August 10, 2023
 

Audit Committee Insights | July/August 2023


Is it hot and humid where you are this August? It sure is in Washington, DC. It’s not just the weather that is steamy. As always, there are lots of regulatory developments to keep financial reporting stakeholders busy. We hope you are finishing up your Q2 review and looking forward to a pre-fall vacation. But don’t check out just yet.

To help keep you current, we scour available resources and keep up with regulatory developments. Read on to stay informed on these relevant developments for audit committee members.

We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.


What’s Happening at the SEC? Final SEC Cyber Rule is Out; Top 10 Comment Letter Trends to Watch
Audit Committee Insights Jul/Aug 2023

Final Cyber Rule – Material cyber incidents must be disclosed within 4 business days

The final SEC cyber rule is out. Here is a good summary from EY.

The final rule requires disclosure of:

  • On Form 8-K within 4 Business Days of Determining the Incident Is Material: Material cybersecurity incidents, with a delay only when the US Attorney General concludes disclosure would pose a substantial risk to national security or public safety, and
  • Annually: Material information regarding cybersecurity risk management, strategy, and governance.

Is cyber expertise required on the board? No.

The SEC did not adopt the proposed requirement to disclose board members’ cybersecurity expertise. The adopting release states that effective cybersecurity processes are designed and administered at the management level, and the board can effectively oversee management’s efforts without specific subject-matter expertise.

The rules require registrants to disclose the board’s role in overseeing risks from cybersecurity threats. Registrants are required to identify any board committee or subcommittee that oversees cybersecurity risks, if applicable, and describe the processes by which the committee is informed about such risks.

The rule requires disclosures about management’s role in assessing and managing material risks from cybersecurity threats, including whether certain management positions or committees are responsible for assessing and managing cybersecurity risk and their relevant expertise. Registrants must also disclose the processes by which management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, including whether management reports information about such risks to the board.

The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. Calendar-year registrants must provide the risk management, strategy and governance disclosures in their 2023 annual reports.

Top 10 List – SEC comment letter trends to watch – Non-GAAP, MD&A, Business Combinations top the list

PwC’s Governance Insights Center has analyzed SEC comment letters to registrants during the period July 1, 2022 – June 30, 2023. This chart depicts the Top 10 trends. Check out the interactive version where you can click on a trend from the table to learn more (sorry the one below is static!):

What’s Happening at the PCAOB? Make Your Voice Heard on NOCLAR and Ask About Inspections


Help the PCAOB modernize auditor rules for NOCLAR

In June, we told you about the PCAOB’s NOCLAR proposal. NOCLAR is short for “noncompliance with laws and regulations.” The two CPA Board members do not support it. Their concerns? Significant expanded auditor responsibilities and increased cost.

The auditing profession is supportive of enhancements to existing AS 2405, but we believe that updates need to be principles-based and allow the auditor to take a risk-based approach. The CAQ submitted our comment letter to the PCAOB on August 7 with the following key observations:

  1. Fundamental shift in the objectives of an audit: The requirements proposed in the standards represent a fundamental shift in the auditor’s objectives in planning and performing the audit. The proposed standard puts auditors in the position of performing procedures consistent with the objective of a compliance audit or forensic investigation. We recommend the Board look to the rulemaking history of Section 10A of the Securities Exchange Act, as well as the rulemaking history of PCAOB Auditing Standard No. 2, and the later need for PCAOB Auditing Standard No. 5, when finalizing the proposed standard.
  2. Scope of the proposal: The securities laws and their implementing regulations do not require a public company’s management to identify all laws and regulations to which the public company is subject, and yet this proposal appears to essentially require auditors to do so. Our concern with the lack of clarity related to the “threshold” auditors would use to identify laws and regulations on which to focus their procedures is at the heart of our concerns with the proposed standards. Clarifying the threshold of which laws and regulations an auditor would need to focus on, and how this would relate to the risk assessment the auditor performs with respect to the historical financial statements being audited, would improve the operability of the proposed standard.
  3. Auditors are not lawyers or forensic specialists: Broadening the scope of the laws and regulations for which the auditor must consider whether non-compliance “could reasonably” have a material impact on the financial statements would require a deep level of legal and regulatory subject matter expertise and interpretation, which does not fall within the core competencies of financial statement auditors and could be viewed as the auditor engaging in the unauthorized practice of law. The proposed standards significantly expand auditors’ need for expertise from significant numbers of lawyers, regulatory experts, fraud experts, and other specialists.
  4. Role of auditor versus role of management: A long-established accountability framework exists, whereby management prepares and discloses financial and other information; auditors obtain reasonable assurance about whether the financial information is prepared in accordance with a financial reporting framework, in all material respects; and regulators provide oversight of the public companies and auditors. The proposal essentially transforms the auditor’s role into a responsibility to monitor an entity’s compliance with evolving laws and regulations, which is, at a minimum, a compliance function and, potentially, a management function. Such a transformation would come at the detriment of the auditor’s core responsibilities of performing an independent assessment of the financial statements prepared by management.
  5. Costs and benefits of NOCLAR proposal require further study: The costs and benefits of the NOCLAR proposal have not been adequately studied. The proposal does not quantify the substantial costs that could be incurred as a result of the proposed standards, nor does it provide evidence that benefits will be achieved.

In addition to the CAQ’s letter above, we organized a “sign-on letter” addressing the concerns that audit committees have about the PCAOB’s proposal, which was also submitted to the PCAOB on August 7. In this comment letter, 170 audit committee chairs, board members and other capital markets stakeholders signed on to share their concerns about the PCAOB’s NOCLAR proposal. This letter was submitted on behalf of audit committee chairs, members, and other public company board members who collectively sit on the boards of public companies aggregating to over $2 trillion in market capitalization. If you’d like to add your voice to the sign-on letter, it’s not too late. Click here to sign and we’ll monitor and submit an updated version to the PCAOB.

All comment letters submitted to the PCAOB are public and maintained on their website here.

PCAOB’s inspections: Questions to ask your auditor

The PCAOB recently issued a new Spotlight, Staff Update and Preview of 2022 Inspection Observations, which previews the findings from the PCAOB’s inspections during 2022. The report found that approximately 40% of the audits reviewed across 157 audit firms and portions of 710 audits will have one or more deficiencies that will be included in Part I.A of the individual audit firm’s inspection report, up from 34% in 2021 and 29% in 2020. The 157 audit firms reviewed include both US and non-US annually inspected and triennially inspected firms.

Suggested Questions for the Audit Committee – According to the PCAOB’s Spotlight, the following are suggested questions that audit committees may want to consider in discussions with their independent auditors:

  • Has our audit engagement been inspected, and, if so, would you share the results? Were there any audit areas that required significant discussions with the PCAOB that did not result in a comment form?
  • Has the engagement partner been inspected on other engagements? If so, what were the results of that inspection?
  • What is the audit firm doing to address overall increased inspection findings?
  • Are there any audit procedures that are unnecessarily complicated or not “straightforward” because management is not providing clear, supportable information?

Audit committees can effectively work with their auditor to ensure they have the resources necessary and audit committee support to perform a high-quality audit. Read the CAQ’s Guide to PCAOB Inspections for more information, including Appendix B: A tool for audit committees – Questions for the auditor regarding PCAOB inspection reports.

Key Takeaways When Overseeing a Special Investigation


It’s not a situation you want to encounter – a special investigation. And if you encounter a special investigation, you may not be an expert in navigating it. But others have been through it and certain professionals are experts. Therefore, learning from them is the best place to start. To that end, during the second quarter of 2023, Tapestry Networks discussed oversight of special investigations, with a focus on the preliminary inquiry, overseeing the investigation, and concluding the investigation.

