2018 Deloitte Audit Committee Symposium Retrospective ... › content › dam › Deloitte › us...
11
2018 Deloitte Audit Committee Symposium Retrospective Signals for the future Center for Board Effectiveness
Transcript of 2018 Deloitte Audit Committee Symposium Retrospective ... › content › dam › Deloitte › us...
w
2018 Deloitte Audit Committee Symposium RetrospectiveSignals for the future
Center forBoard Effectiveness
2018 Deloitte Audit Committee Symposium retrospective
Save the date
2019 Deloitte Audit Committee SymposiumNovember 19–20, 2019 | Mandarin Oriental | Washington, DC
2020 Board Member Experience at CES® January 7–9, 2020 | Las Vegas, NV
2020 Deloitte Board SymposiumMarch 12–13, 2020 | The Ritz-Carlton Hotel | Naples, FL
2018 Deloitte Audit Committee Symposium highlights
Attendees at the 2018 Deloitte Audit Committee Symposium had the opportunity...
Sharing perspectives
Connecting with clientsHunching Business Chemistry® types
...to network and benefit from shared content. Geoff Colvin
The audience responded to several polling questions during the 2018 Deloitte Audit Committee Symposium. Some of these results are included throughout this document.
2018 Deloitte Audit Committee Symposium retrospective
3
Introduction
Friends and colleagues,
Thank you for joining us at the 2018 Deloitte Audit Committee Symposium. The two-day event allowed us to engage, challenge, and discuss with each other critical topics facing audit committees today and think about what may be around the corner.
This retrospective gathers highlights and key takeaways from the symposium and offers a few central themes that ran through several of the panel and audience discussions.
• The responsibilities of the audit committee have expanded greatly since the passage of the Sarbanes-Oxley Act, and, in many cases, the obligations continue to increase. From oversight of the risks related to financial reporting, compliance, and regulation, to understanding how to address risks associated with cyber and geopolitics, managing so-called mission creep has become a vital component of audit committee effectiveness.
• As technology and innovation present both risks and opportunities at an extraordinary pace, audit committees are more engaged than ever before in monitoring the implications of these advances. Cyber tops the agenda of many audit committees, but other technology risks are coming into focus, including the use of artificial intelligence, robotics, and blockchain. At the same time, these and other technologies present opportunities that companies of all shapes and sizes need to consider.
• New and updated regulations and standards have handed many audit committees the responsibility of determining how best to help management stave off rule implementation fatigue, as well as address compliance risks. In some cases, that requires fewer technical experts and more audit committee members with strong enterprise risk and leadership management skills.
Once again, we greatly appreciate your participation—including the robust discussions during the interactive sessions—and look forward to continuing the conversation at the 2019 Deloitte Audit Committee Symposium at Mandarin Oriental, in Washington, DC, on November 19-20, 2019.
Regards,
Deborah L. DeHaas Vice Chairman National Managing Partner Center for Board EffectivenessDeloitte
Henry Phillips Vice Chairman National Managing Partner Center for Board EffectivenessDeloitte & Touche LLP
2018 Deloitte Audit Committee Symposium retrospective
4
Originals: How non-conformists rule the world
Inaction rather than a lack of creativity is more likely the enemy of innovation. Five principles can help individuals and organizations break free of inertia and move from idea to action:
Take risks on novel ideas. Relying on the past to help predict success in the future rarely leads to innovation. What’s more, cognitive entrenchment can crush innovation. Effective leaders tap managers from different departments and functions to gain new—and sometimes ignored—perspectives.
Put your worst foot forward. Identify the weaknesses in an idea or argument and expose it. This tactic disarms critics and allows the idea’s creator to focus attention on how the weaknesses of an otherwise valuable idea might be addressed.
Make the unfamiliar familiar. Build a bridge to the familiar so potential stakeholders can easily recognize an idea’s viability. A shortcut for making the unfamiliar familiar is drawing a direct line from one idea that worked in the past to the new idea being proposed.
Create psychological safety. Breakthrough ideas often surface in an environment where risk is welcomed and embraced, where comforting lies are not tolerated, and where there is no penalty for sharing unpopular notions.
Build a challenge network. Senior executives can benefit from an honest assessment of where they are falling short, and the board—especially the audit committee—should play the role of being a challenge network to these leaders.
