discussion by the full board of the group risk report. In this discussion, every member can share his or her view of the strategic risks based on their individual expertise and experience which encompasses many geographies and industries. This year the audit committee also had a joint session with the corporate governance and sustainability committee to ensure that the full range of risks was being covered.

MARIE GEMMA DEQUAE: Good communication between the board, its committees, and executive risk management is never easy due to the heterogeneity in the way risk managers often report. Also, board members don’t always express clearly what kind of information they want to see on risk. And because open and constructive dialogue between the risk manager, the senior executives, and the board and its committees is so important – but often doesn’t happen – the role of the chair of the board in leading the discussion is very important.

In my view, a good risk conversation at the board level has three dimensions: top-down – the board’s and C-level’s concerns about risk management have to be properly communicated downwards and fed into lower level risk assessments; bottom-up – lower-level risk insights have to be reported up to be considered in the top-level risk assessments; and enterprise-wide – in an interconnected way. It is crucial that all layers in the organization can inform the board if things are going wrong without hesitation or fear of recourse.

Another prevailing challenge is that risk managers often use complex technical language that is often not the language of the board members. Risk managers are generally very strong technically, but they don’t always have the right set of soft skills to be fully effective in reporting up to the board or one of its committees. There’s a real need for risk managers to step up and become strategic boardroom advisors.

For their part, board directors need to be genuinely interested in the business and eager to challenge and probe management. In this context, I am in favor of the concept of a ‘contrarian director’ – a director tasked solely with questioning and probing to help ensure all views are taken into account and truly informed conclusions are reached.

MIKE NOLAN: Having a good lead director and strong governance practices for the board in terms of process and effective communication go a long way. You need the mechanisms to make sure that the right level of information is being rolled up to the board, and that the board has confidence in the committee process. But even before that, I think good oversight of risk requires a robust management process for consolidating and articulating the company’s risks in a consistent way. Without an integrated view of risk at the management level, I think the board gets put in a really difficult spot. The audit committee may have a direct line to the chief compliance officer and the chief audit executive, and then the CRO and CIO and some other folks may be coming in with their views on other discrete risks. And if they’re not aligned, the board is left connecting the dots, and that can be a real challenge. It’s getting better, but most companies have a long way to go.

LINDSAY MAXSTED: It’s primarily about leadership and setting the right example. Having the right vision for the company and its underlying values. This starts with the behavior of the board collectively and the individual board members themselves. Selecting the right CEO is fundamental – the board has to ask itself how the CEO goes about his or her business (values); how the CEO thinks about risk, how does he/she lead and in turn appoint the right type of executive to the organization. You need to have an open and transparent view of the business and encourage, through your own actions, a culture where issues get surfaced early. You want people to come forward and not be condemned because there’s a problem. Of course, it’s relatively easy to come up with a list of preferred underlying behaviors, but much harder for a board to assure itself that the right things are actually happening.

There are a few things that can be done. Board and risk committee members should make sure they go out into the business to observe things first hand. Of course, staff might be on their ‘best behavior’, but there is value to be had in simply showing employees that the board is interested and is asking the right questions. People surveys can be instructive too – but again you have to ask the right questions. Also, depending on how concerned one is, there is a place for independent risk culture reviews where a third party can question employees about their experiences; understand whether they feel comfortable about raising issues, and so on.

I think ‘safety’ is a good barometer for risk culture. While a good ‘safety’ culture – early reporting of incidents; responding promptly with remedial action, and so on – doesn’t necessarily mean there is a good culture overall, it can be used as an example, or a catalyst, to help embed similar behaviors in different areas. My final barometer is how an organization deals with complaints. Are they embraced as an opportunity to right a wrong and improve processes or are they dealt with in some other way?

MAGGIE WILDEROTTER: When you run companies, you’re taking risk every single day. Every decision you make has risk associated with it. What you want is a culture within the company of taking calculated risk and taking risk where you try to identify up front, as best you can, the outcomes of taking those risks. You look at the best and worst case scenarios and try to anticipate what could go wrong and what could go right.

