Audit Committee Priorities for 2024

The purview of the audit committee (AC) continues to evolve to take on a widening array of topics and challenges. Organizations will continue to face economic uncertainty, regulatory changes, emerging technology, sustainability, and labor market challenges in the coming year. By identifying the significant impacts and how they are being considered within the financial reporting and audit process, ACs can properly prioritize their time, attention, and engagement with management and the auditors and enhance engagement with stakeholders for 2024.


Macroeconomic Impact on Financial Reporting, Risk Assessment, and Control Environment

Macroeconomic and geopolitical factors continue to affect financial reporting, risk, and control environments in 2024. Specifically, these factors will likely affect several areas of accounting and disclosure, particularly judgmental inputs to estimates, relevant financial reporting assertions, and complexities including (to name a few):

  • Loss allowances for receivables and inventory 
  • Valuation for investments
  • Leased assets
  • Property and equipment
  • Going concern
  • Areas that are at a higher risk of fraud

Stakeholders increasingly demand transparent disclosures about overall risk assessment, including macroeconomic impacts on a company’s business. Regulators are also taking a closer look at how organizations are evaluating risk factors, including questioning registrants who combine various conditions into one risk, uncertainty, or impact within their disclosures.

BDO Insight

Inflation, rising interest rates, and other macroeconomic conditions each create unique risks and uncertainties for organizations operationally, in addition to potentially impacting several areas of accounting and disclosure. ACs should ensure management has evaluated the separate effects of each macroeconomic condition to determine the impact, and included the appropriate level and granularity of disclosure in their filings.

Recognition that risk oversight is a continual process requiring updated assessments is essential in the current environment. Securities and Exchange Commission (SEC) Chief Accountant Paul Munter further reminded management, auditors, and ACs that risk assessments must go beyond direct impacts to financial reporting to broadly consider issues that can affect the entire enterprise. These areas extend beyond traditional financial reporting and delve into risks that can materially impact — and threaten — the sustainability of the organization as a whole.

Although not explicitly required, the AC often takes on the responsibility for enterprise risk management (ERM) due to its oversight of financial reporting risk. ERM oversight responsibility should be carefully considered when evaluating governance structure and director commitments. If the responsibility for ERM or even specific risks falls outside the AC, a close collaboration with the AC would be expected to ensure all risks potentially affecting financial reporting are considered and disclosed appropriately.

Financial reporting is strengthened through an organization’s effective systems of internal controls. However, according to Audit Analytics, adverse auditor opinions over internal controls over financial reporting (ICFR) increased 21% year over year in FY2022, highlighting a lack of highly trained corporate accounting personnel, poor segregation of duties, and weak or lacking disclosure controls as the top three areas for improvement.

To address macroeconomic headwinds and capitalize on opportunities, ACs should consider the following:


Financial Reporting: 

  • Evaluate the separate effects of macroeconomic conditions that may have a material effect to determine the appropriate level and granularity of disclosure.
  • Challenge underlying assumptions within estimates and forecasts, with heightened focus and skepticism for reasonableness and consistency with the current macroeconomic environment.
  • Verify accuracy, consistency, and transparency in disclosures. This includes accounting for risks such as geopolitical and other impacts on the supply chain; cybersecurity and other technology-related threats; and removal of previous risks no longer deemed material. 
  • Inquire about the quality of systems as well as the underlying data being leveraged for disclosures.


Internal Control:

  • Review the organization’s control environment with management, information systems professionals, and the internal and external auditors to identify any necessary changes and required updates to keep pace with new risks and/or identified deficiencies.
  • Review management’s assessment of internal control to understand how they arrived at their conclusions (e.g., was internal audit involved?).
  • Understand identified control weaknesses and why they have been classified as they have, such as significant deficiency (SD) vs. material weakness (MW).
  • Oversee the timely remediation activities of noted MW and SDs, including root cause assessments.


Risk Management Oversight: 

  • Review and evaluate the company’s processes, policies, controls, and monitoring around both financial reporting and ERM.
  • Consider management’s expertise and experience in ERM and with specific risk areas, advocating for resources as needed.
  • Evaluate board expertise with ERM and identified critical risks, and perform a skills/experience gap analysis to be addressed through education, succession/refreshment, and/or advisors.


Evolving Regulatory and Reporting Environment


Rule Setting

Regulations and reporting standards are evolving to address changes in the business environment and expectations of stakeholders. This further increases the responsibilities of the AC and emphasizes the need for directors to remain current. The SEC and Public Company Accounting Oversight Board (PCAOB) both have comprehensive short- and long-term agendas that will run through 2024 and beyond. Increased regulations will challenge organizations to invest significant capital, time and resources in the form of systems, processes, and education of their professionals. 

The PCAOB is currently taking more formal action on rule-making and standard setting than it has in a decade, with the most ambitious agenda of its 21-year history. The agenda has further proven to be quite dynamic, with certain projects moving quickly from the long-term to short-term agenda.

Similarly, the SEC released its Fall 2023 regulatory agenda, highlighting 14 rules in the proposal phase, with another 29 in the final rule stage. Recently finalized disclosure requirements include those relating to cybersecurity oversight and incident reporting; pay vs. performance regarding executive compensation; and clawback policies related to restatements. See BDO’s companion publications: 2023 SEC Reporting Insights and 2023 AICPA SEC & PCAOB Conference Highlights for specific disclosure considerations.


Inspections and Enforcement

In addition to historic standard setting, the PCAOB is also setting records in inspection findings and enforcement actions. Chair Erica Williams has stated that the PCAOB is troubled about trending deficiency finding rates for auditors within Part 1.A: exceeding 40% of audits reviewed in 2022, up 6 percentage points over 2021. The common deficiencies range from auditing ICFR and financial statement areas (e.g., revenue, estimates, business combinations, inventory, long-lived assets, and cryptocurrency) to items related to PCAOB standards or rules (e.g., CAMs, audit committee communications, Form AP, etc.). The Board has also increased sanctions, generally deemed to be ethical violations, to over $20 million in 2023, nearly doubling the previous year. The PCAOB provided an overview of staff priorities for 2024 staff inspections and interactions with ACs.

Turning to the SEC, its comment letters on non-GAAP, climate-related information, and macroeconomic impacts on the business have focused on misleading or boilerplate disclosures, as well as the lack of risk-related disclosures. SEC enforcement trends for 2023 increased 3% over the prior year. Enforcement actions continued to highlight trends in holding management and gatekeepers accountable, with approximately two-thirds of cases involving one or more individuals for a range of issues including crypto assets, FCPA violations, fraud, cybersecurity, ESG, etc.


Regulatory Guidance

The SEC and PCAOB have both released regular communications to support ACs and auditors in continued improvement of audit quality. SEC guidance and comment letters assist in improving financial reporting and recently include non-GAAP measures, management discussion and analysis (MD&A), crypto assets, China-specific risks, supply chain issues due to global conflict, climate, and general transparency and consistency.

The PCAOB continues to issue a consistent cadence of thought leadership directed toward ACs and auditors. The June Audit Committee Spotlight, for example, provides a series of questions that ACs should be asking in their discussions with auditors. Through review of PCAOB’s Staff Priorities for 2024 Inspections and Interactions With Audit Committees and other similar PCAOB communications, ACs can factor trends and regulatory expectations into their oversight responsibilities and enhance discussions with their auditors throughout the course of the audit to drive higher audit quality. 

In support of its goal of enhancing its inspections process, the PCAOB Board has further launched a set of new features on its website to help investors, ACs, and others compare inspection report data among audit firms to better inform discussions with auditors about their systems of quality management.  


Importance of Stakeholder Feedback

The complex, evolving environment regulatory bodies aim to address means that proposed rule changes and standard setting come with nuanced complexities of their own. With that in mind, regulators understand feedback from stakeholders is a vital component to identifying unintended consequences of regulations. ACs are in a position to provide valuable perspective to regulators before new standards and rules are finalized and are encouraged to take advantage of the proposal comment letter process.

For example, while issues expressed with respect to the SEC proposed climate disclosure rules are well known, the PCAOB’s Noncompliance With Laws and Regulations (NOCLAR) proposal is less so and has seen numerous stakeholders express concerns about inadvertent effects, including an expectation that auditors’ roles and expertise would need to be significantly expanded or rely very heavily on legal support during the course of an audit. There was also concern that the lack of materiality surrounding the types of rules and regulations the standard would apply to could dramatically increase the scope and cost of an audit while also creating inefficiencies in the boardroom, where all potential noncompliance, regardless of materiality, would be required to be reported to the AC. Of note, two of the five PCAOB board members dissented on the proposed standard, and more than 200 public company audit committee members signed a public letter expressing concern about the proposal.

To address the evolving regulatory and reporting environment, ACs are encouraged to:

  • Monitor evolving regulatory developments from the proposal stage through final approval and effectiveness.
  • Ensure directors, management and staff obtain continuing education regarding regulatory, industry, and standard-setting developments.
  • Engage with the regulatory community and weigh in on matters that will significantly impact the audit and preparation of financial statements, compliance, and other areas within the AC’s oversight responsibilities.
  • Consider regulators’ stated areas of focus and regulatory actions when considering the propriety of the organization’s financial statement reporting and disclosures.


Sustainability and ESG — Broadening Considerations

Increasing focus on corporate sustainability and ESG matters is creating impact on a global scale, specifically in the drive toward behavioral change through required disclosures. Many U.S.-based companies that do business internationally or are part of international supply chains may find themselves scoped into requirements of rapidly advancing international sustainability rules and regulations. Additionally, the voluntary sustainability reporting that many companies are issuing is falling under closer scrutiny, with stakeholders expecting companies to do more to ensure integrity of nonfinancial ESG data. 

These types of quantitative and qualitative non-financial ESG data may not fall neatly within the AC’s oversight of the financial reporting control environment. While the oversight of specific sustainability risks and opportunities is increasingly being distributed among various committees of the board, there is a need for committee collaboration to ensure reporting is consistent and accurate. This is particularly important when sustainability and ESG factors identified by the company have a material financial impact, requiring appropriate disclosure in public financial filings. Many companies can benefit from leveraging the AC’s expertise in helping develop proper oversight for the management of new processes, controls, and disclosures related to expanding sustainability reporting.  

In March 2022, the SEC released its climate-related disclosure proposal, and the current regulatory agenda indicates a potential final rule this spring. Meanwhile, the European Union issued new sustainability reporting requirements, and individual states within the U.S. have also begun enacting their own sustainability and ESG rules. For example, California passed both the Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act in October 2023, requiring public and private U.S. companies doing business in California to disclose their greenhouse gas emissions and climate-related financial risks.

Sustainability and ESG-related reporting, such as new SEC cybersecurity and proposed climate-related disclosures, requires the creation of new processes, controls, and reporting outside of the traditional financial reporting systems. To oversee this, the AC needs to ensure that management is able to gather/generate appropriate data, verify its accuracy and quality, and address control gaps — including subjecting such data, processes, and controls to appropriate testing and reviews. There will also be a need to look at disclosure controls through a new lens that considers nonfinancial data in addition to standard financial reporting information.

Moving forward, it’s important that ACs:

  • Remain alert to the evolving sustainability and ESG regulatory landscape, particularly in light of local, national, and international regulatory actions.
  • Ensure management has a framework for assessing material sustainability and ESG risks and has established the appropriate reporting environment to communicate accurately and consistently to stakeholders.
  • Evaluate management and committee oversight roles and responsibilities in key risk areas.
  • Collaborate with other board committees that may share sustainability and ESG-related responsibilities, such as compensation and human capital as well as nomination and governance. 
  • Compare sustainability and other public disclosures for consistency and accuracy throughout company messaging and in financial reporting.
  • Confirm that governance documents and proxy disclosures accurately reflect the roles and responsibilities executed by the AC (e.g., cybersecurity, technology, ESG reporting and controls, etc.).


Emerging Technology and Data Security Oversight 

Digital innovation offers tremendous potential for companies, but it doesn’t come without risk. As emerging technologies like artificial intelligence (AI), quantum computing, and other fields continue developing, organizations must stay alert for what lies on the horizon. Regardless of the technology being considered, a common thread is the reliance on good data. It’s imperative that organizations enact policies around enterprise information governance and responsible use of artificial intelligence to comply with laws and regulations, adhere to strategy and risk management, operate within corporate structure, and train personnel in data protection practices to make the most of opportunities while mitigating potential risks.

The rapid proliferation of these new technologies has garnered increased scrutiny from shareholders. Generative AI, in particular, has created a new wave of opportunity and risk that just a year ago was relatively unheard of. And because the technology is so new — with continually updating algorithms, training data that can amplify biases within datasets, and general inaccuracies — unplanned risks can appear unexpectedly. The board must ensure management is implementing safeguards and policies around the use of generative AI tools that can adapt and grow with their use cases while mitigating risk exposure.

Likewise, cybersecurity threats remain a challenge for organizations amidst technology growth and innovation. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, especially in establishing roles and responsibilities that may lie within one or more board-level committees. When the board does not have a director with a qualified information security background, it may need to consider access to consultants or a business cadence for obtaining assessments from third parties to enhance perspective on company-level security plans.

Of particular note, the SEC’s new cybersecurity disclosure requirements will obligate registrants to make annual disclosures regarding cyber policies and procedures for identifying cyber risks, how the board oversees risks stemming from cybersecurity threats, and management’s role in assessing and managing material cyber risks. They will also need to disclose material cybersecurity incidents in Form 8-K on a timely basis.

To address these evolving innovations, changes, and related regulations, ACs should:


Technology Innovation

  • Review policies and procedures, controls, monitoring, and reporting activity by management and the board. In doing so, recognize that even a single instance of noncompliance may indicate a larger problem that should be investigated.
  • Define, communicate, and document roles and responsibilities for oversight to specific board committees.
  • Identify the use of technology in the company, associated policies and procedures, and oversight and accountability. (The identified framework should be formally documented and leveraged in future reviews.)
  • Perform gap analysis within management and the board to identify areas where enhanced knowledge and experience may be needed. 
  • Advocate for strategic alignment of capital investments within the information technology (IT) and risk functions.
  • Explore opportunities for technology to enhance board oversight.


Cybersecurity

  • Evaluate risk assessment and accountability reporting related to cyber breaches.
  • Document policies and procedures related to incident response plans so boards and management have clear action steps to avoid delays, and further consider performing tabletop exercises to keep up to date on threat preparedness.
  • Consider whether the organization has the right expertise at the management and board level in overseeing and managing cybersecurity and breaches.
  • Consider the roles of assessments and consultants to identify missed opportunities and compare the information security program to industry practices.
  • Verify that disclosures reflect the organization’s cyber readiness, as well as timely and accurate data when material breaches do occur under the newly effective SEC reporting requirements.


Attracting and Retaining Financial Talent Is Increasingly Complex

Attracting and retaining talent remains a challenge for both internal corporate accounting departments and auditing firms. In the current risk environment, organizations must understand the level of knowledge and experience among the financial reporting management team, auditors, and the AC, and carefully evaluate if the experience and skill sets align with the organization’s strategy and risk profile. The C-suite has also been affected by talent retention issues, notably Chief Financial Officers. Losing key functional roles and having to fill them is a costly endeavor for organizations, and one that can be highly disruptive, time consuming, and resource intensive. 

The need for experienced talent extends to the AC as well. As the AC’s mandate broadens, directors need to stay current on a broad variety of risks as well as industry trends. Additionally, ACs and management need to make sure their auditors are knowledgeable and experienced in their respective industries, with additional proficiencies in areas such as emerging technology (e.g., data analytics).

To address challenges in attracting and retaining talent, ACs should:

  • Consider the impact that culture plays on attracting and retaining talent – both within the company as well as for advisors.
  • Verify that management has adequate resources to evaluate and implement new regulatory requirements, and continue to monitor developing requirements.
  • Inquire into educational and developmental investment in financial reporting team members. 
  • Pay attention to staffing turnover and the reasons for it, which can lead to high costs and increase the risk of material weakness in internal controls.
  • Evaluate skill sets and determine how to fill any gaps.
  • Capitalize on opportunities to improve efficiency through technology.
  • Perform an annual assessment of the external auditor, with consideration of partner and team rotation, as well as firmwide quality control.
  • Complete evaluations of directors — as well as self-evaluations — to reaffirm they are fit for the purpose of the committee.


Conclusion

The audit committee's priorities for 2024 are centered around addressing the evolving challenges and risks in the business environment. The AC must navigate the macroeconomic impact on financial reporting, risk assessment, and control environment while also keeping up with the evolving regulatory and reporting environment. Additionally, the AC needs to broaden its considerations to include material ESG factors and sustainability reporting, as well as engage in the oversight of emerging technology and data security. Attracting and retaining financial talent also remains a key focus for the AC. By prioritizing these areas, ACs can position their organizations for success in the coming year and help ensure effective oversight of financial reporting and risk management.