Emerging Technologies and Financial Reporting: Key Questions to Ask

This post originally appeared on the NACD BoardTalk blog.

Emerging technologies—such as artificial intelligence, robotic process automation, drones, and blockchain—are changing how business gets done. The Center for Audit Quality (CAQ) has developed a tool to help audit committees execute their oversight responsibilities for financial reporting impacted by emerging technologies. Leveraging the work of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this tool provides a framework for conducting effective oversight of a company’s use of emerging technologies in the financial reporting process.

This framework has five key components, plus questions within each of the components that audit committees may ask management and auditors to help inform their oversight. While not a checklist, these questions should be useful discussion points in audit committee meetings.

Control Environment

The control environment is the set of standards, structures, and processes that provide the foundation for carrying out internal control across the organization. Audit committees help to establish the right control environment for the adoption of risk management practices related to emerging technologies that impact financial reporting.

1. What are the objectives associated with the use of the emerging technology?
2. How does the emerging technology project integrate with management’s existing digital and analytics plans?
3. Does use of the emerging technology raise tax, legal, regulatory, or financial reporting questions that require external advice?
4. What has the company done to train and maintain its internal resources and technological competencies related to emerging technologies?

Risk Assessment

Audit committees might consider whether management has assessed the risks associated with changes to company processes as a result of emerging technology projects—and whether controls are in place to identify new risks as they arise.

1. What risks associated with the use of the emerging technology have management considered?
2. Has management considered the adequacy of the current risk assessment process relative to the risks introduced by the emerging technology?
3. How has management evaluated the sufficiency of existing policies and procedures related to the safeguarding of assets when implementing the emerging technology?
4. Has management identified intermediaries or third parties integral to the emerging technology functionality? If so, are current third-party risk management practices sufficient to adequately address the emerging technology?

Control Activities

Control activities are the specific actions established to ensure that the risk of failing to meet an objective is mitigated to an appropriate level.

1. How has management assessed the current control environment to determine whether new controls are needed in response to the additional risks introduced by the emerging technology?
2. Are controls in place to address the risk that the technology is not operating as intended (i.e., to assess the reliability of the outputs from the technology)?
3. What controls are in place to help ensure that those charged with oversight would be informed if a cybersecurity breach occurred?
4. How have contingency plans been assessed or updated to help ensure continuity of business and management of risks?

Information and Communication

Audit committees should have communication protocols for obtaining the information they need to effectively carry out their responsibilities, which may require the managers of large technology projects to present their progress on a periodic basis.

1. How will key financial reporting needs be considered to minimize potential disruptions when implementing the emerging technology?
2. How will the technology integrate with the current IT systems? Are there any integration risks that need to be addressed?
3. How has management evaluated existing IT practices to help ensure they address data management and governance for the emerging technology?
4. Do existing communication lines (internal and external) need to be evaluated to help ensure continued compliance with financial statement disclosure requirements?

Monitoring Activities

Monitoring represents an ongoing process to ensure that policies, procedures, and controls are present and functioning effectively.

1. What monitoring activities have management put in place to validate the operational consistency of the emerging technology?
2. Is the frequency of existing monitoring and reporting to the audit committee sufficient in light of the pervasiveness of the emerging technology and its impact on financial reporting?
3. What monitoring has been established by management to consider the emerging technology risks related to recording, processing, summarizing, and reporting on financial information—including management’s discussion and analysis—and financial statement disclosures?
4. In the event of a failure or deficiency related to management’s obligations, what processes and controls are in place to help ensure that appropriate levels of management and the audit committee are involved in the review of the related disclosures, if applicable?

An understanding of the opportunities and risks that emerging technologies present is essential for audit committees to discharge their oversight responsibilities. I encourage you to consult the full oversight tool, which, like other CAQ resources for audit committees, is available on the CAQ website free of charge.

Cindy Fornelli is a securities lawyer and has served as executive director of the Center for Audit Quality since its establishment in 2007.