Corporate Controller Leadership Network A peer-to-peer exchange for Fortune 100 companies Debrief May 2015


Kicking off year two: talent development, audit and disclosure committees, disclosure effectiveness and cybersecurity

Beginning its second year, the Corporate Controller Leadership Network (CCLN) gathered in New York on 24 March 2015 for its fifth meeting, hosted by Peter Carlson, Executive Vice President and Chief Accounting Officer of MetLife. In its first year, the group met at the headquarters of ConocoPhillips, General Electric (GE) and AT&T after an initial session in Chicago. Nearly half of the corporate controllers at Fortune 100 companies have joined the network, and of those controllers, 11 attended the meeting in New York.

Following a dinner the night before, hosted by John C.R. Hele, MetLife’s Chief Financial Officer and Executive Vice President, the group spent the day on issues that its steering committee and the participants had chosen for the agenda:

• Lessons learned in talent development
• The audit committee: emerging issues and the role of the controllership function
• Tapping into the value of the disclosure committee
• Disclosure effectiveness: remaking the annual report
• The brave new world of cybersecurity

Hot topic: the audit process

Before engaging with the agenda items, the group briefly touched on a hot topic that is never far from top of mind: the audit process. In light of the more encompassing regulatory environment of recent years, auditor requests have ratcheted up, straining the finance function, many in the room said. While acknowledging that auditors are caught in the middle, the controllers wondered whether all of the time spent in the effort produced enough benefits.

Many felt unsure about how and where to funnel their frustrations. “What is the organization that can actually do something?” one asked.

Several suggestions were offered. The controllers could send letters to regulators and also seek meetings. Some suggested pressing for change with the Chamber of Commerce and on Capitol Hill. And it would be helpful to come up with hard data to show how difficult the current environment is — in other words, determine just how many hours are needed by public registrants to support an audit.

But no one felt that a silver bullet had been found.

What follows is a summary of the discussion of the agenda topics, including more, on page 5, about the audit process.

Lessons learned in talent development

To identify, groom and retain talent, a system is needed to define different levels of performance, growth and compensation.

Much of the discussion revolved around forced distribution systems, which are still held in high regard by some, perhaps most, HR departments, but drew a mixed response from the group.

One controller noted the “de-motivating consequences” of using such systems, particularly if they involve all levels of the staff, including the most senior people. “How can you do that to senior people?” he asked. “They’re all leaders who are expected to be performing extremely well.” Another participant commented, “I would hope that no one unsatisfactory is at the senior level” — or that it would take a grading system to find that out.

Another controller used a modified forced distribution system, one that didn’t employ labels and wasn’t applied to every level. “There’s less that’s being distinguished,” this participant said, which makes the distribution of compensation more flexible. A more rigid approach, said another participant, means that there’s not a lot of dollars for the top performers, given that compensation is a zero-sum game.

But without some sort of forced distribution, how do you differentiate, asked a different controller. “Do you default to seniority? That’s not a good result.”

One participant referred to his company’s use of a nine-box grid system to track sustained performance and potential. In its Talent Management brochure, the company says that it employs the grid to make “targeted moves to develop the leadership pipeline” at each level.

Some controllers said their companies told employees which category they were in; some companies did not make such disclosures. As noted earlier, they also varied in how broadly the forced distribution system was applied. One company used a nine-box grid in the controllership function, but, contrary to what some of the others said, only for the most senior people. “For the rest of the staff,” this controller said, “the system is not particularly good at predicting performance.” Another said that a forced system was used “all the way down.”

Another type of differentiator is the willingness to relocate. “We no longer think of people as ‘high potential’ when they opt out of new postings,” said one controller. Said another, “You can say ‘no’ only once to a move.”

One controller said that sometimes the reluctance to move is widespread enough that outsiders have to be hired, creating hard feelings among those who balked and are now missing out on expected promotions.

But some controllers said that relocation was not a key differentiator because they didn’t have that many expat spots or because of cost concerns. “Some functions need people to move, some don’t,” one said. And another noted that what is needed for promotion is breadth of experience, and while some of that can be gained from going abroad, there are other ways to acquire it.

Of the controllers in the room, about half had relocated during their career, but only three had gone abroad.

When people do go abroad, do they return? One controller said that half had come back, half were still out there. It’s important to bring people back to the US, this person said, so that “people can see that it is not exile.”

Whatever system is used to differentiate, it is essential to identify who is ready for the next assignment and bigger opportunity — if only for self-defense. LinkedIn is making it easier and easier for companies to “poach” the best people, the controllers agreed. The competition is hottest in Asia, particularly in China. Central America was cited by one controller, who lost 10 people there.

