Daniel Goelzer

KPMG-U.K. Has Audit Committee Agenda Suggestions

Updated: Jun 12

The Harvard Law School Forum on Corporate Governance has published The 2024 Audit Committee agenda and the questions investors should be asking.   The blog post is based on a paper with the same title issued by KPMG-U.K.  The paper discusses nine matters audit committees should have on their 2024 agendas and suggests questions that investors may wish to ask the committee about each.  While prepared for a U.K. audience, the paper is also relevant to U.S. audit committees.  The nine agenda topics and related investor questions are:


1. Financial reporting and related internal control risks.


  • Forecasting and disclosures.  Matters likely to require the audit committee’s attention include disclosures regarding the impact of the wars in Ukraine and the Middle East, government sanctions, supply chain disruptions, heightened cybersecurity risk, climate change, inflation, interest rates, market volatility, and the risk of a global recession; forward-looking cash-flow estimates and impairment of non-financial assets; and use of non-GAAP metrics.


Investor question:  Ask for details about the significant issues the audit committee considered in relation to the financial statements, what makes an issue “significant” and how have those significant issues been addressed.


  • Internal control over financial reporting (ICOFR) and probing control deficiencies.  “[T]he current geopolitical, macroeconomic, and risk environment, as well as changes in the business (such as acquisitions, new lines of business, digital transformations, etc.) . . . will continue to put ICOFR to the test.”


Investor question:  Ask about the committee’s role with regard to monitoring the effectiveness of internal controls, how the current environment and regulatory mandates (including new climate rules) affect controls and if there have been any significant issues raised by internal or external audits (and, if so, how the committee has addressed them).


  • Importance of a comprehensive risk assessment.  “Audit committees help ensure that management and auditors are not too narrowly focused on information and risks that directly impact financial reporting while disregarding broader entity-level issues that may also impact financial reporting and internal controls.”


Investor question:  Ask about the committee’s role in the oversight of management’s principal risk disclosures in the annual report and how does the committee take into account other, emerging areas of risk – such as supply chain resilience and geopolitical risks?


  • Committee bandwidth and skillsets.  ESG reporting requirements further expand audit committee responsibilities beyond core financial reporting and audit oversight functions.  A committee may wish to reassess whether it has “the time and expertise to oversee the major risks on its plate.”


Investor question:  Ask about the committee’s workload, the measures taken to ensure that committee members have the skillset to oversee emerging risks and how the committee evaluates its own effectiveness.


2. Audit and governance reform agenda.  The issues KPMG cites under this heading relate to U.K. regulatory developments.  However, comparable issues exist in the U.S.  For example, audit committees might want to consider and discuss with their auditor how adoption of the PCAOB’s NOCLAR proposal would affect the company’s audit and what steps the company should take in anticipation of NOCLAR.  See Audit Committee Members Weigh in on NOCLAR Proposal, August-September 2023 Update.


Investor question:  Ask about what actions are being taken to ensure a smooth transition to [new regulatory] . . . expectations, how will the committee oversee any necessary cultural shift and how will technology be leveraged.


3. Cybersecurity and data privacy.  Cyber threat issues which the audit committee should explore include whether the company has:


  • Identified the critical information assets which it wishes to protect against cyber attack – the crown jewels of the firm – whether financial data, operational data, employee data, customer data or intellectual property.

  •  Intelligence processes in place to understand the threat to the company’s assets, including their overseas operations.

  • Controls in place to detect and respond to a cyber attack – including the management of the consequences of a cyber security incident.

  • A means of monitoring the effectiveness of their cyber security controls, including where appropriate, independently testing, reviewing, and assuring such controls.


Investor question:  Ask about the role the committee plays in relation to the company's disclosures about cyber-related risks, do they adequately reflect the company's preparedness and its understanding of the full threat landscape, company vulnerabilities, mitigating actions and their effectiveness.


