Print
E-MailMaureen Bujno is a Managing Director, Bob Lamm is an Independent Senior Advisor, and Krista Parsons is an Audit & Assurance Managing Director and Audit Committee Program Leader at Deloitte Touche Tohmatsu Limited. This post is based on a Deloitte memorandum by Ms. Bujno, Mr. Lamm, Ms. Parsons, Carey Oven, and Jamie McCall.
Many wise people have noted the importance of planning. For example, Benjamin Franklin stated, “By failing to prepare, you are preparing to fail.” Abraham Lincoln said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” And, of course, Yogi Berra said: “If you don’t know where you are going, you’ll end up someplace else.”
These adages certainly apply to the audit committee. Planning ahead can help ensure that the required items are on the agenda for each meeting and that over the course of the year the committee addresses everything on its “to do” list, while leaving time to tackle new matters that invariably come up.
To advise audit committees on planning for 2024, we have considered some of the major items that we believe are likely to be on audit committee agendas this year.
Regulatory matters
Among the various inputs audit committees receive, those coming from regulators are among the most numerous and often the most important. This is likely to be the case in 2024, when initiatives from the Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB), and the Financial Accounting Standards Board (FASB) will need to be considered.
SEC
Since the appointment of Gary Gensler as SEC chair in 2021, the SEC has been among the most active in recent memory, from the perspectives of both rulemaking and enforcement, and there is no indication that activity in these areas is likely to slow down in 2024. Accordingly, audit committees need to pay close attention to the SEC in 2024.
One major area of SEC interest that is likely to have an impact on audit committees in 2024 is the adequacy of disclosure controls and procedures. In one 2023 enforcement action, the SEC penalized a company $35 million and other relief for inadequate disclosure controls and procedures relating to a risk factor concerning its workforce—even though the SEC found no disclosure violations.[1] While this action was criticized by many, including one SEC commissioner, it has resulted in reconsideration of companies’ disclosure controls and procedures across a wide range of subjects and may well lead to more rigorous scrutiny of disclosure controls and procedures by audit committees in the future.
It is also noteworthy that throughout 2023, in announcing the adoption of rules mandating disclosures on topics such as share repurchases, cybersecurity, and insider trading policies and procedures, the SEC noted the importance of having the controls and procedures needed to facilitate accurate and timely disclosures.
Beyond the focus on disclosure controls and procedures, the SEC has had an active rulemaking agenda. In July 2023, it issued a final cybersecurity rule, outlined in Deloitte’s Heads Up, that requires companies to report “material” cyberbreaches within four business days, which will in turn require audit committees to consider both whether and when a breach is or becomes material.
In addition, the SEC is expected to engage in significant rulemaking activities in 2024. Perhaps most anticipated is the possible adoption of final rules requiring extensive climate change disclosure. While action on these rules is widely anticipated, the timing of adoption and the requirements to be imposed remain uncertain. However, these rules are likely to require audit committee oversight, particularly to the extent that they require the inclusion of climate-related information in financial statements, require companies to obtain third-party assurance as to the required disclosures, or both. And, as suggested above, even if the final climate change rules do not impose these requirements, audit committees will certainly have to oversee the establishment and maintenance of disclosure controls and procedures regarding any required disclosures.
Other expected subjects of rulemaking in 2024 include human capital management, board diversity, special purpose acquisition companies, and payments made by resource extraction companies. It is too soon to predict whether or to what extent any of these rules will require audit committee oversight, but it seems highly likely that the committee will be involved in some capacity.
PCAOB
Audit committees are a key stakeholder in the financial reporting process and play an important role in audit quality. As part of the audit committee’s oversight of the external auditor, the audit committee can engage with the external auditor regarding PCAOB activities. The PCAOB provides to audit committees various resources on its Resources for Audit Committees webpage that can be used to engage in two-way communications. In November 2023, the PCAOB updated its standard-setting agenda following “record setting action in 2023,” noting that it took more formal actions on standard-setting and rulemaking this year than it has in any of the previous 10 years.
One such project is the proposed Auditing Standard (AS) 1000— General Responsibilities of the Auditor in Conducting an Audit.[2] The PCAOB has stated that AS 1000 is intended to “streamline and clarify general principles and responsibilities of auditors” rather than impose new requirements on auditors or significantly change the existing requirements of PCAOB standards. While commenters were supportive of the PCAOB’s ongoing efforts to modernize its standards, some commenters highlighted areas of concern, including the removal of language in certain areas that, when examined together, may suggest a change in the existing auditing standards, which the Board indicated was not the intent of the proposed guidance.
Another standard-setting project that the PCAOB proposed in 2023 is “Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations,”[3] or NOCLAR. This proposal has generated significant discussion among auditors, attorneys, and other stakeholders as the proposal would expand the auditor’s obligation to identify and communicate an entity’s noncompliance with laws and regulations. During testimony in a congressional hearing in December, PCAOB Chair Erica Williams indicated that the PCAOB plans to hold a public roundtable hearing on the proposal in 2024 to get further feedback.
Deloitte issued a Heads Up on November 10, 2023 on recent PCAOB standard-setting activities, including information on each of the recent standard-setting projects and Deloitte’s perspectives.
Chair Williams has emphasized that, in addition to modernizing audit standards, the PCAOB is focused on enhancing inspections and strengthening enforcement of audit firms to meet its mission.[4] The PCAOB has said that it expects an increase in inspection findings for public company audits inspected in 2022, which Chair Williams has said is unacceptable and indicated that “where we find wrongdoing, we will not hesitate to pursue it where appropriate.”[5] Chair Williams has also encouraged audit committees to review PCAOB inspection reports and consider them in assessing their external auditors, including by asking about whether there has been a PCAOB inspection of the company’s audit, as well as more generally what the audit firm is doing to address any increases in inspection findings.[6]
FASB
In comparison to the initiatives discussed above, the FASB’s agenda may seem relatively light. However, the FASB issued three Accounting Standard Updates (ASUs) to close out 2023 and also added statement of cash flows targeted improvements to its technical agenda. The three ASUs included improvements to segment disclosure, income tax disclosure, and accounting and disclosure for crypto. Details on each of these were shared at the annual 2023 AICPA & CIMA Conference on Current SEC and PCAOB Developments. Additional information on the content discussed at the conference can be found in Deloitte’s December 2023 Heads Up. If they haven’t already, audit committees should meet with management to learn how each of these new requirements will impact their organizations and understand implementation plans and timelines.
Risk
Despite the ongoing addition of new responsibilities, audit committees remain responsible for oversight of other areas of their companies. Perhaps the most significant of these responsibilities is risk. While the audit committee is not responsible for direct oversight of all risks, it is generally responsible for overseeing how other board committees and management monitor, evaluate, and manage risk. In fact, the role of the audit committee vis-à-vis risk has been likened to that of an orchestra conductor—the conductor doesn’t play all the instruments; however, she needs to oversee how the other musicians do so to achieve harmony and effectiveness.
As part of this broad oversight of risk, the audit committee needs to consider how to refresh and reinforce its role in risk oversight. In particular, so-called enterprise risk management, or ERM, programs have been in place at many companies for decades. Given the seemingly ever-expanding number and seriousness of risks, is the ERM program current and vital? Has it become perfunctory and therefore less likely to spot and address evolving risks? Is a “refresh” of the ERM program or any of its key components necessary?
Artificial intelligence and other technology risks
Any discussion of risk in 2024 will almost certainly include the risks associated with the growing use of artificial intelligence, or AI. And it is noteworthy that some of the risks of AI have little to do with the responsibilities of the audit committee. For example, the compensation or similar committee will likely be responsible for overseeing reductions in force and other workforce issues that may result from increasing reliance upon AI, and the nominating/ governance committee may be more heavily involved in overseeing the use of AI. However, the audit committee will clearly be involved from a general risk oversight perspective. At the same time, like so many aspects of technology, AI has the potential to yield great improvements. For example, in the audit committee’s core areas of focus—audit and financial reporting—AI might be used to spot irregular transactions or inconsistencies, to detect fraud, or to identify computational or other errors. And as discussed in the National Association of Corporate Directors’ 2024 Governance Outlook article “Artificial intelligence: An emerging oversight responsibility for audit committees?”[7] additional benefits include the potential to streamline and enhance a company’s internal audit and internal control functions.
It can be tempting to view AI as the “shiny new object” and to assume that other types of risk that have been around for a while are being appropriately managed. However, that assumption would be misguided. For example, cybersecurity remains a major component of risk and one that companies of all shapes and sizes, as well as individuals, are facing daily. According to the latest Audit Committee Practices Report published by Deloitte and the Center for Audit Quality, cybersecurity remains a top concern for audit committees. In addition, how many people go to their laptops every morning and see a pop-up that a password has been compromised in a breach, or that access to critical websites is becoming increasingly complex due to dual-factor authorization, mandated use of passkeys, and the like?
As discussed earlier, in 2023 the SEC adopted extensive new disclosure requirements regarding cybersecurity risk. Among other things, companies will have to publicly report material breaches, possibly at a time when the materiality of a particular breach is not known. Audit committees will likely be heavily involved when a breach occurs and the company needs to determine whether it is material, when the breach needs to be reported, and the potential harm to the company as a result of the breach.
Other risks
The risks likely to remain on (or to be added to) audit committee agendas in 2024 include data privacy, compliance, and the seemingly rapid increase in global geopolitical risks and what may flow from them.
In fact, the number and severity of risks facing companies in 2024 suggests another risk-related topic that audit committees will need to address—crisis management. Many companies have general crisis management guidelines or playbooks that outline steps to be taken in particular types of crises. In 2024, audit committees need to consider reviewing these guidelines and playbooks to determine whether they are current, comprehensive, and practical. As part of this process, audit committees may need to consider “war-gaming” various risks to determine whether and to what extent current crisis management plans are practical and suitable.
Finance talent
As noted earlier, AI may yield significant and rapid improvements in many areas that fall within the audit committee’s direct responsibilities. However, the human factor remains an area of critical importance to audit committees; do their companies have the right talent? If not, is it possible to bring on new talent, or is the “war for talent” noted by the PCAOB chair overwhelming? And is existing talent—including those in finance and internal audit — being used effectively? In 2022, Deloitte reported that most public company hiring managers for finance and accounting roles had faced talent retention challenges (82.4%) and that they expected to experience recruiting difficulties in the year ahead (82.3%). Nearly one-quarter (23.4%) of the respondents indicated that the need for more technological skills would most likely be the driver behind their organization’s need to hire financial and accounting talent in the short term. All of this suggests that audit committees should remain focused on talent in finance and internal audit. Their discussions should include a focus on current talent and succession planning for the future.
Finally, audit committee effectiveness
Audit committee effectiveness is an important consideration for members as their oversight responsibilities continue to expand. As a result, audit committees should consider more robust self-evaluations and efforts to continuously improve, from making pre-reads more effective, to encouraging better discussions (in part by avoiding “stand and deliver” presentations where someone recites a pre-read that committee members have presumably read), to enhancing the quality of communications with management and the external auditors.
A key factor in making audit committees more effective is the chair. Leading the committee through the process of addressing existing responsibilities and facing new ones is a daunting task. Thus, selection of the “best” audit committee chair is yet another challenge faced by audit committees and the boards of directors of which they are a part.
Conclusion
Audit committees have long been referred to as the “kitchen sink” of the board, in that anything that is not clearly within the jurisdiction of the full board or another committee often ends up on the audit committee agenda. However, we see audit committees and their chairs continuing to rise to the challenges they face, as they have for so many years. Staying on top of topics such as those suggested above will help them continue to do so.
Endnotes
1US Securities and Exchange Commission (SEC), press release, February 3, 2023.(go back)
2Public Company Accounting Oversight Board (PCAOB), Proposed Auditing Standard – General Responsibilities of the Auditor in Conducting an Audit and Proposed Amendments to PCAOB Standards, PCAOB Release No. 2023-001, March 28, 2023.(go back)
3PCAOB, Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments, PCAOB Release No. 2023-003, June 6, 2023.(go back)
4See speech by PCAOB Chair Erica Y. Williams at the 18th Annual Audit Conference (Baruch College Zicklin School of Business), November 28, 2023.(go back)
5Mark Maurer, “Accounting watchdog expects deficiencies in 40% of public-company audits in 2022,” Wall Street Journal, July 25, 2023.(go back)
6PCAOB, Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments.(go back)
7Brian Cassidy, Ryan Hittner, and Krista Parsons, “Artificial intelligence: An emerging oversight responsibility for audit committees?,” National Association of Corporate Directors (NACD) 2024 Governance Outlook, December 13, 2023.(go back)
