Given the dynamic environment, the audit committee should take a close look at the company’s risk profile at least annually. Ideally, this review should be supported by an updated risk assessment by management. As the committee evaluates disclosure issues, an understanding of the key risks can provide valuable insights.
Some risks are considered from a disclosure perspective — for example, cybersecurity and privacy and identity incidents, litigation developments, changes in the market and other key risks, possible contingent liabilities that are not susceptible to reasonable estimation, and significant unusual transactions or events. The committee also should review the risk factor disclosures summarizing the most significant risks that apply to the company to ascertain whether the top risks are adequately presented, particularly the risks unique to the industry sector(s) and geographic region(s) in which the company operates as well as risks that are unique to the company itself.
There is value in understanding how the company’s view of risk aligns with or differs from the view of other firms in the industry. The audit committees cannot oversee the reliability of financial reports in a vacuum.
In the financial reporting process, management often exercises significant judgment regarding various subjective estimates and valuations that are sensitive to changes in external as well as internal risk factors. For example, when evaluating the adequacy of the allowance for doubtful accounts, management should consider such internal factors as changes in the company’s credit policies, collection history and the ratio of bad debt expense to actual write-offs by reporting period. External factors such as the expected economic outlook, competitive environment and emerging regulatory requirements are also relevant considerations.
Regardless of their designated role in the board’s overall risk oversight process, audit committee members should be cognizant of emerging business risks and changes in critical enterprise risks so that they can put into proper context the representations and assertions they receive from management; newly reportable critical audit matters and audit scope changes raised by the external auditor; and internal control concerns, errors and irregularities, and other findings presented by internal audit.
To that end, it may help the committee to have access to a periodic summary or profile of the top enterprise risks. Clearly, the environment is changing, and digital technology-related opportunities and challenges are driving many of the key risks. The audit committee should consider the following questions:
You can read more on this topic in Setting the 2020 Audit Committee Agenda and by exploring these related tools on KnowledgeLeader: