On the 2024 Audit Committee agenda

Focusing on the financial reporting, accounting and disclosure obligations posed by the current geopolitical, macroeconomic and risk landscape will be a top priority and major undertaking for Audit Committees in 2024.

Key areas of focus should include:

Forecasting and disclosures

Many forecasting and disclosures require the Audit Committee’s attention:

• Impact of the wars in Ukraine and the Middle East, government sanctions, supply chain disruptions, heightened cybersecurity risk, climate change, inflation, interest rates, market volatility and the risk of a global recession; 
• Preparation of forward-looking cash-flow estimates; impairment of non-financial assets (including goodwill and other intangible assets);
• Impact of events and trends on liquidity; 
• Accounting for financial assets (fair value); and
• Going concern.

With companies making tougher calls in the current environment, regulators are emphasizing the importance of well-reasoned judgments and transparency, including contemporaneous documentation to demonstrate that the company applied a rigorous process. Given the fluid nature of the long-term environment, disclosure of changes in judgments, estimates and controls may be required more frequently.

Internal control over financial reporting (ICOFR) and probing control deficiencies

The current geopolitical, macroeconomic and risk environment, as well as changes in the business including acquisitions, new lines of business, digital transformations, etc., will continue to put ICOFR to the test. The current environment and regulatory mandates affect management’s disclosure controls and procedures and ICOFR, as well as management’s assessment of the effectiveness of ICOFR.

Multiple regulatory bodies including CBUAE, ADAA and SCA through its Board of Directors Decision no. (2/RM) of 2024, which officially came into effect on January 16th, require entities to implement internal controls, and further require the external auditor to provide an opinion on the effectiveness of its internal control systems.

Where any control deficiencies are identified, provide a balanced evaluation of the deficiency’s severity and cause. Consider whether:

• A regular assessment of the company’s control environment is performed by the Audit Committee with management;
• Controls have kept up with the company’s operations, business model and changing risk profile, including cybersecurity risks; and
• Management’s culture is conducive to effective enforcement of the existing control environment.

Importance of a comprehensive risk assessment

The importance of comprehensive risk assessment should not be underestimated. The Audit Committee should ensure that management and auditors are not too narrowly focused on information and risks that directly impact financial reporting while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.

Committee bandwidth and skillsets

The Audit Committee’s role in overseeing management’s preparations for new climate and sustainability reporting requirements further expands its responsibilities beyond its core oversight responsibilities (financial reporting and related internal controls and internal and external auditors). This expansion should heighten concerns about Audit Committee bandwidth and ‘agenda overload.’

Reassess whether the committee has the time and expertise to oversee the major risks of the company, which can be performed in collaboration with the board standing committee.
For example, do cybersecurity, climate, ESG, or ‘mission-critical’ risks such as safety, as well as artificial intelligence (AI) (including generative AI) require more attention at the full-board level, or perhaps the focus of a separate board committee?

The pros and cons of creating an additional committee should be weighed carefully, but considering whether a finance, technology, risk, climate/sustainability, or other committee – and perhaps the need for directors with new skill sets – would improve the board’s effectiveness, can be a healthy part of the risk oversight discussion.

Cybersecurity risk continues to intensify, with the acceleration of AI, increasing sophistication of attacks, ongoing wars in Ukraine and the Middle East and ill-defined lines of responsibility among users, companies, vendors and government agencies.

The growing sophistication of cyber threats points to the continued cybersecurity challenge and the need for management teams and boards to continue to focus on resilience. Breaches and cyber incidents are going to occur and organizations must be prepared to respond appropriately.

Regulators and investors are demanding transparency into how companies are assessing and managing cyber risk and building and maintaining resilience. For example, in the UAE, government entities and organizations operating within critical national infrastructure sectors are required to adhere to the UAE Information Assurance Standards set by the National Electronic Security Authority (NESA), which include prompt reporting of significant cybersecurity incidents to ensure transparency and resilience.

