Canadian audit committees 2024

What Canadian audit committees should prioritize in 2024

Co authored by: Janice Rath, Partner at EY - Canadian Professional Practice Director - National Accounting and Auditing

We highlight key priorities for audit committees on risk management, financial reporting, tax and regulatory developments heading into 2024.


In brief

  • Understanding the risks and opportunities around AI and other disruptive technologies will continue to be an area of focus for boards.
  • Global tax changes could have profound implications for multinational entities and their global tax obligations in 2024.
  • The ESG landscape is shifting rapidly with new standards being issued across jurisdictions.
  • Rulemaking and other actions could meaningfully shift regulatory requirements in the year ahead.

1. Risk management

Boards face sharper challenges in navigating a risk environment that has become more expansive, complex and interconnected. A recent EY Board Risk survey indicates an escalating level of concern amongst boards that a risk will severely impact their business. In an increasingly complex risk environment that is likely to both persist and evolve, boards need to support their organizations in anticipating and adapting to key and other emerging risks, rather than reacting to them. Leading boards are continuing to add value by supporting management in horizon scanning and scenario planning to identify and capitalize on changes in the business environment before they materialize into significant risks.

2. Financial reporting

Companies are continuing to re-evaluate their disclosures as stakeholders seek to understand the impact of various external developments on the business. This includes the continued global economic uncertainty; climate and other environmental, social and governance (ESG) factors; and evolving geopolitical developments. We’ve highlighted some key financial reporting developments and trends to assist audit committees in overseeing audit quality and encouraging an environment and a culture that support the integrity of the financial reporting process.
 

3. Tax and other policy-related developments

In today’s volatile environment, companies will need to carefully monitor geopolitical, macroeconomic and global tax developments to make sound tax decisions for 2024 and beyond.
 

4. Regulatory developments

Get up to speed with key regulatory changes in Canada and around the world with our annual report. Covering topics from environmental, social, and governance standards to new security regulations and vital audit industry findings, our expert insights help you understand and navigate these developments with confidence.

Download the report for more details and questions to consider.

Questions for the audit committee to consider

Risk management

  • How strong are the organization’s capabilities to be highly informed about the internal and external environment, and risks, events and opportunities that may influence or compromise enterprise resilience?
  • How effective is the board’s oversight of emerging risks and other evolving external risks such as geopolitical developments, uncertain economic conditions, and climate risk? Does it have the information, expertise, and professional skepticism it needs to challenge management in these areas?
  • Has the board participated with management in one of its cyber breach simulations in the last year? How rigorous was the testing? Has the board had a cybersecurity maturity assessment performed?
  • Does the board understand management’s strategy for AI, including the process to prioritize investment in AI capabilities, use cases and underlying infrastructure?
  • How is the company using classical and generative AI to challenge the existing business model and key strategic assumptions?
  • Does the organization and the board have a complete inventory/database of AI applications, AI models, AI deployments, embedded AI capabilities, use cases, etc. within the organization to better understand the associated risks and related impacts? How does management establish that these applications are performing as intended to mitigate ethical and compliance risks?
  • How is the company assessing and mitigating the risks of generative AI, including vendor management controls? Is the company using an external framework such as the NIST AI Risk Management Framework to assess the adequacy of their governance and control environment?

Questions for the audit committee to consider

Risk management

  • How strong are the organization’s capabilities to be highly informed about the internal and external environment, and risks, events and opportunities that may influence or compromise enterprise resilience?
  • How effective is the board’s oversight of emerging risks and other evolving external risks such as geopolitical developments, uncertain economic conditions, and climate risk? Does it have the information, expertise, and professional skepticism it needs to challenge management in these areas?
  • Has the board participated with management in one of its cyber breach simulations in the last year? How rigorous was the testing? Has the board had a cybersecurity maturity assessment performed?
  • Does the board understand management’s strategy for AI, including the process to prioritize investment in AI capabilities, use cases and underlying infrastructure?
  • How is the company using classical and generative AI to challenge the existing business model and key strategic assumptions?
  • Does the organization and the board have a complete inventory/database of AI applications, AI models, AI deployments, embedded AI capabilities, use cases, etc. within the organization to better understand the associated risks and related impacts? How does management establish that these applications are performing as intended to mitigate ethical and compliance risks?
  • How is the company assessing and mitigating the risks of generative AI, including vendor management controls? Is the company using an external framework such as the NIST AI Risk Management Framework to assess the adequacy of their governance and control environment?