As a board member, I try to make sure the culture is healthy and that there’s diligence around the risks that could have significant downside for the company. And it’s not about the board saying “Don’t take the risk.” It’s about the board saying “Have you thought through all of the issues associated with the risk posed by that decision?” You also want to make sure the culture itself brings in voices that serve as a check and balance within the senior leadership. If somebody says “stage left” and everybody just turns left without asking why, you probably don’t have a healthy risk culture.

The right culture has an openness and transparency in terms of how the leadership works with each other and the wider organization – where employees are comfortable providing feedback in an open and honest discussion, where there are checks and balances and different views are heard.

ARTUR GABOR: Since the strongest example comes from the top, it is crucial for management to promote activities which are ethical and which promote proper attitudes in the organization. As an audit committee chair, I expect management to be fully committed to supporting a proper tone at the top. What I see in my organization, is increased involvement in the creation and promotion of a culture based on high ethical standards – a culture whose purpose is to support the management process, including management of the corporate risks. Each of the business areas is directly responsible for monitoring and reducing the risks to acceptable levels. The responsibility of every employee is communicated and emphasized and their awareness is further strengthened by well-thought-out information campaigns. The company emphasizes the importance of its code of ethics that each employee is obliged to be familiar with and to adhere to. We also have an ethics spokesman, to whom employees can address any related issues.

A strong risk culture is fundamental for effective risk management. What are some of the determining factors that can ‘make or break’ a strong risk culture?

DAME DEANNE JULIUS: At Roche, our culture is shaped by the strong scientific underpinning of what we do. This scientific rigor is also key for risk awareness. In addition, our tradition as a Swiss company with strong family links fosters a long-term view in which long-term success is highly valued. This is also an element for a balanced risk culture. Taking risky short-cuts in the pursuit of short-term gains is just not on the agenda.

MARIE GEMMA DEQUAE: Boards and audit committees have to set the right tone at the top – not only defining and approving the risk strategy, but also communicating a ‘risk vision’ and fostering a culture where everybody has ownership and responsibility for doing the best for the organization.

Management has to spread the risk culture message by working on a number of aspects. Effective risk reporting should be in place, allowing timely escalation of risk events. A good risk culture is one in which it is acceptable that bad things are brought to the higher levels proactively and in a timely way without fear of being condemned. Reporting is one element, but getting the right information in that reporting is even more important. You really have to promote a culture of openness to bring all information to the table – the very good and the very bad.

Management has to make sure proper systems of communication are in place to continually reinforce awareness around risk culture at all levels in the organization. It is important to learn from each other’s best practices. During my time as risk manager, when I noted a specific good practice in a department, I promoted this actively and organized roundtables around it to share the practice with all functions and departments.

Finally, management has to work to make sure learning and development programs are in place – not only internally but also from outside experts – and that performance management and incentives properly take into account factors in risk culture.

MIKE NOLAN: Tone at the top should be a given. What’s really important is tone in the middle. Issues often develop on the front lines of the business, at the middle manager level. If something’s brought to their attention, how are they dealing with it? How they respond is critical – and a lot of that comes down to good ethics and compliance training, and setting clear expectations. Metrics and processes are important – and in fact the U.S. Federal Sentencing Guidelines require measurement as to the effectiveness of your compliance program – but in my experience the best organizations are consistently talking about the culture. There’s a very clear expectation and ongoing communication. Because most incentives are still performance-based, the alignment of risk culture and risk appetite – defining and communicating that clearly – is critical.

To understand and monitor all of this, the board needs to be fully engaged, beyond the boardroom – visiting locations, speaking to middle management, understanding the expectations of regulators, and so forth. Whistleblower hotline reports, employee surveys, and ethics and compliance training are important, but really understanding the company’s risk culture requires a combination of quantitative and qualitative measures and monitoring.

Financial reporting news

Leases – 2019 effective date for new standard

A 2019 effective date was agreed for the new leases standard at the IASB’s final public meeting on the project. IFRS 16 Leases will be effective for accounting periods beginning on or after 1 January 2019. Early adoption will be permitted, provided the company has adopted IFRS 15 Revenue from Contracts with Customers.