Moreover, the UAE Federal Decree-Law No. 45 of 2021 Regarding the Protection of Data Protection outlines provisions relating to the protection of personal data, which includes the processing of personal data, securing personal data and maintaining its confidentiality and privacy, right to request corrections of inaccurate data and the requirements for cross-border transfer and sharing of personal data.

While data governance overlaps with cybersecurity, it is broader and includes compliance with industry-specific laws and regulations, as well as privacy laws and regulations that govern how personal data from customers, employees, or vendors is processed, stored, collected and used. Data governance also includes policies and protocols regarding data ethics in particular, managing the tension between how the company may use customer data in a legally permissible way versus customer expectations as to how their data will be used.

Managing this tension poses significant reputation and trust risks for companies, representing a critical challenge for leadership. It is important to understand how robust and up to date management’s data governance framework is and whether it address third-party cybersecurity and data governance risks.

Cyber threats should be considered as part of the company’s risk management process and the Audit Committee should test whether the company has:

• Identified the critical information assets which it wishes to protect against cyber-attack, whether financial data, operational data, employee data, customer data or intellectual property.
• Intelligence processes in place to understand the threat to the company’s assets, including their overseas operations.
• A way of identifying and agreeing the level of risk the company is prepared to tolerate for a given information asset in the case of a cyber-attack. 
• Controls in place to prepare, protect, detect and respond to a cyber-attack, including the management of the consequences of a cyber security incident.
• A means of monitoring the effectiveness of their cyber security controls, including where appropriate, independently testing, reviewing and assuring such controls.
  A programme of continuous improvement, or where needed, transformation, to match the changing cyber threat, with appropriate performance indicators.

As discussed in On the 2024 board agenda, an important area of board focus and oversight will be management’s efforts to prepare for dramatically increased climate and ESG disclosure requirements in the coming years.

In response to the global demands and as part of its commitment to sustainability, the UAE has taken significant steps, notably hosting the 28th United Nations Conference of the Parties (COP28) Climate Change Conference and launching the Net Zero by 2050 strategy. Additionally, the Abu Dhabi Global Market (ADGM) implemented a sustainable finance regulatory framework in 2023, mandating ESG disclosures to support the UAE's net-zero transition. Following COP 28, The UAE Consensus was set out which includes several actions to be taken:

• First annual Global Stocktake dialogue to be convened at the next United Nations Framework Convention on Climate Change meeting in June 2024;
• Emirates Framework for Global Climate Resilience, a work programme to further strengthen the indicators of the new framework;
• Just Transition Work Programme, requiring at least two dialogues to be convened before COP29 in a hybrid format to ensure inclusivity, and countries to provide further written evidence and inputs for the work programme by March 2024;
• Mitigation Work Programme, requiring two global dialogues to be held through 2024; and
• Appointment of the first official Youth Climate Champions.

Boards in the UAE must therefore focus on overseeing management's preparation for the expected surge in climate and ESG disclosure requirements. This includes adherence to the International Financial Reporting Standards (IFRS) Sustainability Disclosure Standards by the International Sustainability Standards Board (ISSB), which necessitates comprehensive disclosures on sustainability-related risks and opportunities.

A key area of board and Audit Committee focus will be the state of the company’s preparedness, requiring periodic updates on management’s preparations, including gap analyses, materiality assessments, resources, assurance readiness and any new skills needed to meet regulatory deadlines.

In addition to the compliance challenge, companies must also ensure that disclosures are consistent and consider the potential for liability posed by detailed disclosures. This will be a major undertaking, with cross-functional management teams involved and multiple board committees overseeing different aspects of these efforts.

