Audit Committee Insights | January/February 2024

Just when it seems that February will never end, we have an extra day in 2024. Happy birthday leaplings (read on for some fun trivia)! Even with the extra day, we are making our way through the first two months of 2024, a hectic time for boards, audit committee members, preparers and auditors alike. Hopefully, there is some R&R in sight. And you’ll need it because things are moving quickly as always!

To help keep you current, we scour available resources and keep up with regulatory developments. Read on to stay informed on these relevant developments for audit committee members.

We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.

PCAOB to Host Virtual Roundtable on NOCLAR Proposal (March 6), Reopen Comment Period

Following pressure from Members of Congress in December, PCAOB Chair Erica Williams announced during testimony before the U.S. House of Representatives’ Subcommittee on Capital Markets last December that the PCAOB would host a public virtual roundtable on its controversial Noncompliance with laws and regulations (NOCLAR) proposal.

The panelists will include a subset of people and organizations that commented on the proposal, including those representing investors, auditors, preparers, and audit committees; subject matter experts in the fields of economics, corporate and securities laws, accounting, financial reporting, and auditing; and commenters and experts who serve on the Board’s Advisory Groups.

When? Wednesday, March 6 at 9:30 am ET.

Where? Virtually via Webex: access the roundtable here.

What? There will be three panels covering identification, auditor considerations, and economic impacts.

Panel I: Identification

• Topic (1): Threshold for Identification of Laws and Regulations
• Topic (2): Direct Illegal Acts vs. Indirect Illegal Acts

Panel II: Considerations for an Auditor’s Assessment of Noncompliance and Other Legal Considerations

• Topic (1): Competence to assess relevant noncompliance with laws and regulations
• Topic (2): Concerns Regarding Potential Waiver of Attorney-Client Privilege

Panel III: Economic Impacts

• Topic: Benefits and Costs of Proposal

The Board also announced they will reopen the comment period through March 18. If you want a refresher on NOCLAR, take a look at the CAQ’s analysis of those comment letters submitted to the PCAOB last year.

Call for Commitment to Professional Skepticism and Audit Quality from SEC Chief Accountant

The SEC’s Chief Accountant, Paul Munter, issued a reminder to commit to high-quality audits and exercise professional skepticism. The audit is fundamental to trust and confidence in our capital markets.

Being skeptical is a priority for auditors. According to the CAQ’s Professional Judgement Resource, the appropriate exercise of professional skepticism throughout the judgement process is at the heart of effective auditor decision-marking. Our Anti-fraud Collaboration’s Skepticism in Practice report provides information on the value and implementation of an appropriate level of skepticism for all members of the financial reporting supply chain.

What can audit committees do? Chief Accountant Munter’s statement provided these suggestions:

1. Engage with the auditor. Discuss events that impact financial reporting and related issues, including any red flags arising from management responses. Encourage the auditor to express any concerns.
2. Evaluate your process for assessing the auditor’s performance. Consider how you monitor and consider:

1. • results of the auditor’s PCAOB inspections, the firm’s internal monitoring programs, or other firm audit quality reporting;
   • whether the engagement team has appropriate industry expertise, and whether the engagement partner is sufficiently engaged and provides leadership to the engagement team;
   • the engagement team’s total hours and staffing mix (such as, the use of specialists, the composition of experience within the engagement team, or portions of the engagement performed by other auditors); and
   • significant changes (or the lack thereof) in hours or staffing mix from previous audits.

3. Support the auditor’s independence and facilitate the auditor’s exercise of professional skepticism. Audit committees are encouraged to:
   • meet with the auditor, independent of management, through formal or informal meetings;
   • have an open dialogue that provides adequate time for in-depth discussions of financial reporting and internal control matters with the independent auditor;
   • dedicate time to asking the auditor probing questions to assess audit quality;
   • speak directly with the audit engagement team about the importance of professional skepticism and the audit committee’s support of the engagement team; and
   • avoid substituting management’s judgments or interactions with the independent auditor for the audit committee’s own judgments and engagement with the independent auditor.

While audits may be wrapping up for calendar year-end companies, the next audit or an off calendar-year audit is about to begin. Consider how you are engaging with your audit team to promote audit quality.