But finding new talent is a two-way street, noted some participants, who credited LinkedIn for being the conduit in helping them locate the most sought-after people — at the level of the business unit controller and assistant controller — who have the right blend of technical skills and business insight.

Finally, reorganization was mentioned by one controller as a boon to succession planning. In cutting his direct reports from 10 to 7, he was able to remove roadblocks to development. “People got roles that developed their skills.”

Takeaways

• When deploying a forced distribution system, consider whether it should apply to senior management and decide whether to be explicit in categorizing employees.
• In filling relocation assignments, explain the rewards that flow from saying “yes” and the risks that attach when saying “no.”
• Learn to use LinkedIn to identify the hard-to-find candidates for senior roles.

The audit committee: emerging issues and the role of the controllership function

Cigdem Oktem, a principal at Tapestry Networks who oversees a networking program that serves audit committee chairs, and Ruby Sharma, a principal at the EY Center for Board Matters, joined the discussion. They shared their perspectives, gleaned from many meetings with audit committee chairs, on how the committees view the controllership function in today’s volatile audit environment.

There is a broad recognition among committee chairs that what is required of the controllership is evolving, as risks and regulations change, and that management needs to have a solid plan in place to assess skill gaps, they said. That means the audit committees are looking ever deeper within the function to press management to fill gaps and engage in succession planning.

The audit committees are also focusing on data analytics, and the predictive modeling that it makes possible. Big data is changing the nature of work performed by the entire finance organization, helping to shape more and more decisions, including those involving resources. Audit committees want to understand the challenges being confronted on the new front lines of risk.

In particular, they are asking how data analytics is being deployed in the controllership function and whether controllers are planning for the challenges they’ll face in the coming years. (See page 10 for their concerns regarding cybersecurity.)

In trying to understand the corporate culture and its effect on compliance, audit committees are looking to meet with the controller’s staff, including middle management, to see whether the organization’s cultural tone is working its way down the line. For that reason, many committees are traveling to more locations to meet different levels of employees at a broad range of businesses — sometimes without alerting senior management to their visits. The goal is to assess the “tone in the middle,” not just at the top, to discover if there are disconnects in remote locations about understanding key risks.

Indeed, the organization’s ability to assess and mitigate risk is an ever-present concern of audit committee chairs, noted a recent issue of VantagePoints, a publication about audit committees jointly produced by Tapestry and EY. Audit committee chairs, the publication said, are keenly interested in “management’s responses to changing operational, regulatory and fraud risks that, if not properly identified and understood, can become strategic risks in their own right.”

The controllers at the meeting were asked to identify questions that audit committees perhaps should be posing. They are looking at the top 100 people, and not inquiring about other levels of talent, said one controller, countering the earlier comments at the meeting about interest in deeper levels of the function. Committee members don’t bring enough questions overall to the table, said another controller. They spend a lot of time on internal audit and its needs, and much less on the rest of the organization, said a third.

In terms of disclosure effectiveness, and the move to provide more useful information in financial filings, some audit committees are being more proactive than others, it was agreed. But all seem to be acutely aware of the challenge posed by information overload and the need to tell a meaningful and powerful story in the executive summaries of filings.

Audit committees, by and large, agree with controllers about the audit burden they face, and are trying to find ways to engage with regulators to lift at least some of that burden.

Multiple avenues are available for engagement, Ruby Sharma noted. The Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) are eager to listen, and are open to companies picking up the phone to ask for a meeting. Financial Executives International (FEI) is also a powerful conduit for concerns, she said, as is the Center for Audit Quality. And sector and industry organizations have programs that reach out to regulators.

Takeaways

• Data analytics must be embraced as a key tool for managing the controllership function.
• Assess the “tone in the middle,” not just at the top, to ensure that the function’s culture is understood at all levels, regions and businesses.
• Make the case for appropriate resources, now and for the future.

Tapping into the value of the disclosure committee

One of the controllers offered a deep dive into the process employed by the disclosure committee that he heads, including the sub-certification process.

The disclosure committee meets each quarter, about a week before the filing of the 10-Q, and annually for the 10-K. (Open Pages, a compliance software program, is used by the company to collect and load data into the financials.) At its quarterly meetings, the committee has in hand, among other documents, a nearly completed draft of the 10-Q, a summary of the draft and an exhibit from each business unit. The exhibit, signed by the unit’s leader and its CFO, attests to the validity of the controls that were used. Essentially, those signing are saying that everything in the 10-Q relating to their line of business is credible and appropriate. The signed exhibits “provide a lot of comfort,” the controller said.

