Beruflich Dokumente
Kultur Dokumente
Trends
2016
From transformative
technology to complex
regulation to unprecedented
geopolitical risk, an increasing
tide of disruptive trends are
demanding substantive
change to the global role
of audit committees.
kpmg.ca/audit
Audit Trends 2016 | 1
Foreword
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 2
Director commentary
Targeting transformation
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 3
Contents
Audit Trends
1 Technological
risk
6 Cyber security risk
Data protection
Social engineering
7 Business model risk
D&A privacy risk
Technology project risk
Auditing of third parties
Cyber insurance
Remediation procedures
2 Political and
economic risk
8 Economic volatility
Emerging market risks
Geopolitics
9 Spotlight: Industries in crisis
and audit committee priorities
3
The evolution 10 Integrated and 11 Expanded audit reports
of corporate strategic reporting Disclosure of operating and
reporting other performance indicators
4
complexity of
the regulatory IFRS 9 - Financial instruments The impact of global regulations
landscape IFRS 15 - Revenue from Contracts on Canadian audit committees
with Customers
IFRS 16 - Leases
IFRS 4 - Insurance Contracts
Ensuring third-party adherence
to regulatory mandates
Anti-Money Laundering (AML)
legislation
Privacy legislation
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 4
Director commentary
Targeting transformation
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 5
Introduction
Disruption on multiple
fronts is putting audit
committees on high alert
It has become one of the most commonly
used terms in business today.
Virtually no strategic conversation proceeds without someone Disruption can affect audit committees in different ways. In
citing the need to either be disruptive or to respond quickly to some casesfor example, cyber securityaudit committees
disruptive market and industry trendstrends that have must become more knowledgeable and more vigilant in their
typically been connected to technology in one way or oversight due to the rapid, ongoing evolution of the field. In
another. We dont, however, generally think about the other areas, such as oversight of reporting and compliance, it
concept of disruption when talking about the audit is their own approaches and processes that are changing, as
committee, even when were discussing its changing role complex standards up the global regulatory ante.
and responsibilities. This report, as always, is about audit trends affecting the
However, the concept of disruption is broadening its meaning governance and oversight responsibilities of the audit
beyond its current association with the interaction between committee. Our goal this year is to look at some of the more
technology, business and market forces. It is being applied in disruptive trends, at the ways in which they are driving or
other areas and to other, broader trends. One might talk, for necessitating substantive change and at how audit
example, about the disruptive impact of demographic trends, committees are, or should be, responding.
rather than just technological ones. To that end, a high-level
concept of disruption provides a valuable framework for
discussing many of the changes and challenges currently
facing the audit committee. And there are, without question,
a range of audit trends that can only be seen as disruptive,
given the kind of substantive change they are driving and their
potential to transform the way audit committees do what they
doand what they are increasingly being asked to do.
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 6
1. Technological risk
Technological disruption continues to appear on the
audit committee agenda, with audit committees
challenged to ensure they are considering the full-
range of existing and emerging risks and that the
appropriate technological knowledge and
experience are represented on the committee.
Cyber security risk 1 and protection of alternative data 4. Cyber insurance
With cyberattacks on corporate setsbeyond standard credit card Cyber insurance addresses an
networks and systems becoming more informationis being carried out. To organizations liability when faced with
advanced, cyber security remains a augment the information they have at cyber-based risks, such as a data
major oversight concern for audit hand, audit committees can also breach or data destruction resulting in
committees. Years ago, retail and request relevant data directly from IT, the loss of sensitive information.
financial services organizations were for example, testing results, reviews of Organizations are beginning to
most at risk due to the processing of key data and hacking reports. purchase these types of policies, but
credit card data. Today, personal 2. Social engineering there remains some confusion over
information is frequently targeted over Social engineering is a broad term for exactly what is and isn't covered. The
credit card data, placing a much broader any kind of psychological deception or audit committee should have oversight
range of organizations at risk. The cyber exploitation of the "human factor" to over such policies in meeting with the
security challenge can be broken into gain access to information. Email insurer to confirm that the
five more granular topics: phishing is one form, but attacks can be organizations significant financial
much more complex, employing phone exposures are, in fact, included.
