June is a great month for many reasons. For some, school is finally out! It’s Pride Month, we celebrate Juneteenth and we enjoy the longest day of the year. And it’s hard to believe we are nearly halfway through the calendar year. For calendar year-end companies, Q2 is wrapping up and July audit committee meetings are approaching. To help keep you current, we scour available resources and keep up with regulatory developments. Read on to stay informed on these relevant developments for audit committee members.
We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.
Ethics and compliance, part 1: New proposed PCAOB auditing standard on NOCLAR and it’s a big deal for companies, auditors and audit committees
NOCLAR is short for “noncompliance with laws and regulations.” The Public Company Accounting Oversight Board (PCAOB) has proposed a new auditing standard, AS 2405, A Company’s Noncompliance with Laws and Regulations, seeking to strengthen auditor requirements to identify, evaluate, and communicate possible or actual noncompliance with laws and regulations. “By catching and communicating noncompliance sooner, auditors can help companies course correct and better protect investors from risk,” said PCAOB Chair Erica Y. Williams.
The two CPA Board members do not support it. Their concerns? Significantly expanded auditor responsibilities and increased cost.
Board member Duane DesParte stated, “Many of today’s proposed enhancements are positive. For example, today’s proposal would strengthen requirements during risk assessment and throughout the audit to identify, assess and respond to risks of material financial statement misstatement associated with noncompliance.”
But in his statement, he points out that the wording of the proposal, “suggests the auditor would be expected and held accountable to identify any and all information that might indicate instances of noncompliance of any law or regulation across the company’s entire operations, without regard to materiality. In my view, this is a significant scope expansion; and to meet this requirement, auditors would be required to embed compliance attestation procedures into the financial statement audit. This is well beyond both the scope of the financial statement audit and the auditor’s core competency; and will trigger the need—at great cost– to significantly increase the use of lawyers and others as specialists on many, if not all PCAOB audit engagements on a recurring basis.”
“The scope of the expanded auditor’s procedures cannot be underestimated.”
– Duane DesParte, PCAOB Board member
DesParte continued, “Companies of all sizes are subject to a vast array of laws and regulations with which they must comply, including federal, state, and local laws in each domestic and foreign jurisdiction in which they operate. These laws and regulations continually evolve, and cover a myriad of areas including corporate governance, securities, markets, trade, contracts, taxes, consumers, employment, health, safety, environmental, privacy, intellectual property, mergers, acquisitions, and foreign corrupt practices among others.”
Board member Christina Ho cited concerns that the proposal “is not fully transparent about the significant additional responsibilities it would impose on all public company auditors by eliminating the distinction between noncompliance that has a direct versus indirect effect, on a public company’s financial statements.”
She continued:
Proposed AS 2405.05(a) would require auditors to “[i]dentify the laws and regulations with which noncompliance could reasonably have a material effect on the financial statements” of the public companies being audited… , an auditor must first identify all the laws and regulations applicable to the public company. It is this threshold requirement which causes me the greatest concern and for which the proposal does not seem to fully address. For example, although the proposal includes a sentence that the requirement “would not represent every law or regulation to which the company is subject” in two places of the preamble to the proposal, it appears to be inconsistent with our existing auditing standards. Moreover, in a bit of understatement, the economic analysis explains that “[a]uditors would likely need to expend considerable additional audit effort to identify relevant laws and regulations under the proposed standard” and that “the costs associated with the proposed amendments . . . may be substantial.”
Public comments are due to the PCAOB by August 7, 2023.
Ethics and compliance, part 2: Questions for the audit committee agenda and a new audit committee blueprint
Certainly, assessing compliance with laws and regulations is important at many levels – management, the company’s compliance function, internal and external audit as well as the board and specifically the audit committee. Deloitte’s Center for Board Effectiveness provides perspective regarding Who’s in charge: The audit committee’s role in ethics and compliance oversight. Deloitte suggests the following are some of the key questions the audit committee can ask about the company’s ethics and compliance policies:
- Do we have the right policies in place? Are there key risks for which we don’t have policies?
- Have existing policies been updated to address recent developments, including changes in the company, in law or regulation, and otherwise?
- Do we have the right management resources to monitor and enforce compliance with our policies? How are we using technology to monitor and enforce our policies?
Also, a new PCAOB staff Spotlight suggests questions for audit committee members to consider among themselves or in discussions with their independent auditors, particularly given today’s economic and geopolitical landscape. The Spotlight includes questions on the risk of fraud (among other topics):
- Did the auditor identify any new risks of fraud in the current year audit? If not, what procedures did the auditor perform to identify risks of fraud, and were any procedures different from the prior year?
