Disclosure Trends From the 2024 Reporting Season
Background
The global business environment continues to undergo rapid transformation. In
addition to regulatory changes, shifts in the macroeconomic and global trade
landscape, and geopolitical tensions, generative artificial intelligence (AI) is
continuing to transform the ways companies operate. In this complex and
uncertain environment, clear financial reporting remains crucial in conveying to
investors how companies navigate and are affected by broader global events and
trends.
We have examined how Fortune 500 companies have addressed
various disclosures in their latest annual reports
in light of these evolving themes. This Financial Reporting Spotlight
offers insights into how companies have approached those disclosures and
examines the new segment disclosures required this
year. While disclosures are most meaningful when tailored to a company’s
specific facts and circumstances, understanding broader trends may be
informative.
New Disclosure Requirements
Reportable Segment Disclosures
ASU
2023-071 added the requirement for public entities to disclose, in the segment
footnote, the expense categories and amounts of significant segment expenses
that are regularly provided to the chief operating decision maker (CODM) and
included in the segment measure(s) of profit and loss and certain other
additional disclosures. The ASU became effective for all public entities for
fiscal years beginning after December 15, 2023, and was adopted by
calendar-year-end companies in their 2024 Form 10-K.2
Segment disclosures, including those on significant segment expenses, reflect
how management views the business. Such disclosures are therefore based on a
company’s unique facts and circumstances and will vary widely among
registrants, even those in similar industries. Not surprisingly, companies
have differed in both the number of significant segment expenses identified
and the nature of those expenses.
The CODM’s title and position now must be disclosed, along with an
explanation of how the CODM uses the reported segment measure(s). About 86
percent of Fortune 500 filers disclosed that the CODM is the chief executive
officer. Companies most frequently cited “budget to actual variance
analyses” when describing how the CODM uses the measure of performance to
allocate resources and make decisions. Disclosures also noted the CODM’s use
of the measure of performance in forecasting, developing the annual plan,
and determining management’s compensation and incentives.
ASU 2023-07 also permits, but does not require, companies to
disclose more than one measure of segment profit or loss used by the CODM,
provided that at least one of the reported measures includes the segment
profit or loss measure that is most consistent with GAAP measurement
principles. About 7 percent of Fortune 500 filers disclosed a voluntary
additional measure of segment performance that was also consistent with GAAP
(e.g., segment operating income and segment net income), with 1 percent
disclosing a voluntary additional measure of performance that was a non-GAAP
measure (e.g., segment-adjusted operating income and segment EBITDA3).
Cybersecurity (Form 10-K, Item 1C)
The SEC’s final rule4 on cybersecurity disclosures became effective in December 2023; thus,
for the second year, public companies were required to disclose in their
annual reports material information regarding their cybersecurity risk
management, strategy, and governance. Since the release of the final rule,
the SEC has emphasized that disclosures should (1) represent processes
registrants have in place and are not aspirational; (2) contain
sufficient detail for a reasonable investor to understand those processes,
including oversight of third-party service providers; (3) take into account
the expertise of all management personnel responsible for managing
cybersecurity risk; and (4) not be hypothetical if such cybersecurity risks
have already materialized. While the details of the disclosures varied, in
2024 most companies expanded their cybersecurity disclosures from the prior
year, as shown in the following chart:
5
These percentages reflect a comparison of a
population of Fortune 500 companies’ Form 10-K filings
between (1) March 1, 2024, to March 3, 2025 (“2024”), and
(2) December 15, 2023 (the date on which the final rule
became effective), to February 29, 2024 (“2023”).
6
National Institute of Standards and
Technology.
7
International Organization for
Standardization.
The chief information security officer continues to be the position that
registrants most frequently mention (72 percent in 2024 compared with 69
percent in 2023) as being primarily responsible for assessing and managing
cybersecurity risks. Regarding board oversight, 81 percent of registrants
indicated that the audit committee is responsible or partially responsible
for managing cybersecurity (76 percent in 2023), while nearly half of
registrants disclosed that they reported on cybersecurity risks on at least
a quarterly basis to those responsible for overseeing such risks. A recent
survey of audit committees discussed in a joint report8 by Deloitte and the Center for Audit Quality (CAQ) highlighted that
cybersecurity continues to be ranked first among audit committee priorities
and that it regularly appears, along with AI governance and sustainability
reporting, on audit committee agendas.
Executive Compensation Clawback
In 2023, the SEC mandated that all listed registrants use two new
checkboxes on the cover page of Form 10-K to address executive compensation
“clawback” policies.9 In the 2024 reporting period:
- Fifteen Fortune 500 registrants10 marked Box 1 (up from thirteen in 2023), indicating that they were correcting an error in previous financial statements. Among these, eleven companies reported changes to the statements of financial position, income, or cash flows, while four companies noted adjustments solely in the footnotes.
