Q3 2023 Financial reporting and auditing update

Financial reporting and auditing update

Below we summarize accounting and financial  reporting developments potentially affecting companies in the current period or near term for audit committees to monitor.

ESG reporting update

Standard-setting activity has accelerated with the release of the State of California’s Climate Accountability Package, the IFRS® Sustainability Disclosure Standards issued by the International Sustainability Standards Board (ISSB), and European Sustainability Reporting Standards (ESRSs) in the EU.

California's Climate Accountability Package

California Governor Gavin Newsom signed two landmark bills that will require companies to disclose their greenhouse gas (GHG) emissions and climate risks. The bills—SB‑253 and SB‑261—have national implications, affecting thousands of US companies that operate in California.

SB‑253, the Climate Corporate Data Accountability Act, requires disclosure of GHG emissions data— Scopes 1, 2, and 3—by all US business entities (public or private) with total annual revenues in excess of $1 billion that do business in California. Disclosures will be in accordance with the Greenhouse Gas Protocol, with reporting for Scope 1 and 2 emissions to begin in 2026, and reporting for Scope 3 emissions to begin in 2027. Businesses will also be required to obtain assurance over their Scope 1 and 2 emissions, with Scope 3 potentially being added later.

SB‑261, the Climate-Related Financial Risk Act, requires all US companies—public or private, with total annual revenues in excess of $500 million that do business in California—to disclose their climate-related financial risks and measures taken to reduce or adapt to such risks. The law excludes companies subject to regulation by the California Department of Insurance or that are in the insurance business in another state. Companies’ disclosures will need to be made no later than January 1, 2026, and every two years thereafter, and be prepared in accordance with the Task Force on Climate-related Financial Disclosures (TCFD) or similar reporting standards (e.g., the IFRS® Sustainability Disclosure Standards issued by the ISSB).

In signing the bills, Governor Newsom noted some concerns that would be addressed by the state Administration and the legislature. Also see CA Climate Laws: GHG Emissions and Risk Reporting.

ISSB developments

On June 26, the ISSB issued its first two standards—the general standard (IFRS S1) and the climate standard (IFRS S2). The standards are effective for fiscal years beginning on or after January 1, 2024, but individual jurisdictions will need to decide whether and how to incorporate the standards into local requirements. Companies can also decide to adopt voluntarily.

The International Organization of Securities Commissions endorsed the standards in July 2023 and the list of countries considering adopting or incorporating them is growing. In addition, and notably for US companies, CDP (formerly, Carbon Disclosure Project) announced it will incorporate the climate standard into its disclosure system from 2024.

The ISSB published a comparison of the requirements in the climate standard and the TCFD recommendations, demonstrating that companies that apply the ISSB™ Standards will meet the TCFD recommendations. The TCFD announced that it is winding down operations and, beginning in 2024, the IFRS Foundation will take over monitoring of companies’ progress on climate-related disclosures.

EU developments

On July 31, the European Commission (EC) adopted as a delegated act the first set of ESRSs. Compliance with the ESRSs, under the Corporate Sustainability Reporting Directive (CSRD), will be required as early as 2024 for some companies.

The first set of ESRSs includes two cross-cutting standards (general concepts and overarching disclosures) and ten topical standards (climate change, pollution, water and marine resources, biodiversity and ecosystems, resource use and circular economy, own workforce, workers in the value chain, affected communities, consumers and end-users, business conduct). Companies will need to include information from their value chain and assess which topics (impacts, risks, and opportunities) to report using the double materiality concept, which requires information that is material from either a financial or an impact perspective.

Interoperability between the standards

Consistency in how companies report globally is important to supporting investor decisions and creating a level playing field for companies seeking investment. From a preparer’s perspective, interoperability is important in easing the burden of reporting. Consistency runs deeper than equivalent disclosures—it also requires alignment of the inputs and in the basis of measurement.

The ISSB has been working closely with jurisdictional standard-setters to maximize interoperability between its standards and incoming mandatory reporting frameworks—e.g., the EC and EFRAG in the EU, and the SEC in the US. With the first set of ESRSs now issued, the work to analyze interoperability is underway.

EU supply chain acts

While companies are mostly focused on reporting obligations, more governments are seeking to regulate activities within supply chains with new laws aiming to prevent and mitigate environmental and social risks within company supply chains. Two such instances in the EU are the German Supply Chain Due Diligence Act, which took effect in January 2023, and the EU’s proposed Corporate Sustainability Due Diligence Directive. See Impact of EU supply chain laws on US companies.

