Emerging technologies—such as artificial intelligence, robotic process automation, drones, and blockchain—are changing how business gets done. The Center for Audit Quality (CAQ) has developed a tool to help audit committees execute their oversight responsibilities for financial reporting impacted by emerging technologies. Leveraging the work of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this tool provides a framework for conducting effective oversight of a company’s use of emerging technologies in the financial reporting process.
This framework has five key components, plus questions within each of the components that audit committees may ask management and auditors to help inform their oversight. While not a checklist, these questions should be useful discussion points in audit
The control environment is the set of standards, structures, and processes that provide the foundation for carrying out internal control across the organization. Audit committees help to establish the right control environment for the adoption of risk management practices related to emerging technologies that impact financial reporting.
- What are the objectives associated with the use of the emerging technology?
- How does the emerging technology project integrate with management’s existing digital and analytics plans?
- Does use of the emerging technology raise tax, legal, regulatory, or financial reporting questions that require external advice?
- What has the company done to train and maintain its internal resources and technological competencies related to emerging technologies?
Audit committees might consider whether management has assessed the risks associated with changes to company processes as a result of emerging technology projects—and whether controls are in place to identify new risks as they arise.
- What risks associated with the use of the emerging technology have management considered?
- Has management considered the adequacy of the current risk assessment process relative to the risks introduced by the emerging technology?
- How has management evaluated the sufficiency of existing policies and procedures related to the safeguarding of assets when implementing the emerging technology?
- Has management identified intermediaries or third parties integral to the emerging technology functionality? If so, are current third-party risk management practices sufficient to adequately address the emerging technology?
Control activities are the specific actions established to ensure that the risk of failing to meet an objective is mitigated to an appropriate level.
- How has management assessed the current control environment to determine whether new controls are needed in response to the additional risks introduced by the
- Are controls in place to address the risk that the technology is not operating as intended (i.e., to assess the reliability of the outputs from the technology)?
- What controls are in place to help ensure that those charged with oversight would be informed if a cybersecurity breach occurred?
- How have contingency plans been assessed or updated to help ensure continuity of business and management of risks?
Audit committees should have communication protocols for obtaining the information they need to effectively carry out their responsibilities, which may require the managers of large technology projects to present their progress on a periodic basis.
- How will key financial reporting needs be considered to minimize potential disruptions when implementing the emerging technology?
- How will the technology integrate with the current IT systems? Are there any integration risks that need to be addressed?
- How has management evaluated existing IT practices to help ensure they address data management and governance for the emerging technology?
- Do existing communication lines (internal and external) need to be evaluated to help ensure continued compliance with financial statement disclosure
Monitoring represents an ongoing process to ensure that policies, procedures, and controls are present and
- What monitoring activities have management put in place to validate the operational consistency of the emerging technology?
- Is the frequency of existing monitoring and reporting to the audit committee sufficient in light of the pervasiveness of the emerging technology and its impact on financial reporting?
- What monitoring has been established by management to consider the emerging technology risks related to recording, processing, summarizing, and reporting on financial information—including management’s discussion and analysis—and financial statement disclosures?
- In the event of a failure or deficiency related to management’s obligations, what processes and controls are in place to help ensure that appropriate levels of management and the audit committee are involved in the review of the related disclosures, if applicable?
An understanding of the opportunities and risks that emerging technologies present is essential for audit committees to discharge their oversight responsibilities. I encourage you to consult the full oversight tool, which, like other CAQ resources for audit committees, is available on the CAQ website free of charge.
Cynthia M. Fornelli is a securities lawyer and has served as executive director of the Center for Audit Quality since its establishment in 2007.