According to How Audit Committees Can Prepare for 2023 Q2 Reporting, a new report by the EY Center for Board Matters, when audit committees discuss risk, they are increasingly focusing on AI, the economy and possible upcoming regulation by the SEC. We spoke to Patrick Niemann, EY Americas audit committee forum leader and a coauthor of the report, about the top concerns in those areas as well as questions audit committees should be asking management to ensure they are updated on the top risks facing their companies.
Directors & Boards: According to your report, How Audit Committees Can Prepare for 2023 Q2 Reporting, what are some of audit committees' top concerns as it relates to risk management related to AI?
Patrick Niemann: The audit committee role continues to grow more demanding and complex every day, and AI, and specifically generative AI applications, have certainly added new considerations as it relates to oversight responsibilities and concerns for board audit committees. As the use of generative AI technology accelerates, it is outpacing the organizational governance and controls that guide its use. So, as organizations race to implement the technology and achieve a “first-mover advantage,” premature commercialization can be a worry for audit committees. There needs to be proper governance that takes into account the ethical use of AI, accuracy of outputs, plagiarism, copyright, trademark violations and protections of company IP, to name a few.
To get ahead of the risks, audit committees need to understand how AI is being used in their companies and ensure that there are controls and processes that evolve as quickly as emerging technology. Board audit committees should inquire with management and internal audit about their risk assessments and ask them whether and how AI is used within financial reporting processes, including any related internal control impacts. Companies should also consider a “zero trust attitude,” which places the burden on the machine to prove accuracy of outputs.
DB: What steps should audit committees be taking in preparing for our current economic environment?
PN: The EY Center for Board Matters advises that audit committees continue to evaluate impacts that are evolving as a result of today's uncertain economic environment, especially as it relates to the impacts on businesses' financial reporting processes. Audit committees have the responsibility to oversee their companies' processes and controls that will be helpful to management as they consider how changes in the economic environment affect their accounting and financial reporting.
From there, audit committees ought to assess disclosures included in SEC filings and uncertainties, such as inflation, rising interest rates and supply chain disruptions. The audit committee also needs to revisit other disclosures included in the SEC filings, such as risk factors, critical accounting estimates, liquidity and capital resources to address certain risk concentrations. It is important for audit committees to stay aware of trends and results that are driven by the uncertain economic environment. For instance, companies that have reported significant increases in year-over-year inventory balances may need to consider whether to record a charge for any decline in value of inventory that they cannot sell in the short term.
DB: What possible new SEC rules are on the horizon and what can audit committees do now to get ready for what might come later?
PN: Much uncertainty exists as it relates to when we will see the SEC's new rules this year, but it is critical that audit committees start preparing now based on what we know. There are proposed rules on human capital management and climate and new rules were recently adopted regarding cybersecurity risk governance and disclosures as well as share repurchase disclosures. Whether proposed or finalized, it behooves audit committees to understand the implications of these rules and ensure that management teams are taking appropriate actions to be ready to implement when required.
The SEC also continues to focus on how companies use non-GAAP financial measures in earnings releases and SEC filings and whether such metrics could potentially mislead investors. In December 2022, the SEC updated its Compliance and Disclosure Interpretations to reflect on concerns about potentially misleading investors. Audit committees should understand the use and purpose of non-GAAP financial measures disclosed in filings with the SEC and review related disclosures to ensure clear explanations of these measures are provided.
DB: What are the most important questions for audit committees to ask management, compliance personnel and auditors about risk management?
PN: I think a primary question audit committees should ask other organizational leaders is, “How strong are the organization's capabilities to be highly informed about the internal and external environment, and risks, events and opportunities that may influence or compromise our own enterprise stability?” Getting this pulse check from management, compliance personnel and internal and external auditors will push leaders to factor in the risks that continue to impact organizations, such as geopolitics, macroeconomic conditions, talent and cybersecurity.
Other key questions include:
- Does the board have the information, expertise and professional skepticism it needs to challenge management relating to emerging risks?
- Does the organization perform stress tests to confirm appropriate financial reserves?
- Does the organization deploy future scenario planning to inform its long-term planning process?
These considerations can help the audit committee determine where there are gaps in their organization's risk management plan and where they need to provide additional support.