When is it not a busy time of year?!? As we head into end-of-year closures and the holidays, we hope you enjoy time with family and friends. It may be hectic as the year comes to a close or perhaps it’s the calm before the storm – busy season that is. There is no shortage of changes – risks, rules, and regulations. Oh my. To help keep you current, we scour available resources and keep up with regulatory developments. Read on to stay informed on these relevant developments for audit committee members.
The PCAOB Is Coming to Town: Public Roundtable to Be Held in the New Year on NOCLAR
Respondents agree: The current auditing standard related to the auditor’s responsibilities re Illegal Acts is due for an update. Auditors can do more. However, 78% of respondents oppose the PCAOB’s Proposal on Non-compliance with Laws and Regulations or “NOCLAR.”
In a recent hearing of the U.S. House of Representatives Committee on Financial Services Subcommittee on Capital Markets on December 12, PCAOB Chair Williams stated the Board will hold a public roundtable in the new year to respond to comments received.
In the world of the PCAOB, 139 comment letters is a lot. That’s the number of letters received in response to the PCAOB’s NOCLAR Proposal. This represents one of the largest numbers of comments on a PCAOB proposal since its concept release on mandatory firm rotation (MFR), which received nearly 700 comment letters.
Who responded? The Board’s proposal attracted a broad range of stakeholders. The CAQ categorized the commenters into the following stakeholder groups:
- Academic: Academics
- Accounting: Accounting Associations, Accounting Firms, Consulting Firms
- Business: Audit Committee Members, Business Associations, Compliance Associations, Compliance Officers, Preparers
- Investors: Consumer Advocacy Groups, Investors, Investor Associations
- Other: Exchanges, Individuals, Legal Associations, Legislators, Public Policy Organizations, Trade Unions
Based on the CAQ’s analysis, here are general themes:
- The proposed scope is overly broad. Investors and investor associations had inconsistent views. Some believe the proposed requirements are sufficiently clear while others expressed concerns about the scope of the proposal and the potential negative impact on auditor effectiveness.
- The proposed requirements blur the roles of the auditor and a company’s management and legal functions creating auditor independence concerns. The investor community had mixed views on this topic as well. While some investor associations view the proposed requirements as a function of management, others do not view the proposed auditor responsibilities as a replacement or duplication of management’s functions.
- Auditors are not lawyers:
  - The business community expressed strong and consistent views that auditors are not legal experts.
  - Audit committee members, preparers, and business associations raised concerns the proposal will significantly increase risk to a company’s legal privilege.
  - The investor community’s views continued to be mixed. Certain investors and investor associations do not believe that the proposal requires auditors to function as lawyers; whereas other investor associations believe that auditors are not trained in law nor qualified to make the legal judgments that would be required by the proposal.
- Costs and benefits:
  - The business community believes that the anticipated benefits of the proposal do not justify the costs and that the economic analysis is inadequate.
  - The investor community’s views varied. Some investor associations commented that the benefits would outweigh the costs, while others expressed the opposite view, that the risks of financial misstatements and NOCLAR far outweigh the costs of audits.
- Need for further study and evaluation: The broad consensus among the majority of stakeholder groups is that there is a need for multi-stakeholder engagement and further evaluation before acceptable alternatives to the proposal can be developed, and that the PCAOB needs to conduct more research and engage in an open standard-setting process involving roundtable discussions and public meetings with various stakeholder groups before issuing a revised proposal.
Are Your Audit Committee Disclosures Naughty or Nice? Our 10th Anniversary Audit Committee Transparency Barometer
After a decade of analyzing audit committee disclosures of the S&P 1500, we have seen disclosure rates increase across the majority of the questions and topics being tracked.
In our 10th annual edition of the Audit Committee Transparency Barometer, together with Ideagen Audit Analytics, we feature examples of good disclosures from a variety of public companies including: Activision Blizzard, Inc., Healthpeak Properties, Inc., Unum Group, Tenet Healthcare Corp, Foot Locker, Inc., Pacira Biosciences, Inc., Valaris Ltd, NexTier Oilfield Solutions, Inc., PG&E Corp, and Hanesbrands Inc.
In the current environment of economic uncertainty, geopolitical crises, and new ways of working, it remains as important as ever for audit committees to tell their story through tailored disclosures in the proxy statement. Investors and other stakeholders use these disclosures to understand how the audit committee is exercising oversight to navigate the challenges of this current environment.