Innovation in corporate reporting

New proposals issued by the Federation of European Accountants (FEE) seek to support the evolution of corporate reporting, so that it can better keep pace with economic change and address stakeholder needs. The paper – titled The future of corporate reporting – comes amid a global debate about the need for innovation and the impact of technology on corporate reporting.

Income taxes – Accounting for uncertain tax positions

Tax is a sensitive topic, attracting a lot of attention and triggering much debate about tax transparency both within and beyond the boardroom. Interpreting grey areas in tax law can be complex. New proposals issued by the IFRS Interpretations Committee seek to bring clarity to the accounting for income tax treatments that have yet to be accepted by tax authorities. Comments are due to the Interpretations Committee by 19 January 2016.

Enhancing auditor reporting – Providing insight and transparency

For some time, investors have demanded more than a binary pass/fail opinion from the auditor’s report. The new international auditor reporting requirements – effective for December 2016 year ends for those following International Standards on Auditing – give auditors the opportunity to share more insight with investors. The main change is that auditors will be required to describe in the audit reports of listed companies the key areas they focused on in the audit and what audit work they performed in those areas. The KPMG publication Enhancing auditor reporting discusses how investors, audit committee members and company management may be affected by the new requirements, and lists some steps they may consider taking in preparation for the change.

CBN/CNC Opinion on Leasing

The CBN/CNC has recently issued a position on the accounting treatment of leasing arrangements. It replaces all previous positions. The position only relates to leasing arrangements in respect of tangible fixed assets.

The criterion to determine the classification of a leasing arrangement is whether, at inception of the lease, the present value of the minimum lease payments amounts to the full capital invested by the lessor in the leased asset. The invested capital is the acquisition cost or the market value, depending on the circumstances. The invested capital also includes directly attributable costs.

The components of the minimum lease payments will differ depending on whether the leased asset is movable or immovable property. In case of a finance lease,

• the lessee will not account for the purchase option, if any, as an asset, but will present the purchase option as an off-balance sheet item, until the lessee exercises the purchase option;

• the lessor will recognise a “normal” profit in profit or loss at inception of the contract and will recognise the purchase option, if any, as an “other tangible fixed asset” if, at inception of the contract, it is reasonably certain that the purchase option will be exercised.

In case of an operating lease, lease incentives and uneven payment profiles will have to be recognised in profit or loss on a straight-line basis, both by the lessee and the lessor.

Read more of any of the publications above and more on IFRS:

• KPMG Belgium IFRS Institute: www.kpmg.com/be/en/topics/ifrs-institute

• KPMG Global IFRS Institute: www.kpmg-institutes.com/institutes/ifrs-institute

Other news and insights

KPMG’s Anti-bribery and corruption survey 2015

Globalization has entered a new phase, posing greater challenges for anti-bribery and corruption (ABC) compliance than before.

Two trends are driving these changes. First, a growing number of governments are tightening ABC regulations or introducing new ones. Second, as companies globalize their operations, they rely more heavily on third parties than before to do business in far-flung parts of the world, often in areas where there is high risk of corruption.

A new KPMG report analyses some of the key risks companies face when dealing with bribery and corruption. The survey of companies around the world shows that companies are attempting to rise to the challenge but that a great deal more needs to be done to create a sturdy ABC compliance structure.

The main findings include the following:

• As companies continue to globalize, management of third parties poses the greatest challenge in executing ABC programs.

• Despite the difficulty of monitoring their business dealings with third parties, more than one third of the respondents do not formally identify high-risk third parties. More than half of those respondents with right-to-audit clauses over third parties have not exercised the right.

• Respondents complain they lack the resources to manage ABC risk.

• A top-down risk assessment would help companies set priorities, but executives admit that an ABC risk assessment is one of their companies’ top challenges.

Read the full survey report on www.kpmg.com.

Corporate governance compliance and monitoring across the EU

A recent ecoDa report contains an overview of the mechanisms in place to monitor the level and quality of compliance with governance codes in general and with the “comply or explain” concept in particular. It covers all Member States of the EU and Norway.