Compliance with such laws requires extensive due diligence and risk management throughout a company’s supply chain. This may require embarking on new due diligence processes with other companies in the supply chain and in some cases parting ways with suppliers.

SEC developments

The SEC issued its final cybersecurity rules in July (see SEC issues final cybersecurity rules, below). Additionally, the SEC’s Spring 2023 Regulatory Agenda targeted a final climate rule and a proposal for human capital management disclosures for October 2023; these targets now seem aggressive. In addition, a proposal for corporate board diversity is slated for April 2024.

SEC issues final cybersecurity rules

In July, the SEC issued its final rules—effective September 5, 2023—that will require several new and enhanced disclosures on cybersecurity risk management, strategy, governance, and incident reporting. Under the final rules, companies must disclose new information based on two broad categories. Public companies subject to the Securities Exchange Act of 1934 are required to disclose material “cybersecurity incidents” on Form 8-K and disclose material information regarding their cybersecurity risk management, strategy, and governance in their annual reports on Form 10-K.

Public companies will be required to report information regarding a material “cybersecurity incident” within four business days after the company determines that the incident was material—not from the time of discovery of the incident. And companies must make materiality determinations “without unreasonable delay” after discovery of the incident. If the US Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety, and notifies the SEC in writing, disclosure may be delayed for a maximum of 60 days (absent extraordinary circumstances). Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing.

Companies must describe in Form 10-K their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. While companies will not be required to disclose board-level cybersecurity expertise, they will be required to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Companies—other than smaller reporting companies—must begin complying with the incident disclosure requirements on December 18, 2023. Smaller reporting companies must begin complying on June 15, 2024. All public companies will be required to make Form 10-K annual disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.

Other SEC headlines

SEC statement on the importance of comprehensive risk assessment by auditors and management

In a statement from the SEC, Chief Accountant Paul Munter highlighted the critical role of risk assessment—particularly, the SEC’s concerns about auditors and management appearing to be too narrowly focused on information and risks that directly impact financial reporting while disregarding broader, entity-level issues that may also impact financial reporting and internal controls. In view of these concerns, the statement discusses management’s obligations with respect to risk assessments, and addresses auditors’ responsibility as gatekeepers to hold management accountable in the public interest.

SEC staff sample comment letter: China-specific disclosures

The SEC Division of Corporation Finance posted an illustrative letter with examples of comments issued to companies regarding China-specific disclosures. In general, the Division is requesting more prominent, specific, and tailored disclosures about China-specific matters so investors have the material information they need to make informed investment and voting decisions. The sample letter expands on guidance previously issued by the Division on China-specific disclosures and focuses on three key areas: disclosure obligations under the Holding Foreign Companies Accountable Act; specific and more prominent disclosure about material risks related to the role of the government of the People’s Republic of China in the operations of Chinese-based companies; and disclosures related to material impacts of certain statutes.

PCAOB proposal on noncompliance with laws and regulations

The PCAOB has proposed sweeping changes to auditing standards that would heighten auditors’ responsibilities for detecting legal and regulatory noncompliance and alerting appropriate members of management and audit committees when instances of noncompliance with laws and regulations (NOCLAR) are identified. The PCAOB is also proposing to amend other auditing standards to better incorporate consideration of NOCLAR.

In addition to the impact on audits, the proposed amendments would likely also affect the company, its processes and controls and the level of effort required of management by, for example, creating or causing:

• a need to evaluate the design, implementation, and operating effectiveness of controls over compliance in addition to controls over financial reporting;
• increased inquiries of management regarding NOCLAR;
• a need for management to compile complete lists of relevant laws and regulations across the company and its operations, including across multiple jurisdictions, and expand its risk assessment process to consider this population;
• additional process documentation and resources for walkthroughs over identifying and investigating NOCLAR;
• tests over the relevance and reliability of information provided by management regarding NOCLAR; and
• increased costs that could be substantial, including additional resources, legal fees, auditor fees, and other costs.

According to the Center for Audit Quality (CAQ), “this is the most significant PCAOB proposal since their 2011 Concept Release on mandatory firm rotations.” The CAQ is encouraging the PCAOB to further engage with all stakeholders—auditors, management, audit committees—to better understand the implications of the proposal and whether it will meet the PCAOB's objectives.

The comment deadline ended August 7.

For more updates, visit Financial Reporting View.