“Not being creative is not the problem; not moving from idea to action is the problem.”
— Adam Grant, organizational psychologist, The Wharton School of Business; Author, Give and Take, Originals, Option B; Host: WorkLife, a TED original podcast
Adam Grant kicks off the symposium
Featured speaker:• Adam Grant, organizational psychologist, The Wharton School of
Business; Author, Give and Take, Originals, Option B; Host: WorkLife, a TED original podcast
2018 Deloitte Audit Committee Symposium retrospective
5
Technology, strategy, and innovation
Every company is a tech company, whether management uses technology as table stakes or a differentiator. The innovative “edge” may be free of the “core” business’s administration and bureaucracy, and the board and audit committee can support internal innovation by allowing idea incubators to develop without quarterly EPS pressure.
However, the board should take steps to guide management away from creating a class system that rewards innovators while disregarding contributions of those working for the legacy business. Further, the audit committees may have to learn to apportion risk management efforts so the innovation engine does not negatively affect enterprise risk management.
Given the significant role technology plays in business, audit committees likely will need more access to company technology leaders and third-party experts to validate management’s responses to pointed questions. Many of those questions should focus on the oversight of the technology leader’s role.
“Having a chief innovation officer is a significant value statement about how much a company is weighting itself towards legacy versus innovation and the effort it’s putting behind creating a bridge from one side to the other.”
— Dr. David Brailer, Chairman, Health Evolution; Director, Walgreens Boots Alliance
Featured panel: Technology, strategy, and innovation: Considerations for audit committees• Dr. David Brailer, Chairman, Health Evolution; Director, Walgreens Boots
Alliance• Linda Clement-Holmes, Director, Cincinnati Financial; Retired Chief
Information Officer, Procter & Gamble • Nishita Henry, Principal and Chief Innovation Officer, Deloitte Consulting
LLP• Merline Saintil, Chief Operating Officer, 7 Cups; Director,
Banner Corporation, and Nav
On a scale from 1-5, how would you assess your personal awareness of and comfort with emerging technologies? 5 is the most “tech savvy” feeling almost “tech fluent.”
69 responses
1 2 3 4 5
7%
29%
39%
19%
0
5
10
15
20
25
30
6%
5
20
27
13
4
2018 Deloitte Audit Committee Symposium retrospective
6
Dilemmas and Business Chemistry®
Peer-to-peer discussions provided participants with interactive sessions during the symposium: The first addressed “dilemmas” that audit committees have faced or may face in the future, and another introduced the audience to the practical science of Business Chemistry®.
The first dilemma involved a hack of confidential client data and a potential stock selloff by executives before the breach was made public. The second focused on a due diligence failure related to an acquisition, with possible reputational and financial reporting ramifications. Participants discussed their proposed responses, the rationales for their responses, and the sequencing of decisions. Participants agreed that the dilemmas underscored the value of having a crisis response plan in place before an incident happens, and a playbook that is specific to the threat.
Participants were also introduced to the fascinating science of Business Chemistry®, and learned about the attributes that define each type—pioneer, driver, guardian, and integrator. The discussion addressed how certain attributes usually stand out and describe, among other characteristics, a person’s work style Business Chemistry® type. Participants were tasked to use the system to identify the personality types of their own audit committee and board members. Next, they were asked to consider the Business Chemistry® make-up of the group they were seated with and design an audit committee meeting agenda that would encourage greater engagement based on the “chemistry” of the group.
Business chemistry is more than learning how to be effective in one-on-one interactions. It’s about getting the best out of a group you’re working with by drawing out their strengths and minimizing less desirable traits within the context you are working in.”
— Kim Christfort, architect and global leader of Deloitte’s Business Chemistry® and Managing Director, The Deloitte Greenhouse® Experience, US Leader, Deloitte LLP
Featured speakers: Audit committee dilemmas: What would you do?• Krista Parsons, Managing Director, Center for Board Effectiveness,
Deloitte & Touche LLP Business Chemistry: Practical magic for crafting powerful work relationships• Kim Christfort, Managing Director, The Deloitte Greenhouse®
Experience US Leader, Deloitte LLP
2018 Deloitte Audit Committee Symposium retrospective
7
Roles and broadening responsibilities
The role of the audit committee was expanded by the Dodd-Frank Act, and audit committees will likely never go back to more limited roles. As the audit committee’s task list continues to expand, one idea to manage the “mission creep” expansion, is for audit committees to defensively concentrate on the oversight of risk, and leave the offensive oversight role of strategic initiatives to the full board. Audit committee members also may want to strengthen their relationships with the front-line of defense—the business―including the CEO and business leaders who think about emerging risks as part of their daily jobs.
