Questions for audit committees to consider

Tax and other policy-related developments

Risk management

How strong are the organization’s capabilities to be highly informed about the internal and external environment, and risks, events and opportunities that may influence or compromise enterprise resilience?

How effective is the board’s oversight of emerging risks and other evolving external risks such as geopolitical developments, uncertain economic conditions, and climate risk? Does it have the information, expertise, and professional skepticism it needs to challenge management in these areas?

Has the board participated with management in one of its cyber breach simulations in the last year? How rigorous was the testing? Has the board had a cybersecurity maturity assessment performed?

Does the board understand management’s strategy for AI, including the process to prioritize investment in AI capabilities, use cases and underlying infrastructure?

How is the company using classical and generative AI to challenge the existing business model and key strategic assumptions?

Does the organization and the board have a complete inventory/database of AI applications, AI models, AI deployments, embedded AI capabilities, use cases, etc. within the organization to better understand the associated risks and related impacts? How does management establish that these applications are performing as intended to mitigate ethical and compliance risks?

How is the company assessing and mitigating the risks of generative AI, including vendor management controls? Is the company using an external framework such as the NIST AI Risk Management Framework to assess the adequacy of their governance and control environment?

Financial reporting

Has management considered which financial reporting issues impacted by the macroeconomic environment and ongoing market uncertainty are relevant to the entity? Have the additional risks identified been disclosed to help users of the financial statements better understand the judgments applied and sources of estimation uncertainty?

Have climate-related risks been considered and addressed in the entity’s financial statements with a view to ensuring consistency with other information communicated to stakeholders?

Has management assessed the application of Pillar Two Global Minimum Tax Model Rules on the entity? Are there new processes and other information to be developed in preparation for year-end and interim financial disclosures?

Tax and other policy-related developments

Has there been an assessment of whether the organization might be in scope of Pillar Two, and if so, have constituent entities been identified in countries that have enacted, or will enact, the Pillar Two rules by year end? Is there a plan in place for determining what may be owed under the new rules in relevant countries?

Has the organization begun making the necessary changes to its data and systems that will be needed to do the Pillar Two computations required to establish its estimated annual effective tax rate for its fiscal year ending in 2024 and its other provision, compliance and reporting obligations?

Has the organization assessed the impact of the significant Canadian legislative developments and how such developments may impact current and deferred tax on a go forward basis, including the ability to continue to recognize the benefit of deferred tax assets?

What resources and processes are in place for monitoring legislative and regulatory developments in relevant jurisdictions (at the national, provincial and international level) and does the audit committee have a line of sight into these activities?

Is management prepared to address any potential financial or reputational risks that may accompany expanded reporting requirements and calls for greater transparency?

Has the organization adopted, or does it plan to adopt, dedicated technology in response to new and evolving data and reporting requirements and to help assess tax risks and manage tax controls?

Regulatory developments

What process does the committee have in place for assessing the impact of regulatory updates and is the committee sufficiently engaged in dialogue providing views and input as needed on the related impacts?

How does management stay informed about regulatory and legislative developments related to AI, machine learning, data privacy, and emerging technologies in relevant jurisdictions? How is it monitoring whether the company is staying in compliance and assessing potential impacts to strategy particularly in relation to the US Executive Order and the EU AI Act pronouncements?

Has management considered which of the various ESG related jurisdictional requirements they may be subject to, including those of the European Union and the ISSB standards? In anticipation of the finalization of SEC rules over sustainability matters (if applicable), as well as any forthcoming CSSB standards, is management monitoring developments in relation to the potential scope and underlying disclosure requirements of these?

Does the company have sufficient controls and procedures over nonfinancial data? Is internal audit providing any type of audit coverage on ESG-related data? Has the company considered doing a pre-assessment on their processes and reporting in advance of obtaining external assurance?

If ESG-related matters are currently being discussed in more than one place (e.g., continuous disclosure filings, earnings releases, analyst communications, annual report, sustainability report, company website), is there consistency in the disclosures? Has the company evaluated controls related to such disclosures?

In light of the changing environment, what additional voluntary proxy disclosures might be useful to shareholders and stakeholders related to the audit committee’s time spent on certain activities, such as cybersecurity, data privacy, business continuity, corporate culture and financial statement reporting developments?