Audit Committee Insights | March/April 2024

Wow. Four months into 2024 already. Is the year going by fast or is it just us? For that matter we’re nearly a quarter into this century! It feels like we were just partying like it was 1999 (hopefully a reference that doesn’t date us too much). Maybe it’s because SO much happened in Washington – specifically in the financial reporting regulatory world – in March and April. Read on to stay informed on these relevant developments for audit committee members.

We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.

Audit Committee Practices Report – Cyber and ERM Top AC Priorities (Again)

We’ve loved collaborating with Deloitte’s Center for Board Effectiveness on our annual audit committee practices survey. In March 2024, we released our 3rd annual Audit Committee Practices Report.

Other than oversight of financial statements and internal control over financial reporting (ICFR) (which we know is priority #1, hands down), the Top 5 priorities for audit committees over the next 12 month are:

1. Cybersecurity
2. Enterprise Risk Management (ERM)
3. Finance and internal audit talent
4. Compliance with laws and regulations
5. Finance transformation

Cyber and ERM are repeats from our 2023 report. Slipping down the list since 2023 is ESG reporting.

Where are audit committees spending too little time? 66% said they are spending too little time on Artificial Intelligence governance.

We held two webinars on this report: You can check out the recordings of Deloitte’s Board Governance Webinar here and the CAQ’s webinar here. (Be careful, these recordings are on YouTube. Try not to go down a rabbit hole…) A very big thank you to those audit committee chairs and members who completed our survey – your voice helps others!

SEC Final Climate Rule Adopted and Stayed – What Now?

No doubt you’re well aware that on March 6, the SEC adopted the final climate rule. The CAQ’s Desiré Carroll has a great blog post, What We Were Looking For in the Final (Climate) Rule versus What We Found. The key takeaways are:

1. Attestation requirements:
   • Attestation over greenhouse (GHG) emissions disclosures was retained;
   • Large accelerated filers (LAFs) will progress from limited assurance to reasonable assurance at a later date;
   • Accelerated filers will only need to obtain limited assurance.
   • The first assurance report is required 3 years after the GHG emissions compliance date and the move to reasonable assurance by LAFs required after 7 years.
2. Reg S-X requirements:
   • The final rule requires registrants to disclose the effects of severe weather events and other natural conditions;
   • The SEC removed the proposed requirement to disclose the impact on each line item of a registrant’s consolidated financial statements but retained the 1% disclosure threshold at the overall income statement and balance sheet level and also established de minimis thresholds.
3. GHG emissions: Scope 1 and Scope 2 greenhouse gas (“GHG”) emissions, if material, for accelerated and large accelerated filers only. In other words, no Scope 3 required.

Here’s another good summary of the final rule from Gibson Dunn.

The final rules will become effective 60 days following publication of the adopting release in the Federal Register, except, wait for it… the rule was voluntarily stayed by the SEC on April 4, 2024. So, what does this mean? (Remember, auditors are not lawyers.) According to Covington, don’t put your pencils down for the following reasons:

• First, the SEC staff is likely to continue issuing comment letters on companies’ current climate-related disclosures, including comments based on the SEC’s 2010 guidance on climate change disclosures.
• Second, many public companies could become subject to separate climate disclosure requirements under laws and regulations adopted in other jurisdictions, such as the European Union and individual states in the United States, most notably in California.
• Third, even if the SEC’s rules are struck down, it is likely that investor pressure will drive continued private ordering resulting in increased and more comparable climate-related disclosures, particularly for larger public companies.
• Finally, the outcome of the challenge to the SEC’s climate rules is uncertain, including with respect to the content of any portion of the rules that is upheld and the ultimate timing of required compliance with such rules.

We agree: don’t assume this rule is not going to happen. Investors want more climate information and there are other jurisdictional requirements. Curious about what investors think of climate-related reporting and the SEC’s rule? Checkout the CAQ’s most recent quarterly investor pulse survey (it’s short). Take the breathing room to be ready for compliance if, and when, needed.

PCAOB Proposes Firm and Engagement Metrics and Firm Reporting Requirements

On April 9, 2024, the Board issued for public comment two proposals that would require new firm and engagement metrics (“Firm and Engagement Metrics Proposal”) and additional firm reporting (“Firm Reporting Proposal”).

Comment letters are due June 7.

The Board is proposing metrics in the following 11 areas (for many at both the firm- and engagement-level):

1. Partner and Manager Involvement. Hours worked by senior professionals relative to more junior staff across the firm’s issuer engagements and on the engagement.
2. Workload. Average weekly hours worked on a quarterly basis by engagement partners and by other partners, managers, and staff, including time attributable to engagements, administrative duties, and all other matters.
3. Audit Resources – Use of Auditor’s Specialists and Shared Service Centers. Percentage of issuer engagements that used specialists and shared service centers at the firm level, and hours provided by specialists and shared service centers at the engagement level.
4. Experience of Audit Personnel. Average number of years worked at a public accounting firm (whether or not PCAOB-registered) by senior professionals across the firm and on the engagement.
5. Industry Experience of Audit Personnel. Average years of experience of senior professionals in key industries audited by the firm at the firm level and the audited company’s primary industry at the engagement level.
6. Retention and Tenure. Continuity of senior professionals (through departures, reassignments, etc.) across the firm and on the engagement.
7. Audit Hours and Risk Areas (engagement-level only). Hours spent by senior professionals on significant risks, critical accounting policies, and critical accounting estimates relative to total audit hours.
8. Allocation of Audit Hours. Percentage of hours incurred prior to and following an issuer’s year end across the firm’s issuer engagements and on the engagement.
9. Quality Performance Ratings and Compensation (firm-level only). Relative changes in partner compensation (as a percentage of adjustment for the highest rated group) between groups of partners based on internal quality performance ratings.
10. Audit Firms’ Internal Monitoring. Percentage of issuer engagements subject to internal monitoring and the percentage with engagement deficiencies at the firm level; whether the engagement was selected for monitoring and, if so, whether there were engagement deficiencies and the nature of such engagement deficiencies at the engagement level.
11. Restatement History (firm-level only). Restatements of financial statements and management reports on internal control over financial reporting (“ICFR”) that were audited by the firm over the past five years.

