Audit Committee Insights | September/October 2022
Monday, October 31, 2022
Happy Halloween! Did you miss us? We took August off. Then September went by in a flash! And now the pumpkin lattes have been out for over a month and holiday candy is in stores. And not Halloween candy…the December holidays! We scour available resources and keep up with regulatory developments to help keep you up to date. Read on to stay informed on these relevant developments for audit committee members.
We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.
Ask your auditor. Suggestions from the PCAOB.
How are auditors responding to the financial reporting and auditing risks posed by the current economic environment?
The PCAOB Spotlight offers questions for audit committees to consider, such as:
- How have economic factors (e.g., supply chain disruption, inflation) influenced the auditor’s risk assessment for the current year’s audit?
- If management made changes to certain accounting policies, practices, or estimates as a result of current events (e.g., higher inflation and costs of capital, the invasion of Ukraine), has the auditor considered how those changes may impact the planned audit strategy?
- What is the audit firm doing to attract and retain talent to ensure that all engagement team members have appropriate levels of competency, degree of proficiency, training, and supervision?
- Did the auditor identify and assess cybersecurity risks and evaluate potential cyber breaches within the company’s operations, which may have an effect on financial reporting? If so, what were the results of the auditor’s procedures?
- Are there any complexities (e.g., multiple systems) or concerns (e.g., data security) at the company preventing the use of technology by the auditor?
The PCAOB Spotlight offers other suggested questions for audit committees to consider related to auditor independence, audit firms’ quality control systems, initial public offerings and M&A, and auditing digital assets.
Cyber Governance and Disclosure? Game On.
EY analyzed cyber-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies and found an increase in disclosures related to cybersecurity risk management and oversight.
What does ‘Good’ disclosure look like? Here’s what Fortune 100 companies are disclosing:
- 100% – Cybersecurity as a risk factor
- 70% – Audit committee oversees cyber
- 51% – Cyber in at least one director biography
- 51% – Company maintains a level of cybersecurity insurance
- 14% – External advisor provided attestation
- 9% – Preparedness includes simulations, tabletop exercises or response readiness tests
- 7% – Cybersecurity in executive compensation considerations
The North American and European Audit Committee Leadership Networks of Tapestry held a recent discussion on the future of cyber risk. Key takeaways include:
- AI can be pretty cool… but also creates new cybersecurity and ethical risks. For example, UnitedHealth is being investigated for its algorithm that a study found prioritized care for healthier white patients over sicker black patients. Read more on AI governance from Deloitte.
  - Ask questions about what checks and balances are in place as new technologies are developed and deployed.
- Look at cyber from both sides now. You really might not know cyber at all. Audit committees can drill down to understand and prepare for future vulnerabilities
  - Close call? Ask management about near misses, not just the big breaches
  - Bring it down a level. Bring in business unit leaders on a rotating basis to explain their cybersecurity practices
  - Security is multilayered and includes ‘on premises’ and ‘on the cloud’
- Got talent? Talent management is a top cyber concern
  - Having trouble finding cyber talent? You’re not alone. The global cybersecurity workforce has 2.72 million unfilled positions
  - This lack of skilled talent is the topmost barrier to meeting corporate security needs
- Fake news is an emerging risk
  - Companies are facing targeted disinformation – the intentional spread of false or manipulated information to harm an organization, brand, or person – at growing rates.
  - Identify relevant stakeholders and assign responsibility
  - Train employees to recognize disinformation
  - Create an incident response plan and hold practice drills
BDO weighs in. It’s an important time for boards to review their oversight of cyber risk. Taking a proactive stance on cybersecurity can help strengthen an organization’s ability to prevent, detect, mitigate and respond to threats. You can also check out the CAQ’s The Role of the Auditors in Company-Prepared Cybersecurity Information.
Practical Tips for the audit committee chair? Nailed it.
Scope creep. Increased workload. Emerging risks and evolving regulatory requirements. The audit committee and the chair especially are pressed for time. But time you can manage. It’s the right skills and experience you need to focus on. PwC provides practical tips for the chair:
- Committee size – Four audit committee members is typically the right size with at least two financial experts.
- Watch for over-boarding – Directors on NYSE-listed companies must get approval to serve on more than three public company audit committees.
- Succession planning – Formally consider board rotation of five to seven years.
- Successful onboarding – Focus on successful onboarding of new committee members involving the chair, CEO, financial leadership team, internal audit and external audit.
- Board education – Have a mix of in-boardroom education sessions with internal and external speakers as well as external training and events.
- Meet the chiefs – Meet separately in private session with the CFO, chief audit executive, and external auditor at a minimum. Other individuals to consider meeting with include the chief compliance officer, chief risk officer, chief information security officer, chief information officer, general counsel, and tax leaders.
Want to leverage internal audit better? PwC has questions you should ask for that too. (*Spoiler alert*)
- What is your confidence level that the internal audit function is spending time in the right areas?
- How is internal audit working with process owners, functional areas, and possibly external auditors in advance of the finalization of the proposed SEC disclosure rules on climate, human capital, and cybersecurity?
- How is internal audit working with other risk functions (e.g., compliance, enterprise risk) to deliver a combined view of risk to the audit committee?
Need an in-depth resource? Deloitte’s Center for Board Effectiveness has updated their Audit Committee Guide. Check out the online interactive version or download a PDF.
A few quick hits are:
- Detailed audit committee requirements – including SEC, NYSE, and Nasdaq
- Tools and resources, including a sample audit committee charter, sample calendar planning tool and a self-assessment tool
- Tips for managing meetings, and auditor evaluation (including reference to the CAQ’s External Auditor Assessment Tool)
- *Love this* “Questions for the audit committee to consider” on composition, charter, self-assessment, earnings release, ICFR, related-party transactions, proxy disclosures, ERM, fraud risk, cyber risk, M&A, ESG, independent auditor oversight, internal auditor oversight, code of ethics and conduct, and hotlines all in one spot. And a manageable 9 pages (really 8 pages as the last page is just a logo)!
ICYMI: CAQ Public Policy and Technical Alert (PPTA), August & September 2022
Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s August and September Alerts included these featured articles.
S&P 500 10-K analysis of climate, GHG emissions, and net-zero carbon neutral commitment
The CAQ posted a new analysis of S&P 500 companies’ 10-Ks in which it sought to understand their SEC filing disclosures regarding climate-related information, greenhouse gas emissions, and net-zero and carbon neutral commitments. CAQ observed that most companies mention climate-related information in their 10-K, but the type of information varies greatly from company to company.
PCAOB signed a Statement of Protocol with the China Securities Regulatory Commission and the Ministry of Finance of the People’s Republic of China
The PCAOB signed an agreement with China, taking the first step toward opening access for the PCAOB to inspect and investigate registered public accounting firms headquartered in mainland China and Hong Kong completely, consistent with U.S. law.
The PCAOB provides 2021 observations from the target team, a group of inspectors who focus on emerging audit risks and topics
The PCAOB posted its August 2022 report Spotlight: Observations From the Target Team’s 2021 Inspections. It spotlights fraud, interim reviews of special purpose acquisition companies (SPACs), going concern, and cash and cash equivalents.
FASB issues standard to enhance transparency around supplier finance programs
The FASB issued an Accounting Standards Update (ASU) that enhances transparency on the use of supplier finance programs for investors and other allocators of capital. Under the new ASU, a company that uses a supplier finance program in connection with the purchase of goods or services will be required to disclose sufficient information about the program to allow a user of financial statements to understand the program’s nature, activity during the period, changes from period to period, and potential magnitude. The buyer will be required to provide the key terms of the program as well as certain information regarding the obligations that the buyer has confirmed as valid to the finance provider or intermediary.
SEC adopts pay versus performance disclosure rules
The SEC adopted amendments to its rules to require registrants to disclose information reflecting the relationship between executive compensation actually paid by a registrant and the registrant’s financial performance. The rules implement a requirement mandated by the Dodd-Frank Act. Specifically, the amendments require registrants to provide a table disclosing specified executive compensation and financial performance measures for their five most recently completed fiscal years. With respect to the measures of performance, a registrant will be required to report its total shareholder return (TSR), the TSR of companies in the registrant’s peer group, its net income, and a financial performance measure chosen by the registrant.
M&Ms and Sour Patch Kids cross the aisle – Halloween’s popular candy by state
The Candy Store reports that M&Ms and Sour Patch Kids (SPK for those in the know) are the top choices in 7 states each. M&Ms are beloved in DC, Vermont, Oregon, Ohio, New Hampshire, Kansas, and Iowa. SPK are the faves in New York, Nebraska, Massachusetts, Maine, Illinois, Delaware, and Alaska. Top billing in 5 states are Reese’s Cups – Wyoming, North Carolina, Kentucky, Florida, and California. Did we take the popular candy by state chart and make a pivot table? Maybe. We might have done that.
Now, The Food Network cites Snickers as the favorite candy in 23 of 50 states. You know, “You’re not you when you’re hungry. Snickers satisfies.” You are now probably craving a Snickers. Their research data is based on a state-by-state breakdown of the top Halloween candies, according to Google search volume. Just goes to show different data, different story.
Are you handing out your state’s favorite candy this year? Or maybe you will pretend not to be home (one in five adults (21%) will, according to a 2021 YouGov poll, as reported by Today). Or maybe you’re dressing up in this year’s most popular costumes as characters from “Stranger Things,” “Ted Lasso,” and “Yellowstone.” 😉 Trick or Treat!
Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (email@example.com). This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.
Check out the CAQ’s Audit Committee Resource Collection for more information.