2023 Q3 Audit committee newsletter: prepare for your next meeting

What the audit committee needs to know

In the third quarter, the FASB made final decisions on three major projects. Final standards are expected to be issued on all three before the end of the year.

Segment reporting

The new segment reporting standard will add required disclosures of significant expenses for each reportable segment, as well as certain other disclosures to help investors understand how the chief operating decision-maker evaluates segment expenses and operating results. The new standard will also allow disclosure of multiple measures of segment profitability if a company uses those measures to allocate resources and assess performance.

The guidance will be effective for calendar-year-end public companies in the 2024 annual period and in 2025 for interim periods, with early adoption permitted.

Income tax disclosures

The new income tax standard will require significant additional disclosures, focused on the disclosure of income taxes paid and the rate reconciliation table. At its August 30 meeting, the FASB affirmed many of its previous decisions as reflected in the exposure draft issued earlier this year. Notable changes from the proposal include removing the requirement to disclose a disaggregation of income taxes paid in interim periods and permitting companies to present an aggregate total of changes in unrecognized tax benefits for all jurisdictions within the rate reconciliation table. While the FASB clarified its intent that items within the rate reconciliation should be presented on a gross basis, it decided to allow companies to present certain items within the cross-border tax-effects category net of their foreign tax credits.

The new guidance will be applied prospectively (with retrospective application permitted) and will be effective for calendar-year-end public business entities in the 2025 annual period and in 2026 for interim periods, with early adoption permitted. All other entities will have an additional year to adopt the new guidance.

Accounting for and disclosure of crypto assets

The new standard on crypto assets will provide accounting and disclosure guidance for crypto assets that meet the definition of an intangible asset and certain other criteria, including that the asset does not provide the holder with enforceable rights to, or claims on, underlying goods, services or other assets. In-scope assets will be subsequently measured at fair value, with changes recorded in the income statement. The standard will require separate presentation of (1) in-scope crypto assets from other intangible assets and (2) changes in the fair value of those crypto assets. Disclosure of significant crypto asset holdings and an annual reconciliation of the beginning and ending balances of crypto assets will also be required.

Companies will apply the new guidance by making a cumulative-effect adjustment to the opening balance of retained earnings as of the beginning of the annual period the guidance is adopted. The guidance will be effective for all calendar-year-end companies in 2025, including interim periods, with early adoption permitted.

Why is it relevant to the audit committee?

The audit committee should be aware of accounting standards developments and their potential impacts on the company’s financial reporting. As part of its oversight role, the audit committee should understand management’s processes for monitoring, evaluating and implementing new accounting standards.

What questions should the audit committee ask?

• What is management’s process for monitoring, evaluating and implementing new accounting standards?
• Does management intend to early-adopt any eligible accounting standards for the current year-end period? If so, what are the expected impacts to financial reporting processes and the financial statements?
• What challenges might the company face (e.g., personnel constraints, data quality concerns) as it prepares for the required disclosures?
• If applicable, what is management’s crypto strategy, and what is management’s plan for complying with the anticipated requirements of a final accounting standard?

Where to go for more information:

FASB: Project update - Segment Reporting
FASB: Project update - Improvements to Income Tax Disclosures
FASB: Project update - Accounting for and Disclosure of Crypto Assets
PwC: Crypto assets guide

What the audit committee needs to know

In 2022, the SEC adopted rules directing US securities exchanges to establish standards to require listed issuers to develop and implement a written policy providing for the recovery of incentive-based compensation received by current and former executive officers in the event of required accounting revisions and restatements. The listing standards will take effect on October 2, 2023, and companies will have until December 1, 2023 to adopt a compliant recovery policy; however, the policy must be applied to erroneously awarded compensation received on or after October 2, 2023.

Why is it relevant to the audit committee?

For annual reports filed after adopting a recovery policy, a company is required to file its policy as an exhibit and disclose any actions taken pursuant to the policy. Additionally, a company will indicate on the cover page of Form 10-K (or Form 20-F) whether the financial statements included in the filing reflect the correction of an error and whether the error correction required an incentive-based compensation recovery analysis. The audit committee will want to understand management’s processes and controls for complying with the disclosure requirements.

What questions should the audit committee ask?

• What processes and controls has management put in place to comply with the requirements of the new rules and disclosure requirements?
• What protocols has management established for considering whether a restatement would trigger a recovery under the new rules?
• Has management established guidelines consistent with the new rule for accounting restatements that would not trigger the need for recovery?