- Six registrants also checked Box 2 (up from two in 2023), indicating that a corrected error prompted a clawback analysis.
Because this rule has been in effect for a year, the SEC
staff has shared some additional
observations regarding its expectation that, for any material
or required immaterial restatement, Box 2 should be checked and disclosures
related to the clawback analysis should be provided. A registrant must
provide such disclosures, including a brief explanation of why the recovery
policy yielded the resulting conclusion, regardless of whether a clawback is
ultimately required (e.g., because the restatement did not affect measures
that drive compensation).
Disclosure Trends
Artificial Intelligence
As AI technologies become
more ubiquitous in the business world, registrants are increasingly
discussing the extent to which they have integrated or will integrate AI
into their operations. References to AI, generative AI, or other AI-related
matters continue to be incorporated heavily into registrants’ risk factors
and business sections. Companies continue to disclose information about how
they are using, or plan to use, generative AI in their businesses as well as
any associated challenges, including risks related to traditional operating
models, operational and market dynamics, data privacy, and labor market
effects.
11
Hereafter, “percentage of companies
disclosing” refers to our comparison of a population of
Fortune 500 companies’ Form 10-K filings between (1) March
1, 2024, to March 3, 2025 (“2024”) and (2) March 2, 2023, to
February 29, 2024 (“2023”).
12
“Percentage of disclosures by section” in
the tables throughout this publication refers to our
comparison of (1) the number of registrants in a population
of Fortune 500 companies that discussed a given topic in a
specific section of their 2024 Form 10-K (i.e., filings
between March 1, 2024, and March 3, 2025) with (2) the total
number of registrants that addressed that topic in their
Form 10-K filings. We based the comparison on a search of
keywords related to the topic being discussed in each
section. If registrants discussed a topic in multiple annual
report sections, the total percentages for that topic may
exceed 100 percent.
Risk factors more frequently include specific legal and compliance
requirements, such as the costs and burdens of complying with international
(e.g., EU
Artificial Intelligence Act), federal, and state
policies; risks of regulatory penalties; and the potential growth of
AI-enabled cyberattacks.
The SEC staff has cautioned against the
potential for “AI washing” (i.e., making unfounded AI-related claims),
emphasizing that companies should have a basis for any claims they disclose
about AI. The staff has also encouraged companies with material AI risks to
consider disclosing information about AI risk management and corporate
governance policies.
Income Taxes — Pillar Two
Many registrants continue to
enhance their tax legislation risk factor disclosures to reflect the
material risk posed by changes in tax laws in relevant jurisdictions,
including the global minimum tax under the “Pillar Two”13 framework, which many jurisdictions have adopted, with changes
beginning in 2024 and other changes expected to take effect in 2025. Most
registrants have noted the uncertainty in the timing, scope, and impact of
the United States’s adoption of the framework. MD&A and financial
statement disclosures often addressed relevant jurisdictions that have
enacted the new tax laws14 related to the global minimum tax for the fiscal year-end and included
a description of the extent of the economic impact. The SEC staff has
encouraged companies to provide an estimate of the impact or a range of
possible impacts.
Global Trade
The macroeconomic landscape
has been changing rapidly in response to increased global trade tensions
associated with the implementation of new tariffs, affecting various
industries and market dynamics. Registrants have disclosed, primarily within
the risk factors section, that these tariffs are likely to affect their cost
structures, profitability of their companies, and consumer demand and that
they may need to make strategic adjustments to avoid potential issues with
global supply chains. Further, many registrants have disclosed that these
tariffs, along with retaliatory tariffs and related regulations and
restrictions, may lead to increased volatility in operating costs and sales
margins. We expect companies’ disclosures related to this topic will
continue to evolve throughout 2025.
Sustainability
While regulatory
requirements for sustainability disclosures are evolving, highlighted by the
SEC’s recent withdrawal of its legal defense for its
currently stayed climate disclosure final rule15 and the European Commission’s proposed omnibus initiative, most registrants
have continued to disclose sustainability matters in their annual reports
under existing disclosure requirements, including the SEC’s 2010
interpretive guidance on climate-change
disclosures. Business section disclosures primarily addressed a registrant’s
sustainability activities, including net zero or carbon neutral commitments
(such disclosures were provided by approximately a quarter of the Fortune
500 companies). On the other hand, in MD&A, registrants discussed how
climate matters might affect their financial condition, results of
operations, and growth prospects. Given the evolving regulatory landscape,
climate-related disclosures are becoming more granular and contain more
specific risk factors that address a variety of impacts, such as physical
impacts; reputational risk; and regulatory risk, including the effects of
the E.U.’s Corporate Sustainability Reporting Directive (CSRD),16 International Sustainability Standards Board (ISSB) IFRS S2,17 and California’s Climate Corporate Data Accountability Act and
Climate-Related Financial Risk Act.18
Conclusion
The SEC encourages registrants to clearly disclose material risks, trends, and
uncertainties related to the current environment. As the business landscape
evolves, registrants should continue to assess their disclosures and consider
whether they still reflect their current circumstances.
