Auditors Can Help Directors Cope With the Changing Information Landscape

By Julie Bell Lindsay

12/17/2019

Cybersecurity ESG Audit Online Article

Throughout my career, I’ve been fortunate to have worked in the capital markets at some pretty interesting times: as a lawyer in Silicon Valley during the late-‘90s dot-com boom, at the US Securities and Exchange Commission just after the passage of the Sarbanes-Oxley Act of 2002, and at Citigroup as it emerged from the financial crisis of 2007 to 2009.

As of this posting, I’ve been at the Center for Audit Quality (CAQ) for just over seven months. And this position is yet another example of my being in an interesting place at an interesting time. Why? I see three reasons:

Technology. Technology and data have given rise to unprecedented business models and company structures. We continue to shift to a service- and IP-based economy, where the massive amount of data generated is now an enterprise asset.

Information Beyond the Financials. Stakeholders have an increased interest in and are relying on company-reported information outside of the audited financial statements prepared in accordance with Generally Accepted Accounting Principles (GAAP). This information could include non-GAAP financial measures; key performance indicators such as the sales pipeline; intangible indicators of value not included in the historical financial statements, such as a company’s brand and intellectual property; environmental, social, and governance (ESG) metrics; and cyber-risk management or other types of enterprise risk management disclosures.

Timeliness of Information. This refers to two concepts: First, as we all know, unaudited company earnings releases and analyst presentations are more likely to move markets than the annual release of audited financial statements. Second, the news cycle operates at rapid speed, and a negative news story—accurate or not—can spread quickly and destroy trust and reputations in a flash.

The Role of Auditors: Present and Future

Although I am not a certified public accountant, my experiences in the capital markets have ingrained in me a deep appreciation for the audit profession’s purpose and value.

I often say that the public-company auditing profession is one of those “assumed” or unremarked-upon institutions in the capital market system. The profession largely operates behind the scenes, and people tend not to notice when things are going right.

Yet there is so much taking place behind the scenes, and there is also so much that is going right for this profession. Every day, auditors contribute to high-quality, reliable financial statements, which many have referred to as the bedrock of our capital markets system. Auditors do this by reviewing a company’s financials and internal controls; by serving as an independent check on management and as a resource for audit committees; and by bringing their critical thinking, standards-based analytical skills, and skepticism to those complex areas of the financials, such as fair value. The state of audit quality today is high, thanks in no small part to the profession’s enormous efforts to maintain trust and continuously strive to improve.

The health and stability of the US capital markets depend on consistent, reliable, and comparable information. But much of the company-reported information I referred to above—on which stakeholders are relying—does not go through the rigor of independent third-party assurance.

At the CAQ, we believe auditors can help fill these existing and growing gaps in assured information. It’s a natural evolution for a profession with unique competencies in standards-based analysis, objectivity, professional skepticism, and critical thinking. Auditors can enhance confidence in areas such as:

  • ESG Reporting. Depending on the particular industry, public companies are increasingly issuing stand-alone ESG reports or including ESG metrics and indicators such as gender and/or minority pay gap statistics, greenhouse gas emissions, or other risks to the sustainability of the business in public-facing filings or documents. This information typically is not subject to an independent assessment. Boards should know that auditors can be engaged to perform an attestation of a company’s ESG information.
  • Cybersecurity. Boards should also be aware of the American Institute of CPAs’ cybersecurity risk management reporting framework, SOC for Cybersecurity. According to the CAQ’s Cybersecurity Risk Management Oversight tool, organizations can use the framework to “communicate pertinent information regarding their cybersecurity risk management efforts and educate stakeholders about the systems, processes, and controls they have in place to detect, prevent, and respond to breaches.” The reporting framework also “enables CPAs to examine and report on management-prepared cybersecurity information.”

Learn More: To help directors and other market participants get a handle on this evolving environment, the CAQ has released a new resource, The Role of Auditors in Company-Prepared Information: Present and Future. In clear terms, the paper delineates where the auditor’s role begins and ends today in the context of the audit of financial statements. It also highlights the need for the auditor’s role to evolve for the benefit of stakeholders, public company board members, company management, and the markets.

Of course, expanding the auditor’s role will not happen overnight, and it won’t occur without considerable effort and dialogue. My CAQ colleagues and others in the auditing profession look forward to engaging in this dialogue with all of the stakeholders in our capital markets system, especially our friends in the director community.

We are fortunate to find ourselves in interesting times. Let’s prepare ourselves now to make the most of them.

Julie Bell Lindsay
Julie Bell Lindsay is the CEO of the Center for Audit Quality.