Where to go for more information:

PwC: SEC adopts executive incentive compensation clawback rules

What the audit committee needs to know

In July, the FASB issued a proposal intended to improve the disclosures about a public business entity’s expenses and address requests from investors for more detailed information about the types of expenses in commonly presented income statement expense captions. The proposal would require public companies to provide disclosure in a tabular format that disaggregates income statement expense line items into specified categories of natural expenses, including: (a) employee compensation, (b) inventory and manufacturing expense, (c) depreciation and (d) intangible asset amortization. Other items not covered by these categories would be qualitatively described in the disclosure. Companies would also be required to further disaggregate inventory and manufacturing expenses based on costs incurred during the period. Lastly, the proposal would require separate disclosure of total “selling expenses” for the reporting period.

The proposed amendments would be applied on a prospective basis, with retrospective application permitted. Comments on the proposal are due October 30, and the FASB plans to host a public roundtable on December 13 to obtain additional feedback.

Why is it relevant to the audit committee?

The audit committee will want to understand management’s processes for monitoring and scoping this standard, as the level of detail to be required by a final standard will likely be significant for many companies.

What questions should the audit committee ask?

• How is management considering the impacts of the proposed standard on the company’s financial statements and footnotes?
• Has management considered the potential for changes to its processes and systems to meet the proposal’s expanded presentation requirements?
• What are management’s views on the benefits and costs associated with the proposal? Does management expect to comment on the proposal or participate in the roundtable to express its views?
• What feedback have investors shared with management about a desire to have greater disaggregation of income statement expenses?

Where to go for more information:

FASB: Project update: Disaggregation – Income Statement Expenses

The audit committee may want to consider discussing the above topics with management to understand how they are being addressed. For an in-depth discussion and more insights on these topics, see PwC’s The quarter close – Third quarter 2023.

What the audit committee needs to know

In July, the SEC adopted amendments that require timely disclosure of material cybersecurity incidents and annual disclosures related to cybersecurity risk management, strategy and governance. The new rules significantly expand registrants’ annual disclosures, providing investors and other stakeholders with more standardized information about a registrant’s processes to assess, identify and manage material cybersecurity risks.

A US domestic registrant or foreign private issuer will be required to report a material cybersecurity incident on Form 8-K within four business days after the registrant determines that the incident is material. The rules provide for a series of extensions if the US attorney general notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. The rules specify that a material incident could include a series of individual occurrences that are each determined to be immaterial.

Annual disclosures of risk management, strategy and governance

The new rules also require a registrant to provide information about their cybersecurity risk management, strategy and governance in their annual report on Form 10-K or Form 20-F. From a risk management perspective, a registrant is required to describe the processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. Annual disclosure is also required detailing management’s and the board’s oversight of cybersecurity risk. The rules also require a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats.

Registrants must begin complying with the requirement to report a material cybersecurity incident, as defined, on December 18, 2023. All registrants are required to comply with the annual disclosure requirements for fiscal years ending on or after December 15, 2023.

Why is it relevant to the audit committee?

Many boards delegate substantial oversight of cybersecurity to the audit committee. However, data from recent surveys suggests audit committees can do more to enhance their oversight. More than 90% of directors in PwC’s 2022 Annual Corporate Directors Survey indicated they are comfortable that their companies are staying current on cyber defenses, have identified their most valuable digital assets and done adequate testing of its resistance to attacks. However, only 65% of executives we surveyed rate their boards as having at least fair cybersecurity, data security and data privacy expertise.

With the new SEC rules, the audit committee will want to take a fresh look at its oversight responsibilities, understand management’s ability to meet the new disclosure requirements, and assess the effectiveness of the information it receives from management to monitor cyber incidents.

What questions should the audit committee ask?

• How has management considered the appropriateness of its plans and resources to manage through a cyberattack?
• Has management done a gap assessment against the company’s cyber program and the SEC requirements, and if so, what are the areas of focus as a result?
• What processes does the organization have to detect a cyber incident, and how is materiality determined? What are the appropriate escalation protocols?
• What is management’s process for evaluating and documenting individually immaterial cyber incidents to determine whether they are related and material in the aggregate?
• How has management considered its ability to report a cybersecurity incident within four days of determining it is material as outlined in the new rules
• How has management tested its systems and processes to gain comfort that they will work under real-world scenarios?
• How has management considered disclosure controls and procedures in relation to the new rules?
• Has management established relationships with appropriate federal law enforcement and related protocols in the event of an incident?
• How has management considered the audit committee’s information needs, including frequency of reporting?

