In December 2019, as part of its strategy of enhancing transparency and accessibility through proactive stakeholder engagement, the PCAOB conducted conversations with almost 400 audit committee chairs, focused on audit committee perspectives on topics such as audit quality assessment and improvement and auditor communications, and reported on those conversations. (See this PubCo post.) As noted by PCAOB Chair William Duhnke in this PCAOB webinar for audit committees, the PCAOB prioritized this engagement, viewing informed and engaged audit committees as "force multipliers." In addition, he noted, the PCAOB had heard criticism early in the process that the PCAOB did not play well with others and was not receptive to feedback-the conversations also represented an effort to address that problem. The PCAOB has continued this same outreach to audit committee chairs during 2020, focused this time on the unprecedented challenges created by COVID-19 and its effect on the chairs' oversight of financial reporting and the audit. The responses regarding the impact of the pandemic varied widely, depending on the industry and company. The chairs identified a number of new or increased risks, including cybersecurity, employee safety and mental health, going concern, accounting estimates, impairments, international operations and accounting implications of the CARES Act. The PCAOB's recent report summarizes two of the common themes the PCAOB regularly heard from audit committee chairs across industries and highlights some of the helpful questions and considerations that the chairs identified.

Remote work. The most prevalent theme was the shift to remote work. Chairs were initially concerned about the rapidity of the transition to remote, but ultimately indicated that they were surprised by how smoothly the transition had gone under the circumstances. Some of the chairs indicated that the transition may have been eased by storage of much company data in the cloud. The chairs had been particularly concerned about internal control over financial reporting, but concluded that it "was managed, maintained, or adjusted as necessary."

SideBar

Controls assessments, which are often considered to be best performed in person, have been highlighted as potential problems arising out of remote work. The difficulty of simply performing the assessment remotely-how do you conduct a physical observation?-compounded by substantial economic decline, has been identified as a factor that could put stress on the controls (see this PubCo post). In Corp Fin's recently issued Disclosure Guidance Topic No. 9, which offers the staff's views regarding disclosure considerations, the staff offered a series of questions for companies to consider regarding remote work and controls:

"Have COVID-19-related circumstances such as remote work arrangements adversely affected your ability to maintain operations, including financial reporting systems, internal control over financial reporting and disclosure controls and procedures? If so, what changes in your controls have occurred during the current period that materially affect or are reasonably likely to materially affect your internal control over financial reporting? What challenges do you anticipate in your ability to maintain these systems and controls?" (See this PubCo post.)

Cyber-related risks-such as increased phishing attempts and email security-were cited a number of times by chairs as a challenge that was more acute as a result of the move to remote work. The PCAOB observed that the issue of cybersecurity typically arises in the context of identifying and assessing risks of material misstatements in the financial statements and, for integrated audits, in connection with identifying and testing the controls designed to mitigate that risk. The effectiveness of cyber-related controls was often discussed by the chairs with the auditors in connection with the audit.

Below are questions for auditors that audit committee chairs considered helpful in understanding risks related to remote work:

  • "Will additional time be needed to get the audit work done remotely? What complexity does working remotely add to the audit?
  • Will working remotely affect productivity of audit engagement team members? If so, does the audit plan need to be updated, and do fees need to be revisited?
  • Has remote work affected the company's ICFR? If so:
    • Is the auditor including new controls in their assessment, or evaluating changes to existing ones?
    • Has the auditor identified any concerns with respect to segregation of duties?
  • If a review of the issuer's interim financial information has been completed already, are there any lessons learned that can be applied to the year-end audit?
  • Are there any technology enhancements or collaborative tools that should be considered to support longer-term remote work?
  • Has the auditor assessed potential risks of material misstatement related to cybersecurity, and how does the auditor plan to respond to those risks?"

Increased auditor communications. Most of the audit committee chairs reported that the pandemic led to more frequent communication with their auditors, and the chairs were generally satisfied with the extent of these communications. One of the most common discussions related to how to best complete audit work a timely basis. Some chairs also highlighted their expectations of continued frequent communications as new risks and uncertainties emerged as a result of the pandemic.

Audit chairs found the following communication topics to be particularly useful:

  • "Discussions about trends auditors are seeing across their client base, particularly those pertaining to industry peers;
  • Presentations on areas of the audit that may or will warrant increased attention due to the effects of COVID-19, as well as how the auditor plans to approach those areas; and
  • Audit firm resources and webinars with industry-specific content."

The audit chairs offered the following advice regarding auditor communications during the pandemic:

  • "Engage with the auditor and management to discuss potential challenges to a timely completion of the audit. Review and discuss the timeline for the phases of audit work.
  • Determine a good cadence for communications that include both the auditor and management so that the audit committee receives the information it needs in a timely manner, while also considering the additional demands on auditors and management during the pandemic.
  • Discuss any changes to the audit plan with the auditor, including changes to areas of focus and how the auditor plans to address areas of new or modified risk. Discuss if there are changes to how the auditor will identify and test internal controls.
  • Discuss which disclosures may need to change as a result of COVID-19."

As reported in the webinar, two other topics that came up frequently were enterprise risk management and company culture. With regard to ERM, audit committee chairs said that they were devoting more time to this issue, with some indicating that their ERM plans were effective with just a few tweaks and others needing to essentially start over because the plans did not contemplate such an enduring crisis. Related to ERM is an enhanced focus on corporate culture, both with regard to supporting management through the stressful environment and the need for increased attention to issues of culture such as the potential for fraud.

A more general discussion of the messages from PCAOB conversations with audit committee chairs is expected at the end of the year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.