- Did the auditor identify any significant unusual transactions? If yes, how did the auditor evaluate whether the transaction was for a legitimate business purpose?
- What procedures did the auditor perform to identify potential related party transactions? Did the auditor perform the same procedures for related party transactions that are also significant unusual transactions (e.g., significant related party transactions outside the normal course of business)?
- Did the auditor’s inquiries of management include whether possible illegal acts, such as potential noncompliance with sanctions and other laws or regulations, have occurred? If any acts were identified, what was the impact on the audit?
- What procedures were performed by the auditor to address whether management perpetrated or concealed fraud by presenting incomplete or inaccurate financial statement disclosures or by omitting necessary disclosures?
Legal and regulatory compliance is a focus area for audit committees. According to KPMG’s 2023 Audit committee survey, for US respondents:
- For which risks does your audit committee have significant oversight responsibilities? Top 3:
  - Management’s enterprise risk management process – 74%
  - Cybersecurity and IT – 72%
  - Legal/regulatory compliance – 67%
- Of the various enterprise risks under the purview of multiple board committees, which one are you most concerned about in terms of potential oversight gaps? Top 3:
  - Cybersecurity/data privacy/AI – 44%
  - Human capital management (HCM) – 29%
  - Legal/regulatory compliance – 24%
- In addition to regular interactions/reporting to the board, with whom is the audit committee spending significantly more time in light of the evolving risk & disclosure environment? Chief compliance officer ties for 9th at 15%. The Top 10 include: CFO (76%), GC (51%), External auditor (48%), CAE (44%), CAO (39%), CISO (35%), CRO (25%), CTO (22%), Controller (15%), CCO (15%).
Looking for more help related to compliance oversight by the audit committee? The NACD published a new Audit Committee Blueprint. As it relates to Compliance and Culture, the report recommends audit committees:
“Closely monitor the tone at the top and organizational culture—particularly across the finance / financial reporting function—with a sharp focus on yellow flags and behaviors (not just results).”
Other Working Group observations include:
- “You have to create an environment in which people feel that they can speak up and say, ‘We don’t have the resources we need to do what you are asking.’”
- “Watch for ‘repeat offenders.’ They are often a symptom of a poor culture, and they raise questions about integrity and openness. Are the finance, compliance, and internal audit functions ‘empowered,’ or is there a culture that discourages leaning in too far?”
- “The audit committee needs to develop a close relationship with the chief compliance officer—and open, candid communications are key.”
- “Excessive turnover on the board or in management is a bad symptom. Management knows more than we do, and excessive or fast departures are usually an indicator of a problem.”
Crypto: SEC sues, PCAOB inspects, new CAQ tool for audit committees
The SEC is suing Binance and Coinbase, the largest crypto platforms in the world and US, respectively. According to the WSJ, the SEC said they operated as securities exchanges without properly registering their business with the SEC. The agency hopes courts will order the firms to follow its rules for stock exchanges or stop trading crypto assets in the U.S.
Why did the SEC act against Binance and Coinbase? The Brookings Institution explains: there’s been a debate about what is crypto and what isn’t it? Is it a security? Is it a commodity? Do they operate exchanges or spot markets? What type of structure is it? And the SEC is aggressively exerting its authority, saying, Oh no, you’re an exchange. You’re under our existing purview in law. We don’t believe you’re complying with it and we’re going to sue you.
What’s being a security or a commodity got to do with it? More from Brookings’ podcast, What do the SEC’s lawsuits signal for the future of cryptocurrency?:
America is unique in that we regulate securities and commodities differently. Why do we regulate commodities differently from securities? Long history. A lot of it has to do with the tension in America between agricultural interests and banking interests, money-centered interests. But we have two different capital markets regulators, the Commodities Futures Trading Commission or CFTC and the Securities and Exchange Commission, or SEC. The SEC is what most Americans know, because most Americans who invest, invest in things like stocks and bonds and trade in mutual funds. And those are all governed by the SEC. It’s rare for retail investors to trade in commodities. Do you know anybody who trades soybeans futures? Right. Or even metallic gold? And so, the CFTC is the smaller of the two regulatory bodies, but has been exerting more jurisdiction in crypto under the argument that crypto is a commodity, not a security. In the rest of the world it would be the same regulator either place. Only in the U.S. do we differentiate between the two.
