They say “the only constant in life is change.” Well, things are changing in Washington, DC. What’s not changing is the CAQ serving as your source of information on all things public company auditing. As we wait for, and prepare for, the change coming to the nation’s capital, those of us in the corporate reporting ecosystem can all agree to remain focused on our role to protect the capital markets. Read on to learn about the latest developments.
We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.
What Audit Committees Need to Know about Cybersecurity Disclosures
Use Form 8-K only for material incidents
In his statement, SEC Corp Fin Director Erik Gerding reminds companies that Form 8-K is for material breaches. Gerding encourages companies that choose to voluntarily disclose an immaterial cybersecurity incident or choose to disclose early while a materiality determination is still being made to do so under a different item of Form 8-K — like 8.01 for Other Events. Gerding points out that reporting immaterial incidents under Item 1.05 (“Material Cybersecurity Incidents”) could confuse investors.
Are cybersecurity controls part of internal accounting controls? No.
On July 18, 2024, a New York federal judge dismissed most of the SEC’s claims against SolarWinds Corp. and its Chief Information Security Officer, Timothy G. Brown, in connection with the Company’s cybersecurity practice. The ruling dismissed all allegations related to SolarWinds’ pre-SUNBURST cyberattack risk factor disclosure and post-SUNBURST Form 8-K disclosure, as well as claims concerning SolarWinds’ internal accounting and disclosure controls. Among the claims dismissed by the Court was the SEC’s allegation that SolarWinds failed to “devise and maintain appropriate ‘internal accounting controls’” sufficient to protect its most critical assets from unauthorized access, violating Section 13(b)(2)(B)(iii) of the Exchange Act. Section 13(b)(2)(B)(iii) requires companies to have “internal accounting controls” sufficient to assure that companies’ assets are accessed only with management’s authorization. Relying on this provision, the SEC argued that SolarWinds’ source code, databases, and products were its most vital assets. The SEC alleged that because of the Company’s poor access controls, weak internal password policies, and VPN security gaps, hackers were able to access SolarWinds’ assets without management’s authorization. SolarWinds countered that as a matter of statutory construction, “internal accounting controls” cannot reasonably be interpreted to cover a company’s cybersecurity controls. The Court agreed, finding the SEC’s reading of the provision to be “not tenable” because the term “internal accounting controls” refers to a company’s “financial accounting,” which is “one element of a control system implemented to safeguard assets and promote reliable financial records.” As “internal accounting controls” are controls to ensure companies “accurately report, record, and reconcile financial transactions and events,” cybersecurity controls do not reasonably fit within this term. The Court did not deny the vital importance of cybersecurity controls.
However, the Court found, the SEC’s interpretation would mean that Section 13(b)(2)(B)(iii) would “broadly cover all systems public companies use to safeguard their valuable assets,” and would have “sweeping ramifications” as to how public companies are regulated.
Fortune 100 Cybersecurity Disclosure Trends
Overall, public companies continue to disclose greater amounts of information about cybersecurity. Every aspect of cybersecurity in disclosures tracked by EY has increased since they began this effort in 2018. An analysis of cybersecurity oversight disclosures made by Fortune 100 companies reveals the following:
- Audit committees continue to oversee cyber: Despite an increasingly heavy workload, 81% of Fortune 100 companies report that cybersecurity oversight falls to the audit committee, up from 61% in 2018.
- Cyber expertise is in demand: Although the SEC cyber disclosure rule does not require companies to report on the cyber expertise of board members, the review of company filings shows that cyber expertise is in demand. Nearly three quarters (72%) of companies disclose cyber as an area of expertise sought in the board and nearly as many (71%) disclose cybersecurity in at least one director biography, up from 34% in 2018.
- Dedicated cyber risk experts are engaging with the boardroom: 70% of companies report that the Chief Information Security Officer (CISO) provides the board cyber risk information — up from just 9% in 2018.
- Dedicated board time on cyber: More than half (57%) report the frequency of meeting with management on cybersecurity as at least annually or quarterly. The remaining are less specific, saying frequently or periodically. This is more than four times those with a similar disclosure in 2018.
- Preparedness exercises are common: Nearly half of companies (47%) now report performing simulations, tabletop exercises, or response readiness tests as part of their preparation efforts — up from just 3% in 2018.