The committee uses the meeting, which lasts an hour, to discuss significant changes that have occurred during the quarter and to poll its members: speak now or forever hold your peace. In other words, they all have to agree that everything is ready to go to the audit committee the next day. (The outside auditor reviews the 10-Q in advance — significant changes are highlighted in yellow — and is very engaged in the process, but doesn’t attend the meetings.)

The committee is large — there are 19 members, including the vice president for investor relations (IR). When the committee was first formed, the controller said, IR was not a participant. But the absence was felt — “something was missing,” he recalled, in terms of coordinating the communication. “We felt we must include IR to ensure that the story is consistent between the press release and the MD&A [Management Discussion and Analysis], or if we decided that we must disclose an item, IR could figure out how to tell the story.”

All in all, the controller said, “our disclosure committee is working extremely well,” noting that no filings have had to be reissued in recent years.

Other controllers described a range of approaches taken by their committees, everything from how often they met and for how long (one favored a six-hour meeting each quarter, others more frequent hour-long sessions) to how involved they were with their audit firms.

A key dividing line was whether a committee saw the 10-K or annual report as part of the company’s messaging vis-à-vis investors or as purely a compliance document. That division affected who owned or drove the committee as well as IR’s role.

Several controllers said their committees met closer to the release of the filings, say 36 to 48 hours before, to lessen the possibility of a surprise development that would require changes.

But others said they use disclosure committee meetings to debate and work on the documents, not as an opportunity for sign-off.

The committee functions as an early warning system, one controller said, citing its reviews of business unit balance sheets and P&Ls. “It’s way forward-looking, versus today and backward-looking.”

What parts of the process warrant tweaking?

• Hearing more from management, with more participation from the CFO and business members
• Adopting one unified process for certification, encompassing both disclosure controls and internal controls
• Adding vigilance to avoid close calls when deciding whether to disclose
• Solving systems issues — one controller said that a lot of data collection is still done manually, a real burden given 100-plus sub-certifiers

Unlocking the committee’s potential

A recent report prepared by the Financial Executives Research Foundation (FERF) — in conjunction with EY — examined why companies have disclosure committees, how they are positioned in the overall organization and in what ways they are used to drive efficiency, effectiveness and accountability.

In the report, Unlocking the potential of disclosure committees: leading practices and trends, more than 100 companies responded to survey questions, and more than a dozen experts were interviewed.

The responses supported the view that a well-managed disclosure committee can help senior finance executives discharge their responsibilities while also serving as an integral part of risk mitigation. That said, how such committees are established and operated is very much a work in progress. Indeed, some companies are coming up short on implementation, the report showed.

For example, it is important for the disclosure committee to interact with the audit committee, many of those interviewed said. And yet, 43% of the survey respondents who have disclosure committees conceded that there was no formal interaction.

Takeaways

• The disclosure committee can be the linchpin to driving transparent, investor-friendly filings.
• IR should be at the table, to understand the context of disclosures, a prerequisite to shaping a consistent message for investors.
• The sub-certification process forces business unit leaders to raise any necessary issues.
• Data collection requires the right software and a minimum of manual effort.

Disclosure effectiveness: remaking the annual report

In less than a year, lightning speed in the world of financial reporting, GE has pulled off the nearly impossible — a wholesale rethinking of the company’s 10-K and annual report, both in print and online, with the goal not only of simplification and transparency but also of more effective storytelling. In short, GE has succeeded in doing what the SEC, the Financial Accounting Standards Board (FASB) and the investor community have been asking for.

The print version of the combined 10-K/annual report now begins with a package of graphics and photos that remake the business and MD&A sections. Dense blocks of type that were a challenge to the reader have been replaced by magazine-style accounts of business units that highlight the salient facts and figures. The new approach also personalizes the company’s executive teams while spelling out GE’s structure, strategy, performance and goals in attractive bite-size portions. The online version, filled with links and interactive elements, adds dazzle to the presentation as it customizes its use.

GE’s sense of itself — the 2014 cover title is A New Kind of Industrial Company — is clearly presented to investors, some of whom had a hard time understanding the organization’s complex industrial/capital mix in recent years.

The report is “more strategic, better aligned with the way we talk about the company on our earnings calls and much easier to read,” Jeffrey S. Bornstein, GE’s Senior Vice President and CFO, said in a recent article about the change.

The shift to the new structure and look involved working with stakeholders throughout GE to gather support and cooperation, overcoming numerous obstacles on the IT front (the SEC requires, for example, that all information in charts be searchable) and keeping regulators informed of the changes that were coming. The report has drawn much praise. And so far, at least, there has been no blowback from regulators. Those at the CCLN meeting agreed that GE had raised the bar very high.

