Audit Committee Insights | February/March 2022

Hopefully the February grind – for large-accelerated filers – is over and the end is in sight for March filers. March Madness ahead? Indeed. Of course, for audit committees, it’s busy all year long. We are here to help you keep current with the latest news and developments during this busy time and all year long. We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.

CISA Warns: Shield’s Up To Protect Against Heightened Cyber Threats

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Russia’s unprovoked attack on Ukraine…may impact organizations, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity. CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. CISA urges companies to take action to reduce the likelihood of a damaging cyber intrusion. Recommendations from CISA for corporate leaders include:

•  Empower Chief Information Security Officers (CISO):In nearly every organization, security improvements are weighed against cost and operational risks to the business. In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company, and ensure that the entire organization understands that security investments are a top priority in the immediate term.
• Lower Reporting Thresholds:Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. government. In this heightened threat environment, these thresholds should be significantly lower than normal. Senior management should establish an expectation that any indications of malicious cyber activity, even if blocked by security controls, should be reported, as noted in the Shields-Up website, to CISA or the FBI. Lowering thresholds will ensure we are able to immediately identify an issue and help protect against further attack or victims.
• Participate in a Test of Response Plans:Cyber incident response plans should include not only your security and IT teams, but also senior business leadership and Board members. If you’ve not already done, senior management should participate in a tabletop exercise to ensure familiarity with how your organization will manage a major cyber incident, to not only your company but also companies within your supply chain.
• Focus on Continuity:Recognizing finite resources, investments in security and resilience should be focused on those systems supporting critical business functions. Senior management should ensure that such systems have been identified and that continuity tests have been conducted to ensure that critical business functions can remain available subsequent to a cyber intrusion.
• Plan for the Worst:While the U.S. government does not have credible information regarding specific threats to the U.S. homeland, organizations should plan for a worst-case scenario. Senior management should ensure that exigent measures can be taken to protect your organization’s most critical assets in case of an intrusion, including disconnecting high-impact parts of the network if necessary.

CAQ’s Audit Committee Practices Report, co-authored with Deloitte, found that 53% of audit committees are responsible for overseeing cybersecurity. Of those with cybersecurity oversight responsibilities, 69% indicated that they anticipate spending more time on cybersecurity in the coming year. Read the publication for more insights on the role of the audit committees in overseeing cybersecurity.  

Investors Want More ESG Disclosure This Proxy Season

According to EY’s Center for Board Matters, institutional investors want more disclosure this proxy season related to ESG, especially climate risk and energy transition. EY finds that investors are convinced that more effective management of business-relevant ESG issues will lead to better financial performance. Four ways that EY states boards can demonstrate oversight of ESG include:

1. Directly engage with shareholders, putting ESG in the context of strategy
2. Clarify the governance of ESG in committee charters, governing documents and proxies
3. Enhance and communicate the board’s relevant ESG expertise and training
4. Consider the role of ESG in executive pay

EY asked investors if they have audit or audit-committee-related areas of focus, and 36% said they are giving more attention to the audit committee’s role relative to ESG. That includes the audit committee’s role relative to the oversight of ESG risks (e.g., how such risks are integrated into the enterprise risk management program and how audit committees are building their competency to oversee those risks), its role relative to ESG data quality and assurance (particularly as the Securities Exchange Commission is developing a proposal to require climate risk disclosures) and how climate risks are reflected in financial reporting (e.g., in material forward-looking estimates and assumptions). CAQ’s Audit Committee Practices Report, co-authored with Deloitte, identifies certain areas that typically fall within the audit committee’s purview:

1. Focusing on internal and disclosure controls and procedures related to the metrics being publicly disclosed in a sustainability report or otherwise (e.g., on the website, in filings, etc.).
2. Understanding the connection between the ESG strategy and related goals and metrics— and how management considers any impacts it may have on the financial statements.
3. Monitoring assurance-related activities— both understanding why or why not the organization is obtaining assurance, and overseeing the third-party providing that assurance, if applicable.

For more information, see Deloitte’s publications Navigating the ESG journey in 2022 and beyond and The role of the board in overseeing ESG as well as the CAQ’s Audited Financial Statements and Climate-Related Risk Considerations.  