1. Data protection
Data protection, while clearly calls, physical impersonation or any 5. Remediation procedures
connected to cyber security, actually scenario that plays on the targets Too often, audit committees look at a
falls into a larger business security sympathy, fear, greed, etc. Proper cyberbreach, ensure a particular,
category, as data loss can occur in oversight should involve social media established process is being followed,
many ways. When considering data acceptable use policies and then move on. More and more,
protection, audit committees often organizational workflows detailing however, we see audit committees
receive from management a list of proper account usage. getting involved in post-mortem
security programs that are currently in 3. Auditing of third-parties follow-up reviews, sometimes even
place; however, the first step should Many organizations are relying more going beyond the standard oversight
really be making sure the right and more on third parties as part of their role in order to understand what went
information has been identified and business model. The audit committee wrong, ensure remediation compliance
data sets clearly defined. This can be should ensure that management has and probe for other areas of
a challenge as what is considered considered and evaluated whether vulnerabilities to help combat future
relevant continues to change. Today, appropriate controls are in place to attacks.
things like user names, passwords, prevent misuse of any confidential
awards program profiles and social customer information aggregated by
media accounts are being targeted. third-party vendors. To be more certain
Given that this list will continually that the organization is not creating
evolve, audit committees should additional liabilities, third-party audits
regularly confirm that the definition are becoming more common.
1 For further analysis of these and other current cyber security issues, read the KPMG publication Cyber Watch Report: Be in a defensible position.
Be cyber resilient. at https://home.kpmg.comcontent/dam/kpmg/pdf/2016/02/cyber-watch-report-en.pdf.
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 7
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 8
2. Political and
economic risk
Political and economic risks are increasingly With falling oil
becoming audit committee agenda topics, with prices, a weak dollar
large enterprises implementing sophisticated and general political
models to analyze them. uncertainty around
Economic volatility How will management mitigate new the worldconsider
risks? Do they fully understand them?
The global economic environment has
How effective are existing controls? Are
the Middle East
become extremely complex, as have
the implications for Canadian more controls needed? And if the conflicts, European
businesses. While there are distinct company already operates in volatile
opportunities around mergers, markets, should a review of risk refugee issues,
management in those jurisdictions be
consolidations, building synergies and
undertaken?
China slowing down
cutting costs, both the dollar and
commodity prices remain difficult to Geopolitics and the UK possibly
predict. Exporters and tourism may
benefit, but mining and energy are
Syrian refugees, Middle Eastern leaving the EU as
conflict, Chinas economic sluggishness:
suffering. Amid these conflicting trends
the complexities abound. While some of just a few examples
and confusing economic datawhere
these global issues are generating more
risk can be rapidly heightened or
traditional geopolitical risks, events such
exercising greater
diminished depending on the
sectoraudit committees need to be
as the massive demographic shift oversight over
created by the Syrian refugeesand the
cognizant of global volatility as it relates
many pressures that they are creating in political and
to their own organizations financial
Europeare different and should be
strategy.
addressed. Even though Chinas
economic risk needs
Emerging markets risks economy is growing faster than the rest to become a priority
Canadian companies are looking to of the world, international stock markets
access emerging markets, but the came to a virtual standstill when Chinas for Canadian audit
market dropped, significantly resetting
question of how to play in those
global trade dynamics. Factor in the
committees.
markets and what risks they raise is
key. Its important to balance your enormous uncertainty surrounding the Kristy Carscallen,
exposure in good and bad times and US election and what impacts its result
Canadian Managing Partner, Audit
given current economic challenges, may have and its clear geopolitical
audit committees may want to instability needs to remain on the audit
scrutinize their organizations new committee radar.
market entry plans more carefully.
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 9
Spotlight
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 10
3. The evolution of
corporate reporting
Much has been made of recent developments
in corporate reporting and that focus will
continue as changes are ongoing.The simple
fact is, a lot more is expected around
reportingfrom regulators, from shareholders
and from companies themselves.