Providing detailed and relevant disclosures, instead of relying on boilerplate language, provides investors with useful information about the processes, considerations, and decisions made by the audit committee. Every year, each audit committee has a unique story to tell, and detailed disclosures in the proxy statement relay the extent of engagement of the audit committee, which contributes to audit quality.
Check out our publication for examples, a sample audit committee report, and questions for audit committees to consider. Make it a New Year’s resolution!
Making Disclosures and Checking Them Twice: SEC Executive Comp Clawback Rules, Cyber, and Climate
While there is a lot on the horizon, the SEC’s Climate Rule final action is now slated for April 2024 based on its updated Reg Flex agenda. Human Capital disclosures too. Stay tuned!
But what is final is the SEC’s Executive “Clawback” rule – Listing Standards for Recovery of Erroneously Awarded Compensation. It’s been a long time coming. Each issuer is required to adopt a policy related to the recovery of erroneously awarded compensation no later than December 1, 2023. Yup, that’s now. So, while your company’s policy has been adopted, it’s not too late to check it twice.
Remind me, what does the rule require?
The issuer must:
- Disclose and file its recovery policy as an exhibit to its annual report,
- Indicate by check boxes on its annual report whether the financial statements included in the annual report reflect a correction of an error to previously issued financial statements and whether the corrections are restatements that triggered a recovery analysis, and
- Disclose any actions taken from the recovery analysis.
For purposes of performing a recovery analysis, a “restatement” is both “little r” and “Big R.”
Ugh, I always get these confused…
- “Big R” is a restatement that corrects an error in previously issued financial statements that is material to the previously issued financial statements (think 8-K is required);
- “little r” is a restatement that would result in a material misstatement if the error was either corrected in the current period or left uncorrected in the current period.
How about retrospective changes to previously issued financial statements that do not represent error corrections, such as changes in accounting principles, stock splits, change in reporting entity, etc.? Nope. Those situations do not trigger a recovery analysis.
So, if the policy has been adopted, what’s left to talk about?
- Consider doing a dry run:
  - If a recovery analysis were to be triggered, does the company have all the information necessary?
  - Is it clear which executives are in scope?
  - Is the exact amount of executive compensation subject to analysis known?
  - How does the audit committee expect to coordinate with the compensation committee?
- Review draft disclosures new for the 2023 Annual Report, including discussing with the external auditor; and
- Assess the disclosure controls in place to maintain and update the policy and analysis.
1. Disclosure of cybersecurity incidents
   a. Report “material” cybersecurity incidents within four business days, based on materiality determination, without “unreasonable delay”
   b. Describe the incident’s material impact or reasonably likely material impact
   c. Disclose if one or more of the above required items is not determined or is unavailable at the time of the filing
   Periodic: Form 8-K Item 1.05
2. Disclosure of cybersecurity risk, management, & strategy
   a. Disclose processes for assessing, identifying, and managing material risks from cybersecurity threats
   b. Describe how processes have been integrated into an overall risk management system or processes
   c. Describe risks, including those resulting from previous incidents that have materially affected or are reasonably likely to materially affect business strategy, results of operations, or financial condition
   d. Disclose whether cybersecurity program engages consultants, auditors, or other third parties, as well as the processes to identify and manage risk from third parties
   Annually: 10-K, Regulation S-K Item 106(b)
3. Disclosure of cybersecurity governance
   a. Describe the board’s oversight of risks from cybersecurity threats, and identify the committee or subcommittee responsible for oversight and the process for informing such committees
   b. Describe management committees or positions responsible for, and experience with, assessing and managing cyber risks
   c. Disclose whether and how management reports cybersecurity information to the board or a committee or subcommittee of the board
   Annually: 10-K, Regulation S-K Item 106(c)
Per the SEC, the materiality of an incident is based on the company’s evaluation of the incident.
Don’t forget to discuss with your auditor. Cybersecurity is another type of risk that a business must manage. Auditors understand the environment in which businesses operate, and can use their industry knowledge to help offer perspective about how cybersecurity considerations fit with other business risks.
