Emerging technologies—such as artificial intelligence, robotic process automation, drones, and blockchain—are changing how business gets done. The Center for Audit Quality (CAQ) has developed a tool to help audit committees execute their oversight responsibilities for financial reporting impacted by emerging technologies. Leveraging the work of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this tool provides a framework for conducting effective oversight of a company’s use of emerging technologies in the financial reporting process.

This framework has five key
components, plus questions within each of the components that audit committees
may ask management and auditors to help inform their oversight. While not a
checklist, these questions should be useful discussion points in audit
committee meetings.

Control
Environment

The control environment is the set
of standards, structures, and processes that provide the foundation for
carrying out internal control across the organization. Audit committees help to
establish the right control environment for the adoption of risk management
practices related to emerging technologies that impact financial reporting.

  1. What
    are the objectives associated with the use of the emerging technology?
  2. How
    does the emerging technology project integrate with management’s existing
    digital and analytics plans?
  3. Does
    use of the emerging technology raise tax, legal, regulatory, or financial
    reporting questions that require external advice?
  4. What
    has the company done to train and maintain its internal resources and
    technological competencies related to emerging technologies?

Risk
Assessment

Audit committees might consider whether management has assessed the risks associated with changes to company processes as a result of emerging technology projects—and whether controls are in place to identify new risks as they arise.

  1. What risks associated with the use of the emerging technology have management considered?
  2. Has management considered the adequacy of the current risk assessment process relative to the risks introduced by the emerging technology?
  3. How has management evaluated the sufficiency of existing policies and procedures related to the safeguarding of assets when implementing the emerging technology?
  4. Has management identified intermediaries or third parties integral to the emerging technology functionality? If so, are current third-party risk management practices sufficient to adequately address the emerging technology?

Control
Activities

Control activities are the specific
actions established to ensure that the risk of failing to meet an objective is
mitigated to an appropriate level.

  1. How
    has management assessed the current control environment to determine whether
    new controls are needed in response to the additional risks introduced by the
    emerging technology?
  2. Are
    controls in place to address the risk that the technology is not operating as
    intended (i.e., to assess the reliability of the outputs from the technology)?
  3. What
    controls are in place to help ensure that those charged with oversight would be
    informed if a cybersecurity breach occurred?
  4. How
    have contingency plans been assessed or updated to help ensure continuity of
    business and management of risks?

Information
and Communication

Audit committees should have
communication protocols for obtaining the information they need to effectively
carry out their responsibilities, which may require the managers of large
technology projects to present their progress on a periodic basis.

  1. How
    will key financial reporting needs be considered to minimize potential
    disruptions when implementing the emerging technology?
  2. How
    will the technology integrate with the current IT systems? Are there any
    integration risks that need to be addressed?
  3. How
    has management evaluated existing IT practices to help ensure they address data
    management and governance for the emerging technology?
  4. Do
    existing communication lines (internal and external) need to be evaluated to
    help ensure continued compliance with financial statement disclosure
    requirements?

Monitoring
Activities

Monitoring represents an ongoing
process to ensure that policies, procedures, and controls are present and
functioning effectively.

  1. What
    monitoring activities have management put in place to validate the operational
    consistency of the emerging technology?
  2. Is
    the frequency of existing monitoring and reporting to the audit committee
    sufficient in light of the pervasiveness of the emerging technology and its
    impact on financial reporting?
  3. What
    monitoring has been established by management to consider the emerging
    technology risks related to recording, processing, summarizing, and reporting
    on financial information—including management’s discussion and analysis—and
    financial statement disclosures?
  4. In
    the event of a failure or deficiency related to management’s obligations, what
    processes and controls are in place to help ensure that appropriate levels of
    management and the audit committee are involved in the review of the related
    disclosures, if applicable?

An understanding of the opportunities and risks that emerging technologies present is essential for audit committees to discharge their oversight responsibilities. I encourage you to consult the full oversight tool, which, like other CAQ resources for audit committees, is available on the CAQ website free of charge.

Cynthia M. Fornelli is a securities lawyer and has served as executive director of the Center for Audit Quality since its establishment in 2007.