Audit Committee Insights April/May 2023

Generative AI: Are You Addressing Factors of Trust and Ethics? There’s No Time to Waste

Generative AI is a lot like Roy Kent in Ted Lasso. It’s here! It’s there! It’s every $&!-ing where! (Roy Kent! Roy Kent!). Ask a 15-year old if they’ve heard of and/or used ChatGPT and the response is, “duh… of course.” Have you used it? Created an account? It’s not the only game in town, but it’s interesting to test it out. Ask ChatGPT:

• Where are the best vineyards to visit in Napa? (or some other inquiry that you might know the answer to…best places to visit in Rome?}
• What are the themes of Romeo and Juliet?
• What are 5 things to know about ?

You can test the results based on your knowledge. Your own biography may be way off base. It can be jarring. How do you know the output is correct?

According to Deloitte’s AI Institute, the trustworthiness of Generative AI depends on how an organization uses it, and as enterprises wade into this fast-moving field of AI, there are factors of trust and ethics that should be addressed.

1. Managing hallucinations and misinformationA fundamental risk is that users may place complete confidence in erroneous or biased outputs and make decisions and take actions based on a falsehood. One way to help mitigate this risk is through AI governance, and many of the leading practices associated with other kinds of AI also apply to generative models: workforce upskilling, waypoints for decision making across the AI lifecycle, structured oversight, and ubiquitous documentation.
2. The matter of attributionEven if a model does cite accurate source information, it may still present outputs that obscure attribution or even tread across lines of plagiarism and copyright and trademark violations. How do we contend with attribution when a tool is designed to mimic human creativity by parroting back something drawn from the data it computes? If a large language model outputs plagiarized content and the enterprise uses that in their operations, a human is accountable when the plagiarism is discovered, not the Generative AI model. Recognizing the potential for harm, organizations may implement checks and assessments to help ensure attribution is appropriately given. Yet, if human fact-checking of AI attribution becomes a laborious process, how much productivity can the enterprise actually gain by using Generative AI?
3. Real transparency and broad user explainabilityToday’s Generative AI models often come with a disclaimer that the outputs may be inaccurate. That may seem like transparency, but the reality is many end users do not read the terms and conditions, they do not understand how the technology works, and because of those factors, the large language model’s explainability suffers.To participate in risk management and ethical decision making, users should have accessible, non-technical explanations of Generative AI, its limits and capabilities, and the risks it creates. Business users should have a real understanding of Generative AI because it is the end user (and not necessarily the AI engineers and data scientists) who contends with the risks and the consequences of trusting a tool, regardless of whether they should.

NACD Updates Its Director’s Handbook on Cyber-Risk Oversight

Now in its fourth edition, NACD partnered with the Internet Security Alliance (ISA), the U.S. Department of Homeland Security, and the Federal Bureau of Investigation to present principle-based guidance on the board’s role in securing their organizations in its Director’s Handbook on Cyber-Risk Oversight.

The Question of Adding a “Cyber Expert” to the Board

While the handbook is extensive related to cyber-risk oversight, we call to your attention considerations from the handbook of whether to add a “cyber expert” to the Board.

According to a 2022 NACD survey of publicly traded company directors, 47 percent of boards delegate cybersecurity oversight tasks to the audit committee – the committee which most often oversees complex audits of financial and compliance matters, while 32 percent oversee the risk as a full board and 13 percent delegate it to a risk committee.

Some companies in recent years have considered whether to add cybersecurity and/or IT security expertise directly to the board via the recruitment of new directors. According to the 2022 NACD Public Company Board Practices and Oversight Survey, 43 percent of surveyed companies displayed ambivalence about recruiting a cyber-savvy director to their board, while 42 percent either agreed or strongly agreed that adding this expertise would be worthwhile.

If the US Securities and Exchange Commission’s proposed rule on cybersecurity is passed as it stood at the end of 2022, companies may be compelled by regulation to recruit someone with cybersecurity expertise onto their board.

Should You Have a Cyber Expert on the Board?

