2023 Q3 Audit committee newsletter: prepare for your next meeting

Overview

Audit committees have a critical oversight responsibility and committee members must stay up to date about changing regulations, reporting guidelines and dynamic expectations. Our quarterly audit committee special edition offers potential topics for inclusion in your upcoming audit committee meeting.

Each quarter we provide highlights of trending financial reporting topics as well as helpful links guiding you to more information.

As you perform your oversight responsibilities and plan your next audit committee meeting agenda, check in each quarter for our updated summary.

Financial reporting

1. Significant milestones achieved in global sustainability reporting

What the audit committee needs to know

This quarter brought notable developments in global sustainability reporting, with two major milestones reached: adoption of the final sustainability reporting standards in Europe and issuance of the first two standards from the International Sustainability Standards Board (ISSB).

Corporate Sustainability Reporting Directive (CSRD)

In July, the European Commission adopted the final European Sustainability Reporting Standards (ESRS), which detail the reporting requirements under the CSRD, covering environmental, social and governance topics. The 12 final standards will now face scrutiny from the European Parliament and Council of the European Union (for two months with a possible two-month extension) before going into effect. The ESRS will become law shortly after the scrutiny period ends when they are published in the Official Journal of the European Union.

Meanwhile, the European Financial Reporting Advisory Group (EFRAG) continues its work on several items. In August and September, EFRAG discussed its progress on developing implementation guidance, specifically related to the double materiality and value chain assessments, which will be released for public comment in the coming weeks. In addition, EFRAG is working with the Global Reporting Initiative (GRI) and the ISSB to prepare mapping tables depicting the final ESRS’ interoperability with the GRI standards and the IFRS Sustainability Disclosure Standards.

Since the CSRD went into effect in January 2023, EU Member States have begun the process of transposing it into their own national laws. Several countries have held public consultations to seek stakeholder input, and drafts of the legislation have been made available or will be released in the coming months (with final transposition required by July 2024). The extent of any changes that may occur during the transposition process is still unclear. Companies should monitor developments in those EU Member States where they have subsidiaries.

International Sustainability Standards Board (ISSB)

In June, the ISSB issued its first two IFRS Sustainability Disclosure Standards, covering general requirements and climate. The standards are effective for periods beginning on or after January 1, 2024, which could mean reporting as early as 2025. However, the ISSB provided transition relief, requiring only climate-related disclosures in the first year of reporting. Thus, companies will be required to provide disclosures only to the extent they relate to climate risks and opportunities.

Individual jurisdictions will determine whether application of the IFRS Sustainability Disclosure Standards is required or permitted as a basis for sustainability reporting, akin to the process for adopting IFRS Accounting Standards for financial reporting. In July, the International Organization of Securities Commissions (IOSCO) announced that it will endorse the IFRS Sustainability Disclosure Standards. IOSCO has now called on its 130 member jurisdictions, regulating more than 95% of the world's financial markets, to consider ways in which they might adopt, apply or otherwise be informed by the ISSB™ standards in their jurisdictions.

Why is it relevant to the audit committee?

US companies can be subject to European sustainability reporting requirements in multiple ways. For example, the CSRD will impact US companies’ EU subsidiaries and US companies that are subsidiaries of parents headquartered in the EU. The first set of companies in scope will be required to make disclosures in 2025 on 2024 information.

Each jurisdiction will individually decide whether and when to adopt IFRS Sustainability Disclosure Standards, which may impact multinationals operating in those jurisdictions.

The audit committee will want to stay apprised of global rules and standards as they evolve and understand the company’s policies, processes, internal controls and governance for the preparation and disclosure of required information.

What questions should the audit committee ask?

  • How is management monitoring and evaluating the impacts of global ESG reporting developments in territories where the company has subsidiaries?
  • What is management’s process for determining which global jurisdictional requirements will impact the company’s reporting?
  • What processes and controls are in place to support ESG information’s accuracy, completeness and consistency?

