What audit committees should prioritize in 2023

Audit committee's role continues to grow more demanding and complex amid the uncertain and dynamic business environment. Rampant inflation fears across other jurisdictions, geopolitical tensions, and the shadow of the uncertainties are the critical threats occupying the minds of audit committees. This edition summarizes key considerations for audit committees during the 2023 year-end and beyond.

Risk Management

Boards and audit committees are revisiting risk management practices to make sure that risks are managed effectively across the organization and building more resiliency and overall preparedness to respond and manage these headwinds going into 2023. Key considerations include:

• To combat inflation and surging interest rates leading to increased distress among households and severe constraints for businesses and to mitigate these risks, leading organizations are reshaping their operations, which includes building sustainability as a core aspect of all products and services; boosting customer loyalty using technology; and adopting new pricing constructs or innovative pricing models to improve profitability and performance to protect margins. Audit committees are expected to spend more time in discussing resiliency and using scenario planning to bolster such efforts. Further, they would need to re-examine the processes for risk identification and assessment to ensure that a holistic view of interrelated risks is provided and better understand the related implications.
• Cybersecurity risks continues to multiply and accelerate, marked this year by potential threats tied to the war in Ukraine. Following may be considered by the audit committees while overseeing cyber risk:
  • Reconcile value at risk against the board’s risk tolerance,including the efficacy of cyber insurance coverage.
  • Address new issues and threats stemming from remote work and the expansion of digital transformation.
  • Leverage new analytical tools. Such tools inform the board of cyber risks ranging from high-likelihood, low- impact events to low-likelihood, high-impact events (i.e., a black swan event).
  • Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third-party specialists before a crisis.
• Organizations are transforming their risk management approach by embedding data science and technologies (such as analytics, artificial intelligence, robotic pro automation and machine learning) across the entire risk management process, from identification to assessment to mitigation to monitoring. Integrated risk management platforms and cloud infrastructure are also enabling teams to analyze risk trends more easily and providing the data storage capacity and analytics firepower needed to conduct horizon scanning, scenario planning and stress testing based on multiple variables. Boards and audit committees should assess whether management has a robust strategy for an integrated risk management program leveraging data and technology, with a particular focus on talent and skill sets that may be required.

• With the growing demands and expectations around transparency and sustainability, there is heightened importance of creating a culture that supports ethical decision-making. Key actions audit committees can take to bolster integrity include:
  • Verify that the organization is performing fraud and corruption risk assessments to protect the organization These assessments should be taken seriously from the top down and be regularly and robustly performed.
  • Recognize that systems and processes do not commit fraud, humans do. The best compliance frameworks can be breached if there is not a culture of doing the right thing, which makes building a strong integrity culture as important as the control environment.
  • Support whistle-blower processes — validate that employees are given the opportunity to report suspected wrongdoing in good faith and make them feel assured that there is protection against retaliation.

Questions for audit committees to consider

• What data science techniques and analytic tools is being used to evolve enterprise risk management to deliver deeper insights and create real-time alerts around emerging and disruptive trends?
• How can the organization build resiliency while remaining lean and agile enough to respond to unforeseen risks? Are contingency and response plans related to risks, including cybersecurity and supply chain, periodically simulated and reviewed with the audit committee?
• Did the organization’s stress testing account for ongoing inflation, rate hikes, geopolitical tensions, labor shortages, technology changes, shifts in consumer preferences or climate change?

Financial reporting

Companies are continuing to re-evaluate their disclosures as stakeholders seek to understand the impact of various external developments on the business. We anticipate that audit committees will continue to evaluate impacts and changes in the business environment on their financial reporting processes, including the following:

• Continue to assess changes in the business, trends or uncertainties and the implications for financial reporting. This includes determining how inflation and supply chain issues may be affecting cash flow projections used in forward looking financial information and what discount rate is used to discount those cash flows.
• Revisit disclosures such as risk factors, critical accounting estimates, liquidity, and capital resources to address certain risk concentrations (e.g., customer, supplier, geographic) and other known trends, events, and risks and uncertainties that have had or are reasonably expected to have a material effect on the business.
• Revisit disclosures which are required pursuant to the requirements of Schedule III to the Companies Act, 2013, including those which require exercise of judgement.
• Companies experiencing liquidity issues may be at risk of violating debt covenants, which could affect debt classification. Continue to assess whether disclosures were updated and consider the financial statement effects of the current market conditions (e.g., inflation) and their expectations for the future. It will be important for audit committees not only to understand management’s view of future economic conditions but also to validate that the organization provides transparent disclosures regarding these views. Audit committee would also be interested in validating that the financial information is consistent with those disclosed/ explained in the Annual Report, e.g., Business Responsibility and Entities need to closely monitor the tax environment to recognize both potential challenges and opportunities and to remain agile in the face of uncertainty. Key focus includes the following:

• Audit committees should know how management is both preparing for any new tax liability and determining the applicability of new incentives stemming from these legislative changes. Companies should be tracking new compliance obligations, as well as examining their supply chains and expansion plans where applicable, incorporating potential tax obligations and opportunities into future plans.
• Audit committees should receive a report from management on how the company executed against its internal controls over income taxes for the year. The report should review tax positions, data sources, and non- automatic method changes that might be needed for the upcoming year — all of these areas should be documented and put into an actionable plan for future use.
• Given the current uncertain geopolitical environment, companies and their audit committees should monitor political risks and watch for shifts in leadership and elections in key countries in which they operate, foreign policy actions, tariff changes and regional trade agreements.
• With countries around the world beginning to take steps toward action on the Pillar Two global minimum tax, audit committees should be monitoring and anticipating potential tax changes at the individual country level in relevant jurisdictions.