One of the most important discussions an audit committee chair can have with a CEO is on evolving and changing risks and how the audit committee and internal audit can help oversee addressing those risks. Communication with the CFO also is critical, not only on audit matters but also on succession planning, to stay informed on who is retiring, ready for promotion, or needs further development. There also seems to be a shifting mindset about audit committee composition, away from only technical financial and accounting experts to members with keen enterprise risk and leader management skills.
.
“You can’t let strategy creep into the audit committee. This comes back to the risk tolerance and risk acceptance question. The board has to focus on strategy and the audit committee has to monitor, within its own mandate, how much risk the organization is going to tolerate.”
— Alice Schroeder, Director, Bank of America Merrill Lynch International, Prudential PLC, Quorum Health
Featured panels: The audit committee’s role in risk• Michael Gelles, Managing Director, National Security and Cyber Leader,
Deloitte Consulting LLP• Michael Johanns, Director, Deere & Company; Governor of Nebraska
(1999-2005); Secretary of Agriculture (2005-2007); US Senator (2009-2015)
• Alice Schroeder, Director, Bank of America Merrill Lynch International, Prudential PLC, Quorum Health
Perspectives from audit committee chairs• Brenda Gaines, Audit Committee Chair, Tenet Healthcare• William Hernandez, Audit Committee Chair, Northrop Grumman,
Albemarle , and USG
Michael Johanns, Alice Schroeder, and Michael Gelle
Brenda Gaines and William Hernandez
2018 Deloitte Audit Committee Symposium retrospective
8
Data, digital, disruption: Design with humans at the center
In addition to significant marketplace attention on data, digital, and disruption, we are seeing a shift to a focus on design—human-centric design.
Shifting the focus from Artificial Intelligence to Human Ingenuity and designing for humans at the center is needed for launching agile strategies, addressing emerging issues and outcomes, as well as developing scenario plans and playbooks.
Conversation starters for audit committees and management:
• How is management approaching the finance and risk implications around the emerging data regulations around the world? Is data governance a key agenda item? What is the Company’s data strategy?
• If management has invested in tech savvy for Finance, how are those investments paying off? Is it time for a refresh? If management has not invested in this, what would be a good start?
• Is management considering what areas of finance would benefit from an Agile approach—iterating, learning fast, using interconnected teams rather than waterfall handoffs?
• Has the audit committee reviewed scenario-planning that may be uncomfortable or politically challenging to talk about within the company?
“Good scenario planning requires two things a robot or artificial intelligence cannot give you: imagination and courage. When a scenario feels uncomfortable and your first impulse is to think such an event would hurt the organization―but you find yourself saying it won’t happen―it’s a signal to pay close attention to that scenario.”
— Cathy Engelbert, Chief Executive Officer, Deloitte
Opening keynote by Cathy Engelbert
Featured speaker:• Cathy Engelbert, Chief Executive Officer, Deloitte
The responsibility of the Technology Committee
The responsibility of the Audit Committee
The responsibility of the full board
81 responses
3%
22%
75%
Where does Technology and Innovation sit on your board?
2018 Deloitte Audit Committee Symposium retrospective
9
Regulatory and financial reporting updates
The audit committee has a significant role in the oversight of management’s implementation and ongoing application of new accounting standards. The PCAOB and SEC panelists encouraged audit committees to understand the status of the implementation of the new leasing standard through open dialog with both management and the auditors. The SEC’s recently released guidance related to cybersecurity policies and controls was discussed including those controls related to escalation procedures and the application of insider trading prohibitions. The board of directors’ role in overseeing the management of cyber risk was noted. The panelists affirmed that the recent guidance was not intended to imply that cybersecurity risk should dominate a board’s agenda, however, it is an area that the board should be evaluating. The PCAOB is considering how advanced technology may affect audits with the intent of understanding its role in supporting innovation while improving audit quality.