KPMG Takes a Stance on the 150-hour Rule, Advocating for Alternative Pathways to CPA Licensure
To become a CPA, a candidate is required to earn 30 additional hours of academic credits after earning a bachelor’s degree, work under the supervision of a CPA for one year, and pass the CPA exams.
In October, KPMG called for alternative paths to replace the additional 30-hour academic requirement with experience or create work-study programs overseen by businesses that deliver the equivalent or better value. KPMG stated their view that the cost of becoming a CPA is too high, including both the expense of the extra education and the opportunity cost of spending an extra year in school.
– KPMG Chair and CEO Paul Knopp, Financial Times
KPMG highlighted three dynamics happening today:
- Bachelor’s degree completions in accounting dropped 7.8% from 2021 to 2022 after a steady decline of 1-3% per year since 2015–16.
- The time and cost of the 150-hour requirement for CPA licensure is among the top reasons that students do not select accounting as a major. Moreover, Center for Audit Quality and MIT researchers found the 150-hour requirement poses a more pronounced challenge for Black and Hispanic students.
- To combat the decline, states across the country are having conversations on alternative pathways to CPA licensure. In 2025, at least 13 states are having conversations on legislative changes supporting alternative pathways to CPA licensure.
Relatedly, on September 12, 2024, the American Institute of CPAs (AICPA) and the National Association of State Boards of Accountancy (NASBA) proposed an initiative aimed at helping CPA candidates meet initial licensure requirements. The CPA Competency-Based Experience Pathway would provide an additional option for candidates to demonstrate their professional and technical skills after earning a bachelor’s degree and meeting their state’s requirements for accounting and business courses. Comments on the Exposure Draft are due December 6, 2024.
In addition to the debate on the 150-hour rule, there are other discussions on the attractiveness of the profession. PCAOB Board member Christina Ho commented in a recent speech that the AICPA established the National Pipeline Advisory Group (NPAG) in July 2023 to help shape a national strategy to address talent shortages. NPAG comprises representatives from accounting firms, State Boards of Accountancy, State CPA Societies, academia, and business. A year later, NPAG released a report (and Executive Summary) with “data-driven strategies to boost accounting pipeline.” Ho found the recommendations to be actionable and holistic.
The overarching conclusion she drew from the report is that there is not one magic bullet; instead, the entire accounting profession must work together to solve the problem. In her speech, Ho focused on one of the recommendation themes: tell a more compelling story about accounting careers. This is a recommendation that audit committees can action. Engage with students, your finance team, and your audit teams: share your story and be a mentor to early career professionals.
Curious to find some compelling stories about accounting careers? Through its award-winning Accounting+ initiative, the CAQ has curated and developed a variety of stories that showcase the diversity of paths and people in the accounting profession, like this podcast series, which takes future accountants through a career exploration journey as told through conversations between students and professionals.
SEC Approves New PCAOB Quality Control Standard
In September, the SEC approved the PCAOB’s QC 1000, A Firm’s System of Quality Control. The adopted standard will establish an integrated, risk-based quality control standard that will require all registered public accounting firms to identify specific risks to their practice and design a quality control system that includes appropriate responses to guard against those risks. SEC Chair Gary Gensler and Commissioners Jaime Lizárraga and Caroline Crenshaw voted in support of the adoption, highlighting how the adoption of QC 1000 will require audit firms to design and implement enhanced QC systems. The SEC’s two other Commissioners, Hester Peirce and Mark Uyeda, did not support adoption, both expressing concerns that the PCAOB did not solicit enough feedback and engagement from stakeholders prior to adopting a final QC standard.
QC 1000 includes a requirement for larger audit firms (those that issue more than 100 issuer reports annually) to incorporate an external oversight function in their governance structures. Referred to as the “external quality control function” (EQCF), it is required to be composed of one or more persons who are not principals or employees of the firm and do not otherwise have a relationship with the firm that would interfere with the exercise of independent judgment on the QC system. At a minimum, the EQCF’s responsibilities include evaluating significant judgments made and related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system.
QC 1000 is effective on December 15, 2025. Firms will be required to evaluate the effectiveness of their system of quality control as of September 30 and report to the PCAOB on a non-public Form QC no later than November 30. The first evaluation will be required as of September 30, 2026.
