What Canadian audit committees should consider at the beginning of 2022 and beyond

As audit committees prepare for year-end discussions with the board, management, auditors, and external stakeholders, they should consider the following issues.

This 2022 edition of our annual review of issues affecting audit committees during the year-end audit cycle summarizes key considerations for audit committees. With the changing risk landscape, the audit committee’s role continues to grow more demanding and complex amid the pandemic and a dynamic business environment. This report will assist audit committees to proactively address developments in risk management, financial reporting, tax, and the regulatory landscape.

• Risk management
  • How is the company using new technologies and data to enhance stress testing and scenario analyses to better prevent surprises and significant variability in operating performance?
    
  • Do scenario analyses consider an appropriate range of extreme and even improbable scenarios, including existential threats? Do they incorporate the potential compounding effects of various risks?
    
  • How can the organization build resilience while remaining lean and agile enough to respond to unforeseen risks? Are contingency and response plans related to risks, including cybersecurity and supply chain, periodically simulated and reviewed with the board?
    
  • How is the company revisiting and adapting its risk management strategy and management’s approach to the three lines model in response to potential changes in the external and internal environment, changes in strategy and risk landscape and the company’s operating model?
    
  • How is the company managing critical third-party and systemic risks, including those related to financial and operational resilience, IT security, data privacy, and the company’s supply chain?
    
  • Has the board considered how the organization’s technology strategy is evolving, including how AI and other emerging technologies can be used to review and validate data and information to unearth insights into enterprise risks and opportunities?
    
  • Have the company’s information security measures and other controls been reviewed and adapted to be responsive to ongoing digital acceleration efforts, technology changes and the shifting business environment?
    
  • How has the company’s cybersecurity risk management program evolved to address the post-pandemic context, in which attackers are targeting a larger surface area and using increasingly unpredictable tactics? How is cybersecurity proactively integrated into all major strategy or tactical decisions, such as transactions, alliances, new products or services, and technology upgrades?

• Financial reporting
  • How is the organization proactively assessing opportunities to enhance stakeholder communications, including corporate reporting, to address changes in operations and strategies as well as changing stakeholder expectations?
  • Have there been any material changes to internal controls over financial reporting or disclosure controls and procedures to address the changing operating environment? Have any cost saving initiatives and related efforts impacted resources or processes that are key in internal controls
  • over financial reporting? If so, has management identified mitigating controls to address any potential gaps?
  • What approach has management taken to consider multiple scenarios related to its projections and underlying assumptions that are expected to have a material impact on the results of operations or capital resources?
  • Have there been material changes in controls and processes to evaluate the reasonableness of the assumptions and key estimates?
  • Does the audit committee understand how management uses non-GAAP financial measures and how they supplement the GAAP financial statements?
    
    
• Tax
  • Did the organization use any COVID-19-related tax benefits in 2021? How were those benefits identified and documented?
    
  • Has the organization reviewed its approach to tax controversy management in light of the ongoing pandemic and the shifting economic, trade and tax policy environment?
    
  • What systems are in place to keep the organization informed of changes and related developments?
    
  • Has the company performed modeling and scenario planning reflecting potential tax policy changes and trade developments?
    
  • What role does tax play in the organization’s ESG strategy?
    
    
• Regulatory developments
  • Does the company have sufficient controls and procedures over nonfinancial data? Is internal audit providing any type of audit coverage on ESG-related data or is the company obtaining any external assurance?
    
  • In anticipation of CSA and SEC rule-making on disclosure of ESG-related matters, what steps will be taken to evaluate and adopt processes and controls related to potential new disclosure requirements?
    
  • What process does the audit committee have in place for regulatory updates and is the committee sufficiently engaged in dialogue providing views and input as needed on the related impacts?
  • In light of the changing environment, what additional voluntary proxy disclosures might be useful to shareholders related to the audit committee’s time spent on certain activities, such as cybersecurity, data privacy, business continuity, corporate culture and financial statement reporting developments?
    
  • External auditors: were there material changes to materiality assessments, scope, physical inventory counts and the overall planned audit approach? Were there any “close calls” or areas that were particularly challenging as a result of the current environment and remote workforce? What additional procedures has the external auditor performed to gain comfort regarding key assumptions, estimates and prospective financial information? How has the engagement team considered the potential increase in errors due to work-from-home distractions or changes to the incentive, opportunity and rationalization of the fraud triangle? Has there been a re-evaluation of key audit matters and how will auditor reporting requirements be impacted?