In this new Bulletin, consultant Protiviti identifies key issues for the 2021 audit committee agenda and-no surprise-at least half reflect the impact of COVID-19. The agenda includes four topics related to enterprise, process and technology risks and four related to financial reporting, with a reminder regarding ESG. Also available is an audit committee self-assessment questionnaire. The topics suggested for the audit committee agenda are summarized below.

Enterprise, process and technology risk issues

  1. "Consider shifts in the risk landscape to establish an appropriate business context." The pandemic and its fallout have presented the most obvious risks of disruption to the context in which businesses operate. For some companies that disruption has been dramatic, including business shutdowns, changing consumer behaviors, changing workplaces (e.g., work from home, health safety compliance), supply chain issues and uncertainties related to the economy. Continued disruption, Protiviti suggests, could impair the ability of the company and its management to maintain the company's culture and "spill over to the internal control environment." Other risks that audit committees should consider include domestic and international politics and regulation, cybersecurity and the digital economy. In addition, the agenda observes, "[n]o discussion of changing risk profiles is complete without reference to the circumstances calling attention to the importance of social equity and equal justice. These circumstances-and what has been, in most cases, a vocal and supportive response by businesses to do more to level the playing field-set a context for the audit committee's role in evaluating the diversity of its composition, the treatment of company management and staff and company engagement with partners and stakeholders consistent with the board's overall focus on the CEO's commitment to social responsibility-including diversity, equity and inclusion issues." Understanding all of these risks can help the committee assess the adequacy of the company risk factor disclosures, inform consideration of financial reporting and "put into proper context" the representations from management, the outside auditors (through CAMs and otherwise), as well as internal control issues and concerns raised by internal audit.
  2. "Work with the CFO to review the finance function's resiliency." The issue of resiliency, the agenda suggests, has risen to the forefront as a result of the pandemic. Audit committees should assess with the CFO how well financial reporting functioned with employees working from home, whether productivity was acceptable, whether improvements are required, whether processes needed to be redesigned, whether employees had the technology and tools they needed and whether improvements can be sustained in 2021. Advanced digital operating capabilities may be a key, the agenda suggests, to achieving an effective remote workplace.
  3. "Encourage the CFO to function as a strategic partner in addressing cybersecurity, privacy and other key priorities." In addition to technology investments to support digital operations, the audit committee is advised to consider whether finance is "sufficiently resourced to focus on such matters as evolving cyber threats, more advanced data analytics, internal customer expectations, financial planning and analysis, regulatory challenges, and internal controls as a strategic partner with the rest of the organization?" Is finance appropriately contributing its expertise to address issues such as cybersecurity? Is finance working with internal customers to address expectations for more insight and analysis? How is the CFO assessing the talent and skills investments necessary to address future disruptions and opportunities?
  4. "Work with the CAE [chief audit executive] to formulate appropriate imperatives for internal audit to ensure the function's continued relevance." A recent Protiviti survey found that audit committees have demonstrated increased interest in internal audit "transformation and innovation." The key question is whether the CAE is "effective in achieving appropriate risk coverage, agile responses to new and emerging risks, and efficient delivery of value-added insights regarding risk culture, risk management capabilities and the internal control environment?" The "transformation process" for internal audit should make its way onto the committee's agenda for an appropriate length of time: acccording to Protiviti, the "opportunity before the audit committee is for internal audit to enhance its value proposition by becoming a problem-solver, rather than a mere problem-finder."

Financial Reporting Issues

  1. "Address accounting and reporting implications of operational adjustments during the pandemic and recession." Given that many companies were compelled to make significant changes to their operations as a result of the pandemic, the audit committee will need to discuss with management and the outside auditor whether these changes have been properly accounted for and reported. Changes might include discontinued operations and divestitures, termination benefits, government assistance (such as PPP loans) and the impact of contract modifications, such as debt restructuring or covenant breaches or waivers.