4. New climate, sustainability, and other ESG disclosures – and the quality and reliability of the underlying data.  A key area of audit committee focus should be the company’s preparedness for new ESG reporting requirements.  Among other things, KPMG suggests:


  • Ensuring management has processes in place to review ESG disclosures, including for consistency with the annual report and accounts.

  • Helping to ensure that ESG disclosure is subject to the same level of rigor as financial information.

  • Encouraging management to identify any gaps in governance and consider how to gather and maintain quality information. 

  • Understanding whether appropriate systems are in place or under development to ensure the quality of data that must be assured by third parties.


Investor question:  Ask about the committee’s role in relation to the reporting of climate-related risks, to what extent is climate change being incorporated into key accounting assumptions (such as impairments, depreciation, and asset decommissioning) and is the committee satisfied with the level of assurance in the company’s ESG disclosures.


5. Audit quality.  KPMG recommends that audit committees discuss with the auditor how the company’s financial reporting and related internal control risks have changed in light of the geopolitical, macroeconomic, regulatory and risk landscape; set expectations for frequent, open, candid communications between the auditor and the audit committee; probe the audit firm on its quality control systems; and consider the results of auditor regulatory and internal inspections.


Investor question:  Ask how the committee measures the effectiveness of the external audit, their role in the planning of the audit, how they challenge the auditor’s findings, how the auditor challenges management, and the factors most important to them in selecting an auditor.


6. Internal audit focus on key risks.  “As audit committees wrestle with heavy agendas – and risk management is put to the test – internal audit should be a valuable resource for the audit committee and a crucial voice on risk and control matters. This means focusing not just on financial reporting and compliance risks, but also critical operational and technology risks and related controls, as well as ESG risks.”


Investor question:  Ask about the committee’s role with regard to monitoring the effectiveness of internal audit, how the committee ensures that the internal audit plan is aligned to the key risks of the business, if there have been any significant issues raised by internal audit and the committee’s response, and how the committee ensures that the internal audit function has the right skills and resources to succeed.


7. Leadership and talent in the finance organization.  KPMG expects that audit committees will focus particularly on two finance talent/leadership areas:  (1) Leadership, talent, skill sets, and other resources necessary to address climate and other ESG reporting; and (2) Opportunities for finance to add greater value to the business by combining strong analytics and strategic capabilities with traditional financial reporting skills.


Investor question:  Ask about the committee’s role in overseeing the finance function’s climate/sustainability/ESG strategy and digital transformation strategy, how the function is attracting, developing, and retaining the leadership, talent, skill sets and bench strength to execute those strategies, as well as its existing responsibilities.


8. Ethics, compliance, and culture.  Audit committees should “closely monitor the tone at the top and culture throughout the organization,” with a sharp focus on behaviors (not just results) and yellow flags. Committees should also focus on the effectiveness of the company’s whistleblower reporting channels.


Investor question:  Ask how the committee satisfies itself that management has systems in place to detect fraud, to what extent is the committee involved in the oversight of the company’s whistleblowing procedures and how do they ensure these are appropriate?


9. Oversight of generative AI.  The audit committee may find itself overseeing “compliance with the patchwork of differing laws and regulations governing generative AI, as well as the development and maintenance of related internal controls and disclosure controls and procedures.” Generative AI is rapidly evolving, and the audit committee’s AI oversight responsibilities may need to be revisited during the year.


Investor question:  Ask about the committee’s role with regards to oversight responsibilities for generative AI, including oversight of various aspects of the company’s governance structure for the development and use of the technology.


Comment:  KPMG-U.K.’s paper provides an excellent catalog and discussion of current issues that most audit committees will have to address in 2024.  It has many topics in common with other firms’ suggestions concerning audit committee agenda topics (see What Should be on the Audit Committee’s 2024 Agenda?, January 2024 Update), and a review of KPMG’s paper could be helpful to an audit committee as a check that it is not overlooking topics that it should be considering.