PCAOB Inspection Priorities and Questions for Audit Committees to Consider of their Independent Auditors

The PCAOB issued a Spotlight, Staff Priorities for 2024 Inspections and Interactions with Audit Committees. Among other areas, the PCAOB inspections in 2024 will focus on:

• Audit firm culture,
• Audits of companies engaged in merger and acquisition activities,
• Financial services sector, including the liquidity impact of ongoing changed in interest rates, allowance for loan losses, classification of investments as available-for-sale or held-to-maturity,
• Information technology sector, including revenue recognition, risk of fraud due to management override, and the impact of disruptions in the supply chain.

The Spotlight offers questions for audit committees to consider:

1. How does the audit firm ensure that audit engagement team members have the appropriate understanding of our business so they can effectively perform their assignments?
2. Every year the auditor asks this audit committee if it has knowledge of fraud, alleged fraud, or suspected fraud affecting the company. What else has the auditor considered when planning and performing the audit to obtain reasonable assurance about whether the company’s financial statements are free of material misstatement due to error or fraud?
   • Did the auditor consider confirming significant revenue transactions with the counterparty to test for side arrangements?
   • If the company has digital assets, consider asking the auditor how existence and ownership of the digital assets, including ongoing safeguarding of private keys, were tested.
3. How would you, the auditor, commit fraud in our organization, and if you were an employee or member of management, what would you do to prevent it?
4. If the auditor has identified information, events, or conditions that suggest that the public company’s ability to continue as a going concern is in doubt, consider asking:
   • Did the auditor conclude that substantial doubt exists or would exist absent management’s plan?
   • When the auditor assessed management’s plans to mitigate the effect of the substantial doubt, did the auditor find the plans aggressive?
   • Is the likelihood that such plans can be effectively implemented realistic based on the current situation?
   • Does the auditor find management’s disclosure regarding the substantial doubt adequate?
5. If other auditors are used, consider asking:
   • How did the auditor ensure that the other auditors are independent?
   • Did the auditor review the work of the other auditors, and, if so, was it performed appropriately and to the auditor’s satisfaction?
6. If portions of the audit were outsourced to a shared service center, how did the auditor determine that service center personnel executed the procedures appropriately?
7. What challenging, subjective, or complex auditor judgment did the auditor apply during the audit? Did the auditor’s application of challenging, subjective, or complex auditor judgment result in disclosure of a CAM? Why or why not?
8. If a cybersecurity event occurred, consider asking how the audit response was impacted. Also ask about the auditor’s impression of the company’s governance to protect systems, information, and other assets.
9. What is the auditor’s overall impression of the company’s use of technology?
   • Did the auditor observe any areas during their testing that warrant audit committee attention?
   • Was the auditor able to effectively use technology in audit procedures, or was the company unable to provide appropriate/sufficient data to be able to utilize technology effectively?
10. What is the audit firm’s use of technology? What was applied during the audit?
11. What is the auditor’s candid impression of the audit committee’s oversight of the internal audit function and how the internal audit plan addresses the company’s significant risks?

While the FY 2023 audit may be wrapping up, these are great questions for the planning phase of the 2024 audit.

GenAI and the Role of the Audit Committee

If you are the type of person – or of a certain vintage – that you can navigate (or remember when you had to) the world with a map (i.e., without GoogleMaps), then maybe using ChatGPT to write a term paper on Catcher in the Rye doesn’t seem that amazing. OK, but there are some pretty exciting applications that seem poised to revolutionize the finance and audit world (Draft reports! Summarize content! Automate first reviews! Conduct analyses! Enhance fraud detection procedures!).

Is it just hype?

This is the conversation that many board and audit committee members are having with each other and tech experts. The CAQ co-hosted a webinar with NACD, AI 101 for Audit Committees. Panelists were united in their enthusiasm for the opportunities presented by generative AI but acknowledged the risks.

EY, who participated in our webinar, has published a GenAI Governance Framework to help build trust in tomorrow’s tech. Assessing the state of artificial intelligence was also the topic at Tapestry Networks’ recent AI Connect Forum.