Is the full range of risks being disclosed and adequately an organizations business model and strategic priorities. The
discussed, including those that go beyond the coverage in the aim is to reflect the critical opportunities and challenges that
financial reports and traditional MD&A? Are the right people affect the businessthe same issues that management is
around the table to ensure reporting quality? How reliable is dealing with on a daily basis within the organization.
the information being gathered and reported and how much This trend toward integrating various statutory and voluntary
value door caninvestors place on it? Is there consistency forms of corporate reportingfor example, reporting on areas
around the way reports are being prepared, executed and such as long-term value creation and corporate responsibility2
reviewed to ensure they add real value? To help answer these becomes challenging to achieve while still creating an
questions, we have identified three trends to which audit annual report that is lean and manageable. A Corporate
committees should pay particular attention. Reporting Dialogue (CRD) has been formed to help respond
1. Integrated and strategic reporting to this challenge and bring together IR and other emerging
There is growing recognition that the range of issues and frameworks in this area.3
opportunities affecting long-term business value is much Importantly, this push towards improved disclosure of
broader than can be reflected in a set of current-year financial non-financial information beyond the traditional annual report
measures. Companies reports need to reflect this if they are is becoming critical to the audit committees reporting
to support investors capital-allocation decisions effectively. oversight mandate.4
Initiatives such as Integrated Reporting (IR) are intended to
provide a basis to address this by refocusing reporting around
2 To learn more about the state of non-financial reporting worldwide, see Currents of change: The KPMG Survey of Corporate Responsibility Reporting 2015 at
http://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/kpmg-survey-of-corporate-responsibility-reporting-2015-O-201511.pdf
3 http://corporatereportingdialogue.com/
4 For more information on integrated reporting visit: https://home.kpmg.com/xx/en/home/insights/2013/04/integrated-reporting.html
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 11
There is a growing
trend toward what is
being called strategic
disclosure. While
statutory reports
have traditionally
focused on historical
financial information,
many global
governments and
securities regulators
now require some
2. Expanded audit reports 3. Disclosure of operating and
form of strategic Audit committees will be impacted by other performance indicators
the trend toward expanded audit Companies are increasingly distributing
reporting5. In such reporting. Intended to improve audit operating metrics that relate to
reports, the Board is quality and transparency, auditors will volumes, capacity, growth or other
be required to describe key audit indicators of performance that are of
responsible for matters, including what audit work interest to the market. This information
was performed in those areas. The is often provided on a quarterlyor
discussing the main expanded audit report will also provide even monthlybasis. Audit
trends and factors more transparency into auditor and committees should understand the
management responsibilities with nature of the information being
likely to affect the respect to the financial statements. provided, as well as the underlying
The intention is to have a report processes, to ensure that the
future development, tailored to each companys specific information is accurate, complete and
performance and circumstances, particularly with prepared on a consistent basis.
respect to the risk profile and the
position of the auditors understanding of and
response to those risks. Audit
companys business. committees should continue to
Non-financial key monitor developments with respect to
expanded auditor reporting, including
performance experiences in other jurisdictions and
the standard-setting processes in
indicators are often Canada and the US.
included to highlight
these trends and
factors.
Bill Murphy,
Governance and Assurance Leader
5 See, for example, https://home.kpmg.com/content/dam/kpmg/pdf/2014/09/practical-guide-strategic-report.pdf
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 12
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 13
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 14
Conclusion
The disruption paradigm applies
now to manage the transformation
For the most part, disruption has been closelyalmost inextricablylinked to the notion of technological
innovation and its various impacts on business models and businesses themselves. In market-terms, disruption
usually refers to a technological innovation that is so different and creates such a ripple in an existing model (sales,
customer service, production, etc.) that everyone else is forced to change the way they do things just to catch up.
Is this so different from what is happening to the role of the audit committee? The issues we have discussed are
real and either happening or pendingthe ripples are growingand audit committee members are indeed seeing
their mandate transformed. In some ways, audit committees are having to do somecatch up as it relates to these
disruptive forces.
Going forward, managing inevitable change will be both an audit committee priority and a challenge and one that
all audit stakeholdersC-Suite, management, auditors, regulators, shareholders and even the publichave an
interest in facilitating.
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 15
Best practices
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016 | 16
Director commentary
Targeting transformation
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016
Director commentary
Targeting transformation
Best practices
Getting the right expertise
around the tableand
knowing when its time to
reach out for itis absolutely
vital for todays audit
committee. You often need
expertise outside of financial,
but that can present an issue
since the committee remains
financially focused. Looking to
attract people with a financial
focus from specialized
industriesfor example,
a CFO from the technology
sectorcan help augment
expertise while maintaining
general financial acumen.
Deborah Rosati, Director
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Audit Trends 2016
Contributors
Canada United Kingdom
kpmg.ca/audit
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we
endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will
continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the
particular situation.
2016 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG
International Cooperative (KPMG International), a Swiss entity. All rights reserved. 12819
The KPMG name and logo are registered trademarks or trademarks of KPMG International.