Across virtually every sector of the economy, corporations face unprecedented changes in the business environment, driven by global economic trends, technological developments, and regulatory initiatives, among other forces. Ultimately, the impact of these changes will be evident in the companies’ operational and financial performance.
But there is another area that will be affected by the forces of change: the annual audit, as auditors must take these dynamic forces into account in assessing a company’s risk exposure and controls.
Based on my experience as a CPA and CFO, as well as an instructor in financial-statement analysis and accounting, I see several emerging red flags that will be major issues for auditors — and thus for corporate CFOs and audit committees — during the 2017-2018 audit cycle. Specifically, we believe there are eight significant audit issues, falling into three broad categories, that are worthy of attention by financial executives and audit committees.
A number of the emerging audit red flags arise from prevailing global economic and business trends, especially the disruptive (and to some extent unanticipated) impact of technology.
Cybersecurity Threats. The Equifax data breach, along with the news that the SEC’s EDGAR system was hacked, are the most recent dramatic reminders of the cybersecurity threats that plague businesses with great regularity. While cybersecurity breaches pose a threat to corporate risk management and business continuity, they also create an audit challenge: the SEC since 2011 has required public companies to disclose cybersecurity risks and incidents. It is important for companies to be able to demonstrate to their auditors that they have robust plans to respond to and quickly recover from a cyber-threat.
Retail-Sector Turmoil. The retail industry has experienced enormous disruption due to the success of Amazon and other e-commerce outlets, and the resulting seismic shifts in consumer behavior. The result has been the closure of thousands of brick-and-mortar store locations, and high-profile bankruptcies such as Toys “R” Us.
Auditors will be carefully scrutinizing not only retail companies but any business with exposure to retail (such as real estate owners/operators, lenders, suppliers to retailers, transportation providers, and insurers) to assess whether they have properly accounted for the impact of store closures or non-payment of obligations from retailers.
Municipal Exposure. The past year has seen a spate of credit-rating downgrades for states, including Alaska, Connecticut, Massachusetts, Mississippi, and Pennsylvania. Illinois’ rating is just above junk grade. The dire fiscal condition of many states impacts municipalities, most of which are reliant on state funding, as well as the status of projects or facilities funded by states.
From an audit perspective, any company that does business with states, municipalities, or even private enterprises that receive public funds will need to reflect this exposure in its audited financial statements.
Revenue Recognition. Public companies must adopt new revenue-recognition standards for reporting periods beginning after December 15, 2017, as a result of Accounting Standards Codification (ASC) 606. Simply stated, the new standard affects entities that enter into contracts with customers to transfer goods, services, or nonfinancial assets, and requires that revenue must be recognized in a manner that aligns with the way in which the goods, services or assets are transferred.
ASC 606 will change the top line for many organizations. Auditors will pay close attention to whether the future impact of ASC 606 has been properly disclosed under the requirements of SEC Staff Accounting Bulletin No. 74. Auditors will also assess whether a company’s revenue recognition methodology is reasonable, and challenge controls related to this new GAAP.
In this final category of audit red flags are several issues that have been of concern for some time, but are receiving continued or renewed attention. For example, the following matters rank among the most frequent subjects of SEC comment letters to public companies.
Non-GAAP Financial Measures. The SEC has continued to focus on companies’ use of non-GAAP measures, such as “adjusted earnings” or “adjusted earnings per share.” While companies may supplement GAAP financial reporting with non-GAAP measures to provide investors or other stakeholders with additional insight, the SEC remains concerned that non-GAAP measures may be emphasized at the expense of the GAAP presentation.
Thus, companies must have procedures to ensure clear and accurate disclosure of non-GAAP measures, proper reconciliation to GAAP, and consistency in the use of non-GAAP measures from year to year.
Segment Reporting. Another evergreen issue in audits is segment reporting, which is required for publicly held entities. The SEC wants to ensure that companies provide accurate visibility and transparency with respect to the financial results and position of their operating units. Thus, auditors will be seeking to determine whether a company’s segment reporting truly reflects the way its chief operating decision-makers actually run the business, assess performance, and allocate resources.
Auditors will go beyond the usual audit evidence such as organizational charts and management reporting packages by comparing a company’s segment reporting to its earnings calls and investor presentations.
Income Taxes and Foreign Subsidiaries. The treatment of foreign subsidiaries of U.S. companies for income tax purposes has become a political hot-button issue. From an audit standpoint, it is not simply a matter of whether a business may be sheltering income in overseas subsidiaries, although that is certainly a significant matter. Auditors also will want to gauge the implications of the foreign income on the company’s liquidity position — that is, whether a business would have the ability to repatriate cash if necessary to cover obligations, and what the tax impact would be.
Enhancing the MD&A. While the MD&A of companies’ annual reports is supposed to provide management’s discussion and analysis, the discussion is often rudimentary and the analysis can be lacking in depth.
Rather than “boilerplate” disclosures, companies should make a meaningful attempt to provide transparency in the MD&A — describing the performance of the business in laymen’s terms and providing in-depth analysis, especially in terms of sensitivity to interest rates, economic policies, customer behavior, and other factors. One approach to making the MD&A more useful is to write it from the perspective of users such as investors, equity and credit analysts, etc.
Clearly, this is a starter list of audit red flags, and each sector will have its own industry-specific critical issues. The larger point is to think beyond the “usual suspect” financial-statement and operational issues and to anticipate and prepare for emerging matters of concern to the auditors.
For most companies, with fiscal-year ends fast approaching, now is the time to address critical issues that could affect this year’s audit.