Questions for audit committees to consider

• Has the organization analyzed the impacts of Budget 2023? Has the company performed modeling and scenario planning reflecting potential tax policy changes and trade developments?
• Does management have the resources within the tax function to monitor international and local legislative and regulatory developments and their impacts on the company, and what oversight does the committee have of the processes?
• Does the organization have a plan for the BEPS 2.0 Pillar Two impact on the provision, compliance, and reporting functions?
• Are Any transactions anticipated that could results in the company being subject to these new taxes?

Questions for audit committees to consider

• Has management assessed whether the company’s current disclosures on climate related matters are relevant and provide insights for objective decision making?
• Have there been any material changes to internal controls over financial reporting or disclosure controls and procedures to address the changing operating environment? Have any cost-saving initiatives and related efforts impacted resources or processes that are key to internal controls over financial reporting? If so, has management identified mitigating controls to address any potential gaps?
• How have economic factors (e.g., supply chain disruption, inflation) influenced the entity’s risk assessment?

Tax and other policy- related developments

Union Budget 2023 is a befitting budget to usher India into Amrit Kaal. The Budget continues its growth focus led by capex push, which should result in a positive multiplier impact for the economy. The thrust on areas like transport connectivity projects and green projects will create new opportunities for the private sector and uplift demand. The Budget considers Green Growth as one of the ‘Saptarishi’ guiding through the vision of the Amrit Kaal, which is likely to place India in a strategically competitive position globally.

Global tax policy is in a period of flux. The Organisation for Economic Co-operation and Development continues to encourage countries to adopt its two-pillar approach to reform of the international tax system (Pillars One and Two of its “BEPS 2.0” initiative, including the Global Anti-Base Erosion model rules). These rules are part of a two-pillar solution to address the tax challenges arising from the digitalization of the economy with an aim to ensure that large multinational groups pay a minimum amount of tax on income arising in each jurisdiction in which they operate, i.e., a system of top-up taxes that results in the total amount of taxes payable on excess profit in each jurisdiction representing at least the minimum rate of 15%. The model typically requires the ultimate parent entity of the group to pay top-up tax—in the jurisdiction in which it is domiciled—with respect to profits of its subsidiaries that are taxed below 15%.

Regulatory developments

Regulatory developments in India continue to evolve with focus on stronger internal controls, company disclosures and investor protection, especially developments which are effective from April 2023. For example - MCA requires all companies to ensure that the accounting software used to maintain books of accounts has prescribed features and attributes of audit trail. These requirements lack specificity and are open for interpretation, e.g., fields or data sets for which audit trails are required to be maintained.

Recently ICAI has issued an Implementation Guide to deal with key implementation challenges. The Implementation Guide provides that management is primarily responsible for ensuring selection of the appropriate accounting software for ensuring compliance with applicable laws and regulations (including those related to retention of audit logs). These requirements are applicable prospectively from financial years commencing on or after 1 April 2023. The Implementation Guide further provides that any software used to maintain books of account will be covered within the ambit of this requirement. For example – if sales are recorded in a standalone software and only consolidated entries are recorded monthly into the software used to maintain the general ledger, the sales software should also have the audit trail feature since sales invoices qualify as books of account defined under Companies Act, 2013. Further, it may be noted that companies are required to maintain audit trail (edit log) for each change made in the books of account. For example, creation of a user in the accounting software may be construed as a transaction in the software.

Related party transactions continue to be an area of focus, especially for listed companies where ambit of related party and related party transactions have been widened. For example, from April 2023, any person/ entity holding 10% (earlier: 20%) or more equity shares in listed entity would be deemed to be a related party under SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. Further, top 1,000 listed entities are required to prepare Business Responsibility and Sustainability Report where disclosure is not limited to environment related metrics but also includes reporting on quantitative social metrics.

Given these priorities and the changing regulatory landscape, audit committees and entities should keep abreast of the evolving agenda and the impact that such changes have on the organization. Audit committees should consider how their companies should be preparing for potential regulatory changes, which could impact reporting requirements, disclosures, and policies and procedures. Key actions for the audit committee may include:

• Evaluate whether the accounting software has the requisite functional parameters and attributes which would be considered as being compliant with the requirements and where it is necessary to engage with service providers and/ or auditors to implement changes to ensure compliance.
• Evaluate the implications arising from sustainability matters, including climate and cybersecurity risk and how the audit committee oversees these risks.
• Evaluate whether the company has robust and adequate disclosure controls and procedures over the company’s existing climate- related disclosures (including any potential need for third-party assurance).
• Enquire as to ways management can enhance data and information gathering practices to further enhance the overall quality of these disclosures.
• Evaluate how the company is effectively engaging with shareholders regarding shareholder proposals.

Questions for audit committees to consider

• Does the company have sufficient controls and procedures over nonfinancial data? Is internal audit providing any type of audit coverage on sustainability-related data or is the company obtaining any external assurance?
• If sustainability-related matters are being discussed in more than one place (e.g., filings with stock exchange, earnings releases, analyst communications, annual report and shareholder letter), is there consistency in the disclosures? Has the company evaluated controls related to such disclosures?
• What process does the committee have in place for regulatory updates and is the committee sufficiently engaged in dialogue providing views and input as needed on the related impacts?
• Whether the existing accounting software of the company has the feature of audit trail? Are any changes in IT configuration would be required to comply with the audit trail requirements - especially after considering the Implementation Guide of ICAI?
• That controls have been modified to assess the completeness of related parties as covered in SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015?