NACD Issues Blue Ribbon Commission Report on Technology Leadership in the Boardroom
It’s hard to imagine a world without cars or electricity or running water. But those were life-changing new technologies in their day. You might remember a time before the internet, smart phones, and WiFi (how did we live without Google!?!) – but that may seem archaic to your kids or grandkids. The point is that technology (and change generally) may feel overwhelming, but we’ve managed innovations in technology for a long time.
To that end, the NACD has issued a Blue Ribbon Commission Report with ten recommendations for technology leadership in the boardroom:
Strengthen Oversight
- Ensure trustworthy technology use by aligning it with the organization’s purpose and values.
- Upgrade board structures for technology governance.
- Clearly define the board’s role in data oversight.
- Define decision-making authorities for technology at board and management levels.
Deepen Insight
- Establish and maintain necessary technology proficiency among the board. (CAQ note – talk to your kids or grandkids; they can keep you current!)
- Evaluate director and board technology proficiency.
- Ensure appropriate and clear metrics for technology oversight.
Develop Foresight
- Recognize technology as a core element of long-term strategy.
- Enable exploratory board and management technology discussions.
- Design board calendars and agendas to ensure appropriate focus on forward-looking discussions.
NACD members can read the full report. Want to attack Recommendation #5 related to GenAI? Check out our recent webinars: AI for Audit Committees Part I and Part II and also this blog, The Age of Generative AI: How Audit Committees Can Respond, from the CAQ’s Erin Cromwell.
ICYMI: CAQ Public Policy Technical Alert (PPTA), September / October 2024
Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s September and October 2024 Alerts included these featured articles.
The Role of the Auditor: Assessing and Responding to Fraud Risk
The Anti-Fraud Collaboration posted a new publication, The Role of the Auditor: Assessing and Responding to Fraud Risk, that provides insights into practices, tools, and considerations to help auditors enhance their professional skepticism and overall approach to assessing and responding to the risks of material misstatement resulting from fraud during the audit. The publication provides clarity and understanding of the auditor’s current role and responsibilities related to fraud, which may provide insights for those who are involved in evaluating and using financial reporting information, as well as for policymakers and regulators.
Audit Partners’ 2025 Economic Outlook Highlights Recession, U.S. Election Concerns
The CAQ published the results of its Fall 2024 Audit Partner Pulse Survey. The Audit Partner Pulse Survey provides independent and objective perspectives on a range of topics, including economic risks and business transformation. Going into 2025, a potential recession, ongoing inflation, and geopolitical instability are just some of the top concerns of audit partners and the companies they audit. Key findings from their observations include:
- Partners Neutral on the Economy Despite Perceived Risks
- Businesses are Concerned for the U.S. Election
- Labor Strategies Signal Mixed News for Workers
- Technology Shifts in AI and Cryptocurrency
Accounting for Crypto-Asset Safeguarding Obligations, a Facts-Based Analysis
The SEC posted a statement delivered by Paul Munter, Chief Accountant, before the 2024 AICPA & CIMA Conference on Banks and Savings Institutions regarding Staff Accounting Bulletin No. 121. In remarks titled “Accounting for Crypto-Asset Safeguarding Obligations — A Facts-Based Analysis,” Munter highlighted observations from recent accounting consultations his staff conducted with entities.
Calgon Take Me Away: Top Ten Lesser-Known Holiday Traveling Tips
1978: The traffic. The boss. The baby. The dog. That does it! Calgon take me away!
2024: The traffic. The economy. The divided country. Holiday travel. Helpful travel tips take me away!
Here are ten lesser-known travel tips from Forbes:
- Pre-book Airport Lounges
- Reserve a Spot in the Security Line (what?!? Click on the article above for details.)
- Use Digital Hotel Keys for Faster Check-In (this is why the NACD recommends keeping up with technological trends…)
- Download Mobile Passport Control (it’s about time…)
- Check In on Rental Car Prices (i.e., reserve early)
- Take the First Flight of the Day Out (#pro move)
- Don’t Wrap Your Gifts Ahead of Time (a TSA agent may unwrap… even better, send ahead pre-wrapped)
- Ask Ahead for Hotel Room Decorations
- Book Your Rideshare in Advance
- Make Sure Your Passport Meets Requirements (i.e., some countries have a six-month rule).
Take a break. Recharge. Be grateful and be safe!
Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org).
This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.