New report identifies significant scope creep in audit responsibilities

Center for Audit Quality report shows shifting oversight priorities for audit committees.

A new report from the Center for Audit Quality highlights the changing priorities for audit committees. The body, which describes itself as “a nonpartisan public policy organization serving as the voice of US public company auditors”, published its conclusions in its Audit Committee Practices Report: Priorities and Committee Composition 2023. It gathered information from 164 audit committee members of large-cap US companies.

Respondents see cybersecurity (63%), enterprise risk management (ERM) (45%) and ESG disclosure and reporting (39%) as the top three areas of focus outside the core remit of financial reporting and internal controls in the next 12 months.

“Audit committees continue to be challenged by ‘scope creep’ — new demands that involve overseeing areas of disclosure and reporting that extend beyond their historical core responsibility of financial reporting and audit oversight. As a result, audit committees are considering if their composition needs to change,” said Krista Parsons, Audit & Assurance managing director with Deloitte’s Center for Board Effectiveness and Audit Committee Program leader.

Expertise

“The good news”, Parsons says, is that audit committees reportedly have the expertise they need. She adds: “It is critically important for audit committees to continuously assess their current composition and skill set to make sure it meets the needs of the organization and the risks it faces”.


Even as audit committees shift priorities, almost all of the respondents (92%) believe that their members have the appropriate collective experience needed. But even with this high level of trust in their skill set, many audit committees are also planning to expand and/or change their composition in the near future: 25% expect to make changes to the composition of their audit committee in the upcoming year, 25% are anticipating an increase in the size of their audit committee, 28% are planning on replacing their audit committee chair, and 42% are expecting to replace one or more committee members.

Illustration: Martina Lindberg

Cybersecurity threats

With increased cybersecurity threats all around the world, and more attention from regulators, such as the proposed rule from the SEC, cybersecurity has firmly established itself on the audit committee agenda.

The report showed 53% of the total respondents delegate their cybersecurity oversight to the audit committee, 26% to the board, and 11% to the risk committee.

However, most financial services companies are required to have a risk committee, and 24% of the respondents said they delegate the responsibility to it. Even so, 38% of the financial respondents would still prefer to allocate the cybersecurity oversight to the audit committee.

In non-financial-services companies, almost 60% delegated cybersecurity oversight to the audit committee.


Faith in the audit committee’s knowledge of cybersecurity rose 6% from last year’s survey. Now, 41% of respondents believe their audit committee members have appropriate cybersecurity experience and/or expertise.

Overall, most respondents sought outside viewpoints on finance and accounting (53%) and cybersecurity (43%). Last year, cybersecurity was ranked first (38%) and finance and accounting second (27%).

“Regardless of where oversight of cybersecurity risk falls, the escalating threats and attention it demands needs to be overseen with as much discipline as financial risk,” the report said.

Surprisingly, the survey showed that only 20% of the respondents ranked fraud as a risk among their top three focus areas for the next year. The rate was, however, slightly higher among audit committees of financial services companies (29%).

ERM risks

Similar to cybersecurity, ERM isn’t seen as an audit committee-only topic. “Due to an increasingly complex risk landscape, audit committees need to stay abreast of new risks and dynamically adapt their models,” the report observes. “They should also understand management’s process to identify emerging risks and focus on risks that matter most to the strategy.

“ERM should be a part of every audit committee meeting in some way in order to understand new risks and any changes in risk-monitoring processes.”

The report indicates a high level of confidence in audit committees’ ability to oversee ERM matters, with 75% of the total respondents believing that their audit committee members have the appropriate experience and/or expertise in this area.

However, many financial services companies (51%) would rather delegate this responsibility to the risk committee. And 17% said they have met with outside subject matter specialists in the last 12 months.

Figure: Subjects on which advice from outside experts was sought. Illustration: Martina Lindberg

ESG on the rise

Another increasing responsibility for the audit committee is ESG disclosure and reporting. This year, 34% of those responding indicated the audit committee has the overall ESG oversight, a big jump from last year’s 10%.

As with the rising focus on cybersecurity, the growing attention to ESG likely has to do with increased regulation, like the SEC’s proposed rule related to climate disclosures, along with more investor focus in this area.

Almost one in three respondents (32%) believe that their audit committee members have appropriate ESG/sustainability experience and/or expertise, and around 30% of the respondents said that they had met with external subject matter specialists to provide an outside-in perspective on ESG matters in the last 12 months.

This is the second Audit Committee Practices Report. The report, a survey of 164 audit committee members of primarily large-cap, public companies in the US, is a collaboration between Deloitte’s Center for Board Effectiveness (Deloitte) and the Center for Audit Quality (CAQ).