Where to go for more information:

PwC: Final European Sustainability Reporting Standards have been adopted
PwC: Worldwide impact of CSRD - are you ready?
PwC: IFRS Sustainability Disclosure Standards – Guidance, insights, and where to begin
PwC: Navigating the ESG landscape

2. FASB moves toward issuance of three significant new standards

What the audit committee needs to know

In the third quarter, the FASB made final decisions on three major projects. Final standards are expected to be issued on all three before the end of the year.

Segment reporting

The new segment reporting standard will add required disclosures of significant expenses for each reportable segment, as well as certain other disclosures to help investors understand how the chief operating decision-maker evaluates segment expenses and operating results. The new standard will also allow disclosure of multiple measures of segment profitability if a company uses those measures to allocate resources and assess performance.

The guidance will be effective for calendar-year-end public companies in the 2024 annual period and in 2025 for interim periods, with early adoption permitted.

Income tax disclosures

The new income tax standard will require significant additional disclosures, focused on the disclosure of income taxes paid and the rate reconciliation table. At its August 30 meeting, the FASB affirmed many of its previous decisions as reflected in the exposure draft issued earlier this year. Notable changes from the proposal include removing the requirement to disclose a disaggregation of income taxes paid in interim periods and permitting companies to present an aggregate total of changes in unrecognized tax benefits for all jurisdictions within the rate reconciliation table. While the FASB clarified its intent that items within the rate reconciliation should be presented on a gross basis, it decided to allow companies to present certain items within the cross-border tax-effects category net of their foreign tax credits.

The new guidance will be applied prospectively (with retrospective application permitted) and will be effective for calendar-year-end public business entities in the 2025 annual period and in 2026 for interim periods, with early adoption permitted. All other entities will have an additional year to adopt the new guidance.

Accounting for and disclosure of crypto assets

The new standard on crypto assets will provide accounting and disclosure guidance for crypto assets that meet the definition of an intangible asset and certain other criteria, including that the asset does not provide the holder with enforceable rights to, or claims on, underlying goods, services or other assets. In-scope assets will be subsequently measured at fair value, with changes recorded in the income statement. The standard will require separate presentation of (1) in-scope crypto assets from other intangible assets and (2) changes in the fair value of those crypto assets. Disclosure of significant crypto asset holdings and an annual reconciliation of the beginning and ending balances of crypto assets will also be required.

Companies will apply the new guidance by making a cumulative-effect adjustment to the opening balance of retained earnings as of the beginning of the annual period the guidance is adopted. The guidance will be effective for all calendar-year-end companies in 2025, including interim periods, with early adoption permitted.

Why is it relevant to the audit committee?

The audit committee should be aware of accounting standards developments and their potential impacts on the company’s financial reporting. As part of its oversight role, the audit committee should understand management’s processes for monitoring, evaluating and implementing new accounting standards.

What questions should the audit committee ask?

  • What is management’s process for monitoring, evaluating and implementing new accounting standards?
  • Does management intend to early-adopt any eligible accounting standards for the current year-end period? If so, what are the expected impacts to financial reporting processes and the financial statements?
  • What challenges might the company face (e.g., personnel constraints, data quality concerns) as it prepares for the required disclosures?
  • If applicable, what is management’s crypto strategy, and what is management’s plan for complying with the anticipated requirements of a final accounting standard?

Where to go for more information:

FASB: Project update - Segment Reporting
FASB: Project update - Improvements to Income Tax Disclosures
FASB: Project update - Accounting for and Disclosure of Crypto Assets
PwC: Crypto assets guide

3. Clawback of erroneously awarded executive compensation

What the audit committee needs to know

In 2022, the SEC adopted rules directing US securities exchanges to establish standards to require listed issuers to develop and implement a written policy providing for the recovery of incentive-based compensation received by current and former executive officers in the event of required accounting revisions and restatements. The listing standards will take effect on October 2, 2023, and companies will have until December 1, 2023 to adopt a compliant recovery policy; however, the policy must be applied to erroneously awarded compensation received on or after October 2, 2023.

Why is it relevant to the audit committee?