Larry Fink Tells Audit Committees – Culture is Main Source of Board Effectiveness

BlackRock’s chair and CEO, Larry Fink, told members of Tapestry Network’s Audit Committee Leadership Network that BlackRock’s commitment to sustainability is embedded across its entire business. Mr. Fink shared that he has guarded optimism about the global economy, his view that there is no quick transition to net zero, and his belief that both national and international government institutions have critical roles to play as enablers of private investment and as drivers of policy consensus. When asked the main source of board effectiveness? Culture. Specifically, cultural elements to focus on:

• Board cohesion – this calls for the board working together and with the organization as a whole.
• Independence – the need to work with the organization notwithstanding, the board needs to exercise independent judgment as it considers management’s proposals for the future of the company.
• Diversity – this is not about checking the boxes…making sure there is enough gender, ethnic and racial representation. That should be a given. The “underdiscussed” aspect of diversity is diversity of mind. This applies to management teams as well. Diversity of mind or of thought requires a variety of backgrounds.

2022 Fraud Risk Outlook – Cyber, Compliance, and Fraud Threats

KPMG’s 2022 Fraud Risk Outlook is not great (the report is great; the news not-so-great). Companies across the Americas are experiencing increasing losses from fraud, compliance breaches and cyber attacks, with the situation expected to worsen in the next 12 months. The reality of this triple threat is grim with respondents indicating they were impacted by a cyber attack in the last 12 months (83%), experienced internal or external fraud (71%), or suffered losses due to regulatory fine or compliance breach (55%). The report details how the pandemic negatively impacted the risk of fraud due to the shift to remote working. 59% of respondents agree that the anti-fraud controls they had in place pre-pandemic have not been effectively updated to reflect the new working reality. These statistics are consistent with the joint CAQ-Deloitte Audit Committee Practices Report which found that 42% of respondents indicated fraud risk has increased due to shifts to the business environment resulting from COVID. Given these results, boards and audit committees would do well to consider the circumstances at their companies in terms of changes to processes, increased threat levels, and changes to existing controls. KPMG recommends these five steps to mitigate the triple threat:

1. Set the right tone from the top
2. Cary out a risk review
3. Communicate effectively
4. Strengthen detection
5. Create a culture of enforcement and accountability

Audit committees can find more resources on deterring and detecting fraud by visiting the Anti-Fraud Collaboration website.

ICYMI: CAQ Public Policy and Technical Alert (PPTA), January 2022

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s January Alert included these featured articles:

• Anthony Thompson and Erica Williams sworn in as PCAOB board member, chair The PCAOB announced that Anthony Thompson and Erica Williams were sworn in as board member and chair, respectively. The SEC conducted the swearing-in ceremonies virtually. Thompson, who was nominated by the SEC last November, will have an initial term running through October 24, 2022. Williams, who was also nominated last November, will have an initial term running through October 24, 2024. The full PCAOB board is now sworn in.
• PCAOB to form two new advisory groups to enhance engagement with investors and other stakeholders The PCAOB announced the creation of two new advisory groups: the Investor Advisory Group (IAG) and the Standards and Emerging Issues Advisory Group (SEIAG). The advisory groups will enable the PCAOB to obtain essential input and insights from investors and other stakeholders on a wide variety of matters related to improving audit quality. The IAG will advise the PCAOB on matters concerning the PCAOB’s mission to oversee the audits of public companies, and related matters (such as the audits of broker-dealers), to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. The SEIAG will advise the PCAOB on existing standards, proposed standards, potential new standards, and potentially on matters other than standards that are of significance to the PCAOB, including emerging audit issues.
• FRC: New research with audit committee chairs published The FRC published new research that reinforces the case for developing standards for audit committees to help promote a more consistent approach to audit quality. The research, conducted by YouGov, was based on in-depth interviews with audit committee chairs discussing how they carry out their role. The research shows that some audit committee chairs find it difficult to differentiate audit quality from the quality of service provided by their audit firm. The research also found that auditors have adapted quickly to the challenges posed by the pandemic.

Irish Blessings

With St. Patrick’s Day approaching – whether you are Irish or not – here are a few Irish blessings to wish you well:

• May the roof above us never fall in. And may the friends gathered below it never fall out.
• May you have warm words on a cold evening, a full moon on a dark night, and a smooth road downhill all the way to your door.
• May the blessings of each day be the blessings you need the most.

Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org). This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations. Check out the CAQ’s Audit Committee Resource Webpage for more information.