15 minute read 27 Sep 2022

How audit committees can prepare for 2022 Q3 reporting

Authors
Pat Niemann

EY Americas Audit Committee Forum Leader

Community champion. Family man. USC Trojan alum.

Jennifer Lee

EY Americas Center for Board Matters Audit and Risk Specialist

Provider of board and audit committee insights. Conversant on financial reporting, risk and regulatory issues. Dedicated to family, team and client.

Heading into the final quarter of 2022, we provide considerations for audit committees as they talk with management and external auditors.

In brief

  • Audit committees need to maintain vigilance over cybersecurity and learn how leading companies are addressing the future of cyber risk.
  • It is important to understand how macroeconomic developments, including inflation, rising interest rates and the war in Ukraine, might impact financial reporting.
  • The SEC continues to engage in rulemaking, and audit committees should consider how to best prepare for potential regulatory changes.

Presented by the EY Audit Committee Forum

This report is intended to help audit committees as they proactively address recent and upcoming developments that may affect quarterly reporting.

Risk management

Given the ongoing changes in the business environment, it remains essential for audit committees to stay on top of critical drivers of risk and changing macroeconomic conditions (e.g., impacts stemming from inflation, rising interest rates, recession risk) to better assess near- and long-term risk implications to companies.

  • What we’re hearing from audit committee chairs on the future of cyber risk

    While cybersecurity has been a well-established topic on board and audit committee agendas for several years, constant vigilance is required to keep pace with an ever-changing and intensifying risk landscape. Companies are experiencing ongoing nation-state and ransomware attacks, increased exposure fueled by digital transformation efforts, and risks stemming from emerging technologies such as AI and machine learning.

    Tapestry Networks recently brought together one of the foremost authorities on cybersecurity and cyber executives from leading companies to meet with the audit committee chairs of more than 100 large US public companies to exchange views on the future of cyber and other emerging risks. Tapestry Networks summarized the key points arising from this discussion in its recently released report: The future of cyber risk.

    Notable themes from these discussions include:

    • Cyber threats are creating a growing and complex risk landscape: Diverging priorities between the United States and nations such as China and Russia are fueling cyber threats that directly impact companies, underscoring the need to stay on high alert. In addition to theft of intellectual property, there is a growing risk of data destruction, which may create near-term risk in supply chains.
    • Technology advancements are creating new types of risks: New technologies such as AI and machine learning can create opportunities for companies but also bring new cybersecurity and ethical risks. Boards should ask questions about what checks and balances are in place as new technologies are developed and deployed at their companies. Criminals can quietly modify the data that trains a machine learning system, leading to misclassifications and operational damage that may take many months to detect.
    • Audit committees can drill down to understand and prepare for future vulnerabilities: One of the cyber experts recommended that audit committees ask management about near misses, not just the big breaches. A good practice that was shared with audit committee chairs included bringing in business unit leaders on a rotating basis to explain their cybersecurity practice in order to receive different perspectives on the cyber topic.
    • Talent management is a top cyber concern: Given the competitiveness of cyber talent, boards should ask their chief information security officers about how they develop and retain talent for their cyber and technology programs. A good practice includes companies working closely with human resources teams and universities to develop talent early.
    • Organizations need to be crypto agile: Data security is a high priority for companies amid the current threat environment, where data is continuously targeted by myriad bad actors. AI, machine learning and quantum capabilities used for malicious purposes bring even more urgency to this issue. As existing encryption methods become ineffective, companies should stay abreast of new technologies and prioritize the protection of sensitive data and assets. Audit committee chairs were advised to make crypto agility a priority and to make sure that their companies are prepared to rapidly respond to any changes in cryptographic standards.
    • Disinformation is an emerging risk for companies: Disinformation is easy to create and spreads quickly, making it particularly dangerous. Unlike traditional cyber threats, targeted disinformation events have a low barrier to entry, requiring less sophistication and very little technical acumen. Most audit committee chairs indicated that disinformation is a new risk area that is not on their boards’ current agendas, but should be. Actionable recommendations include training employees to recognize disinformation, creating an incident response plan that outlines key processes and decision-makers in the event of a disinformation incident, and holding practice drills.

