This is a service specifically targeted at the needs of busy non-executive Directors.  We aim to give you a “heads up” on the things that matter for NEDs in the week ahead – all in two minutes or less.  

In this edition, we consider ASIC’s commitment to communicating negative audit review findings to directors, the AICD and AISA’s Board and Cyber Resilience study and updates to the ASX Listing Rules in relation to oil and gas entities.  We also consider an application received by the Takeovers Panel in relation to the affairs of Moreton. 

In Risk Radar, we consider the increased risk in business email compromise scams, which cost Australian businesses $277m in 2021.

GOVERNANCE & REGULATION 

ASIC’s negative audit review findings to be communicated to directors.  ASIC has announced that moving forward, it will routinely discuss negative findings from audit reviews with directors, instead of on an exception basis as is currently the case.  ASIC has advised that it will communicate with directors where it has formed the view that an auditor has not obtained reasonable assurance that the entity’s financial statements are free of any material misstatements, has concerns that the auditor did not meet the independence requirements of the Corporations Act 2001 (Cth) or considers it prudent that any other matter should be brought to the attention of the directors of the entity or its audit committee.  This will commence with audit file reviews for the 12 months to 30 June 2023 which will be covered by ASIC’s public inspection reports.  See media release.

AICD and AISA release study showing that boards need to take cybersecurity action.  The Australian Institute of Directors (AICD) in conjunction with the Australian Information Security Association (AISA) have conducted a ‘Boards and Cyber Resilience’ study which sought to determine board preparedness for cybersecurity risks.  850 directors were surveyed, and the results showed that while the issue of cybersecurity is a prominent issue on the minds of boards, it is not receiving corresponding levels of action.  72% of directors said that they consider cybersecurity to be a high priority issue for the board.  However, only 53% said that they have a formal cybersecurity framework in place.  Further, there are clear gaps in cybersecurity training, with only 44% of directors indicating that they have received some cybersecurity training, and only 39% making cybersecurity the focus of a board committee.  The CEO of the AICD noted “directors are awake to the risk of cyberattacks, but that awareness needs to translate into action at a board level”.  See media release.

Reporting requirements for oil and gas entities - updates to Chapters 5 and 19 and Guidance Note 32 of the ASX Listing Rules now effective.  The amendments to the ASX Listing Rules give effect to changes made to the Petroleum Resources Management System in 2018 and address other issues relating to oil and gas entities, largely around consistency in reporting requirements.  New rules have been implemented which (a) set out the disclosure requirements for an entity reporting forecast financial information derived from estimates of economically not viable contingent resources, (b) impose constraints and prohibitions on the disclosure of certain information relating to prospective resources, (c) require further disclosure around flow rate tests, and (d) make consequential amendments to the Chapter 19 definitions for consistency.  See ASX notice.

LEGAL

Takeovers Panel receives application in relation to the affairs of Moreton Resources Limited.  The Panel has received an application from the Board of Moreton Resources Limited (in Liquidation) (Receivers Appointed) (Subject to Deed of Company Arrangement) (Moreton) in relation to the affairs of Moreton.  Moreton has approximately 2,100 members and is under various forms of external administration.  Numerous parties have been appointed as administrators and liquidators of Moreton.  First, on 10 June 2020, Mr Sparks and Mr Orr of Deloitte were appointed joint and several administrators of Moreton.  They were subsequently appointed as liquidators on 15 July 2020.  Then, on 3 May 2022, Mr Hambleton and Ms Chau of Rodgers Reidy were appointed joint and several administrators of Moreton.  Further, on 25 May 2022, Mr Kirk and Mr Joiner of Cor Cordis were appointed receivers under the terms of a secured debenture debt.  A deed of company arrangement was then executed on 7 June 2022, appointing Mr Hambleton and Ms Chau as deed administrators.  The Board are seeking a declaration and multiple orders, including orders setting aside the appointment of the receivers. The Panel has yet to make a decision whether to conduct proceedings.  See media release.

RISK RADAR

Business email compromise costs Australian businesses $227 in 2021.  The ACCC’s latest Targeting Scams Report discloses that Australian businesses lost $277m as the result of a payment redirection scam (or business email compromise) in 2021, which was a 77% increase compared to 2020.  Business email compromise refers to a scam technique whereby scammers impersonate a business or its employees via email and request an upcoming payment to be redirected to a fraudulent account.  The report identifies this as the most financially damaging scam in 2021.  The largest monetary impact was felt by medium sized business (20-199 staff) while the largest number of attacks occurred on micro sized businesses (0-4 staff).  That being said, it is estimated that only around 13% of victims report scams to Scamwatch, and therefore these numbers only reflect a small proportion of instances.  The risk of scams continues to grow year upon year and cause significant damage to businesses.  Boards are reminded to be aware of cybersecurity risks and put policies and procedures in place to mitigate financial and reputational losses arising from scams such as business email compromise.