Audit committees have a critical role to play for companies in a business environment that has been severely disrupted by the coronavirus pandemic.
In addition to their fiduciary responsibilities for overseeing the external auditor and financial statements, audit committees can contribute valuable oversight duties in areas such as risk management, cybersecurity, and operations and culture.
A recently published AICPA COVID-19 checklist for audit committees provides topics for audit committee members to consider as they perform their oversight duties during this challenging time. The author of the checklist, Lori Sexton, CPA, CGMA, an AICPA senior technical manager, provides thoughts related to seven key areas for audit committees during this time:
The audit committee’s oversight role: “Oversight doesn’t mean just sitting in a boardroom once or twice a year and going over your risks. Audit committees should be actively involved in making sure these items are addressed in an ongoing fashion. They can’t say the strategies need to be changed to something specific. But they certainly can go to the board of the directors, the CFO, to ask, ‘What is being done to address this, and how can we support you?’”
Risk management and scenario planning: “I like to assure people that, OK, we can’t go backward, but we certainly can go forward. No one was prepared for this worldwide pandemic. There were a few prognosticators who foresaw this or claim that they did, but honestly not to the level that it occurred.
“But now you must be prepared, and that not only includes the mysterious part of figuring out what to do, but also has to include some mitigation. Also keep in mind in the U.S. that audit committees have a fiduciary responsibility, and this is an encompassing piece of their responsibility: to know how to prepare. That’s not necessarily a response to a stimulus plan or to a health care event but to any event or condition that significantly impacts the business.”
Operations: “From an operational standpoint, you want to ask management how they are changing their risk assessment process. For example, if you’re in manufacturing, is there anything you can produce immediately or short term to keep cash flows coming? How are you getting your supplies? Are you considering changing your product or changing your supplier? How are you handling all the loan covenants?
“So it’s an oversight, as it’s always been, ensuring that these things are happening and ensuring that the auditors are asking these questions as well, because the audit committee is responsible for oversight of the external auditors and making sure they are up to speed in the current, volatile, and ever-changing climate, as well as addressing relevant events. That’s why on every board you should have someone, especially if you’re in a public company, with financial experience and accountability such as a CPA. They would know what types of questions to ask.”
Legislation and regulation: “You want to review meeting notes from discussing any revisions in loan covenants, the applications for the Paycheck Protection Program, or any other legislation that is going to be coming through. You just want to be aware of what’s going on and make sure that legal counsel is involved where necessary.
“People are so caught up in the day-to-day operations that they can’t even look up and say, ‘Oh my gosh, I should have applied for that because that money would have helped me get through another month. It’s not enough, but it could have gotten me through to June when I can reopen partially.’ The audit committee can help with that.
“The way work is now conducted as the country reopens is, in part, based on federal, state, and local guidelines and mandates. The audit committee at a minimum should be aware of the entity’s plans and provide the oversight to ensure that no fiscal backlash will occur during this reopening process. Employee, customer, constituent, and other stakeholder health is a paramount consideration. Whether reconfiguring an office, a retail store, or a warehouse to provide assurance with existing health and safety regulations and provide peace of mind for all involved, this is a unique consideration for most audit committees.”
Financial reporting and disclosures: “This is a challenging area to keep up with because there are numerous effective date delays, and the interpretations of some of the accounting and auditing standards are uncertain. For example, how are you accounting for the revisions in your loan covenants? Are they temporary? Are they permanent? There are just so many things we don’t know.
“Again, the audit committee must provide necessary oversight to the external auditors to provide assurance that they are up to date on all the happenings, and it’s really hard to stay up to date when changes are occurring daily. Again, this is where the CPA and other financial professionals on the committee can provide valuable input.
“For example, from a lease accounting standpoint, if your factory is shut down and you’re leasing equipment, this is where it may become interesting. Perhaps one leasing company you’re working with has said they are going to give you a discount because they know equipment is not being used. Or if you’re definitely closed down, maybe they’re going to add that time on to the end of the lease so you’re not paying down time.
“They may be extending the lease from 30 to 60 days or from 30 to 180 days. How do you account for this in your monthly, your quarterly, your 10-K and 10-Q filings? You’re just not sure what’s going to be in the disclosures because you don’t know what’s going to happen. This is just one example of the uniqueness of what we’re dealing with now. The standards and guidance always have been subject to interpretation, but now this just makes us aware of the caveats that can occur beyond what is normal. We can interpret it this way or we can do it the other way, and you can justify it, but it’s hard to justify when the things are moving every day, week, and month.”
Technology and cybersecurity: “Many entities are dealing with a major focus on technology due to workers conducting business remotely, as well as supply chain vendors. The audit committee finds itself making immediate and necessary changes as well. Traditionally, executive-board-type committees have always met face to face. And now all of a sudden they are realizing that they must meet virtually as well.
“If they are a public company, they have to make sure that the SOX [Sarbanes-Oxley] controls are being reviewed. That’s one thing during this time that personally I feel should be one of the first things that’s reviewed. Even if you didn’t have any dependency on technology before the pandemic occurred, you do to some extent now. And if you’re not a public company, the controls over IT need to be addressed, and the audit committee provides oversight to spotlight the need.
“Consider individuals who are continuing business solely via phone with vendors. To conduct business during this pandemic and going forward, the use of technology has increased substantially. For those entities with an audit committee, this additional oversight can steer a return to business more efficiently and effectively.”
Fraud risks: “Fraud considerations and fraud prevention are definitely going to escalate in interest. Audit committees should be prepared to address this more specifically than they have in the past. Some of them have relied emphatically on whistleblower controls in the past, but they also may want to be more proactive and seek feedback to make sure there are controls to prevent fraud as much as possible. This information always has been communicated up to them, but as part of their responsibility, a greater emphasis or attention may be placed to ensure that safeguards are in place and that they definitively address fraud from the top down.”
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.