On 6 June 2023, ASIC issued a media release setting out its key areas of focus for the reporting period ending 30 June 2023. Climate, cyber security and inflationary impacts were singled out as specific risks for directors to consider when reporting on organisations’ financial position, performance and future prospects.
ASIC highlighted that directors are primarily responsible for the quality of the financial report and noted that this requires directors to interrogate management to ensure that appropriate processes, records and analysis are available to support the information set out in the financial report.
ASIC Commissioner Danielle Press referred to the need to ensure that changing circumstances, uncertainties and risks, including climate change, cyber security risks, skills shortages and inflationary impacts (among others) are adequately reflected in the financials. In particular, ASIC highlighted the need to clearly set out the circumstances in which judgements on accounting estimates and forward-looking information have been made, and the basis for those judgements.
This was the first year in which ASIC specifically named cyber risk as an area of financial reporting focus. This comes off the back of a financial year dominated by high-profile cyber security incidents, involving Optus, Medibank and Latitude Financial, with the government seeking to lift national resilience through a revised Cyber Security Strategy, which was the subject of a recent consultation (see the AICD submission here).
ASIC notes that when drafting the Operating and Financial Review (OFR), companies may need to have regard to the impact of cyber security on the financial performance, financial position and future prospects of the company. Considerations may include the revenue impacts arising from a cyber security attack leading to a loss of personal data.
Earlier in the year, ASIC Deputy Chair Sarah Court issued a warning to listed companies which fail to immediately disclose a cyber security incident or data breach to the ASX. She said when a reasonable person would expect it to have a material effect on the price or value of the company’s securities, this could be in breach of continuous disclosure laws. This warning came off the back of a report which found that only 11 of the 36 cyber-attacks against ASX-listed companies reported by media were first reported to investors.
For further guidance on cyber security governance see the AICD-Cyber Security Cooperative Research Centre principles here.
Whilst climate change has been an ASIC priority area for a number of years, with International Sustainability Standards Board (ISSB)-based mandatory climate reporting approaching, companies are facing growing investor pressure to provide more granular and quantifiable climate disclosures in their financial statements. In particular, those companies that are likely to be captured by mandatory reporting requirements initially (at least ASX200 and large financial institutions) will need to think carefully about maintaining consistency between disclosures in their financial statements, and their sustainability reporting, as any inconsistency may give rise to allegations of greenwashing.
Keeping silent is no alternative – at the recent Australian Financial Review (AFR) ESG Summit and Committee for Economic Development of Australia (CEDA) State of the Nation Conference, ASIC Chair Joe Longo warned that ceasing all climate or ESG disclosure on climate risk, sometimes referred to as “greenhushing”, will be interpreted by ASIC as another form of greenwashing.
What specifically is ASIC focusing on?
ASIC stated it will focus on:
- Reporting of asset values, including the impairment of non-financial assets, values of property assets, expected credit losses on loans and receivables, financial asset classification and value of other assets;
- Appropriate classification of assets and liabilities between current and non-current categories, with regard to matters such as maturity dates, payment terms and compliance with debt covenants;
- Provisions such as onerous contracts, leased property made good, mine site restoration, financial guarantees given and restructuring;
- Solvency and going concern assessments in light of changing economic and geopolitical conditions and pervasive risks;
- Events occurring after year end and before completing the financial report should be viewed as to whether they affect assets, liabilities, income or expenses at year-end or relate to new conditions requiring disclosure;
- Disclosures in the financial report and Operating and Financial Review (OFR) should provide a clear and well-supported explanation of underlying drivers of the company’s financial performance, risks, and future prospects. ESG risks, including climate change and cyber security, should be disclosed if they have a material impact on future prospects; and
- The impact of a new accounting standard for insurers should be disclosed in notes to financial statements.
In respect of audit, ASIC reinforced that auditors need to comply with new AUASB standards on risk identification and assessment, firm quality management, engagement quality reviews, and quality control for financial report audits. Notably, ASIC stated that auditors may need to report a suspected contravention of the Corporations Act to ASIC where, for example, disclosures are materially inadequate or misleading, including where there is possible ‘greenwashing.’