For annual reports filed after adopting a recovery policy, a company is required to file its policy as an exhibit and disclose any actions taken pursuant to the policy. Additionally, a company will indicate on the cover page of Form 10-K (or Form 20-F) whether the financial statements included in the filing reflect the correction of an error and whether the error correction required an incentive-based compensation recovery analysis. The audit committee will want to understand management’s processes and controls for complying with the disclosure requirements.

What questions should the audit committee ask?

  • What processes and controls has management put in place to comply with the requirements of the new rules and disclosure requirements?
  • What protocols has management established for considering whether a restatement would trigger a recovery under the new rules?
  • Has management established guidelines consistent with the new rule for accounting restatements that would not trigger the need for recovery?

Where to go for more information:

PwC: SEC adopts executive incentive compensation clawback rules

4. Proposal would require new disclosures disaggregating income statement expenses

What the audit committee needs to know

In July, the FASB issued a proposal intended to improve the disclosures about a public business entity’s expenses and address requests from investors for more detailed information about the types of expenses in commonly presented income statement expense captions. The proposal would require public companies to provide disclosure in a tabular format that disaggregates income statement expense line items into specified categories of natural expenses, including: (a) employee compensation, (b) inventory and manufacturing expense, (c) depreciation and (d) intangible asset amortization. Other items not covered by these categories would be qualitatively described in the disclosure. Companies would also be required to further disaggregate inventory and manufacturing expenses based on costs incurred during the period. Lastly, the proposal would require separate disclosure of total “selling expenses” for the reporting period.

The proposed amendments would be applied on a prospective basis, with retrospective application permitted. Comments on the proposal are due October 30, and the FASB plans to host a public roundtable on December 13 to obtain additional feedback.

Why is it relevant to the audit committee?

The audit committee will want to understand management’s processes for monitoring and scoping this standard, as the level of detail to be required by a final standard will likely be significant for many companies.

What questions should the audit committee ask?

  • How is management considering the impacts of the proposed standard on the company’s financial statements and footnotes?
  • Has management considered the potential for changes to its processes and systems to meet the proposal’s expanded presentation requirements?
  • What are management’s views on the benefits and costs associated with the proposal? Does management expect to comment on the proposal or participate in the roundtable to express its views?
  • What feedback have investors shared with management about a desire to have greater disaggregation of income statement expenses?

Where to go for more information:

FASB: Project update: Disaggregation – Income Statement Expenses

The audit committee may want to consider discussing the above topics with management to understand how they are being addressed. For an in-depth discussion and more insights on these topics, see PwC’s The quarter close – Third quarter 2023.

Other topics

5. Enterprise risk management (ERM) in focus

What the audit committee needs to know

The impacts of shifting economic conditions and market volatility have left many business leaders across multiple industries concerned about how well their companies are managing risk. This, coupled with other major geopolitical and global events, has increased interest in ERM programs. A company’s ERM program is intended to formalize how risks are identified, assessed, managed, monitored and reported in light of strategic priorities. We’re seeing that some ERM programs are keeping up with the pace of change, while others are either losing momentum or lacking adequate investment or attention.

Having an effective ERM program can help management make more informed decisions in the face of uncertainty — whether that’s specific to a particular company or sector or facing the entire economic landscape. Companies are having to regularly revisit their risk management strategies to keep up. This means that oversight of ERM may include a refresh of the audit committee’s understanding of management’s process and more reporting throughout the year.

Why is it relevant to the audit committee?

Risk oversight is among the audit committee’s most important responsibilities. While the full board is ultimately responsible for overseeing risk, an increasing number of audit committees are assigned overall oversight of management’s ERM process as well as more and more specific risks. Given this, the committee may want to take a closer look at its competencies to oversee risk management, how management is reporting to it on risks and the frequency of updates it receives.

What questions should the audit committee ask?

  • How does the ERM process align with strategic planning and decision-making?
  • What are the risk program’s strategy and objectives?
  • How does management keep abreast of the changing risk environment?
  • How does the ERM program coordinate and collaborate with the various business units and corporate functions?
  • What is the process for categorizing and assessing the company’s risks?
  • How are key risk indicators defined, measured and monitored?
  • What is management’s process for identifying the top risks for reporting to the audit committee?
  • What mechanisms are in place to provide the audit committee with appropriate reporting of management’s risk identification, monitoring, measurement and mitigation efforts (e.g., dashboards, KPIs)?