Key takeaways for audit committee members include:

The preliminary inquiry

  • Decide whether and when to launch a board-led investigation
    • Set expectations with management on when and how to escalate issues.
    • Establish which matters require board involvement.
    • Consider all audiences with the end in mind.
  • Determine who from the board should lead the investigation
    • The audit committee
    • A special committee of the board
    • The full board
  • Select the best legal counsel for the matter
    • Determine whether retaining outside counsel is appropriate.
    • If so, ensure that outside counsel have appropriate experience and expertise.

Overseeing the investigation

  • Partner with advisors to properly scope the investigation
    • Plan and scope the investigation appropriately.
    • Redefine the scope as required.
  • Ensure timely and appropriate communications
    • Keep management appropriately informed, with clear expectations on involvement and visibility.
    • Establish a regular cadence of communication with the board.
    • Communicate with the external auditor early and often.
    • Communicate with shareholders at the right time.
  • Prepare for interactions with regulators
    • Stay updated on DOJ and Securities and Exchange Commission (SEC) enforcement priorities.
    • Assess whether and when to self-report.

Concluding the investigation

  • Know when to end an investigation
    • Remember that counsel serves at the pleasure of their client.
    • Determine whether the investigation’s objectives have been reached.
    • Ensure that the investigation’s procedure and results are defensible and relevant stakeholders are satisfied.
    • Ask and answer the right questions.
  • Remediate during and after an investigation
    • Make improvements as you go.
    • Find and eradicate the matter’s root cause.

Read the full publication for great insights on overseeing a special investigation and don’t go it alone.

ICYMI: CAQ Public Policy and Technical Alert (PPTA), June/July 2023

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s June 2023 and July 2023 Alerts included these featured articles.

FASB Seeks Public Comment on Proposal to Improve the Accounting for Purchased Financial Assets
The FASB published a proposed ASU intended to improve the accounting for purchased financial assets. Investors and preparers provided feedback that having two accounting models for purchased financial assets is unnecessarily complex and they would prefer to apply a single accounting model to recognize credit losses for all purchased financial assets. The proposed ASU would require that all acquired financial assets, with certain limited exceptions, follow the existing gross-up approach. Stakeholders are encouraged to review and provide input on the proposed ASU by August 28, 2023.

ISSB Issues Inaugural Global Sustainability Disclosure Standards
The International Sustainability Standards Board issued its inaugural standards—IFRS S1 and IFRS S2—ushering in a new era of sustainability-related disclosures in capital markets worldwide. IFRS S1 provides a set of disclosure requirements designed to enable companies to communicate to investors about the sustainability-related risks and opportunities they face over the short, medium, and long term. IFRS S2 sets out specific climate-related disclosures and is designed to be used with IFRS S1.

What You Need to Know About International Standard on Sustainability Assurance 5000
The International Auditing and Assurance Standards Board (IAASB) issued the proposed, landmark International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements, for public consultation on August 2. When approved, ISSA 5000 will be the most comprehensive sustainability assurance standard available to all assurance practitioners across the globe. Comment letters are due December 1, 2023.

S&P 500 ESG Reporting and Assurance Analysis
The CAQ updated its analysis of ESG reporting and assurance by S&P 500 companies. Among the key takeaways:

  • The number of companies reporting ESG information increased from 93% to 99% of S&P 500 companies (however, some of the increase is due to a methodology change the CAQ made)
  • The number of companies seeking assurance over certain ESG metrics increased by 13% from 2020
  • In 2021, the scope of information being subject to assurance increased – this was most pronounced when public company audit firms provided the assurance

Summer of ‘23


How is your summer of ’23 going? Has it been flying by for you too? Perhaps you saw the Barbenheimer double feature to get out of the extreme heat? Or you crisscrossed the country with other Swifties to watch Taylor Swift (how did you get tickets?!?!?)? No? Perhaps you visited a national park out west and summited the Half Dome in Yosemite as 93-year-old Everett Kalin did in July? No? Well, that’s OK. There’s always next year. Hope you are having a great summer wherever you are.

 


Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org).

This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.