In March, the staff of Corp Fin issued Disclosure Guidance Topic No. 9, which offers the staff's views regarding disclosure considerations and reporting financial results in the context of COVID-19 and related uncertainties. In June, the staff of Corp Fin issued Disclosure Guidance: Topic No. 9A, which supplements Topic No. 9 with additional views of the staff regarding disclosures related to operations, liquidity and capital resources that companies should consider as a consequence of business and market disruptions resulting from COVID-19. The guidance suggests that companies take a harder look at their disclosure obligations in connection with material operational changes made in response to COVID-19, as well as new financing activities to address the adverse financial impact of the pandemic. In each case, the guidance includes a valuable series of questions designed to help companies assess, and to stimulate effective disclosure regarding, the impact of the coronavirus. (See this PubCo post and this PubCo post.)

  1. "Assess COVID-19-related impacts on financial reporting assertions." Financial reporting often involves significant judgments and estimates. The pandemic-and especially the uncertainty it has created-has required companies to reevaluate many of these estimates and judgments. Protiviti recommends that audit committees discuss with management and the outside auditor the impact of the pandemic on these significant accounting estimates to assess whether the accounting and disclosure are understood and addressed. In particular, COVID-19 may have affected estimates regarding asset impairments, goodwill impairment, net realizable value of inventory, costs of significant excess capacity (as a result of work slowdowns or material shortages), fair value measurement, loss contingencies, the impact of variable customer contract consideration (such as discounts and concessions), exposure considerations and impairment of receivables, loans and investments, Significant subsequent events would also need to be considered.


In April, then SEC Chief Accountant Sagar Teotia issued a Statement on the Importance of High-Quality Financial Reporting in Light of the Significant Impacts of COVID-19, which addressed, among other things, the challenge of making significant judgments and estimates in light of the acute uncertainty resulting from COVID-19. Consistent with OCA's historic positions, Teotia confirmed that OCA has "not objected to well-reasoned judgments that entities have made, and we will continue to apply this perspective." Teotia identified the many accounting areas that may involve significant judgments and estimates in light of the evolving status of COVID-19, and stressed the importance of providing the required disclosures for estimates and judgments:

  • Fair value and impairment considerations;
  • Leases;
  • Debt modifications or restructurings;
  • Hedging;
  • Revenue recognition;
  • Income taxes;
  • Going concern;
  • Subsequent events; and
  • Adoption of new accounting standards (e.g., the new credit losses standard).

A key aspect of CECL, according to Bloomberg, is the requirement that businesses "make a 'reasonable and supportable' assessment about the future when they tally expected losses. The uncertainty about the coronavirus could throw what they previously thought of as reasonable out of whack." As noted in this PubCo post, at a meeting of the SEC's Investor Advisory Committee, a Committee member commented that, in light of the economic conditions resulting from COVID-19, determining impairment of accounts receivable under these conditions could be a "total guess." (See this PubCo post.)

In June, Teotia issued another a Statement on the Continued Importance of High-Quality Financial Reporting for Investors in Light of COVID-19, in which he reiterated that, with respect to estimates and judgments, OCA has "consistently not objected to well-reasoned judgments that entities have made," and emphasized that OCA "will continue to apply this perspective." In that regard, companies must provide disclosure about significant judgments and estimates that is "understandable and useful to investors." In addition, the resulting financial reporting must reflect and be "consistent with the company's specific facts and circumstances."

  1. "Evaluate the pandemic's near-term and longer-term impacts on the internal control environment." Notably, the imposition of the work-from-home environment as a result of the pandemic may have affected internal control over financial reporting, cybersecurity and exposure to compliance and fraud risk. In addition, companies may need to reimagine the workplace in planning for a return to the physical office, which could involve more space (for social distancing), work shifts or hybrids, along with technology enhancements and health protocols. Given the audit committee's role in advocating for a strong internal control environment, Protiviti recommends that the audit committee consider making inquiry regarding issues such as legal compliance, changes that may have affected the integrity of the company's internal control structure or key controls, segregation-of duties issues, cybersecurity and fraud risks.
  2. "Consider the nature of critical audit matters raised by the independent auditor." The audit committee should evaluate with management and the auditor any CAMs identified by the auditor to understand the underlying issues and verify that the related disclosures are clear. Protiviti suggests that if "there are significant judgmental issues on which management and the auditor do not agree, or if management is applying aggressive accounting principles, there may be an opportunity for the committee to inquire of management as to whether the company's accounting and reporting processes can be streamlined and improved."


