​The key to handling uncertainty is asking the right questions. This can help audit committees spot issues in internal controls over financial reporting (ICFR) and ensure their organizations are satisfying regulatory requirements with timely and appropriate disclosures.

With the abrupt move to remote work in mid-March, regulators were concerned about changes that needed to be made to processes and internal controls. But it was a common, albeit not universal, experience of organizations that, because they were already using electronic systems for record keeping and communication, there weren't material changes to their ICFR.

Regardless of their initial experience, ICFR is an iterative process, so organizations will need to continue monitoring for issues. This could include establishing a risk register in which they can log concerns and the changes made to address them. At the end of the quarter, an assessment can be made as to whether any changes to ICFR were material and need to be disclosed.

In the early days of the COVID-19 pandemic, there was wide variation in the depth and detail of disclosures. Now, there's much more publicly available financial reporting that organizations can use to benchmark disclosures against their peers, and regulators may question disclosures that stray too far from the mean. Audit committees will also need to monitor changes in regulation and ensure these are discussed with management, external auditors and legal counsel.

Organizations may be given a pass this time because very few predicted this pandemic, but they may not get a pass the second time — so what are they going to do differently?

Jim Newton, Audit Partner,
Financial Institutions, and Co-Leader,
Board Leadership Centre, KPMG in Canada

Tackling uncertainty

One of the main challenges to ICFR and disclosure in the current environment is the heightened uncertainty that has been introduced to accounting estimates and forecasts. It can be tempting to believe that existing models will not be helpful because the pandemic is unprecedented, but these models remain the best starting point. To adapt these models, management can use expert judgment and apply overlays to account for what in the current data is not reflected in the models.

Audit committees will want to thoroughly question and understand the process that management has used to arrive at those estimates. For example, they will want to determine if there has been a sensitivity analysis, how wide the range is, what point has been picked in that range, why it was picked and why it's the best estimate.

But the uncertainty in these numbers can heighten the risk of material misstatement. To be satisfied they're free of bias, additional questions will need to be asked if the point is always at the high or low end of the range. Regulators and other stakeholders can be expected to scrutinize the methods and assumptions used to arrive at these numbers and thorough disclosure will be necessary.

Thinking differently about risk

Organizations need to start thinking in a new way about risk. They may have been given a pass this time because very few predicted this pandemic, but they may not get a pass the second time — so what are they going to do differently?

Audit committees will need to keep their knowledge base current and understand where the risk points are. Cyber risk isn't new but is now of greater importance. Environmental, social and governance (ESG) issues have also been growing in prominence; within the ESG framework, social issues have taken on greater importance during the pandemic.

Risk has always gone beyond cyber — but even more so in today's connected world. We need to enhance the conventional, two-dimensional way of looking at single points of risk in terms of their likelihood and severity and start looking at the interconnectivity of risks and the interplay between them — both globally and at an organizational level. This will require much more robust statistical and scientific analysis of data.

While not directly within the purview of audit committees, lack of attention to the well-being of employees may present an ICFR risk. Employees experiencing excessive stress in the new work environment may become less vigilant about adhering to processes or oversight. And they might be more tempted to commit fraud with more opportunities and a greater ability to rationalize the behaviour in the current environment.

Overseeing your oversight

Audit committees will be asking internal audit leaders about their plans for the coming year, considering the new circumstances. Similarly, the pandemic may affect the scope and timing of external audits. For instance, any forecasts that result in a large change in income may affect materiality calculations and the work that needs to be done. And, particularly for far-flung operations, adaptations for remote work will need to be made.

The current level of uncertainty is daunting. But an audit committee can feel comfortable that they've done their job if they've been given a robust presentation, asked the right questions and are satisfied with the answers.

What should audit committees be asking?

  • How has management arrived at its estimates? Did it conduct a sensitivity analysis, and, if so, what was the range and where is it within that range?
  • What is our risk program doing to anticipate risks and the interrelationship between them at both a macro and micro level?
  • What are our regulators doing and does this create an extra burden for us?
  • What is our internal auditor's plan for the year given all this uncertainty?
  • How are our external auditors adapting to the current circumstances such as working from home?