Naturally, the answer is, it depends. The NACD handbook offers these Questions to Consider:

• How are we defining a “cyber expert”? The first principle in this handbook is that cybersecurity is not simply an “IT” issue, but rather an enterprise-wide risk-management issue. So, is the board looking to add an expert in enterprise-wide cybersecurity issues? A former CISO? Consider the company’s needs and strategy, and align accordingly.
• Is this strategy really deferring to one individual a responsibility that the full board should undertake? Might it be more appropriate for the full board to increase their understanding of cybersecurity systems in a way that is similar to the understanding that non-lawyers and non-financial experts have of these systems?
• How does having a single cyber expert on the board mesh with the cross-functional cyber-management structures that are becoming increasingly common?
• Does placing a cyber expert on the board set a precedent for assigning seats to other specialized oversight areas?

Material Weaknesses Up Due to Tech Investments and Resource Turnover

According to PwC, the number of material weaknesses disclosed in a company’s 10-K jumped 73% from 2021 to 2022. In the first quarter of 2023, material weaknesses have increased 25% relative to the same period last prior year.

• Some of the developments driving the increase in material weaknesses include:
  • Increase in IPOs and SPACs in recent years. Although IPOs and SPACs have slowed down, the effects of poor controls in transactions completed before 2022 can linger. These companies typically have fewer resources and a leaner operating model, which can result in weaknesses related to inadequate personnel, oversight and level of reviews. Forty-three percent of all US IPOs since 2017 disclosed at least one material weakness before going public. In addition to this, PwC’s research reveals that most de-SPAC companies are likely at greater risk for fraud within just two years of going public due to material weaknesses and internal control deficiencies in a number of key areas.
  • Increase in digitization and technology investments. Companies often overlook risk mitigation measures and controls intended to address digital transformation initiatives such as cloud migration, greater automation, and increasing reliance on machine learning.
  • ​​​​​Increase in turnover of resources. Whether related to restructuring efforts or resignations, there is often insufficient change management, transition, and transfer of knowledge to new control owners as turnover occurs.
• 55% of material weaknesses reported relate to the following key areas:
  • Financial close process, which includes a range of issues related to the timely gathering of data for use in the close process. It can also include issues with accounting policies and procedures that prevent timely, accurate or complete information from being reported.
  • Personnel inadequacies and Segregation of Duties (SOD) issues, which relates to deficiencies in the number, training, qualifications, and conduct of resources. It also captures when issues associated with segregation of duties are raised.
    ​​​
  • IT general controls, spanning the suite of controls across the IT domains (access to programs and data, computer operations, system change management, and system implementation). Deficiencies in IT general controls can be more pervasive in nature, and have a downstream impact on the reliability of business process controls or data.
• 62% of material weaknesses in 2022 are driven from smaller companies with revenue ranging from $100M – $500M. Contrary to this, there has been an improvement in the volume of material weaknesses for larger companies with revenue > $5B as material weakness have dropped 59% since 2020.

What does this mean for you and your audit committee? Consider if these conditions exist at your company. Work with your internal and external auditors as well as management to be proactive to ensure a material weakness doesn’t sneak up on you.

PCAOB Enhances Transparency of Inspection Reports With New Section on Auditor Independence and More

The PCAOB has enhanced its inspection reports with a new section on auditor independence and a range of other changes intended to make more information publicly available that is relevant, reliable, and useful for investors and other stakeholders.

The enhanced inspection reports will include:

• A new section of the report focused on independence violations: Reports will feature a new independence section (Part I.C) that will discuss instances of noncompliance with PCAOB rules related to maintaining independence, as well as potential noncompliance with U.S. Securities and Exchange Commission independence rules.
• More information related to fraud procedures and the identification and assessment of the risks of material misstatements: Reports will expand Part I.B to include deficiencies related to AS 2401, Consideration of Fraud in a Financial Statement Audit, and AS 2110, Identifying and Assessing Risks of Material Misstatement.
• More commentary: Reports will provide additional commentary in Part I.A for certain situations, such as whether the audit was the firm’s first audit of the issuer or whether the firm had identified significant risks, including fraud, for areas in which PCAOB inspection staff identified deficiencies.
• New graphs: For annually inspected firms, reports will include charts to clearly show firm and engagement partner tenure.

ICYMI: CAQ Public Policy and Technical Alerts (PPTA), March and April 2023

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s March and April 2023 Alerts included these featured articles.

