Audit Committee Insights | March 2023

In like a lion and out like a lamb. March madness. Women’s History Month. St. Patrick’s Day. Spring break? March is (can be) all these things. We hope spring is emerging where you are. Just like ever-emerging corporate risks. We scour available resources and keep up with regulatory developments to help keep you current. Read on to stay informed on these relevant developments for audit committee members.

We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.

What is happening with the SEC’s climate rule??

If we knew, we’d definitely tell you. Any day now? (Yes, the SEC’s regulatory agenda states April 2023…) While we wait, take the opportunity to get prepared, or give yourself a refresher on what’s in the draft rule. There are a million  great summaries out there. They are detailed, helpful, informative, and at times overwhelming. But this new CAQ resource on the auditor’s role in climate-related information is wonderfully readable. We answer these questions:

• What is driving demand for climate-related information?
• What types of climate-related information are companies disclosing?
• Why do companies seek assurance over climate-related information?
• What is the role of public company auditors in climate-related information?
• What factors and skillsets enable auditors to perform attestation engagements over climate-related information?
• Can a public company use the same independent accounting firm for its financial statement audit and attestation over its climate-related information?

There is also a short appendix with regulatory developments.

Does it seem the discussion on ESG has become polarized? To help you make sense of the noise, here is a good read from PwC, What boards should know about balancing ESG critics and key stakeholders. PwC highlights two key points that may be getting lost in the debate:

1. At its core, ESG is about companies developing long-term strategic plans, identifying and mitigating material risks, recognizing emerging growth opportunities to their businesses, and their boards’ oversight of all of it.
2. More robust ESG data, not less, could lead to companies making more informed decisions and to better public policy.

Regardless of the status of the SEC’s final climate rule, take the opportunity to prepare, prepare, prepare.

SEC priorities in 2023: proxies, crypto, and enforcement. Oh my.

What are SEC priorities for 2023? EY highlights SEC rulemaking activities related to disclosures of climate, cybersecurity, share repurchase modernization, SPACs, human capital, and Dodd-Frank. Phew.

Three other priorities highlighted are:

1. Proxy process: The SEC plans to consider final amendments to Exchange Act Rule 14a-8, which generally requires companies to include shareholder proposals in their proxy statements absent a basis for exclusion.
2. Crypto assets: Continued scrutiny of the crypto asset industry and related disclosures, but minimal rulemaking activity. The SEC did, however, propose a rule in February 2023 that would expand investment advisers’ responsibilities to safeguard customer assets to include crypto assets; currently, these responsibilities apply only to funds and securities.
3. Enforcement: More of it. Continued focus in key areas of cybersecurity, crypto assets, and ESG.

EY notes other areas to monitor in 2023 include ongoing monitoring to ensure compliance with the Holding Foreign Companies Accountable Act and increasing transparency related to private entities, including funds and companies that qualify for exemptions from registration with the SEC.

Take a byte out of crime. Cybercrime. Three key actions.

KPMG provides three key actions boards should take to mitigate cyber risk.

1. Level-up monitoring of management’s cyber preparedness to address the growing sophistication of threats. Sharpen your oversight in these critical areas:
   • How sensitive management is to early warning signs of cyber events;
   • The extent to which management embeds cyber considerations into the design process for new products and internal systems;
   • Whether the company’s crisis response plan is robust and ready to go, taking into account the potential loss of critical infrastructure, such as data centers;
   • The quality of processes and controls in place over cyber risk management, and whether they are keeping pace with the ever-evolving threat landscape;
   • The cyber risks posed by the company’s entire supply chain; and
   • If or when a cyber incident occurs, management’s ability to identify the source of the incident efficiently and effectively (i.e., a deficiency in internal controls) and put new procedures in place to prevent future incidents.
2. Keep a close eye on the regulatory environment and plan accordingly. This should prompt an increased focus on the company’s:
   • Cyber security and privacy standards within the context of financial reporting. Audit committees must play a key role in overseeing the impact of a breach or another cyber event on the financial statements.
   • Inventory of all third-party relationships. Dedicated assurance programs can verify cyber security protocols, strengthen vendor relationships and maximize related regulatory compliance across the supply chain.*
   • Assessment of how future cyber regulation may impact the business. While companies are already bound to extensive data privacy legislation, such as the General Data Protection Regulation and the California Consumer Privacy Act, they must also consider what future regulation from the SEC, the Federal Trade Commission or another governing body may mean for operations, strategy and reporting.
   • Understanding of who will do the heavy lifting on regulatory compliance. Boards may use new SEC reporting requirements as a marker to evaluate the composition of the company’s disclosure committee, making sure appropriate functional leaders (i.e., chief supply chain officer, chief information security officer and others) are included.** They may also evaluate internally who will monitor compliance.
3. Recognize the link between cyber security and data governance. For example, fast-emerging technologies that will likely require increased board and committee focus include:
   • Facial recognition software: How is facial recognition data collected? Where is it stored? What are the associated privacy concerns and how is management mitigating them?
   • Artificial intelligence and machine learning: What are the ethical considerations? As technology continues to learn and adapt, what biases are implicit and how is management addressing them? What regulatory compliance (including E.U. regulations) and reputational risks are triggered by the company’s use of this technology?

These are good actions to consider for the audit committee or perhaps at the full board level.

*See KPMG LLP, “Mitigating Risk in an Increasingly Digitized World.”

** See KPMG LLP, “On the 2023 audit committee agenda,” December 2022, https://boardleadership.kpmg.us/relevant-topics/articles/2023/onthe-2023-audit-committee-agenda.html.

Go for the gold: audit committee interaction with the audit team and other external auditor oversight ideas

Tapestry’s Audit Committee Leadership Network published its Summary of Themes from its March 2023 meeting. The broader themes discussed related to the audit committee and external auditor relationship included:

• Create open communication and trust with the engagement partner.
• Establish relationships with others on the audit team.
• Establish relationships with senior leaders at the audit firm.
• Start early and develop criteria to ensure smooth partner rotations.
• Consider the external auditor’s role in emerging issues.
• Determine how the audit committee will assess the external auditor.

In addition, the summary discusses innovation and evolving practices in internal audit, what’s next for artificial intelligence, and responding to economic uncertainty.

ICYMI: CAQ Public Policy and Technical Alerts (PPTA), February 2023

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s February 2023 Alert included these featured articles.

SEC Updates Compliance and Disclosure Interpretations (C&DI) for Regulation S-K Item 402(V) Pay Versus Performance
The SEC updated Section 128D and 228D Pay Versus Performance. See the new C&DIs Questions and Answers at 128D.01 through 128D.13, and 228D.01 through 228D.02.

The PCAOB Expects Firms to Remedy Quality Control Deficiencies
The PCAOB released Spotlight: Additional Insights on the Remediation Process. The report discusses the PCAOB’s expectations for firms when remedying quality control deficiencies.

Financial Accounting Foundation (FAF) Debuts Enhanced Free Access to Online Accounting Standards Codification and Governmental Accounting Research System
The FASB announced that the FAF launched its free, enhanced online access to the Accounting Standards Codification and the Governmental Accounting Research System. The Codification is the complete and official version of Generally Accepted Accounting Standards (GAAP) published by the FASB.

The real March madness? Women’s History

In honor of Women’s History Month, here is inspiration from soccer legend Mia Hamm. BOOM!

Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org). This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.

Check out the CAQ’s Audit Committee Resource Collection for more information.