In addition to providing insights regarding cybersecurity disclosures, CPAs can assess and report on cybersecurity processes and disclosures. Obtaining any level of assurance by a CPA involves obtaining an understanding of the processes, systems, and data, as appropriate, and then assessing the findings in order to support an opinion or conclusion. Further, CPAs:
- Have a long history of and are highly experienced at independently gathering evidence to assess internal controls and the reliability and accuracy of data and information that is used to make decisions and is reported externally.
- Are required by professional standards to plan and perform assurance engagements with professional skepticism.
- Are experienced in reporting on compliance with various established standards and frameworks.
- Are required to maintain a system of quality control that is designed to provide the CPA firm with confidence that its engagement partners and staff complied with applicable standards and the reports issued by the CPA firm are appropriate.
- Are required to adhere to continuing professional education, independence, ethics and experience requirements, including specialized training.
You can learn more about what management needs to know from this joint CAQ-AICPA resource.
ICYMI: CAQ Public Policy Technical Alert (PPTA), October/November 2023
Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s October 2023 and November 2023 Alerts included these featured articles.
FASB Issues New Segment Reporting Guidance
The FASB issued a final ASU that improves disclosures about a public entity’s reportable segments and addresses requests from investors and other allocators of capital for additional, more detailed information about a reportable segment’s expenses. The key amendments:
- Require that a public entity disclose, on an annual and interim basis, significant segment expenses that are regularly provided to the chief operating decision maker and included within each reported measure of segment profit or loss.
- Require that a public entity disclose, on an annual and interim basis, an amount for other segment items by reportable segment and a description of its composition.
The ASU applies to all public entities that are required to report segment information in accordance with FASB Accounting Standards Codification Topic 280, Segment Reporting. All public entities will be required to report segment information in accordance with the new guidance starting in annual periods beginning after December 15, 2023.
New PCAOB Staff Report Sheds Light on Rising Audit Deficiencies Related to Engagement Quality Reviews
The PCAOB announced a new staff report that reveals 42% of firms the PCAOB inspected in 2022 had a quality control criticism related to engagement quality reviews (EQRs), up from 37% in 2020. The staff report, “Inspection Observations Related to Engagement Quality Reviews,” focuses on the PCAOB-mandated EQR process, in which a reviewer who is not part of the engagement team evaluates significant judgments made by the audit engagement team. In addition to covering recent trends in audit deficiencies related to EQRs, the staff report provides good practices and reminders for auditors so they can avoid such deficiencies. It also highlights key questions related to EQRs that audit committees might want to consider as discussion points as they engage with external auditors.
Steelers Announce Partnership With the Center for Audit Quality to Introduce Students to Accounting
The Pittsburgh Steelers announced a multi-year partnership with the CAQ Accounting+, a first-of-its-kind, multi-stakeholder nationwide campaign to attract a new generation of diverse students into the accounting talent pipeline. The core focus of this partnership is the ‘Steelers Showcase’ program, which will launch this fall. This program will expose students from across Western Pennsylvania to the field of accounting, with the committed goal of increasing the diversity of the accounting profession’s talent pipeline. At Steelers Showcase events, students will have the opportunity to network with members of the Steelers’ Finance Department and local industry executives.
Red, Green & Blue? Lessons from the Blue Zones – Living to 100+
As the new year approaches, thoughts turn to resolutions. Plans to live a healthier life – vowing to exercise more, eat healthier, and lose weight – are among the top resolutions in the U.S. You know how the gym is packed the first week in January? Or maybe you were in the 41% of U.S. adults who intended to take part in Dry January 2023? (16% actually managed.)
If living healthy is the goal, who better to look to than those who do? Dan Buettner identified the five original blue zones – the places in the world with the healthiest, longest-living populations:
- Nicoya, Costa Rica
- Sardinia, Italy
- Loma Linda, United States
- Ikaria, Greece
- Okinawa, Japan
What do these centenarians have in common?
- A plant-based diet (and two other food philosophies: the 80% Rule – stop eating when you are 80% full and Wine @ 5 – moderate but regular consumption of wine with friends and/or food. Win-win.)
- Daily activity – Move naturally throughout the day – walking, gardening, doing housework
- A Positive Outlook & Sense of Purpose – Call it ikigai or plan de vida – those in the blue zone have a reason for living
- Strong Connections & Community – Strong family and friend connections are part of a healthy life.
Happy Holidays and Happy New Year!
Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (email@example.com).
This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.