A separate panel discussed the changes to the auditor’s report made by the PCAOB and SEC in 2017. The most significant change relates to the requirement for auditors to include critical audit matters (CAMs) in audit reports. A CAM is any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee that relates to accounts or disclosures that are material to the financial statements and involve especially challenging, subjective, or complex auditor judgment. To eliminate surprises, Deloitte and other audit firms are performing CAM dry runs to identify, draft, and discuss CAMs with management and the audit committee, with the objective of identifying CAMs prior to the effective date. Communication of CAMs is first effective for audits of large accelerated filers for fiscal years ending on or after June 30, 2019.
“Technology is an ally of effective corporate reporting and good audits. But advanced technologies should be evaluated, monitored, and managed because they are not without risk.”
— Wes Bricker, Chief Accountant, US Securities and Exchange Commission
What is your level of familiarity with the new PCAOB requirement for auditors to identity and communicate CAMs?
Featured panels: Signals from regulatory developments: Considerations for audit committees on critical audit matters• Christine Davine, Deputy Managing Partner, Quality & Professional
Practice, Deloitte & Touche LLP• Melissa Naple, Audit Practice Leader, Greater TriState Area,
Deloitte & Touche LLP• Dave Sullivan, National Managing Partner, Quality & Professional
Practice, Deloitte & Touche LLP Regulatory and standards setting update: A discussion with the PCAOB and SEC• Wes Bricker, Chief Accountant, US Securities and Exchange Commission• William Duhnke III, Chairman, Public Company Accounting Oversight Board• Joe Ucuzoglu, Chairman and Chief Executive Officer, Deloitte & Touche LLP
0
5
10
15
20
25
30
35
Very familiar
40%
28
Somewhat familiar
Not familiar at all
44%
3116%
11
70 responses
2018 Deloitte Audit Committee Symposium retrospective
10
Strategic risk and crisis management
“I don’t think anyone in a boardroom feels like a cyber expert. But that does not prevent you from asking management probing questions, especially with reputation risk being ever more important today.”
— Frances Townsend, Executive Vice President, MacAndrews & Forbes Inc.; Former US Deputy National Security Advisor to President George W. Bush; Director, The Western Union Co., Freeport-McMoRan Inc., and Scientific Games Corp.
Being the White House’s bearer of bad news is in some ways akin to the audit committee chair role. As a presidential adviser, the official is not expected to be the expert the country needs to handle unthinkable scenarios, but rather the person charged with asking the questions about the response―and the adviser who is not afraid to ask the tough questions.
The company’s cyber risk leader should be prepared to discuss at a high level the metrics used to detect cyber breaches, to help audit committee members understand potential risks. Those metrics can include: How many times the network was penetrated; network downtime; how fast the system was restored; the company’s schedule for penetration testing (twice a year is ideal, once annually is the minimum); and whether the company’s archive policies follow industry leading practices.
One way to move beyond a discussion and better understand real-world implications is to have management model responses and test them through a wargaming exercise, where there is an opportunity to correct inadequate responses.
Audit committees also should ask management about the extent of cyber education and training they require and make available to employees, as insider threats from poorly trained staff can be as harmful as insider threats from bad actors.
Featured speaker:• Frances Townsend, Executive Vice President, MacAndrews & Forbes
Inc.; Former US Deputy National Security Advisor to President George W. Bush; Director, The Western Union Co., Freeport-McMoRan Inc., and Scientific Games Corp.
Closing keynote by Frances Townsend
76 responses
5%
44%51%
The responsibility of the Technology Committee
The responsibility of the Audit Committee
The responsibility of the full board
Where does cyber risk sit on your board?
Center forBoard EffectivenessThe Center for Board Effectiveness helps directors deliver value to the organizations they serve through a portfolio of high quality, innovative experiences throughout their tenure as board members. Whether an individual is aspiring to board participation or a veteran of many board experiences, the Center’s programs enable them to contribute effectively and provide focus in the areas of governance and audit, strategy, risk, innovation, compensation and succession.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
© 2019 Deloitte Development LLC. All rights reserved.