Where to go for more information:

PwC: The director’s guide to ERM fundamentals
PwC: PwC’s 2023 US Risk Perspectives Survey
PwC: Risk oversight and the board: Navigating the evolving terrain

6. SEC adopts cybersecurity disclosure rules

What the audit committee needs to know

In July, the SEC adopted amendments that require timely disclosure of material cybersecurity incidents and annual disclosures related to cybersecurity risk management, strategy and governance. The new rules significantly expand registrants’ annual disclosures, providing investors and other stakeholders with more standardized information about a registrant’s processes to assess, identify and manage material cybersecurity risks.

A US domestic registrant or foreign private issuer will be required to report a material cybersecurity incident on Form 8-K within four business days after the registrant determines that the incident is material. The rules provide for a series of extensions if the US attorney general notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. The rules specify that a material incident could include a series of individual occurrences that are each determined to be immaterial.

Annual disclosures of risk management, strategy and governance

The new rules also require a registrant to provide information about its cybersecurity risk management, strategy and governance in its annual report on Form 10-K or Form 20-F. From a risk management perspective, a registrant is required to describe the processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. Annual disclosure is also required detailing management’s and the board’s oversight of cybersecurity risk. The rules also require a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats.

Registrants must begin complying with the requirement to report a material cybersecurity incident, as defined, on December 18, 2023. All registrants are required to comply with the annual disclosure requirements for fiscal years ending on or after December 15, 2023.

Why is it relevant to the audit committee?

Many boards delegate substantial oversight of cybersecurity to the audit committee. However, data from recent surveys suggests audit committees can do more to enhance their oversight. More than 90% of directors in PwC’s 2022 Annual Corporate Directors Survey indicated they are comfortable that their companies are staying current on cyber defenses, have identified their most valuable digital assets and have done adequate testing of their resistance to attacks. However, only 65% of executives we surveyed rate their boards as having at least fair cybersecurity, data security and data privacy expertise.

With the new SEC rules, the audit committee will want to take a fresh look at its oversight responsibilities, understand management’s ability to meet the new disclosure requirements, and assess the effectiveness of the information it receives from management to monitor cyber incidents.

What questions should the audit committee ask?

  • How has management considered the appropriateness of its plans and resources to manage through a cyberattack?
  • Has management done a gap assessment against the company’s cyber program and the SEC requirements, and if so, what are the areas of focus as a result?
  • What processes does the organization have to detect a cyber incident, and how is materiality determined? What are the appropriate escalation protocols?
  • What is management’s process for evaluating and documenting individually immaterial cyber incidents to determine whether they are related and material in the aggregate?
  • How has management considered its ability to report a cybersecurity incident within four days of determining it is material as outlined in the new rules?
  • How has management tested its systems and processes to gain comfort that they will work under real-world scenarios?
  • How has management considered disclosure controls and procedures in relation to the new rules?
  • Has management established relationships with appropriate federal law enforcement and related protocols in the event of an incident?
  • How has management considered the audit committee’s information needs, including frequency of reporting?

Where to go for more information:

PwC: SEC adopts cybersecurity disclosure rules
PwC: Navigating the new SEC rules on cyber disclosures
PwC: Overseeing cyber risk: the board’s role
PwC: Boardroom readiness: Top 5 actions for cyber discussions
SEC: Fact Sheet - Public company cybersecurity disclosures - Final rules

7. PCAOB proposes new rules expanding auditor responsibilities

What the audit committee needs to know 

In June, the PCAOB proposed rule changes related to an auditor’s consideration of a company’s noncompliance with laws and regulations, including fraud. The changes, if adopted, would impact the audit’s scope by significantly expanding the auditor’s objectives related to compliance beyond what a financial statement audit has traditionally addressed. 

