TheCorporateCounsel.net

July 26, 2024

Artificial Intelligence: PCAOB Reports on Integration of GenAI in Audits & Financial Reporting

Well over a year ago, Dave asked, “Are robots coming for your auditor?” His blog noted that CAQ’s analysis of 2022 audit quality reports showed that some firms had added a discussion about how they employ AI and data analytics to improve audit quality and highlighted a study that showed AI has been effective at improving audit quality while also displacing junior-level audit professionals. As this July 2024 Spotlight details, the PCAOB has also taken note and is considering action in response to these trends — especially the rapidly developing use of GenAI:

The PCAOB’s standard-setting agenda includes a research project to assess whether there is a need for guidance, changes to PCAOB standards, or other regulatory actions in light of the increased use of technology-based tools in the preparation and subsequent audit of financial statements. [To that end,] we conducted outreach regarding the current state of integration of GenAI tools in audits and financial reporting. We spoke to auditors mainly at larger firms and representatives from several companies (i.e., preparers of the financial statements) about their current use of GenAI and the direction in which they expect GenAI will be integrated in audits and financial reporting.

The survey found that auditors’ current use is focused on administrative and research activities, while financial statement preparers have been more focused on integrating GenAI in operational and customer-facing areas than on accounting and financial reporting. More specifically:

Auditing: Some firms stated that their staff can use GenAI when preparing certain administrative documents or initial drafts of memos and presentations related to the audit. Some firms also indicated that they had developed and deployed GenAI-enabled tools to assist staff in researching internal accounting and auditing guidance. Generally, the global network firms we spoke to are further along in developing and deploying GenAI-enabled tools than non-affiliated firms are.

Financial Reporting: Some preparers noted that their personnel use GenAI in creating initial drafts of internal documents (e.g., summaries of accounting standards and interpretations, presentations, and benchmarking of company information with publicly available information from competitors). In addition, some preparers also use GenAI to assist in the performance of less complex and repetitive processes, such as preparing account reconciliations or to assist with identifying reconciling items.

Most audit firms also reported investing in GenAI-enabled tools to expand their use case but cited data privacy and security, plus the lack of auditability of the underlying source data, as limiting factors for using GenAI for audit or attest procedures. They also indicated that current PCAOB auditing standards are “not currently viewed as impediments to the development and use of GenAI in the audit.”

AI will be a prominent topic at our “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences.” I’m especially excited about the panel “In-House Insights: Governing and Disclosing AI.” Our experienced in-house panel featuring Kate Kelly of Meta, Arden Phillips of Constellation Energy and Erick Rivero of Intuit will discuss how AI has impacted their work in the last 18 months – and what they expect going forward – from creating policies and developing governance practices, to considering risks, opportunities & related disclosure, to utilizing AI to streamline day-to-day legal tasks. Don’t miss it! Our “early bird” rate for individual in-person registrations ($1,750, discounted from the regular $2,195 rate) ends today! You can register by visiting our online store or by calling us at 800-737-1271.

Meredith Ervine 

July 26, 2024

Newly Introduced Senate Bill Would Codify Chevron

Following the demise of Chevron, there’s been an ongoing debate about the impact the end of this 40-year-old doctrine will really have on the lawmaking process, administrative state, and federal court system. It appears that many Senate Democrats are among those who think the end of Chevron could have disastrous consequences. Earlier this week, numerous Senate Democrats introduced the Stop Corporate Capture Act (SCCA), which had first been introduced in the House in 2021. Touted as a bill to “codify Chevron deference,” this press release from Senator Warren’s team highlights that the bill would do much more:

Protect Chevron Doctrine

– Codify Chevron deference, allowing expert agencies to conduct rulemaking in line with their reasonable interpretation of their authorizing statutes.

Modernize and Reform the Regulatory Process

– Streamline the White House’s review period for regulations, creating a 120-day time limit for review.
– Authorize agencies to reinstate rules that are rescinded by Congress through the Congressional Review Act.
– Reform agencies’ cost-benefit analysis to emphasize public benefits of a rule, including non-quantifiable benefits like promoting human dignity, securing child safety, and preventing discrimination.

Empower and Expand Public Participation in Rulemaking

– Create an Office of the Public Advocate to help members of the public participate more effectively in regulatory proceedings.
– Strengthen agency procedures for notifying the public about pending rulemakings.
– Provide the public with greater authority to hold agencies accountable for unreasonable delays in completing rules.
– Require agencies to respond to citizen petitions for rulemaking that contain 100,000 or more signatures.

Increase Transparency and Protect Independent Expertise in Rulemaking

– Require all rulemaking participants to disclose industry-funded research or other related conflicts of interest.
– Require any submitted scientific or other technical research that raises a specified corporate conflict of interest be made available for independent public review.
– Bring transparency to the White House regulatory review process by requiring disclosure of changes to draft rules during that process and the source of those changes.
– Require agency officials to provide justification when the regulatory review process ends with a rule being withdrawn.
– Establish financial penalties for corporate special interests that knowingly submit false information during the rulemaking process.

Meredith Ervine 

July 26, 2024

Navigating the New & Improved SEC Website

I’ve been poking around sec.gov to familiarize myself with the new layout and functionality since the upgraded site was unveiled a few weeks ago. I thought I’d share a few useful pages to reference for our blog subscribers who check sec.gov directly. If you don’t, rest assured that we keep combing the website for important updates and sharing them on our blogs!

– One of the changes touted by the SEC in this announcement is easier access to past events, saying, “the site improvements include a new events archive that allows users to quickly locate details about previous Commission meetings or other public events, including Sunshine Act notices and archived webcasts.” The Past Meetings & Events page now clearly lists and links into past meetings, events and public appearances by senior officials, for example, this landing page for the latest Investor Advisory Committee.

– This new & improved What’s New page is a helpful resource to keep at hand to check for website updates that you might otherwise miss (especially since it seems like some email alerts continue to be spotty or delayed) and seems more comprehensive than its predecessors. That page shows, for example, that the SEC updated & expanded its website resources for potential whistleblowers on July 2 — including Information About Submitting a Whistleblower Tip and these FAQs. However, for certain Corp Fin posts — like the recent cyber CDIs — you need to check What’s New in the Division of Corporation Finance.

Meredith Ervine 

July 25, 2024

Caremark: Del. Chancery Dismisses Claims Finding Reliance on Management Sufficient Under Circumstances

In mid-July, the Delaware Court of Chancery dismissed Caremark claims alleging board oversight failures related to compliance with Medicaid laws (core to the company’s business of administering Medicaid plans) in Bricklayers Pension Fund of Western Pennsylvania v. Brinkley (Del. Ch. 7/24). In the decision, Vice Chancellor Zurn clarified the circumstances in which a board reasonably relies on management to handle compliance issues and reinforced that there is a high bar to pleading Caremark claims. This Fried Frank alert identifies these key takeaways:

The decision reaffirms that, generally, directors will not face Caremark liability unless the factual context is extreme. In this case, the Company had a compliance reporting system in place and the system appeared to be functioning at least to some extent. Also, we would note, while the regulatory noncompliance was ongoing over many years and resulted in significant financial losses (and reputational damage) to the Company, there was no loss of life or direct threat to human health. The court stated that the Plaintiff “ha[d] not painted the extreme picture present” in cases where it has found potential Caremark liability.

The court indicated a high bar for a finding of the required element of bad faith for Caremark liability. The court found that, even if the Plaintiff’s alleged facts supported reasonable inferences that the Board had known about and failed to respond to the Company’s compliance problems, no facts were alleged that supported an inference that the Board failed to respond in bad faith. The Board accepted management’s statements that the compliance risks and issues “were being handled”—it “did not make a conscious decision to violate the law,” the court stated.

The court found that the Board did not breach its Caremark duties although it had deferred to management to deal with the Company’s serious, longstanding compliance problems. In certain previous Caremark cases, the court has stressed that Caremark requires board-level oversight of compliance risks and that reliance on management alone to deal with critical compliance risks and problems is insufficient. Centene, however, indicates that the extent to which reliance on management may be sufficient for fulfillment of Caremark duties depends on the context. Here, the court found it reasonable to infer, from the facts the Plaintiff alleged, that the Board knew what steps management was taking to address the problems; and the court found the overall context was not so “extreme” that the Board was unreasonable in accepting management’s assurances that the problems “were being handled.”