Under the Firm Reporting Proposal, audit firms would publicly report certain information about their organization and operations, including:

• Dollar values of fees collected for audit services, other accounting services, tax services, and non-audit services;
• Governance information regarding firm leadership, legal structure, ownership, and other similar topics;
• Network information regarding network arrangements, network legal and ownership structure, financial obligations, information-sharing arrangements, and oversight of an audit firm; and
• Policies and procedures to identify and manage cybersecurity events.

Is this information you would use? Your voice matters. Engage with us or other trade associations to share your views that can inform a comment letter (or write your own)!

Auditing in the Age of Generative AI

As mentioned in our last Audit Committee Insights edition, we had a great conversation with experts during our CAQ/NACD co-hosted webinar, AI 101 for Audit Committees. Panelists were united in their enthusiasm for the opportunities presented by generative AI but acknowledged the risks. As this hot topic evolves quickly, these conversations sometimes prompt more questions than answers!

Not to worry, we recently published a new whitepaper, Auditing in the Age of Generative AI.

This publication explores fundamental principles of genAI, new risks arising from its use in processes relevant to financial reporting (financial reporting processes) or internal control over financial reporting (ICFR), and related audit implications.

We included a very handy, easy-to-use matrix including:

• Potential Risk Areas (i.e., Governance, Regulatory, Knowledge and Skills, Fraud, Data Privacy, Security, Selection and Design of GenAI Technologies, Use of a Foundation Model, Model Training and Development, Model Performance, Prompts, and Ongoing Reliability and Monitoring – this thing is ROBUST!)
• Example Risks or Source of Risks (i.e., Governance – AI solutions are not identified and managed appropriately and consistently across the company.)
• Questions for Auditor Consideration (related to risk above):
  • Who (individual or group) in the company is responsible for oversight of the use of genAI?
  • Has the company developed a framework for responsible use of genAI?
  • Has the company established policies regarding the acceptable and ethical use of genAI?
  • How are policies regarding acceptable and ethical use of genAI documented and communicated to appropriate individuals throughout the company?
  • How does the company monitor compliance with policies regarding acceptable and ethical use of genAI?
  • Does the company have a process to track and monitor the use of genAI throughout the company, including use by third-party service providers?
  • How does the company evaluate the impact (nature and affected groups) of genAI technologies being deployed?
  • How does the company track risks arising from the use of genAI technologies and mitigating responses?

ICYMI: CAQ Public Policy Technical Alert (PPTA), February / March 2024

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s February 2024 and March 2024 Alerts included these featured articles.

Future Updates to Corporate Governance Code Guidance
The Financial Reporting Council announced it updated the UK Corporate Governance Code guidance, following the publication of the revised Code earlier this year.

IAASB Moves to Strengthen Auditors’ Efforts Related to Fraud
The International Auditing and Assurance Standards Board proposed a significant strengthening of its standard on auditors’ responsibilities relating to fraud. The proposed revisions to International Standard on Auditing 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, include:

• Clarified auditor responsibilities relating to fraud in an audit.
• Emphasized professional skepticism to ensure auditors remain alert to possible fraud and exercise professional skepticism throughout an audit.
• Strengthened identification and assessment of risks of material misstatement due to fraud.
• Clarified response to fraud or suspected fraud identified during the audit.
• Increased ongoing communication with management and those charged with governance about fraud.
• Increased transparency about auditors’ responsibilities and fraud-related procedures in the auditor’s report.
• Enhanced audit documentation requirements about fraud-related procedures.

The IAASB invites all stakeholders to submit their comments by June 5, 2024.

Warren Buffett’s 11 Best Quotes

I think I saw this on LinkedIn (author’s note). You can’t deny it’s good stuff and a fun read.

1. “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that you’ll do things differently.”
2. “The difference between successful people and really successful people is that really successful people say no to almost everything.”
3. “Risk comes from not knowing what you’re doing.”
4. “Someone’s sitting in the shade today because someone planted a tree a long time ago.”
5. “I insist on a lot of time being spent, almost every day, to just sit and think. That is very uncommon in American business. I read and think. So, I do more reading and thinking, and make less impulse decisions than most people in business. I do it because I like this kind of life.”
6. “The most important thing to do if you find yourself in a hole is to stop digging.”
7. “Rule No. 1: Never lose money. Rule No. 2: Never forget Rule No. 1.”
8. “I will tell you how to become rich. Close the doors. Be fearful when others are greedy. Be greedy when others are fearful.”
9. “You never know who’s swimming naked until the tide goes out.”
10. “Price is what you pay. Value is what you get.”

While these are great, my favorite is actually missing, which is:

“No matter how great the talent or efforts, some things just take time.”

A good reminder in times of pressure and stress. Slow is smooth. Smooth is fast.

Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org).

This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.