The PCAOB sought feedback about, among other matters: whether the proposed requirements are sufficiently clear; whether the expansion of the auditor’s responsibilities is practical and cost-effective to implement; the potential increased need for auditors to use specialists (and whether there are substantial costs associated with the increased need to use such specialists); and whether there are alternatives that better promote investor protection, efficiency, competition and capital formation. The comment period closed on August 7.

Why is it relevant to the audit committee? 

The PCAOB’s proposal, if finalized as drafted, would have a direct impact on the audit committee's responsibility to oversee the independent auditor’s work. While the proposal is in the deliberation stage of the standard-setting process, the audit committee may want to discuss with management, the external auditor, general counsel and/or outside counsel, and others to understand their perspectives on the proposal and its potential impacts. Given the proposal’s focus and the broad stakeholder input sought by the PCAOB, the audit committee may want to revisit its understanding of the company’s compliance functions, the factors that increase financial reporting fraud risk and how management addresses the risk.

What questions should the audit committee ask?

  • What procedures will the external auditor perform to identify risks of fraud in this year’s audit?
  • How has the external auditor’s initial assessment of fraud risk evolved?
  • What are the auditor’s processes for identifying any significant unusual transactions?
  • What procedures will the auditor perform to identify potential related-party transactions?
  • Does the auditor plan to revise any procedures relating to the identification of illegal acts, such as potential noncompliance with sanctions and other laws or regulations, as part of this year’s audit?

Where to go for more information:

PwC: PCAOB proposes significant expansion of auditor responsibilities
PCAOB: Spotlight: Audit Committee Resource

8. Communications with the external auditor

What the audit committee needs to know

As Q3 comes to a close, audit committees of calendar-year-end companies should be shifting their focus toward the audit and engaging with the external auditor. This is a good time to get a status update. And given the volatile business and regulatory environments, it is important to have ongoing updates from the external auditor to understand the current status of the audit, any changes in audit scope, any challenges related to the audit team, how the auditor is approaching emerging standards and regulations, or other issues that may have been identified.

Discussions could include the results of interim audit work (including focusing on any identified internal control matters), changes in the auditor’s risk assessment, if any, and any one-off transaction/circumstance with which the company or auditor may be dealing. In addition, auditors continue to implement new technologies to enhance the audit’s efficiency and quality, so the committee will want to understand the technology strategy and how innovations may impact the audit’s efficiency and effectiveness.

Why is it relevant to the audit committee?

Investors and other stakeholders look to the audit committee to oversee the company’s accounting and financial reporting processes as well as the external audit. As part of audit committee oversight, it is important to engage in effective two-way communication with the auditor to understand the audit scoping and risk assessment, get timely status updates and ask relevant questions throughout the audit cycle.

What questions should the audit committee ask?

  • Have there been any changes to the auditor’s risk assessment?
  • As part of the auditor’s risk assessment procedures, how has it contemplated relevant economic factors, such as inflation, rising interest rates and geopolitical risks?
  • How has the audit plan changed in response to the current business environment (e.g., supply chain disruptions, asset valuations, availability of talent)?
  • Has the auditor’s assessment of climate risk impacted the audit plan?
  • How will the auditor consider potential management bias in developing significant estimates and assumptions?
  • Does the auditor utilize any specialized technology-based tools with respect to the audit? If so, what are the risks and opportunities?
  • Have there been any changes to the external auditor’s staffing plan?

Where to go for more information:

PwC: Overseeing the external auditors
PwC: Audit committee oversight checklist
PCAOB: Spotlight: Audit committee resource

9. Recurring items for the audit committee agenda

Every audit committee meeting agenda should include these important items; at the least, they should be discussed at scheduled intervals:

  • Hotline complaints and code of conduct violations
  • Changes in the regulatory environment
  • Private and executive sessions
  • Related-party transactions
  • Internal and external audit plan reviews
  • Discussions with the CIO, CISO and GC as needed

Contact us

Maria Castañón Moats

Leader, Governance Insights Center, PwC US

Stephen G. Parker

Partner, Governance Insights Center, PwC US

Tracey-Lee Brown

Director, Governance Insights Center, PwC US

Gregory Johnson

Director, Governance Insights Center, PwC US