    Source:

    Tapestry Networks’ Audit Committee Leadership Summit: The future of cyber risk, August 2022


Accounting and disclosures

Organizations continue to be affected by macroeconomic factors such as inflation, rising interest rates, supply chain disruptions and stock market volatility, as well as the war in Ukraine and its ripple effects. We expect that audit committees will continue to evaluate these evolving impacts and changes in the business environment on their financial reporting processes.

Companies should continue to update their disclosures and consider the financial statement effects of the current market conditions (e.g., inflation, pandemic) and their expectations for the future. It will be important for audit committees not only to understand management’s view of future economic conditions, but also validate that the organization provides transparent disclosures regarding these views.

SEC rulemaking and other reporting considerations

The SEC has continued to engage in rulemaking that impacts public companies in Q3, including a final rule on proxy advice and proposed rule amendments relating to shareholder proposals.

Regarding proxy advice, the SEC adopted amendments that rescind two conditions added in 2020 that proxy voting advice businesses have had to meet to qualify for exemption from the proxy rules’ information and filing requirement. Those conditions required that (1) registrants that are the subject of proxy voting advice have such advice made available to them in a timely manner and (2) clients of proxy voting advice businesses are provided with a means of becoming aware of any written responses by registrants to proxy voting advice. These amendments are effective as of 19 September 2022.

The SEC also proposed amendments to its shareholder proposal rule, Exchange Act Rule 14a-8, which generally requires companies to include shareholder proposals in their proxy statements absent a basis for exclusion. The proposed amendments would narrow certain substantive bases that permit the exclusion of shareholder proposals in proxy statements. Comments on this proposal are due by 12 September.

The SEC is currently considering the public’s feedback on its proposal to enhance and standardize disclosures that public companies make about climate-related risks, their climate-related targets and goals, their greenhouse gas (GHG) emissions and how the board of directors and management oversee climate-related risks. The proposal would also require registrants to quantify the effects of certain climate-related events and transition activities in their audited financial statements. The SEC received thousands of comment letters on the proposal and now must decide whether and how to amend the proposal before voting on a final rule. If the rules are adopted as proposed by the end of 2022, the compliance date (which depends on a registrant’s filer status), would be phased in beginning with fiscal year 2023.

In June, the SEC also issued an updated rulemaking agenda for the coming months, which includes plans to propose rules to require disclosures on human capital later this year and board diversity in 2023.

Audit committees should consider how their companies should be preparing for potential regulatory changes, which could impact reporting requirements, disclosures and enforcement trends.

  • Notable PCAOB updates

    In June 2022, the Public Company Accounting Oversight Board released its Spotlight: Staff Overview for Planned 2022 Inspections, which provides discussion of the PCAOB’s focus areas in the current inspection cycle. Some of the key excerpts and selected areas of inspections focus are:

    • Fraud and other risks
    • Key auditing and accounting risks, including a) unreasonable assumptions affecting the timing and amount of revenue recognition due to the negative effects of the COVID-19 pandemic and supply chain disruptions; b) unreasonable assumptions used in projections to account for business combinations or in testing goodwill or other intangibles for impairment; c) earnings manipulation; d) complexities regarding existence and valuation of inventory; e) financial, economic and business uncertainty that impacts the required assessment to evaluate threats and uncertainties concerning a public company’s ability to continue as a going concern.
    • IPOs and M&A activity, with focus on the auditor’s work on the following: (1) valuation of financial instruments using complex valuation models; (2) the determination of whether a business combination should be accounted for as a reverse merger; (3) internal control over financial reporting; (4) financial statement presentation and disclosures; and (5) restatements related to warrants or other issues.
    • Audit firms’ execution challenges
    • Audit areas with continued deficiencies, including revenue recognition and related risk assessment; allowance for loan losses and other accounting estimates; and internal control over financial reporting (particularly controls with a review component).
    • Other noted focus areas include: broker dealer-specific considerations, independence, use of service providers in the confirmation process, critical audit matters (CAMs), firms’ quality control systems, and technology (in particular — auditing digital assets, responding to cyber threats, use of data and technology in the audit).

    The document may be useful to audit committees as it highlights some of the anticipated financial reporting and audit risks and issues that may be challenging in the current environment. It may also provide audit committees insights into the external auditor’s work plan for the upcoming audit cycle.