Takeaways

• Keeping all stakeholders in the loop is essential.
• So is recruiting people to the makeover effort who are not wed to the legacy versions.
• Don’t underestimate the technological hurdles that must be overcome in making a significant shift.
• The end product will look simple, but the journey will be anything but.

The brave new world of cybersecurity

Kevin Jacobsen, EY’s Executive Director of Forensic Technology and Cyber Investigations, joined the discussion. Kevin is a retired US Air Force Brigadier General who commanded the Office of Special Investigations (the Air Force’s law enforcement and cyber investigative agency) and also led the Defense Department’s Defense Cyber Crime Center.

In the short history of the CCLN, cybersecurity has vaulted from being a somewhat obscure potential danger handled by the IT folks to a first-rank risk that has grabbed top billing on the agendas of everyone from the audit committee chair and the CFO to the CEO and the board of directors.

Two members of the CCLN were gracious enough to share their recent experiences dealing with a cyberattack. Wryly noting that there is “no first-mover advantage” on this front, one of the controllers listed some of the lessons learned: that an attack is inevitable; that it is essentially impossible to stop the bad guys from getting in (they are armed with military-grade technology and endless persistence) and that the best defense is to detect them as quickly as possible and limit the damage.

The newest tools for doing business in a globally connected digital world — the web, the cloud, social media, offshoring, shared services — have all raised the risks. And when an attack comes, the particular worry facing the controller is whether the company’s financial data has been tampered with. If no plan is in place to be up and running quickly, the penalty is severe: time, energy and effort will be sucked out of regular operations.

The impact from an attack can be felt in three ways, according to one of the affected controllers. On one level, it is an accounting exercise, with implications for contracts and reserves, among many other things. An attack also triggers intense scrutiny of internal controls: What was breached? What has to change? The answers require long conversations with internal and external auditors, outside counsel and IT specialists. And finally, there is the corporate governance piece, involving enterprise risk management, organizational structure and accountability, and a flood of questions from the audit committee and IR, not to mention the need for reactive and possibly proactive disclosures.

With audit committees now focusing in a much greater way on the risk environment, many controllers are being told to become engaged in conversations to find and fix cybersecurity gaps now. Meanwhile, auditors are also asking questions about protections for critical finance and accounting systems.

The problem, besides the cost and time involved in revamping existing systems, is that the very nature of the cyber world makes security a relative term, General Jacobsen said. In all likelihood, every major company is already infiltrated, with the timing of an actual attack up to the intruder. To be sure, many defensive steps can be taken to lessen the risk (by reducing the number of legacy IT systems, for example), but the question is no longer if you will be attacked, but rather when and how badly.

There are too many entry points to guard them all (just one wayward employee, innocent or not, can be the entry point) and too many ways for the bad guys to avoid detection once they are inside. Any sense of security that a company has is in all likelihood a false sense of security.

The right strategy, the general said, is to be ready to do something when the attack occurs — specifically to complicate your adversary’s advance enough to keep him from getting to your crown jewels (whether they are intellectual property, client information or some other form of invaluable electronic asset). Whatever is most critical to your enterprise must be protected first and at all costs.

The company’s financial data has to be protected as well, of course, to ensure that SOX reports remain clean — and that auditors can be comfortable.

Controllers need to ask themselves the following: How well do you know your IT security? Are you asking the right questions? Do you need someone to help guide you in this area?

However intense the protective efforts may be, companies have to understand that there is no “tech fix” for cybersecurity, the general explained. The fix is in staying involved. In part, that means being willing to share information about any attack you have withstood so that others can sharpen their defenses.

Above all, it means remaining flexible in the face of an ever-evolving threat. As one recent report put it, companies must maintain “sustainable, resilient operations in the cyber ecosystem. They must decide if, and how, they will achieve their business outcomes within an ecosystem in which individual survival is never guaranteed.” (Achieving resilience in the cyber ecosystem.)

Takeaways

• Victory in the cyber theater of war is a relative thing — it is the ability to minimize the disruption that the bad guys cause once they flip the switch.
• Companies have to accept the need for constant vigilance.
• The cost of effective protection is high and ongoing — the cost of inadequate protection is much higher.

Looking ahead

The next CCLN meeting will be held in early fall in Chicago, hosted by John Stott of Archer Daniels Midland.

For more details about the upcoming session or the meeting described herein, or to suggest ways to make the network more valuable, please feel free to contact us.

Ken Marshall
Americas Financial Accounting Advisory Services Leader
+1 212 773 2279

Chuck Seets
Americas Assurance
+1 404 817 5522

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2015 Ernst & Young LLP. All Rights Reserved.

SCORE no. BB2992 1504-1443489ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com