Where to go for more information:

PwC: SEC adopts cybersecurity disclosure rules
PwC: Navigating the new SEC rules on cyber disclosures
PwC: Overseeing cyber risk: the board’s role
PwC: Boardroom readiness: Top 5 actions for cyber discussions
SEC: Fact Sheet - Public company cybersecurity disclosures - Final rules

What the audit committee needs to know 

In June, the PCAOB proposed rule changes related to an auditor’s consideration of a company’s noncompliance with laws and regulations, including fraud. The changes, if adopted, would impact the audit’s scope by significantly expanding the auditor’s objectives related to compliance beyond what a financial statement audit has traditionally addressed. 

The PCAOB sought feedback about, among other matters: whether the proposed requirements are sufficiently clear; whether the expansion of the auditor’s responsibilities is practical and cost-effective to implement; the potential increased need for auditors to use specialists (and whether there are substantial costs associated with the increased need to use such specialists); and whether there are alternatives that better promote investor protection, efficiency, competition and capital formation. The comment period closed on August 7.

Why is it relevant to the audit committee? 

The PCAOB’s proposal, if finalized as drafted, would have a direct impact on the audit committee's responsibility to oversee the independent auditor’s work. While the proposal is in the deliberation stage of the standard-setting process, the audit committee may want to discuss with management, the external auditor, general counsel and/or outside counsel, and others to understand their perspectives on the proposal and its potential impacts. Given the proposal’s focus and the broad stakeholder input sought by the PCAOB, the audit committee may want to revisit its understanding of the company’s compliance functions, the factors that increase financial reporting fraud risk and how management addresses the risk.

What questions should the audit committee ask?

• What procedures will the external auditor perform to identify risks of fraud in this year’s audit?
• How has the external auditor’s initial assessment of fraud risk evolved?
• What are the auditor’s processes for identifying any significant unusual transactions?
• What procedures will the auditor perform to identify potential related-party transactions?
• Does the auditor plan to revise any procedures relating to the identification of illegal acts, such as potential noncompliance with sanctions and other laws or regulations, as part of this year’s audit?

Where to go for more information:

PwC: PCAOB proposes significant expansion of auditor responsibilities
PCAOB: Spotlight: Audit Committee Resource

What the audit committee needs to know

As Q3 comes to a close, audit committees of calendar-year-end companies should be shifting their focus toward the audit and engaging with the external auditor. This is a good time to get a status update. And given the volatile business and regulatory environments, it is important to have ongoing updates from the external auditor to understand the current status of the audit, any changes in audit scope, any challenges related to the audit team, how the auditor is approaching emerging standards and regulations, or other issues that may have been identified.

Discussions could include the results of interim audit work (including focusing on any identified internal control matters), changes in the auditor’s risk assessment, if any, and any one-off transaction/circumstance with which the company or auditor may be dealing. In addition, auditors continue to implement new technologies to enhance the audit’s efficiency and quality, so the committee will want to understand the technology strategy and how innovations may impact the audit’s efficiency and effectiveness.

Why is it relevant to the audit committee?

Investors and other stakeholders look to the audit committee to oversee the company’s accounting and financial reporting processes as well as oversight of the external audit. As part of audit committee oversight, it is important to engage in effective two-way communication with the auditor to understand the audit scoping and risk assessment, get timely status updates and ask relevant questions throughout the audit cycle.

What questions should the audit committee ask?

• Have there been any changes to the auditor’s risk assessment?
• As part of the auditor’s risk assessment procedures, how has it contemplated relevant economic factors, such as inflation, rising interest rates and geopolitical risks?
• How has the audit plan changed in response to the current business environment (e.g., supply chain disruptions, asset valuations, availability of talent)?
• Has the auditor’s assessment of climate risk impacted the audit plan?
• How will the auditor consider potential management bias in developing significant estimates and assumptions?
• Does the auditor utilize any specialized technology-based tools with respect to the audit? If so, what are the risks and opportunities?
• Have there been any changes to the external auditor’s staffing plan?

Where to go for more information:

PwC: Overseeing the external auditors
PwC: Audit committee oversight checklist
PCAOB: Spotlight: Audit committee resource

Every audit committee meeting agenda should include these important items; at the least, they should be discussed at scheduled intervals:

• Hotline complaints and code of conduct violations
• Changes in the regulatory environment
• Private and executive sessions
• Related-party transactions
• Internal and external audit plan reviews
• Discussions with the CIO, CISO and GC as needed