While the SEC is suing, the PCAOB is inspecting. The PCAOB has published a Spotlight on Inspection Observations Related to Public Company Audits Involving Crypto Assets. The Board observed good practices, including:
- Consultations – Engagement teams are encouraged to consult with members of their firm’s professional practice group and/or subject matter specialists related to crypto assets.
- Subject matter specialists – Establishment of centralized groups related to distributed ledger technology (e.g., cryptography, blockchain technology). These auditor-employed specialists assist audit teams with conducting audit procedures related to crypto assets, as needed.
- Technology-based tools – To support public company audits involving crypto assets, proprietary technology-based tools have been developed.
Inspection deficiencies include:
- Fraud and Significant Unusual Transactions: Auditor should take into account transactions outside the normal course of business or that are unusual in timing, size, or nature.
- Ownership of Crypto Assets: Auditor should obtain a sufficient understanding of controls over crypto assets and perform tests of such.
- Relevance and Reliability of Information Used As Audit Evidence: Auditor should evaluate relevance and/or reliability of information related to self-custodied digital wallets and external providers’ data to support crypto asset conclusions, test completeness of crypto and mining revenue, and sourcing third party information to support crypto valuation.
- Revenue Recognition in Crypto Asset Transfer: Auditor should perform procedures to assess appropriateness of revenue recognition related to crypto asset transfers.
- Arrangements With Mining Pool Operators: Auditor should obtain an understanding of the terms/conditions of the public company’s arrangement with mining pool operators when revenue is material to financial statements, and evaluate for indicators of potential impairment for property and equipment used in crypto mining.
Need more information about digital assets and crypto? In English? (Yes, please). The CAQ has a new publication, Continuing Your Digital Assets Journey, A Tool for Audit Committees which is a follow-up to the CAQ publication, Jumpstart Your Digital Assets Journey: A Tool for Audit Committees.
The new CAQ tool explores these topics:
ICYMI: CAQ Public Policy and Technical Alerts (PPTA), May 2023
Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s May 2023 Alert included these featured articles.
PCAOB Enhances Transparency of Inspection Reports With New Section on Auditor Independence and More
The PCAOB announced it has enhanced its inspection reports with a new section on auditor independence and information. The enhanced inspection reports will include:
- A new section of the report focused on independence violations
- More information related to fraud procedures and the identification and assessment of the risks of material misstatements
- More commentary
- New graphs
IOSCO Sets the Standard for Global Crypto Regulation
IOSCO issued for consultation detailed recommendations to jurisdictions across the globe as to how to regulate crypto assets. In a major initiative designed to improve global standards of regulation of crypto assets, IOSCO has set out how clients should be protected and how crypto trading should meet the standards that apply in public markets. IOSCO has opened a public consultation on its recommendations and aims to finalize them by the end of the year. Comments on the consultation paper should be sent to IOSCO on or before July 31, 2023.
FRC Publishes Minimum Standard for Audit Committees
The FRC announced the Audit Committees and the External Audit: Minimum Standard. The primary objective of the standard is to enhance performance and ensure a consistent approach across audit committees within the FTSE350. The standard will apply to FTSE350 companies. The standard is now available to audit committees on a voluntary basis, ahead of the anticipated legislation that will make compliance with the standard mandatory.
FRC Launches Consultation on Revision to the Corporate Governance Code
The FRC launched a public consultation on proposed revisions to the UK Corporate Governance Code. Areas of focus include:
- Making necessary revisions to reflect the responsibilities of the board and audit committee for sustainability and ESG reporting and appropriate assurance in accordance with a company’s audit and assurance policy.
- Amending the Code to take account of the new Audit Committee Standard (Audit Committees and the External Audit: Minimum Standard).
The FRC will also review the existing guidance which supports the Code: Guidance on Audit Committees, Guidance on Board effectiveness, and Guidance on risk management, internal control and related financial and business reporting. Comments on the questions set out in this consultation document are requested by September 13, 2023.
Wiser than me, wisdom from older women
Why the hell don’t we hear more from older women? So asks Julia Louis-Dreyfus in her podcast, Wiser Than Me. Here are some gems:
“No is a complete sentence.”
– Jane Fonda and Carol Burnett
“What I discovered as I prepared for my third act was you spend your life exploring. You go back to your girlhood, and you become all the things that she was supposed to be, that you never knew at the time was really who she was, because you were trying to be what other people thought she should be.”
– Jane Fonda
“The most important relationship you have in life is the one with yourself. Once you have that, any other relationship is a plus, not a must.”
– Diane von Furstenberg
“Most people who love to write are horrible writers, so of course they love to write.”
– Fran Lebowitz
Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org).
This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.