The report is useful to secure a level playing field across the EU with regard to the scope of national codes and the governance approach adopted across the various Member States. It seeks to encourage high quality explanations when there are departures from code provisions; to promote more focus on decision making on governance matters and to foster a more harmonized approach to monitoring the implementation of corporate governance codes across the EU.

The full report can be accessed and downloaded from the reports section of the ecoDa website at www.ecoDa.org.

Shifting tides: Global economic scenarios for 2015–25

Day-to-day developments in the world economy have become increasingly complex and global in their implications.

McKinsey sees three interlinked factors that have the potential to shift the global economy from one long-term outcome to another: aggregate demand, structural challenges, and diverging growth patterns.

First, in the near term, the major economies continue struggling to achieve self-sustaining growth in aggregate demand. This continues despite years of monetary and fiscal stimulus, as well as the recent drop in oil prices. Second, the world’s major economies face long-term structural challenges, including rising debt loads, aging populations, and inadequate or aging infrastructure. Success or failure in resolving these structural challenges will determine the speed of long-term growth in these economies. Third, the world’s major economies have increasingly diverged in the last few years. In the past, global integration has driven convergence. The prospects for further integration have become less certain. The global financial shock was followed by years of weak growth and concerns over rising inequality. The path to renewed and stronger growth remains elusive, according to McKinsey.

Read the full article on the McKinsey website at www.mckinsey.com

Internal Governance

The publication GUBERNA Governance Insights: Internal Governance summarizes the research and exchange of experiences of the Internal Governance Center of GUBERNA.

Since there are currently no “codes of best practice” for internal governance, the authors had to rely on governance literature, governance experts and their own research to develop a number of basic principles of internal governance within corporations. These ideas have been further complemented by concrete governance practices, based on testimonials of CEOs and directors of subsidiaries and parent companies. This combination has made it possible to develop a number of best practices and opportunities, and to point out the main challenges and red flags for internal governance.

The publication is divided into three parts: intra-company governance, intra-group governance and subsidiary governance. The publication clarifies the basics, proposes a series of general principles as well as some specific internal governance guidelines.

The full publication can be accessed and downloaded from the GUBERNA website at www.guberna.be

About ACI

The Audit Committee Institute (ACI) champions good corporate governance to help drive long-term corporate value and enhance investor confidence. Focussing on the audit committee and supporting the director community more broadly, ACI engages with directors and business leaders to help articulate their challenges and promote continuous improvement. Sponsored by KPMG, ACI delivers actionable thought leadership – on risk and strategy, technology, compliance, financial reporting and audit quality – all through a board lens.

ACI Professionals

Olivier Macq, Chairman ACI Belgium
KPMG Bedrijfsrevisoren – Réviseurs d’Entreprises, Partner

Wim Vandecruys, Director ACI Belgium
KPMG Bedrijfsrevisoren – Réviseurs d’Entreprises, Senior Manager

Contributing editors

Dennis T. Whalen, Chairman
Global Audit Committee Institute Steering Group

Timothy Copnell, Chairman
Audit Committee Institute in the U.K.

Manal Corwin, Principal leader
International Tax KPMG LLP

Contact us

Audit Committee Institute
Bourgetlaan – Avenue du Bourget 40
B-1130 Brussel – Bruxelles

www.auditcommitteeinstitute.be
E-mail: [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received, or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. While every effort has been taken to verify the accuracy of this information, neither the Audit Committee Institute, its sponsors, professionals nor contributing editors can accept any responsibility or liability for reliance by any person on this quarterly newsletter or any of the information, opinions or conclusions set out in this quarterly newsletter.

© 2016 KPMG Support Services ESV/GIE is a Belgian firm providing services to local member firms of KPMG International, a Swiss cooperative. Responsible editor: Olivier Macq, Avenue du Bourget – Bourgetlaan 40, B-1130 Brussels. All rights reserved. January 2016. Printed in Belgium.

Audit Committee Institute in Belgium

@ACI_BE