Insight

Advice to AC members is to ask lots of questions

Panelists addressed the myriad challenges facing audit committees at the 2023 AICPA & CIMA Conference.


There are many challenges at the global, national and local levels that put companies’ financial reporting, compliance, risk and internal control environments to the test, including global economic uncertainty, regional conflicts with far-reaching effects, major new regulatory mandates and the emergence of generative AI.

The theme of the session on the regulatory landscape and governance at the Conference on Monday afternoon was how audit committees can tackle these challenges. 

“How can audit committees tackle the many challenges they face? My advice is to ask a lot of questions. Question management, internal auditors and external auditors on a regular basis so that committee members are satisfied these stakeholders understand their respective roles in the financial reporting process – and are fulfilling their responsibilities.”

— John Rodi, Partner, KPMG Board Leadership Center Leader


Risk assessment is comprehensive, iterative and continual

Comprehensive risk assessment – a prevalent theme at this year’s Conference – is an important agenda item for audit committees. Panelists keyed in on several practical suggestions for audit committees to act on.

In an August 2023 statement, SEC Chief Accountant Paul Munter mentioned the importance of taking a holistic approach to risk assessment by looking at entity-level risks in addition to risks that directly impact financial reporting. Panelists stressed that the audit committee should oversee management’s implementation of such a holistic approach: timely identifying and, where appropriate, disclosing those risks, and designing and implementing appropriate processes and controls.


Robust risk assessment

A company’s risk assessment process must account for the myriad risks affecting financial and operating results, which can change rapidly. It is therefore imperative that the audit committee satisfy itself that management’s risk assessment process is robust.

Panelists noted that oversight of this process can be daunting for an audit committee, but they offered helpful suggestions for managing this responsibility, including a number of questions to ask management.  

Ask: Which executives are responsible for identifying material financial, liquidity and operating risks?

Ask: How is management mitigating these risks?

Ask: Does management have an incident response plan that can be used for a wide range of incidents or crises?

New ESG regulatory mandates are growing

Newly released and anticipated regulatory mandates will dramatically increase climate, sustainability and other ESG disclosure requirements for US companies. While companies await final SEC climate rules, the landscape is moving and companies are preparing to comply with a number of sustainability mandates, including: 

  • California climate legislation signed into law in October 2023 – including carbon offset disclosures that are required beginning January 1, 2024
  • European Sustainability Reporting Standards issued under the EU’s Corporate Sustainability Reporting Directive, which require comprehensive sustainability reporting of impacts, risks and opportunities to a broad range of stakeholders
  • IFRS Sustainability Disclosure Standards issued by the International Sustainability Standards Board, which require comprehensive sustainability reporting of risks and opportunities to primary stakeholders such as investors.

Just determining which standards apply, applicable effective dates and the level of interoperability of the standards requires significant planning. Beyond these preparatory activities, actually complying with the mandates will be a major undertaking. Board oversight of this process is critical, particularly because cross-functional management teams will be needed – e.g. management’s disclosure committee and an ESG team/committee.  

A separate ESG panel on Day 3 of the Conference is expected to cover operational challenges of sustainability reporting.

See our ESG reporting resources here.

New cybersecurity disclosure mandate from the SEC

The SEC’s rules require several new and enhanced disclosures on cybersecurity risk management, strategy, governance and incident reporting. Companies must disclose new information in two broad categories.


Material cybersecurity incidents

Companies must disclose a material cybersecurity incident on Form 8-K within four business days of concluding that the incident was material. The materiality assessment must be made without unreasonable delay after discovering an incident: the four-day clock runs from the materiality determination, not from discovery, but the rule does not allow a company to defer that determination. The only permitted delay is where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Ask: Is management’s cyber incident response plan up to date and is management capable of timely assessing the materiality of cyber incidents?

Kurt Kuehn, Henry Schein Inc. Board member, warned that it may be very challenging to assess materiality within a reasonable time after an incident occurs. However, Kuehn suggested erring on the side of disclosing because transparency is key.

Cybersecurity risk management, strategy and governance disclosures

Detailed and extensive disclosures on these topics are required in annual reports on Form 10-K.

Ask: Does management have the right team assembled to reassess the company’s existing risk management and governance processes and to ensure compliance with these weighty disclosure requirements?


The audit committee should consider what resources and processes management’s disclosure committee needs to develop and maintain cybersecurity-related disclosure controls and procedures and internal control over financial reporting.

Read more about the requirements here.

Generative AI (GenAI)

How to leverage GenAI is a trending topic in C-suites across the globe, as evidenced by the 2023 KPMG US AI Risk Survey. From a finance perspective, survey respondents expect an increase in the use of AI models and expect new audit requirements for AI models by the end of 2026.

The C-suite focus on GenAI likely means that oversight of this technology will be a priority for many boards in 2024. At a minimum, the audit committee may be tasked with overseeing compliance with the differing laws and regulations governing this technology, including the development and maintenance of related internal controls and disclosure controls and procedures. It may, however, have broader oversight responsibilities, such as oversight of aspects of the company’s governance structure for developing and using GenAI.

Oversight of GenAI

Panelists mentioned several issues that boards are considering regarding GenAI. They couched these issues in the form of questions to ask.

Ask: What GenAI does the company currently use and for what purpose?

Ask: What are potential additional uses – e.g. how is our industry using GenAI?

Ask: What risks present themselves in the current and potential use of GenAI?

Ask: How is the use of GenAI being documented – e.g. are the inputs into the process being properly recorded?

Ask: What guardrails are appropriate to put into place regarding the use of GenAI?

Additional technology panels on Day 3 of the Conference are expected to highlight the investor perspectives on GenAI and further insights from preparers and auditors.

Read more about GenAI on our dedicated resource page here.