Given the scope of the effort, Audit Committees should encourage management to prepare now by assessing the path to compliance with applicable reporting standards and requirements – including the plan to develop high quality, reliable climate and sustainability data. Key areas of Audit Committee focus should include:

• Clarifying internal roles and responsibilities in connection with the disclosures in the annual report and accounts, other regulatory reports and those made voluntarily in sustainability reports, websites, etc. including coordination between any cross-functional management ESG team(s) or committee(s).
• Ensuring management have processes in place to review the disclosures, including for consistency with the annual report and accounts. Making sure the teams looking at ESG issues/reporting are properly connected to the core finance function is important.
• Ensuring that ESG information being disclosed is subject to the same level of rigor as financial information, meaning disclosure controls and procedures. Given the nature of the climate, sustainability and ESG reporting requirements and the intense focus on these disclosures generally, companies should consider enhancing management’s disclosure processes to include appropriate climate, sustainability and other ESG functional leaders, such as the ESG controller (if any), chief sustainability officer, chief human resources officer, chief diversity officer, chief supply chain officer and chief information security officer.
• Encouraging management to identify any gaps in governance and consider how to gather and maintain quality information. 
• Understanding whether appropriate systems are in place or are being developed to ensure the quality of data that must be assured by third parties.

Audit quality is enhanced by a fully engaged Audit Committee that sets the tone and clear expectations for the external auditor and monitors auditor performance rigorously through frequent, quality communications and a robust performance assessment.

In setting expectations for 2024, Audit Committees should discuss with the auditor how the company’s financial reporting and related internal control risks have changed in light of the geopolitical, macroeconomic, regulatory and risk landscape, as well as changes in the business. Set clear expectations for frequent, open, candid communications between the auditor and the Audit Committee, beyond what’s required.

The list of required communications is extensive and includes matters about the auditor’s independence as well as matters related to the planning and results of the audit. Audit Committees should also probe the audit firm on its quality control systems that are intended to drive sustainable, improved audit quality, including the firm’s implementation and use of new technologies such as AI to drive audit quality.

In discussions with the external auditor regarding the firm’s internal quality control system, consider the results of recent regulatory inspections and internal inspections and efforts to address deficiencies. Audit quality is a team effort, requiring the commitment and engagement of everyone involved in the process, including the auditor, Audit Committee, internal audit and management.

Consider how the company is perceived by shareholders and other stakeholders. This empowers Audit Committees to extend the independent (external) assurance they receive, whether from the external auditor or other third party assurance providers.

Further, remain cognizant of the capacity constraints within the audit profession. With audit tenders typically being carried out two years ahead of the transition date, the time to plan, build relationships and determine which firms should take part in the tender might need to start much earlier than first thought.

As Audit Committees wrestle with heavy agendas, internal audit should be a valuable resource for the Audit Committee and a crucial voice on risk and control matters. This means focusing not just on financial reporting and compliance risks, but also critical operational and technology risks and related controls as well as ESG risks.

ESG-related risks are rapidly evolving and include human capital management; from diversity, equity and inclusion (DEI) to talent, leadership and corporate culture; as well as climate, cybersecurity, data governance and data privacy and risks associated with ESG disclosures. Disclosure controls and procedures and internal controls should be a key area of internal audit focus. Audit Committees should clarify internal audit’s role in connection with ESG risks and enterprise risk management more generally, which is not to manage risk, but to provide added assurance regarding the adequacy of risk management processes. Consider whether management teams have the necessary resources and skill sets to execute new climate and ESG initiatives.

Reassess whether the internal audit plan is risk-based and flexible enough to adjust to changing business and risk conditions. The Audit Committee should work with the head of internal audit and chief risk officer to help identify the risks that pose the greatest threat to the company’s reputation, strategy and operations and to help ensure that internal audit is focused on these key risks and related controls. These may include industry-specific, mission-critical and regulatory risks, economic and geopolitical risks, the impact of climate change on the business, cybersecurity and data privacy, risks posed by generative AI and digital technologies, talent management and retention, hybrid work and organizational culture, supply chain and third-party risks and the adequacy of business continuity and crisis management plans.

