Setting the 2022 Audit Committee Agenda The webinar on Setting the 2022 Audit Committee Agenda was moderated by Brian Christensen, EVP, Global Practice Leader – Managed Solutions at Protiviti USA. The panelists comprised of: Dr. Nasser Saidi (President of Nasser Saidi & Associates, UAE). Mr. Walid Shukri (Board member and Audit Committee Chairman, KSA). Ms. Dana Al Yazeedi (Director of Internal Audit, Department of Education and Knowledge (ADEK) Abu Dhabi, UAE). Over 120 participants joined the second Middle East focused annual audit agenda updates. The participants included Board & Audit Committee Members, Chief Audit Executives, C-suite executives, and other management levels across different industries in the MENA region. Brian kicked off the webinar by providing an overview of the 2022 Audit Committee agenda. It was followed by a panel discussion where the panelists shared their insights on the key emerging trends. The session was concluded with a Q&A session, where the panelists shared their thoughts on questions from the participants. The key pointers for the Audit Committee to consider on their agenda in 2022 are as follows: Evaluate the scope of the Audit Committee’s responsibilities Review the Board’s coverage of ESG reporting Consider the reporting and disclosure implications inherent in the risk landscape Pay attention to the demands on and resources available to the finance function Understand the CAE's plans to sustain the Internal Audit's relevance Assess the impact of the emerging post-pandemic new normal on financial reporting assertions Assess the impact of the emerging post-pandemic new normal on internal controls Consider the quality and effectiveness of whistleblower programs Topics Board Matters Cybersecurity and Privacy Internal Audit and Corporate Governance Risk Management and Regulatory Compliance Business Performance Digital Transformation Key Takeaways The pandemic has tested Audit Committee's ability, sustainability, and resilience with gradual mission creep, resulting in increased items on the Audit Committee agenda. New skill sets are required among the Audit Committee members to tackle unknown risks. Because of the changing business environment, the risk register should be more dynamic to ensure adequate monitoring of rapidly changing risks. Auditing at the speed of risk by having an agile audit plan. The tone needs to be set from the top on ESG reporting. It should be part of "integrated reporting" which combines financial reports with ESG reports. Some of the key discussions with the panelists covered the following areas: AUDIT COMMITTEE ACTIVITIES Over the last two years of the pandemic, do you feel the items and activities covered by the Audit Committee have increased and are resulting in increased pressure on the Committee? Panelists emphasized that the Audit Committee is in charge of the overall control environment of the organization. Thus, the scope of the Audit Committee is much broader than before. As organizations emerge out of the pandemic, it is the right occasion for the Board and the Audit Committee to review the mandates, Committee members' skills facing the pandemic and climate-related risks, competence, and diversity. The reviews will ensure that the Audit Committee can focus on the organization's resilience, particularly the physical risks, supply chain disruptions, cyber security, data governance, etc. Nonetheless, Audit Committees have started to address the pandemic's internal and external impact. Does company size, legal structure, maturity, and industry change the perspective of what the Auditee Committee is doing? The panelists agreed that the company size, legal structure, maturity, industry, etc. significantly impact the Audit Committee agenda. However, as the organization evolves in size, Audit Committee's task becomes more challenging. As a result, the Audit Committee needs to focus more on their core skillsets, such as reviewing internal controls, financial reporting, and fraud. If required other Committees can be created such as risk and governance Committees to perform the different activities. ESG 29% of the participants believed that sustainability matters are integrated into strategy, and reporting is viewed as an opportunity to enhance brand image. Considering the increasing awareness among customers of the ESG impact and increased focus on climate risk within the global community, how can Internal Audit and Audit Committee help drive this agenda? The discussion highlighted; that climate change is an existential risk that will affect all originations. They considered that "E" in ESG should be replaced by "C" for the climate. ESG is an evolution, and the pendulum has shifted to the extreme right, where everybody has started speaking about ESG. Organizations have to identify the financial and socially material information for the company. They have to assess the impact of climate-related risk and account for its implication in the financial statements. All the panelists concurred that though ESG is necessary, the Audit Committee's role is to audit the function, ensure its part of integrated reporting, and adequacy of reporting crucial matrices relevant to the organization rather than embed it as a vital responsibility of the Audit Committee. TRANSFORMATION IN INTERNAL AUDIT How imperative do you think it is for CAE to undertake transformation and innovation activities around internal audit plans? Expectations from CAEs/Audit Committees have increased from both internal (senior management) and external (external auditors, professional regulators) stakeholders. For example, IA has now to express an opinion of the organization's internal control environment. Regarding transformation and innovation in audit, the panelists concurred that the annual risk assessments might have to make way for a more agile audit plan, updated quarterly/semi-annually to address the rapidly evolving risk environment. 38% of the participants believed that the organization has started discussing and exploring the possibility of implementing Combined Assurance/Aligned Assurance in coordination with various assurance providers (Internal/External Auditors, Compliance, Risk Departments). What kind of paradigm shift is the Audit Committee expecting the CAE to conquer with these changed circumstances and in what areas? The panelists believed that audit needs to accelerate digitalization by using various tools such as Artificial Intelligence, Machine Learning, and Robotics to increase the internal audit efficiency so that CAE can be more productive. However, it also requires good quality of information flow within the organization. Moreover, CAEs and their staff should be well trained and capable of using these tools. DATA GOVERNANCE/PRIVACY AND CYBERSECURITY Do you believe that sufficient resources (monetary and skillsets) are available in the organization to handle the increased importance of data privacy, governance, and cyber security? The panelists concurred that data privacy, governance, and cyber security remain a key concern for all organizations with significant challenges in terms of resources, both financial and skills. Key parameters/metrics to monitor the ROI of financial investments are still unclear, leading to uncertainty in evaluating the investments. Further, there is a shortage of skillsets across both local and global levels in operations and management. Also, it remains a black hole for most Boards, and only a few understand the real implications unless they are hacked, or a security incident takes place. Adding to the above challenges is the lack of a consistent approach to the maturity of regulations, data privacy, and cybersecurity. It is still a big challenge and requires significant investments. The panelists agreed that data privacy, governance, and cybersecurity frameworks need to be in place as threats to organizations within the region will increase in the coming years. 50% of the participants believed that insufficient resources (monetary and skillsets) are available in the organization to handle the increased importance of Data privacy, governance, and Cyber Security. WHISTLEBLOWING/CODE OF ETHICS/ANTI-FRAUD Do you believe there is a need to revisit whistleblowing, code of ethics, anti-fraud policies, and programs considering the changing working environment? The panelists explained that the existing code of conduct and the anti-fraud program should be revisited if still valid while working remotely or outside the physical premise of the organization. In addition, this information should have been communicated to the internal and external stakeholders during the pandemic to account for security controls and assure the whistleblowers and external providers that they are protected. Challenges Cybersecurity continues to be a top global risk ESG reporting standards are evolving Quantifying climate risk Digitalization will change the internal environment Skillsets have to be updated for Internal Auditors and Audit Committee members to factor in the dynamic risk environment Parting Thoughts Sustainability reporting will be mandatory in the near future. The financial statements should incorporate climate-related risk Cybersecurity and data privacy requires huge investment Internal audit needs to digitalize