PCAOB Investor Advisory: Exercise Caution With Third-Party Verification/Proof of Reserve Reports

The PCAOB’s Office of the Investor Advocate issued an Investor Advisory due to concern that investors and others may place undue reliance on proof of reserve reports (“PoR Reports”), which are not within the PCAOB’s oversight authority. The Office of the Investor Advocate is aware of some service providers, including PCAOB-registered audit firms, issuing PoR Reports to certain crypto entities (e.g., crypto exchanges, stablecoin issuers). The Investor Advisory says investors should note that PoR engagements are not audits and, consequently, the related reports do not provide any meaningful assurance to investors or the public.

PCAOB Proposes Modernization of Standards Addressing Core Auditing Principles and Responsibilities

The PCAOB issued for public comment a proposed new standard, AS 1000, General Responsibilities of the Auditor in Conducting an Audit. If adopted, AS 1000 would reorganize and consolidate a group of standards that were adopted on an interim basis by the PCAOB in April 2003 and that address the core principles and responsibilities of the auditor, such as reasonable assurance, professional judgment, due professional care, and professional skepticism. The proposal would also amend certain other standards that address responsibilities fundamental to the conduct of an audit.

Comments are due by May 30, 2023.

A New PCAOB Staff Spotlight Reminds Auditors That Professional Competence and Skepticism Are Essential to Quality Audits

The PCAOB posted a new report, Spotlight: Professional Competence and Skepticism Are Essential to Quality Audits. The staff of the PCAOB reminds auditors of the importance of critically assessing the audit firm’s capabilities, obtaining proper understanding of the company they are auditing, and performing work with due professional care and professional skepticism. These matters are particularly important in circumstances where changes to economic conditions or other factors affect the company. Auditors are reminded of their responsibility to take into account all evidence obtained when evaluating the results of the audit, including information regarding potential bias in management’s judgments about the amounts and disclosures in the
financial statements.

FASB Seeks Public Comment on Proposed Improvements to the Accounting for and Disclosure of Certain Crypto Assets

The FASB published a proposed ASU intended to improve the accounting for and disclosure of certain crypto assets. The amendments would require an entity to measure crypto assets at fair value each reporting period with changes in fair value recognized in net income. They also would improve the information provided to investors about an entity’s crypto asset holdings by requiring disclosure about significant holdings, restrictions, and changes in those holdings. The amendments would apply to all entities holding crypto assets that meet all the following criteria:

• Meet the definition of intangible asset as defined in the FASB Accounting Standards Codification Master Glossary
• Do not provide the asset holder with enforceable rights to, or claims on, underlying goods, services, or other assets
• Are created or reside on a distributed ledger based on blockchain technology
• Are secured through cryptocurrency
• Are fungible
• Are not created or issued by the reporting entity or its related parties

Comments are due by June 6, 2023.

FRC Publishes Conversation Starters to Boost Investor-Audit Committee Engagement

The FRC announced the launch of a new web page providing conversation starters aimed at promoting better engagement between investors and audit committees. The resource is intended to facilitate better understanding of companies and their approach to financial reporting and internal control. The series of conversation starters is aimed at investors wishing to engage with audit committees and companies on assurance-related topics. The conversation starters have been developed in consultation with stakeholders, including investors, audit committees, and other interested parties.

CAQ Audit Quality Reports Analysis: A Year in Review

The CAQ announced a study that examines the most recent audit quality reports for each of the eight accounting firms represented on the CAQ’s Governing Board. The study observed over 100 unique qualitative disclosures and quantitative audit quality metrics providing transparency into the firm-level processes that accounting firms employ to promote and enhance audit quality.

Corporate Decision-Making: Why Choose a CPA for Your ESG Assurance Needs?

The CAQ and AICPA teamed up to release a new publication on choosing a CPA for ESG assurance. The publication explores:

• The increasing demand for independently assured ESG information by public companies
• How third party, independent assurance may be required or desired by private companies
• The benefits of engaging a CPA for third party assurance of ESG information

Reframing failure as steps to success

Giannis Antetokounmpo, the Milwaukee Bucks’ power forward, after being asked if he considered the past season a failure: