Site Search

Menu

Capabilities

Menu

Cybersecurity, Risk and Regulatory

Loading Results

2024 Q2 Audit committee newsletter: Prepare for your next meeting

Overview

Audit committees have a critical oversight responsibility and committee members must stay up to date about changing regulations, reporting guidelines and dynamic expectations. Our quarterly audit committee special edition offers potential topics for inclusion in your upcoming audit committee meeting. 

Each quarter we provide highlights of trending financial reporting topics, emerging regulatory and standard setting matters, and updates on current governance topics. We also provide useful links that direct you to more information.

As you perform your oversight responsibilities and plan your next audit committee meeting agenda, check in each quarter for our updated summary.

Financial reporting

1. SEC comment letter trends

What the audit committee needs to know

As the mid-point of 2024 approaches, top comment letter themes have remained consistent over the past few years with non-GAAP measures and management’s discussion and analysis (MD&A) leading as the most frequent areas of comment. SEC staff comments related to non-GAAP financial measures have questioned how registrants describe the non-GAAP measure (for example, as a measure of performance or liquidity) and the appropriateness of adjustments made to calculate the measure, depending on how it is described. The staff also continues to issue comments about specific non-GAAP adjustments, such as adjustments that do not have a corresponding tax impact, restructuring charges and litigation charges.

MD&A continues to be a close second in terms of volume of comments. One area of focus is the impact of the current macroeconomic environment. For example, in the financial services sector, the staff have issued comments specifically related to MD&A disclosures about commercial real estate and the discussion of interest rate impacts in quantitative and qualitative market risk disclosures. The staff has publicly stated that these disclosures may also be relevant to registrants outside of the financial services sector.

Staff comments related to business combinations, segment reporting and revenue recognition round out the top five areas. And while not a top trending comment area, we observed some comments related to cybersecurity incident reporting. Generally, the comments related to asking for more detail regarding how the cybersecurity incident has had (or could have) a material impact on the registrant’s financial condition or ongoing results of operations.

Why is it relevant to the audit committee?

The audit committee will want to stay abreast of the areas of SEC comments, which may help the committee refine its oversight efforts and support the company’s financial reporting transparency. The audit committee will want to confirm that management is adequately addressing regulatory expectations and staying ahead of potential issues.

What questions should the audit committee ask?

  • Has the company received a comment letter and, if so, what were the questions raised by the SEC? How does management plan to respond?
  • How does management stay abreast of financial reporting updates and other required disclosure developments and trends?
  • How has management considered whether additional disclosures related to the top comment trends are appropriate?
  • How does management monitor comment letter trends and the letters issued to other companies in its industry?
  • How is management’s disclosure committee informed of SEC comment letter trends?

Where to go for more information:

PwC: SEC comment letter trends landing page
PwC: To GAAP or to non-GAAP
SEC: Non-GAAP financial measures: Compliance & Disclosure Interpretations

2. Developments in sustainability reporting

What the audit committee needs to know

Last quarter, we reported on the SEC’s release of its final climate disclosure rule. Since then, as anticipated, legal challenges have been filed against the SEC by multiple parties. As a result, the SEC stayed its climate disclosure rule in April to “facilitate the orderly judicial resolution” of pending legal challenges. However, given ongoing interest from investors, and the overlapping nature of many of the sustainability reporting requirements worldwide, companies are encouraged to develop systems, processes and controls to position them to produce high-quality data in support of any non-SEC sustainability reporting responsibilities. Doing so will also position registrants for compliance with the SEC rules should the stay be lifted, and the rules become effective.

On January 1, California bill AB 1305 became effective, requiring information about certain emissions claims and the sale and use of carbon offsets to be posted to a company’s website. In February, a bill (AB 2331) was introduced that, if signed into California law, would amend AB 1305 to clarify that certain renewable energy certificates and low-carbon fuel standard credits are not in scope. The same bill proposes to amend AB 1305 to require initial reporting on January 1, 2025. In May, the bill was approved in the State Assembly and awaits consideration in the State Senate.

In April, the European Council approved a delay of the adoption of certain sector-specific and non-EU European Sustainability Reporting Standards (ESRS) by two years until June 2026. It does not impact the timing of when companies are required to file their initial CSRD reporting using the sector agnostic standards that became law in December 2023. 

In May, the IFRS Foundation and EFRAG published guidance to illustrate the alignment between the IFRS Sustainability Disclosure Standards and the EU ESRS.

Why is it relevant to the audit committee?

Given the evolving regulatory and standard-setting environments and impending related reporting requirements, companies that are impacted should be gearing up for disclosures. This means developing processes and controls and having technology in place to produce quality reporting. It may also involve having internal audit allocate time in its audit plan to weigh in on the design and operating effectiveness of new processes and controls. Understanding management’s processes and controls in place relating to the scope and quality of disclosures is an important aspect of the audit committee’s oversight role.

What questions should the audit committee ask?

  • Which sustainability reporting requirements is the company subject to?
  • What oversight role does the audit committee have compared to that of the full board and/or other committees as it relates to sustainability disclosures?
  • What processes and controls are in place to support high-quality data collection and reporting? 
  • How is management monitoring and evaluating the impacts of national and international sustainability reporting developments?
  • To what extent are the company’s finance function, internal audit and other reporting units involved in creating and/or strengthening the control environment for sustainability disclosures?

Where to go for more information:

PwC: Sustainability Reporting Guidance (Chapter 2)
PwC: The audit committee has specific responsibilities under the EU’s CSRD
PwC: Navigating the ESG landscape

3. Trends in SEC enforcement actions

What the audit committee needs to know

Enforcement actions are an important tool used by the SEC to advance its mission of protecting investors and promoting market integrity. In its fiscal year ended September 30, 2023, the SEC actively pursued close to 800 enforcement actions against individuals and corporations for violations of securities laws, which is a 12% increase over the past two years. The drivers of the violations spanned a range of topics including improper accounting, misleading disclosures and earnings manipulation. The SEC also continued its focus on emerging issues such as cybersecurity, crypto assets and ESG. 

The SEC has also been increasingly focused on the implications of advancements in AI and machine learning, including potential violations of securities laws. Recent remarks by commissioners and senior SEC staff highlight their growing concern that these advancements could pose emerging risks as the technologies may lead to noncompliance with the securities laws.

“So looking ahead, where do we see potential risk? …[T]here’s certainly one brewing around AI.”

Gurbir S. Grewal, Director of the Division of Enforcement, SEC
April 15, 2024

Why is it relevant to the audit committee?

The audit committee may find it helpful to consider lessons learned from past and expected SEC enforcement actions in its oversight of the company’s control environment, risk management processes, compliance programs, financial reporting and the external auditor. Reviewing enforcement actions could also aid the audit committee in improving its governance practices (e.g., frequency and depth of reporting from management).  

What questions should the audit committee ask?  

  • How do internal controls adequately address issues found in recent SEC enforcement actions such as revenue recognition, leases and asset valuations?
  • How is management evaluating the potential implications associated with AI relating to internal control over financial reporting and disclosure controls and procedures?
  • What processes are in place to adequately protect sensitive information, and make appropriate disclosures of cybersecurity risks and material cybersecurity incidents? How are these processes tested to determine if they are operating as designed?
  • What training programs are in place to educate employees about the importance of compliance and recent SEC enforcement actions? 
  • What is management’s process for responding to a potential securities law violation? What is the communication protocol for notifying the audit committee/board?

Where to go for more information:

PwC: Trends in SEC enforcement actions
PwC: Audit committee oversight checklist

4. IFRS 18: Redefining financial performance reporting

What the audit committee needs to know

In April, the IASB issued IFRS 18, Presentation and Disclosure in Financial Statements, introducing new requirements to improve comparability of the financial performance of similar entities, with a focus on updates to the statement of profit or loss. The standard includes three major areas of change:

1. Defined structure of the statement of profit or loss

  • Categories – Items in the statement of profit or loss will be classified into one of five categories: operating, investing, financing, income taxes and discontinued operations.
  • Required subtotals – Entities will be required to present specified totals and subtotals, including “operating profit or loss,” “profit or loss,” and “profit or loss before financing and income taxes,” with some exceptions.

2.  Related disclosures

  • Management-defined performance measures (MPMs) – Information related to these measures should be disclosed in a single footnote, including a reconciliation between the MPM and the most similar specified subtotal in IFRS Accounting Standards.
  • Disclosure of expenses by nature – Entities will present expenses in the operating category by nature, function or a mix of both.

3. Aggregation and disaggregation

  • The standard provides enhanced guidance on the principles of aggregation and disaggregation, which are used in defining the line items presented in the primary financial statements and information disclosed in the notes.

The new standard will be effective beginning in 2027 for calendar year-end IFRS reporters and requires retrospective application.

Why is it relevant to the audit committee? 

While the standard is applicable to companies that report under IFRS, audit committees of US multinationals may want to get up to speed on the changes as they could impact subsidiaries reporting under IFRS. Additionally, developments in international reporting can influence the perspectives of stakeholders and standard setters in the US. Audit committees may want to monitor how stakeholder views may be evolving. Audit committees may also want to consider how the requirements might be used as a basis for enhancing existing disclosures.   

What questions should the audit committee ask? 

  • What is management’s process for monitoring, evaluating and implementing new accounting standards?
  • Have investors or other stakeholders shared with management a desire to have greater disaggregation of income statement expenses?
  • Has management considered providing greater disaggregation of income and expenses? If so, has management assessed any systems changes that may be necessary to do so?

Where to go for more information: 

PwC: IFRS 18 is here: redefining financial performance reporting
PwC: Hello IFRS 18 (Podcast)

Other topics

Scroll to read more

The audit committee may consider discussing the above topics with management to understand how they are being addressed. For an in-depth discussion and more insights on these topics, see PwC’s The quarter close – Second quarter 2024.

Other topics

5. Mid-year considerations for internal audit

What the audit committee needs to know

The audit committee’s responsibilities and agenda continue to expand as companies implement new technologies and business models, respond to the impacts of a challenging geopolitical landscape, implement new regulations and standards, and provide increased reporting to stakeholders. In managing its expanding responsibilities, the audit committee should confirm that it is fully engaged in its “core” oversight responsibilities, such as oversight of internal audit. A mid-year "check in” can provide an opportunity to reassess the current year plan and evolving priorities and to make any necessary adjustments. Key audit committee considerations could include:

  • Reviewing internal audit’s progress against its plan
  • Confirming the internal audit plan aligns with the company’s risk assessment and includes timely topics such as those related to IT risks, business transformation risks, merger integration risks and applicable climate-related rules, among others
  • Evaluating internal audit findings and follow-up actions, including understanding overdue recommendation implementations
  • Assessing internal audit’s performance
  • Confirming changes in regulations or standards (e.g., Global Internal Audit Standards) are integrated into the internal audit plan and processes
  • Assessing the use of technology and data analytics within the internal audit process to enhance effectiveness and efficiency
  • Reviewing the quality and frequency of board reporting from internal audit (e.g., use of dashboards for key KPIs)

Why is it relevant to the audit committee?

The audit committee’s role in overseeing internal audit is a cornerstone of its governance responsibilities. As technology, regulatory and other risks continue to expand, internal audit should be a third line of defense in risk management and monitoring. Helping maximize the value of the internal audit function is a critical factor in the audit committee’s effective oversight. 

What questions should the audit committee ask?

  • What processes are in place to confirm internal audit has the appropriate resources (e.g., competencies, technology) to address the appropriate areas in a thorough and high-quality manner?
  • What is the bench strength of the internal audit team? Is there a talent management and succession plan in place? 
  • How is internal audit evolving as the company’s business strategy and associated risks evolve? 
  • What percentage of internal audit’s plan covers strategic or value-add areas versus business process or compliance reviews?
  • Do other groups in the organization view internal audit as a resource — for example, using internal audit to review/audit thirdparty vendor contracts for supplier compliance (e.g., cyber) or to review ESG data used in disclosures?
  • What tools and techniques has internal audit implemented to identify trends or growing risk areas (e.g., data analytics, AI)? 
  • How is internal audit appropriately supporting emerging priorities or newer risk areas of focus under the audit committee’s responsibility (e.g., review of system implementation controls, company use of AI/GenAI, culture)?

Where to go for more information:

PwC: Getting the most out of internal audit
PwC: Audit committee effectiveness: practical tips for the chair
PwC: Audit committee oversight checklist

6. Keeping risk oversight in focus

What the audit committee needs to know

In its ongoing responsibility to evaluate and monitor risks, now is a good time for the audit committee to review the company’s risk management process, including ERM, discuss emerging risks and confirm that management has appropriate processes in place to manage risks effectively. As the risk landscape continues to shift, companies are grappling with risks associated with new technologies and digital transformation initiatives, including AI/GenAI, cybersecurity and data privacy, operational and financial risks, sustainability risks, and third-party and supply chain risks, among others. 

However, according to PwC’s Board effectiveness: A survey of the C-suite, executives believe boards may not be spending sufficient time on transformative areas of risk. It is essential for the audit committee to keep its focus on high priority risk matters to support effective risk oversight tailored to the company’s specific circumstances.

Why is it relevant to the audit committee?

While the board has primary oversight responsibility of risk, many boards delegate oversight of management’s process to the audit committee, in addition to delegating oversight of many of the risks. This means the audit committee has a role in overseeing many of the key, emerging risks facing companies. Given the dynamic and often unpredictable nature of today’s business environment, it is essential that the audit committee keeps its focus on risk oversight as a top priority.  

It should continue to ask questions of management, itself and other stakeholders. This means the audit committee should confirm that it has a comprehensive understanding of the organization’s risk landscape, that appropriate measures are being taken by management to manage and mitigate risks effectively, that the audit committee has the appropriate skill sets among its members (or access to external specialists and resources) and that it is receiving effective reporting from management. The audit committee should also confirm the scope of its oversight responsibilities for monitoring risks with the board, including which key risks it oversees on behalf of the board—keeping in mind that risk oversight among committees can be reallocated given changes in committees’ capacity/competencies or other factors.

What questions should the audit committee ask?

  • What are the top risks facing the company currently, and how are they identified by management?
  • What processes are in place to mitigate key risks, and how effective have the strategies been?
  • What is management’s process to support the audit committee receiving appropriate reporting of management’s risk identification, monitoring, measurement and mitigation efforts?
  • How does management define and communicate the company’s risk appetite and tolerance levels across the organization?
  • What are the external auditor’s views on the key risk trends and issues observed in the industry and among peer companies?
  • Do the skill sets represented among audit committee members match the committee’s oversight responsibilities? Does the audit committee need to supplement the skill sets represented?
  • Does the audit committee access perspectives from outside experts, hear from management specialists or actively identify continuing education opportunities to upskill on risk-related matters under its responsibility (e.g., cybersecurity, AI/GenAI)?

Where to go for more information:

PwC: Board effectiveness: A survey of the C-suite
PwC: Director’s guide to ERM fundamentals
PwC: Risk oversight and the board: Navigating the evolving terrain
PwC: Overseeing cyber risk: the board’s role

7. PCAOB member Christina Ho talks tech and talent 

What the audit committee needs to know

On May 16, PCAOB board member Christina Ho provided remarks during a webcast hosted by PwC and the Center for Audit Quality (CAQ). Titled Tech, talent and the Audit Committee’s evolving role, the webcast was the inaugural event of a PwC/CAQ collaboration aimed at helping audit committee members stay ahead of their ever-evolving responsibilities. Ms. Ho provided her perspectives on how technology and talent impact audit quality.  

Ms. Ho encouraged audit committee members to engage with the PCAOB during its rulemaking process, challenge management and the external auditor on how technology such as AI could be leveraged to prepare financial statements and enhance audit quality, and to use their platforms to speak with young people about the auditing profession. She emphasized that AI could enhance audit quality through consistent and effective execution of routine and repetitive tasks, proactive application relating to fraud detection and through continuous risk assessment. She also emphasized that appropriate talent is essential for companies to produce quality information and is needed by external auditors so that audit quality remains high. 

Why is it relevant to the audit committee?

Given its oversight responsibilities related to the company’s financial reporting and internal controls, the audit committee should understand AI’s benefits, risks and broader implications for the company. The audit committee should also understand who has the responsibility for AI governance within the company as part of an overall AI governance model. The audit committee should also stay informed about how the company is using (or plans to use) AI in areas under its oversight responsibility, such as in financial reporting and related controls, internal audit, finance transformation, and the compliance and ethics program. 

While talent management oversight is typically a topic for the full board, with input from other committees, the audit committee should understand management’s plans for talent management disclosures. This would include (1) an understanding of processes and internal controls that might be put in place to produce accurate, complete and reliable information, (2) how external reporting might be impacted and (3) the talent risks in areas that fall under its purview (e.g., finance, accounting, tax, internal audit, compliance and IT, among others).

What questions should the audit committee ask?

  • What is the overall AI strategy, and which AI use cases or policies could impact financial reporting and/or underlying processes and controls?
  • What is the organization’s risk appetite relating to the adoption of new technologies?
  • How does management identify and address AI’s benefits and risks that could impact financial reporting?
  • What is the strategy for retaining and upskilling existing talent in finance, tax, financial reporting, internal audit and other key areas under the audit committee’s oversight responsibility?
  • What is the current succession plan for key finance and accounting positions? 
  • What changes has the company made to expand its employee pipeline for key finance and accounting positions?

Where to go for more information:

PwC: Tech, talent and the Audit Committee's evolving role (webcast replay)
PwC: The power of AI and generative AI: what boards should know
PwC: Talent management: an evolving board imperative

8. Receive deep dives on key oversight areas

What the audit committee needs to know

Many audit committees remain challenged with overseeing an ever-expanding list of responsibilities, including risks associated with evolving regulations and standards, the impacts of geopolitical and economic shifts, processes and controls relating to significant business and finance transformations, and a host of other matters. However, amid the expanded workload, it is important for the audit committee to allocate enough focus and depth to key oversight areas. And while it may be receiving periodic updates on many matters, now is a good time for the audit committee to receive deep dives from management on key areas of oversight (especially those that may not be on the agenda as frequently), including:  

Financial reporting and accounting – Detailed review of financial statements, including significant accounting policies, judgments and estimates, and any changes expected in the short term

Internal controls and risk management – Deep dive into key areas of risk (e.g., cyber, operational, compliance)

Tax matters – Review of the company’s tax strategy; updates on significant tax matters, including changes in tax laws and their implications 

Regulatory and compliance matters – Updates on compliance with regulatory requirements, including any new or pending regulations and status of any ongoing regulatory investigations

Fraud risk and ethics compliance – Review of whistleblower reports and investigations; evaluation of the effectiveness of ethics and compliance programs

Litigation and legal matters - Updates on significant legal risks and proceedings and potential liabilities

Third-party and vendor management – Review of the risks associated with key third-party relationships and vendor management practices

Why is it relevant to the audit committee?

Deep dives from management can provide detailed insights and promote understanding that help the audit committee fulfill its oversight responsibilities more effectively. Allocating time in the audit committee’s agenda for such discussion can confirm that management is addressing critical matters appropriately and keeps key matters in focus for the audit committee as they may evolve.

What questions should the audit committee ask?

  • What are the key assumptions and estimates that have the most significant impact on the financial statements? How are these assumptions and estimates impacted by current macroeconomic trends?
  • What enhancements have been made to the internal control environment this year?
  • How is management considering the company’s tax strategy and potential tax exposures to positions taken? How has management considered the adequacy of systems capabilities in response to changes in US and global tax laws?
  • What is management’s process for monitoring regulatory changes relevant to the business? Which areas of compliance have been identified either individually, or when aggregated, as having a significant risk of non-compliance?
  • What is management’s process for identifying and addressing cybersecurity threats?
  • What mechanisms are in place to detect and prevent fraud? 
  • What is management’s process for evaluating the effectiveness of the ethics and compliance program?

Where to go for more information:

PwC: Audit committee oversight checklist
PwC: Financial reporting oversight
PwC: How your board can oversee third-party risk
PwC: Finance transformation: four areas of focus for the audit committee
PwC: Get your Audit Committee activities in shape before regulators come knocking
PwC: Audit committee dashboard reporting

9. Recurring items for the audit committee agenda

Every audit committee meeting agenda should include these important items or, at least, they should be discussed at scheduled intervals:

  • Hotline complaints and code of conduct violations
  • Changes in the regulatory environment
  • Private and executive sessions
  • Related-party transactions
  • Internal and external audit plan reviews
  • Discussions with the CIO, CISO, and GC as needed

Related content

Contact us

Maria Castañón Moats

Maria Castañón Moats

Leader, Governance Insights Center, PwC US

Linkedin Follow Email
Stephen G. Parker

Stephen G. Parker

Partner, Governance Insights Center, PwC US

Linkedin Follow Email
Tracey-Lee Brown

Tracey-Lee Brown

Director, Governance Insights Center, PwC US

Linkedin Follow Email
Gregory Johnson

Gregory Johnson

Director, Governance Insights Center, PwC US

Linkedin Follow Email
Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Hide
Trust solutions Consulting Tax services Newsroom Alumni US offices Contact us

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.