According to a PCAOB Resource for Audit Committees, the information contained in CAMs should not come as a surprise to the committee because matters that will be disclosed as CAMs should have already been discussed with the audit committee. However, the audit committee does not have a role in determining and approving CAM communications-no veto power. Rather, CAMs are "the sole responsibility of the auditor," and the purpose of the CAM requirement is "to elicit more information about the audit directly from the auditor." The auditor is, however, required to share with the audit committee the draft auditor's report, which includes any CAMs, and, if there is any sensitive information that might be included in the CAM communication, the auditor "could discuss with management and the audit committee the treatment of any sensitive information." (See this PubCo post.)

As discussed here, the PCAOB has provided some sample questions for audit committees to consider-in their discretion-asking their auditors about CAM implementation, copied below:

  • "What has the audit firm done to prepare for the identification and communication of CAMs in the auditor's report?
  • Does the audit firm have a methodology, practice aids, or other training available to its auditors?
  • Has the audit firm done any dry runs? If so:
    • What did the audit firm learn as a result of the dry runs?
    • Were there any matters considered to be 'close calls,' but ultimately not identified as a CAM during the firm's dry run? What was the thought process behind the final determination?
  • Were our CAMs similar or different from our industry peers?
    • What is the nature of the differences (or similarities)?
  • Has the audit team discussed with management how and by whom any investor or stakeholder question regarding CAMs will be addressed?"

(See this PubCo post.)

In remarks before the American Institute of CPAs in 2017, then-SEC Chief Accountant Wesley Bricker provided some advice as to what audit committees should expect from their auditors with regard to discussion about CAMs:

"expectations for timely, ongoing communication will continue to be an important element to the auditor-audit committee relationship as the auditors implement this new auditor reporting standard. In that regard, audit committees should have reasonable expectations that auditors prepare to take members through the application of the standard on their engagement. For example, what would the critical audit matters be this year? What would be the close calls? When could those matters have been raised, and which ones could have been identified at the start of the audit cycle? What does the auditor expect to say about those matters? When would we expect to see a draft report or at least a draft of the critical audit matters? These are illustrative examples of the communication planning and expectation setting that audit committee members may wish to consider as part of the transition period."

Additional Considerations

  1. "Assess other matters: Keep an eye on ESG developments." Protiviti observes that "market forces continue to elevate the importance of ESG-related matters. It's a matter of when, not if, the market can expect more rulemaking and standard-setting on ESG-related impacts." That may be especially true with a new administration and new SEC Chair, who may advocate a more prescriptive, less principles-based approach to ESG disclosure, particularly issues such as climate risk and diversity. The agenda also advocates that audit committees make a point of reviewing the company's disclosure in response to the SEC's new human capital disclosure requirement in light of developments occurring at the company.


The topic of human capital has been front-burnered by the impact of COVID-19 on the workforce. The new SEC rule imposes a principles-based requirement to describe "the registrant's human capital resources, including the number of persons employed by the registrant, and any human capital measures or objectives that the registrant focuses on in managing the business (such as, depending on the nature of the registrant's business and workforce, measures or objectives that address the development, attraction and retention of personnel)." The amended rule replaces the existing requirement to disclose only the number of employees with a requirement to disclose, to the extent material, information about human capital resources. In particular, the amended rule identifies as non-exclusive examples of measures or objectives that the company may focus on in managing the business "measures and objectives that address the attraction, development, and retention of personnel." Even these measures, the SEC emphasized, are not a mandate. However, as then-SEC Chair Jay Clayton made clear in his statement at the SEC meeting to consider approval of the rule changes, although, under the principles-based approach, the rules do not articulate specific metrics for human capital resources disclosure, he does "expect to see meaningful qualitative and quantitative disclosure, including, as appropriate, disclosure of metrics that companies actually use in managing their affairs." He noted here that, as with "non-GAAP financial measures, I would also expect companies to maintain metric definitions constant from period to period or to disclose prominently any changes to the metrics used or the definitions of those metrics." Accordingly, companies will need to think hard about what metrics to include in crafting their discussions of the "measures and objectives that address the attraction, development, and retention of personnel." (See this PubCo post and this Cooley Alert.)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.