Financial reporting

  • Has management considered which financial reporting issues impacted by the macroeconomic environment and ongoing market uncertainty are relevant to the entity?  Have the additional risks identified been disclosed to help users of the financial statements better understand the judgments applied and sources of estimation uncertainty?
  • Have climate-related risks been considered and addressed in the entity’s financial statements with a view to ensuring consistency with other information communicated to stakeholders?
  • Has management assessed the application of Pillar Two Global Minimum Tax Model Rules on the entity? Are there new processes and other information to be developed in preparation for year-end and interim financial disclosures?

Tax and other policy-related developments

  • Has there been an assessment of whether the organization might be in scope of Pillar Two, and if so, have constituent entities been identified in countries that have enacted, or will enact, the Pillar Two rules by year end? Is there a plan in place for determining what may be owed under the new rules in relevant countries?
  • Has the organization begun making the necessary changes to its data and systems that will be needed to do the Pillar Two computations required to establish its estimated annual effective tax rate for its fiscal year ending in 2024 and its other provision, compliance and reporting obligations?
  • Has the organization assessed the impact of the significant Canadian legislative developments and how such developments may impact current and deferred tax on a go forward basis, including the ability to continue to recognize the benefit of deferred tax assets?
  • What resources and processes are in place for monitoring legislative and regulatory developments in relevant jurisdictions (at the national, provincial and international level) and does the audit committee have a line of sight into these activities?
  • Is management prepared to address any potential financial or reputational risks that may accompany expanded reporting requirements and calls for greater transparency?
  • Has the organization adopted, or does it plan to adopt, dedicated technology in response to new and evolving data and reporting requirements and to help assess tax risks and manage tax controls?

Regulatory developments

  • What process does the committee have in place for assessing the impact of regulatory updates and is the committee sufficiently engaged in dialogue providing views and input as needed on the related impacts?
  • How does management stay informed about regulatory and legislative developments related to AI, machine learning, data privacy, and emerging technologies in relevant jurisdictions? How is it monitoring whether the company is staying in compliance and assessing potential impacts to strategy particularly in relation to the US Executive Order and the EU AI Act pronouncements?
  • Has management considered which of the various ESG related jurisdictional requirements they may be subject to, including those of the European Union and the ISSB standards? In anticipation of the finalization of SEC rules over sustainability matters (if applicable), as well as any forthcoming CSSB standards, is management monitoring developments in relation to the potential scope and underlying disclosure requirements of these?
  • Does the company have sufficient controls and procedures over nonfinancial data? Is internal audit providing any type of audit coverage on ESG-related data? Has the company considered doing a pre-assessment on their processes and reporting in advance of obtaining external assurance?
  • If ESG-related matters are currently being discussed in more than one place (e.g., continuous disclosure filings, earnings releases, analyst communications, annual report, sustainability report, company website), is there consistency in the disclosures? Has the company evaluated controls related to such disclosures?
  • In light of the changing environment, what additional voluntary proxy disclosures might be useful to shareholders and stakeholders related to the audit committee’s time spent on certain activities, such as cybersecurity, data privacy, business continuity, corporate culture and financial statement reporting developments?

Download the report for more details and questions to consider.

Summary

With the changing risk landscape, the audit committee’s role continues to grow more demanding and complex amid the uncertain and dynamic business environment. This report will assist audit committees to proactively address developments in risk management, financial reporting, tax and the regulatory landscape.

About this article