    Additionally, in August 2022, the PCAOB published a new resource for audit committees titled, Spotlight: Audit Committee Resource. This resource provides a reference point for audit committees by offering questions they may want to consider as part of their ongoing engagement and discussions with the external auditors. The topics and questions are reflective of the current economic environment and include questions that are reflective of the PCAOB’s inspection focus areas.

Questions for the audit committee to consider

In discussions with management, compliance personnel and auditors, audit committees should consider the following in addition to standard inquiries. Download the PDF to access the full list of questions.   

Risk management-related inquiries

  • How is the company seizing strategic opportunities to tap into larger talent pools? How is the organization nurturing its existing and future talent pools (e.g., re-skilling and upskilling, educational alliances) to position the company to meet current requirements, address enterprise risks and prepare for continued strategic pivots?
  • What processes does management have in place to accelerate idea generation, trialing and assessment while also encouraging appropriate risk taking? What more can be done to accelerate digital transformation efforts and foster a culture of innovation?
  • How is management understanding and monitoring the effectiveness of risk management of critical third parties with respect to financial and operational resiliency, IT security, data privacy, culture and environmental, social and governance factors?
  • In the event of a ransomware attack, what protocols and criteria will be considered to determine if/when/how ransom will be paid? For example, what are the insurance protocols? Should the organization have a ransom negotiator on retainer? Do system backups exist and what is the projected speed of deployment? If ransom is paid to an ill-defined attacker with an unknown location, what regulatory and legal implications might inadvertently be triggered?
  • As it relates to the Inflation Reduction Act of 2022, has management fully vetted the landscape of federal incentive opportunities and how they apply to the company? What is the applicability, timing and process for disbursements of tax incentives offered under the new law(s)?

Accounting, disclosures and other financial reporting related inquiries

  • What are the nonrecurring events and circumstances that have transpired and what are the related financial reporting and disclosure implications?
  • In light of the current environment (including the macro market conditions), has the company evaluated how current market developments may change the value of assets and whether there are impairment indicators for assets such as property, plant and equipment, definite and indefinite-lived intangibles, inventory, receivables, debt and equity investments? Have the valuation technique(s), inputs and assumptions been appropriately revisited and updated?
  • Does the company have sufficient controls and procedures over nonfinancial data? Is internal audit providing any type of audit coverage on ESG-related data, or is the company obtaining any external assurance?
  • How is the organization proactively assessing the opportunity to enhance stakeholder communications, including corporate reporting to address changes in operations and strategies as well as changing stakeholder expectations?
  • Have there been any material changes to internal controls over financial reporting or disclosure controls and procedures to address the changing operating environment? Have any cost-saving initiatives and related efforts impacted resources and/or processes that are key in internal controls over financial reporting? If so, has management identified mitigating controls to address any potential gaps?

Inquiries to auditors

  • Can financial reporting, compliance and auditing procedures (internal and external) continue to be adequately performed through a combination of physical and remote working procedures? What options are there to perform alternative procedures to facilitate timely collection, processing and reporting of information for internal use and to prepare regulatory filings?
  • External auditors: What changes are expected with materiality, scope and additional procedures in light of changes in the current business environment? What are the potential impacts on the audit arising from the complete or partial transition back to the office? Has the engagement team identified any incremental risks and/or adjusted its audit response in light of the war in Ukraine? If so, what are the impacts to the engagement’s audit strategy and overall approach to the interim reviews? How has the engagement team considered changes to the incentive, opportunity and rationalization of the fraud triangle?
  • If the company will be subject to the CAMT, what processes and controls will it need to adequately capture the data needed to calculate the taxes under the new regime?  
  • Internal auditors: How should audit plans be adjusted to address changes in risk appetite and tolerances as identified from the company’s ERM program? Are there any audit plans that are not being executed, or has the scope of the work been changed?

Summary

Heading into the final quarter of the year, there are many actions audit committees may want to take as they monitor SEC rulemaking and other reporting developments. Find out what they should consider in the areas of risk management, disclosures and more — and what questions audit committees should be asking in conversations with management, compliance personnel and auditors.
