By a divided vote at its open meeting yesterday, the SEC approved the PCAOB’s new quality control standard, QC 1000 – A Firm’s System of Quality Control – and related amendments. Here’s the 85-page adopting release – and here’s an overview of what the new standard will require, from the SEC’s press release:
QC 1000, A Firm’s System of Quality Control, establishes an integrated, risk-based quality control standard that will require all registered public accounting firms to identify specific risks to their practice and design a quality control system that includes appropriate responses to guard against those risks. Registered firms that perform engagements under PCAOB standards will be required to implement and operate the QC system. The new quality control standard focuses on an audit firm’s accountability and continuous improvement of its audit practice and will require an annual evaluation of the firm’s QC system and related reporting to the PCAOB, certified by key firm personnel.
In addition, firms that annually issue audit reports for more than 100 issuers will be required to establish an external quality control function (EQCF) composed of one or more persons who can exercise independent judgment related to the firm’s QC system.
These new requirements will go into effect in December 2025. As Dave noted last week, QC 1000 replaces the existing AICPA standard that pre-dated the creation of the PCAOB.
The U.S. Chamber of Commerce had urged the SEC to reject QC 100, saying that the proposed requirement for an External Quality Control Function was “fundamentally flawed” and that the Standard would face “legal peril” in the absence of a full cost-benefit analysis. So, even though the adopting release does provide an economic analysis, we may see this standard challenged in court.
In his dissenting statement, Commissioner Uyeda took issue with the SEC’s process for approving the new standard, noting that the PCAOB had elaborated on the EQCF aspect of the standard in mid-August, which led to the SEC receiving new feedback within the past month. Meanwhile, the adopting release – and Commissioner Crenshaw’s supporting statement – position the rule as the culmination of a years-long initiative, which included a 2019 concept release and 2022 proposal. Whichever view you share, public companies are likely to experience both costs & benefits from the enhanced quality procedures that the standard will require.
The SEC has been busy with audit rules – in late August, it approved 3 important rule changes about auditors’ responsibilities, use of technology assisted data analysis in audits, and auditor liability.
Wow. As reported last week by Reuters, the SEC has moved to dismiss all active misconduct proceedings against accountants that had been pending before administrative law judges – 8 in total. This Jones Day memo gives more detail:
The Supreme Court recently held in SEC v. Jarkesy that the SEC’s in-house administrative proceedings violate the Seventh Amendment’s right to jury trial to the extent they adjudicate claims that are “legal in nature,” such as fraud charges and civil penalties. Jarkesy did not directly address, however, other kinds of enforcement actions the SEC historically adjudicates in-house, including proceedings under Rule 102(e) of the SEC Rules of Practice, which is the SEC’s primary tool for regulating the professionals appearing before it. Among other things, Rule 102(e) empowers the SEC to censure or bar professionals found to have engaged in “improper professional conduct,” which, for accountants, can include repeated violations of applicable professional standards. But Rule 102(e) proceedings can only be brought administratively.
The SEC seems now to believe that Jarkesy precludes litigating Rule 102(e) proceedings administratively. In August 2024, the SEC dismissed two contested Rule 102(e) proceedings against accountants who allegedly failed to conduct audits in accordance with professional standards. The SEC previously had moved to stay each case pending a decision in Jarkesy. Notably, while one of the cases involved a claim for civil penalties thus plainly implicating Jarkesy the other sought only remedial and cease-and-desist relief. It may also be significant that each accountant had sued the SEC in federal court to challenge its use of administrative proceedings.
Jones Day goes on to note that the SEC hasn’t publicly announced any policy against using ALJs for disciplinary proceedings. But the dismissal of all pending cases is a pretty big deal! It remains to be seen whether cases pending before the PCAOB will also be dropped. Interestingly, this move by the Enforcement Division came at the same time as the SEC approved PCAOB rule standards that lower the liability standard for individual auditors’ contributory liability (from recklessness to negligence) – which Commissioners Peirce and Uyeda opposed.
All of the recent actions on PCAOB rules had me wondering: what is going on with the NOCLAR proposal? Based on the PCAOB’s rulemaking page – which was last updated when the rule was proposed in June 2023 – the answer appears to be “not much.” At least, not publicly.
For now, a lot of folks are hoping that “no news is good news.” Compliance officers, executives, auditors and other concerned parties submitted nearly 200 unique comment letters – and the PCAOB received additional feedback via a roundtable in April. We’ll continue to watch for updates…
As Dave noted last week, the SEC continues to pay attention to “AI washing” by public companies. Over on “The D&O Diary,” Kevin LaCroix points out that the plaintiffs’ bar has also been watching. A recent complaint shows how they are scrutinizing statements about AI opportunities. If those opportunities are delayed or fail to materialize, they are alleging that the statements were materially misleading. Here’s an excerpt from Kevin’s summary:
The complaint alleges that these statements about the company’s AI-related initiatives “created the false impression that” the company “possessed reliable information pertaining to the Company’s ability to develop and incorporate AI throughout the software development cycle in order to optimize code generation thereby increasing market demand.” In truth, the complaint alleges, there was “weak market demand for the Company’s touted AI features,” and the company was incurring increased expenses involving its China joint venture.
The complaint alleges that “the truth emerged” on March 4, 2024, when the company released its first fiscal quarter 2024 earnings report. Among other things, the company announced that it needed more time to build its pipeline and close deals on new products. The company also lower its 2025 guidance. The complaint alleges that the company’s share price declined 21% on this news.
This is far from the first AI-related securities lawsuit. Kevin shared another example just a few months ago. He notes that the rise in AI-related litigation – including newer claims based on “AI washing” – is one of the top D&O trends for 2024. Companies should be aware of this risk when making any public statements about their AI opportunities.
As we emerge from “AI summer” – and take stock of the heightened interest of the SEC and the plaintiffs’ bar in corporate AI disclosures – it’s a good time to revisit the Board’s role in overseeing the unique risks that companies may face in this brave new world of artificial intelligence (and the regulations that will apply to its use).
This Skadden memo provides a good starting point for that exercise. It summarizes key risks (based on the NIST framework), how they may vary across different industries, and the current regulatory landscape in the U.S. and Europe (which many U.S.-based companies will have to contend with). The memo offers these “guiding principles” for AI corporate governance:
1. Understand the company’s AI risk profile. Boards should have a solid understanding of how AI is developed and deployed in their companies. Taking stock of a company’s risk profile can help boards identify the unique safety risks that AI tools may pose.
2. Be informed about the company’s risk assessment approach. Boards should ask management whether an AI tool has been tested for safety, accuracy and fairness before deployment, and what role human oversight and human decision-making play in its use. Where the level of risk is high, boards should ask whether an AI system is the best approach, notwithstanding the benefits it may offer.
3. Ensure the company has an AI governance framework. The board should ensure that the company has such a framework to manage AI risk, and then reviews it periodically to make sure it is being properly implemented and monitored, and to determine the role the board should have in this process.
4. Conduct regular reviews. Given the rapid pace of technological and regulatory developments in the AI space, and the ongoing discovery of new risks from deploying AI, the board should consider implementing regular reviews of the company’s approach to AI, including whether new risks have been identified and how they are being addressed.
5. Stay informed about sector-specific risks and regulations. Given how quickly the technology and its uses are evolving, boards should stay informed about sector-specific risks and regulations in their industry.
You can find details on all of the latest AI developments in our “Artificial Intelligence” Practice Area. AI developments will also be on the agenda for our “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences.” For example, we have a panel titled “In-House Insights: Governing and Disclosing AI,” which will feature Kate Kelly of Meta, Erick Rivero of Intuit and Derek Windham of Tesla to discuss how AI is being utilized in the in-house legal functions at public companies. If you can’t make it to the Conferences in person, we also offer a virtual option. Register today by visiting our online store or by calling us at 800-737-1271.
Okay, we’ve established a few guiding principles for board oversight of AI. But how do you actually put those principles into action – for artificial intelligence and technology more generally? This Deloitte memo suggests that, for some boards, it may be helpful to cover some of the issues outside of regular meetings of the full board. For example:
– Audit committee meetings. Given that audit committees are focused on tracking major risks and compliance issues, it’s one place where technology is often discussed. “With the boards I serve on, technology is always in the conversation since there’s so much going on. We’re always discussing technology—if not in the primary board then in the audit committee meetings,” says Wong.
– Board strategy workshops. Smaller, less formal groups may also create opportunities for in-depth technology discussions. “During one of our quarterly board meetings, we had the board spend six hours with the extended senior leadership team in workshopping sessions where each breakout explored a different theme, like technology strategy,” says Burkey. “Being part of that process was great. You weren’t having that 12-minute conversation around the board table; you were really participating in a very meaningful and productive exchange.”
– Compensation committees. Today, compensation committees have responsibilities that extend beyond just overseeing a company’s compensation and benefit policies. They are increasingly focused on the overall talent experience, retention rates, and skills gaps, as well as coordinating succession planning with the nominating committee. One technology executive from a vehicle retailer recommended these committees look at progress against transformation goals when discussing leadership compensation, especially given the technology function’s capacity to transform businesses and corporate strategies: “Besides talent, how boards construct their compensation and reward system for management, and how they hold them accountable, can be tied to overall business transformation goals. Having a business transformation goal could be one of the parameters to determine compensation.”
The memo reports that 38% of surveyed executives say that their company has some form of “technology committee” to oversee tech-related issues. It also suggests questions that board members can ask their CIO or CTO to help ensure they’re getting the right information, including:
– How can our organization mitigate potential technological blind spots?
– What is our technology talent bench strength?
– What incremental, technology “easy wins” are possible if resources are unconstrained?
See Meredith’s blog a few weeks ago for even more suggestions…
Over the course of the past weekend, the California legislature passed Senate Bill 219, which contemplates amendments to the Climate Accountability Package, including extending the rulemaking deadline from January 1, 2025, to July 1, 2025. SB 219 differs from Governor Newsom’s proposed amendments to the California climate requirements that John had discussed back in July, which did not go anywhere in the California legislature. This WilmerHale alert notes:
At the close of California’s legislative session, on August 31, 2024, the state legislature passed Senate Bill 219, which proposes several amendments to the Climate Accountability Package, including extending the rulemaking deadline from January 1, 2025, to July 1, 2025. If these amendments are passed, details about disclosure obligations under SB 253 may not become available until July 1, 2025. SB 219 differs from Governor Newsom’s proposed amendments to the Climate Accountability Package, outlined in a budget trailer bill, which did not advance in the legislature. Governor Newsom’s trailer bill would have delayed SB 253’s emissions disclosure requirements by two years. Instead, SB 219 maintains that a reporting entity, starting in 2026, or another set date to be determined by the California Air Resources Board (CARB), as the first year for reporting entities to begin publicly disclosing their scope 1, 2 and 3 emissions.
In addition, SB 219 would require CARB to prepare a schedule for disclosure of scope 3 emissions, rather the current timeline requiring scope 3 emissions disclosure no later than 180 days after scope 1 and 2 emissions disclosure. Finally, SB 219 would expressly allow a covered entity to consolidate emissions disclosure reports at the parent company level, relieving the subsidiaries of any requirement to submit a separate report.
SB 219 would eliminate the filing fee requirements for corporations when filing their GHG emissions disclosure report for SB 253 and SB 261. Finally, SB 219 would authorize, rather than require, CARB to contract with a climate reporting organization to develop a program through which the required disclosures would be made public.
Governor Newsom has until September 30, 2024, to sign or veto SB 219. If signed, the bill will take effect on January 1, 2025
It looks like we might remain in a climate disclosure holding pattern for a little while longer in California.
Recently, PwC published its latest analysis of Staff comment letters for the annual period ended June 30, 2024. The number of comment letters issued by the staff was down slightly overall as compared to the prior period, while the overall themes remained very much on par with years past. The PwC analysis presents sample comments in the following topic areas:
– Non-GAAP measures
– Management’s discussion and analysis
– Segment reporting
– Business combinations
– Revenue recognition
– Inventory and cost of sales
– Goodwill and other intangibles
– Debt, quasi-debt, warrants and equity
– Fair value measurement
– Disclosure controls and ICFR
In my experience, the most difficult comments to resolve with the Staff deal with non-GAAP financial measures that involve individually tailored accounting principles. The Staff has applied the individually tailored accounting principles guidance in an ever-widening range of circumstances, and issuers must often go several rounds with the Staff to address the comments, with the result often being that issuers must eliminate the measure.
The clock is loudly ticking for those issues who are required to disclose resource extraction payments on Form SD by the upcoming September 26, 2024 due date. You can find the latest guidance of the resource extraction disclosure requirements in the July-August 2024 issue of The Corporate Counsel and in our “Resource Extraction” Practice Area. In addition, a number of resource extraction issuers have filed their Form SD early, so there are examples on EDGAR of how issuers have approached the payments disclosure.
One element to not forget when preparing the Form SD filing is that the information presented in Item 2.01 to the Form SD must be tagged using standard XBRL, and not the Inline XBRL that we have all become used to in most other filings. If a resource extraction issuer is submitting an alternative report, that report will also need to be tagged using XBRL. To assist with this task, the SEC published a “Resource Extraction Payments (RXP) Taxonomy Guide” back in June 2023 to facilitate tagging the Item 2.01 exhibit. It includes a number of examples of resource extraction payments disclosure and how it should be tagged.
Given that this is the first go-round for these Form SD reports, filers should build in some extra time to get the XBRL tagging done prior to filing.
SEC Chair Gary Gensler addresses the topic of AI washing by public companies in his latest “Office Hours” video, picking up again on a topic that he discussed in a video back in March. He specifies the ways in which public companies should be addressing AI developments in a manner that provides full, fair and truthful disclosure. He notes:
Well, as we’ve seen an increase in the disclosures around artificial intelligence by SEC registrants, public companies as you know them, it’s important that companies making these disclosures remember that the basics of the securities laws still apply.
You see, any claims about prospects should have a reasonable basis and investors should be told that basis. And when disclosing material risk about artificial intelligence and a company may face multiple risks, including operational, legal, competitive, investors benefit from disclosures that are particular to the company, not just boilerplate language.
Companies should ask themselves some basic questions, such as if we’re discussing artificial intelligence in our earnings calls or having extensive discussions with our board of directors, maybe this information is potentially material to our business and to investors. If so, disclosure may be required under the securities laws.
Further, companies may be required to define for investors what they mean when referring to AI. How and where is it being used at the company? Is it being developed by the company or supplied by others?
Investment advisers, broker dealers also should not mislead the public by saying they’re using AI when they’re not, nor say that they’re using it in a particular way and not do so.
Such AI washing, whether it’s by companies raising money or by financial intermediaries like investment advisers and broker dealers, may violate the securities laws.
Chair Gensler and the SEC Staff have clearly been focused this year on how public companies are addressing AI developments in their public disclosures, and we do not foresee that focus shifting anytime soon.