Our panelists suggested these questions for audit committees to consider:

• How is the company embracing generative AI in the overall business strategy? Is it internal or customer facing?
• For companies dependent on third parties or using external technologies such as ChatGPT, how are the third parties implementing AI? What are the boundaries around usage and data, and what are the implications for the company?
• How is AI technology being used and deployed within the organization? Do management and directors know where AI is currently being used? Are public or open versions being used?
• What data is being used and how is it protected?
• With regulatory frameworks unfolding at state, federal, and global levels, how is the company monitoring and engaging in public policy dialogues? Is the company leveraging existing frameworks?

The World Economic Forum produced the Empowering AI Leadership Toolkit for Board Directors, which is worth checking out. A few key areas to focus on related to governance of AI for board and audit committees in included in the Governance module:

• Board oversight– clarifying which board committee(s) provide oversight, which AI activities they oversee, and whether AI necessitates establishing a new board committee.
• Ethics board– deciding on the responsibilities of the ethics board overseeing AI, how it will maintain its independence and selecting and confirming its members.
• Risk assessment– identifying AI-specific risks that should be considered while providing AI governance.
• Monitoring, audit and response– evaluating the effectiveness of compliance and ethics assurance programs, and the response to allegations of violations.
• Training– providing education for employees, contractors and other third parties about compliance risk and programs.
• Reporting to shareholders– as required by law, ensuring reports to shareholders and filings to regulators include information about the risks of AI. They should also report on the use of AI in financial reporting and auditing, as part of verification of the accuracy of financial statements.

It seems clear that we will be continuing this conversation. It’s an exciting and necessary topic to learn more about.

ICYMI: CAQ Public Policy Technical Alert (PPTA), December 2023 / January 2024

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s December 2023 and January 2024 Alerts included these featured articles.

The Statement of Cash Flows: Improving the Quality of Cash Flow Information Provided to Investors
The SEC posted a statement by SEC Chief Accountant Paul Munter on the statement of cash flows. Munter addresses the importance of cash flow reporting for investors, provides key reminders of professional responsibilities around the statement of cash flows, and discusses improving cash flow information for investors.

Fall 2023 Regulatory Agenda Update
The SEC released the Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions by the U.S. Office of Information and Regulatory Affairs (commonly referred to as the Reg Flex Agenda). The Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions includes contributions related to the SEC and short- and long-term regulatory actions that administrative agencies plan to take. The Climate Change Disclosure Rule Final Action is listed as April 2024.

FASB Issues Standard to Improve the Accounting for and Disclosure of Certain Crypto Assets
The FASB published an ASU intended to improve the accounting for and disclosure of certain crypto assets. The amendments in the ASU improve the accounting for certain crypto assets by requiring an entity to measure those crypto assets at fair value each reporting period with changes in fair value recognized in net income. The amendments also improve the information provided to investors about an entity’s crypto asset holdings by requiring disclosure about significant holdings, contractual sale restrictions, and changes during the reporting period. The amendments in the ASU are effective for all entities for fiscal years beginning after December 15, 2024, including interim periods within those fiscal years.

Happy Birthday leaplings!

The chances of being born on leap day are so rare that less than 0.1 percent of the world’s population is born on February 29. For a leapling, 2024 is a special year!

Did you know:

• There’s no set rule on which day to celebrate a leapling’s birthday in a non-leap year. Some prefer Feb. 28, others March 1 and many do both according to NPR. “My answer to this question has evolved over the years,” said Michael Kozlowski Jr., a leap day baby based in Belgium. “It used to be February for the reasons that I identified more with that month compared to March. But these days I honestly like to celebrate both days or even the entire week. It seems only fair and it works and it feels great.”
• Many online forms — including for the DMV — don’t recognize Feb. 29 as a possible birth date.
• In Hong Kong, all babies born on Feb. 29 are given the birthday of March 1 on their birth certificate, to keep from legal confusion.
• In 5th-century Ireland, St. Bridget lamented to St. Patrick that women were not allowed to propose marriage to men,” according to History.com. “Legend has it that St. Patrick designated the only day that does not occur annually, February 29, as a day on which women would be allowed to propose to men. In some places, Leap Day thus became known as Bachelor’s Day.”

Until 2028, we wish leaplings a Happy Birthday!

Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org).

This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.