In concluding, the alert notes that “Centene joins a list of recent cases—including NiSource; LendingClub; and MoneyGram—in which the court has dismissed Caremark claims at the pleading stage notwithstanding that the company had an extensive history of regulatory noncompliance. Successful defenses in these cases (that supported a lack of bad faith by directors) included that: the board was not aware of the regulatory noncompliance; the noncompliance was not sufficiently related to the corporate trauma that occurred; the noncompliance occurred at a different subsidiary of the company; the board had taken steps to remediate the noncompliance; and, now, in Centene, that the board reasonably relied on management’s assurances that it was handling the issues.”

It also makes recommendations to boards and management teams in light of these decisions, including that key risks are delegated to a board committee, that management regularly reports to the board on important developments, including “red flags” or “yellow flags,” and that a thorough record is created of the board’s risk monitoring and oversight efforts.

Meredith Ervine 

July 25, 2024

SEC Approves NYSE’s Amended Proposal to Make it Easier to Delist Companies that Change Primary Business

Yesterday, the SEC posted a notice of a second amendment to NYSE’s proposal to change Section 802.01D of the Listed Company Manual to allow the Exchange to commence immediate suspension and delisting procedures if a company changes its primary business focus. Together, the two amendments to the proposal make the following key changes:

– Add a requirement that any company that undertakes a change in its primary business focus must promptly provide notice of such change in writing;

– Clarify that the delisting procedure applies where the company has changed its primary business focus to a new area of business that is “substantially different” from the business it was engaged in at the time of its original listing or, as provided in the original filing, which was immaterial to its operations at the time of its original listing; and

– Clarify that NYSE would focus its analysis of a company’s suitability for continued listing after a change in operations on whether it would have accepted the listed company for initial listing if it had been engaged in its modified business at the time of original listing and on the qualitative aspects of the company’s suitability — not the quantitative standards for initial listing.

The SEC invites comments here, but also issued an order granting accelerated approval of the proposed listing rule changes, as amended.

Meredith Ervine 

July 25, 2024

NextGen Bar Exam: Coming to a State Near You?

The rite of passage to becoming a lawyer — the bar exam, including the Multistate Bar Exam, Multistate Essay Exam and Multistate Performance Test — is soon changing! Last week, the National Conference of Bar Examiners (the nonprofit organization that develops bar exam content for 54 of 56 US states and territories) announced that they are set to launch the “NextGen bar exam” in July 2026. The new exam is “designed to test the knowledge and skills needed by today’s new attorneys” and is described as “the biggest change to the way lawyers are licensed in a generation.”

The NextGen bar exam will test a broad range of foundational lawyering skills, utilizing a focused set of clearly identified fundamental legal concepts and principles needed in today’s practice of law. The skills and concepts to be tested were developed through a multi-year, nationwide legal practice analysis, focused on the most important knowledge and skills for newly licensed lawyers. Designed to balance the skills and knowledge needed in litigation and transactional legal practice, the exam will reflect many of the key changes that law schools are making today.

Twenty states and one territory have already announced plans to use the new exam, with Florida the most recent. Connecticut, Guam, Maryland, Missouri, Oregon, and Washington will begin using the NextGen exam in 2026; Arizona, Iowa, Kentucky, Minnesota, Nebraska, New Mexico, Oklahoma, Tennessee, Vermont, and Wyoming will start in 2027; and Colorado, Florida, Illinois, Kansas, and Utah will make the switch in 2028. And more states and territories are expected to sign on in the next year.

The release touts the process used to develop the NextGen bar, saying NCBE surveyed over 14,000 attorneys and will engage in multiple phases of testing and statistical analysis to ensure the test is accurate and fair. Still, if I were a rising 2L or incoming law student, I’d be a bit nervous about being one of the NextGen bar exam’s early takers. I have to imagine it takes BarBri and the other bar study service providers out there some time to learn and adapt their teaching strategy — which seemed like a time-tested, well-oiled machine when I took the bar. Once rolled out in your state, this might call for some extra empathy for your incoming first-year associates when they’re waiting for bar results — especially in those states that are early adopters!

Meredith Ervine 

July 24, 2024

CrowdStrike: More Disclosure Implications

As this Cooley alert points out, considerations relating to filing an Item 1.05 Form 8-K are just the tip of the iceberg for companies grappling with systemic network failures after the recent CrowdStrike update. The memo raises some of the same issues I discussed in Monday’s blog and then moves on to a host of other disclosure implications. The alert suggests that impacted public companies consider the following actions:

– Ensure compliance with applicable policies and perform assessments to determine whether any impact from the CrowdStrike update is “material,” and whether any reporting is necessary or advisable. … [including] outside the context of Item 1.05 of Form 8-K … giving consideration to potentially providing voluntary disclosure related to the impact of the CrowdStrike update on the company’s operations via Item 8.01 of Form 8-K.

– Perform risk assessments and gap analyses to determine whether there are any shortcomings in systems and systems-related matters, including use of third parties and relevant oversight, monitoring, disaster recovery, and other practices.

– Update risk factors and other disclosures, including regarding systems downtime and/or reliance on third parties to operate critical business systems … [including] to specifically refer to the CrowdStrike update.

– Determine if the CrowdStrike update has had or is expected to have a material impact on the company, then consider if it should be discussed in the management’s discussion and analysis (MD&A) section of SEC filings, including as a known trend for future periods.

– Be mindful of Regulation FD when communicating with analysts and investors regarding the impact of the CrowdStrike update on the company. … Confirming that there was or was not a material impact of an occurrence in one-off communications with analysts/investors could be deemed to be a selective disclosure of material nonpublic information in certain circumstances.

– Evaluate whether the CrowdStrike update has implications for the company’s internal controls and disclosure controls and procedures.

Normally, I would characterize some of these as more long-term considerations than the question of mandatory current reporting, but there are a number of factors at play that make these considerations just as time-sensitive as the 8-K question. First, further data gathering and assessment may be necessary to make an 8-K determination, and the situation is still evolving. For now, it appears that no companies have determined to quickly file an Item 1.05 8-K, and I only see one Item 8.01 8-K related to the incident (filed by CrowdStrike itself on Monday). Second, it’s late July, which means it’s crunch time for second quarter 10-Qs for many companies. We may start to see disclosures related to the CrowdStrike update in 10-Qs before we see them in 8-Ks (like this 10-Q, which notes under Part II, Item 5, “to date, we have experienced no negative impact to our IT systems related to the CrowdStrike software update”).

Meredith Ervine 

July 24, 2024

What is a Board Culture Statement and Do You Need One?

Thanks to John for finding and sharing this LinkedIn post from boardroom speaker and trainer Ralph Ward. In it, he argues that boards should adopt a “culture statement”:

This is a group contract on how the board behaves and its shared expectations. A culture statement goes beyond such items as corporate mission or vision statements. Instead, a board culture statement is a contract on the values your board itself should model. How does it work?

A board culture statement avoids generalities, and is unique to each board. … Hot topics to cover include… directors talking over each other and bullying… going around the CEO to staff… talking with investors… how to respectfully express dissent… adequate meeting preparation and knowledge… pushing personal agendas… confidentiality. Done right, a board culture statement gives clues on your board’s individual flash points, and how you’re fixing them (which is one reason such statements are rarely disclosed to the public).

He distinguishes these culture statements from vision or mission statements and notes that they don’t necessarily need to align with company culture.

Vision and mission statements also tend to address vague qualities like respect, integrity, honesty, and other Boy Scout merit badge matters. A board culture statement “avoids nebulous concepts and translates these into concrete, observable behaviors,” notes Anthony Goodman, head of the board effectiveness practice at Korn Ferry. …

Further, while “tone at the top” matters, realize that a board’s culture can be something quite different from the overall company culture. Brendan Keegan, a noted autosports entrepreneur and long-time director, writes “it’s less important for board members to perfectly align with the organization’s day-to-day culture.” The board is a group of outsiders who meet face-to-face irregularly, the opposite of your employee structure. They have unique chemistry and practical concerns to address.

Going further, he also seems to advocate quantifying directors’ compliance with these culture statements by measuring things like interruptions, rudeness or lack of involvement, saying, “Boards can’t change what isn’t measured.”

Meredith Ervine 

July 24, 2024

Our Fall Conferences: Network & Save like a Pro with In-Person Attendance & Our Early-Bird Rate

Last week, Dave shared his thoughts about how beneficial it is to network with new contacts and meet with old friends at a good old-fashioned in-person conference. This recent Korn Ferry insight points out that, in today’s job market, people are integrating in-person conference networking into their job search process. Apparently, 80% of positions are filled through networking! To that end, they shared these five tips for getting the most out of in-person conferences:

– Define your goals. Set clear objectives for what you hope to get out of attending the conference.
– Get the guest list. Check the attendee roster in advance and make a list of your “must-meets.”
– Get the word out. Let people know in advance that you’re attending.
– Find a hook. “Establish a basis for connecting.”
– Get a second meeting at the first. Where appropriate, schedule a follow-up meeting during the first meeting.

If you register this week for our “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences,” you’ll lock in our “early bird” rate for individual in-person registrations ($1,750, discounted from the regular $2,195 rate), which ends this Friday, July 26! Check out our terrific lineup of experienced speakers and all the timely topics they’ll be addressing. You can register by visiting our online store or by calling us at 800-737-1271.

Once you do that, please let us know what excites you most about returning to in-person conferences with this anonymous poll. We’ll gather and rank responses by popularity for our “Game Show Lightning Round: All-Star Feud.” Responses will be hidden, so you’ll have to join day 1 of our Conferences (in San Francisco or virtually) to hear whether your response made the “most popular” list — and whether our “SEC All-Stars” guess your response!

Meredith Ervine 

July 23, 2024

Artificial Intelligence: EU AI Act to be Effective August 1

Since the EU AI Act was published in the Official Journal of the EU on July 12, it will enter into force on August 1 (20 days after publication). This Wilson Sonsini alert says the Act will not apply immediately but in the phases below. (See the further timeline in the alert.)

Prohibitions of certain AI systems: The first set of rules to kick in will be those prohibiting certain applications of AI (e.g., AI systems that exploit individuals’ vulnerabilities, untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases). These rules will start to apply as of February 2025.

General-purpose AI (GPAI) models: The requirements in relation to new GPAI models will start to apply one year after the entry into force of the AI Act, i.e., by August 2025. There will be an additional two-year grace period for GPAI models that are already on the EU market at that time (i.e., providers of GPAI models placed on the EU market before August 2025 will have an additional two years to comply, until August 2027).

High-risk AI (HRAI) systems: The rules for some HRAI systems and AI systems with specific transparency risk will start to apply by August 2026. If the HRAI system is part of a product that is subject to EU health and safety laws (e.g., toys) the rules will apply a year later (i.e., by August 2027). Operators of HRAI systems that are already offered in the EU before the application of the AI Act will need to comply with the AI Act only in the event of a significant design change (e.g., changes in the AI system’s intended purpose). As an exception to this, if the HRAI system offered in the EU is intended to be used by public authorities, the providers and deployers will need to comply with the rules by August 2030, regardless of whether there has been a significant design change or not.

The alert warns: “Once the AI Act starts to apply, it will introduce a swathe of new obligations for companies providing, distributing, importing, and using AI systems and GPAI models in the EU, subject to hefty fines of up to EUR 35 million or seven percent of the total worldwide annual turnover, whichever is higher.”

These new obligations and fines have gotten the attention of US securities regulators. At SEC Speaks in April, SEC Staff characterized the Act as “a comprehensive risk-based legal regime governing AI across the EU” that “will have implications for public companies that provide or deploy AI systems in the EU” and specifically noted that penalties include “up to 7% of global revenue” and violations can “result in withdrawal of the AI system from the market.” The Staff said that some companies are generally disclosing that they may be impacted by the Act and reminded companies of the need to tailor disclosure to address how the company will be particularly impacted based on its facts and circumstances.

Meredith Ervine