Contacts
If you have questions about this
publication, please contact the following Deloitte professionals:
|
Sean May
Audit &
Assurance
Partner
Deloitte &
Touche LLP
+1 415 783
6930
|
|
Christine Mazor
Audit &
Assurance
Partner
Deloitte &
Touche LLP
+1 212 436
6462
|
|
John Wilde
Audit &
Assurance
Partner
Deloitte &
Touche LLP
+1 415 783
6613
|
|
Doug Rand
Audit &
Assurance
Managing
Director
Deloitte &
Touche LLP
+1 202 220
2754
|
|
Samantha Paolini
Audit &
Assurance
Senior Manager
Deloitte &
Touche LLP
+1 215 299
4577
|
|
Cody Yettaw
Audit &
Assurance
Senior Manager
Deloitte &
Touche LLP
+1 313 394
5505
|
|
Megan D’Alessandro
Audit &
Assurance
Manager
Deloitte &
Touche LLP
+1 203 563
2368
|
Footnotes
1
FASB Accounting Standards Update (ASU) No. 2023-07,
Segment Reporting (Topic 280): Improvements to Reportable
Segment Disclosures.
2
We examined the adoption of ASU 2023-07 by Fortune
500 companies that have filed as of March 3, 2025, and whose fiscal
years began on or after December 15, 2023. This represents
approximately 70 percent of the Fortune 500; the remainder consists
of non–calendar-year-end companies. See Deloitte’s November 30, 2023
(last updated September 10, 2024), Heads Up for a
discussion of ASU 2023-07.
3
Earnings before interest, taxes, depreciation, and
amortization.
4
SEC Final Rule Release No. 33-11216,
Cybersecurity Risk Management, Strategy, Governance, and
Incident Disclosure. See Deloitte’s July 30, 2023 (updated
December 19, 2023), Heads Up for a
discussion of the final rule.
5
These percentages reflect a comparison of a
population of Fortune 500 companies’ Form 10-K filings
between (1) March 1, 2024, to March 3, 2025 (“2024”), and
(2) December 15, 2023 (the date on which the final rule
became effective), to February 29, 2024 (“2023”).
6
National Institute of Standards and
Technology.
7
International Organization for
Standardization.
8
The population covered in the Deloitte and CAQ joint
report differs from that used in this publication (see footnote 5); therefore, the
applicable cybersecurity percentages may vary from those shown
herein. However, it is clear from both populations that reporting to
the audit committee and quarterly reporting are key components of
cybersecurity oversight.
9
SEC Final Rule Release No. 33-11126, Listing
Standards for Recovery of Erroneously Awarded Compensation.
For more information about the final rule, see Deloitte’s November
14, 2022, Heads
Up.
10
These amounts refer to our comparison of a population of
Fortune 500 companies’ Form 10-K filings (excluding
amendments) between (1) March 1, 2024, to March 3, 2025
(“2024”), and (2) March 2, 2023, to February 29, 2024
(“2023”). All error corrections were reported as immaterial
restatements and did not result in amendments to prior
filings.
11
Hereafter, “percentage of companies
disclosing” refers to our comparison of a population of
Fortune 500 companies’ Form 10-K filings between (1) March
1, 2024, to March 3, 2025 (“2024”) and (2) March 2, 2023, to
February 29, 2024 (“2023”).
12
“Percentage of disclosures by section” in
the tables throughout this publication refers to our
comparison of (1) the number of registrants in a population
of Fortune 500 companies that discussed a given topic in a
specific section of their 2024 Form 10-K (i.e., filings
between March 1, 2024, and March 3, 2025) with (2) the total
number of registrants that addressed that topic in their
Form 10-K filings. We based the comparison on a search of
keywords related to the topic being discussed in each
section. If registrants discussed a topic in multiple annual
report sections, the total percentages for that topic may
exceed 100 percent.
13
For more information and answers to frequently asked
questions about Pillar Two, see Deloitte’s March 5, 2024 (last
updated November 8, 2024), Financial Reporting
Alert.
14
The Organisation for Economic Co-operation and
Development (OECD) provides jurisdictional legislation updates on
its Web site.
15
SEC Final Rule Release No. 33-11275, The
Enhancement and Standardization of Climate-Related Disclosures
for Investors. See Deloitte’s March 6, 2024 (last updated
April 8, 2024), and March 15, 2024 (last updated
April 8, 2024), Heads Up newsletters for an executive summary
and comprehensive analysis, respectively, of the SEC’s climate
rule.
16
See Deloitte’s August 17, 2023 (updated February 23,
2024), Heads
Up for responses to frequently asked
questions about the CSRD.
17
IFRS S2, Climate-Related Disclosures.