Given internal audit’s broadening mandate, it will likely require upskilling. Set clear expectations and help ensure that internal audit has the talent, resources, skills and expertise to succeed and support the head of internal audit to address the impact of digital technologies on internal audit.

Finance organizations face a challenging environment today addressing talent shortages, while at the same time managing digital strategies and transformations and developing robust systems and procedures to collect and maintain high-quality ESG data to meet both investor and other stakeholder demands. Many are contending with difficulties in forecasting and planning for an uncertain environment and working with the workforce to ensure they remain motivated and engaged is becoming harder.

As Audit Committees monitor and help guide finance’s progress in these areas, we suggest two areas of focus:

• Many finance functions have been assembling or expanding management teams or committees charged with managing a range of ESG activities, including enhancing controls over the ESG information disclosed in corporate reports. Consider whether the finance function has the leadership, talent, skill sets and other resources necessary to address climate and other ESG reporting and to ensure that quality data is being collected and maintained. Further, consider whether adequate consideration been given to the diversity of the team and the pipeline and how far along the finance function is in its preparations for any new/enhanced ESG disclosures.
• At the same time, the acceleration of digital strategies and transformations presents important opportunities for finance functions to add greater value to the business. The finance function combines strong analytics and strategic capabilities with traditional financial reporting, accounting and auditing skills.

It is essential that the Audit Committee devotes adequate time to understanding finance’s climate/sustainability/ESG strategy and digital transformation strategy and helps ensure that finance is attracting, developing and retaining the leadership, talent, skill sets and bench strength to execute those strategies, as well as its existing responsibilities. Staffing deficiencies in the finance function may pose the risk of internal control deficiencies.

The reputational costs of an ethics or compliance failure are higher than ever, particularly given increased fraud risk, pressures on management to meet financial targets and increased vulnerability to cyberattacks.

Fundamental to an effective compliance program is the right tone at the top and culture throughout the organization, including commitment to its stated values, ethics and legal and regulatory compliance. This is particularly true in a complex business environment, as companies move quickly to innovate and capitalize on opportunities in new markets, leverage new technologies and data, engage with more vendors and third parties across complex supply chains.

Audit Committees must further closely monitor the tone at the top and culture throughout the organization with a sharp focus on behavior (not just results) and yellow flags.

Consider whether senior management is sensitive to ongoing pressures on employees (both in the office and at home), employee health and safety, productivity and employee engagement and morale, noting that leadership, communication, understanding and compassion are essential.

Does the company’s culture make it safe for people to do the right thing and is it helpful for directors to spend time in the field meeting employees to get a better feel for the culture?

Ensure that the company’s regulatory compliance and monitoring programs are up to date, cover all vendors in the global supply chain and communicate the company’s expectations for high ethical standards.

Additionally, maintain focus on the effectiveness of the company’s whistleblower reporting channels (including whether complaints are being submitted) and investigation processes.

Consider whether the Audit Committee reviews all whistle-blower complaints. If this is not the case, understand what process is in place to filter complaints that are ultimately reported to the Audit Committee. With the radical transparency enabled by social media, the company’s culture and values, commitment to integrity and legal compliance and its brand reputation are on full display.

As discussed in ‘On the 2024 board agenda’, oversight of generative AI will be a priority for almost every board in 2024.

Similarly to ESG, the oversight of generative AI may touch multiple committees and the Audit Committee may end up overseeing compliance with the patchwork of differing laws and regulations governing generative AI, as well as the development and maintenance of related internal controls and disclosure controls and procedures.

Some Audit Committees may have broader oversight responsibilities for generative AI, including oversight of various aspects of the company’s governance structure for the development and use of the technology. Consider in the case a generative AI system or model (including a third-party model) is developed and deployed, who is responsible for making that decision. Consider what generative AI risk management framework is used and further, whether the organization has the necessary generative AI-related talent and resources.

Given how fluid the situation is: with generative AI gaining rapid momentum, the allocation of these oversight responsibilities to the Audit Committee may need to be revisited throughout the year.