April 27, 2023
April 27, 2023
Is your audit committee increasingly tasked with the oversight of new risk areas, from cybersecurity to environmental, social, and governance (ESG) reporting? If so, it may be time to take a fresh look at your audit committee’s structure and practices, according to a new survey and collaborative report from the Center for Audit Quality (CAQ) and Deloitte’s Center for Board Effectiveness.
There’s no question that audit committees are facing scope creep. The inaugural edition of the Audit Committee Practices Report: Common Threads Among Audit Committeesfound that audit committees of all sizes are facing increased complexity in their core responsibilities and expanding agendas. The latest iteration of the report in this annual series sheds light on how boards are shifting oversight responsibilities and practices to meet new demands.
These insights were recently explored in an event convened by the CAQ, featuring report coauthors Vanessa Teitelbaum, senior director of the Professional Practice at the CAQ, and Krista Parsons, audit and assurance managing director with Deloitte’s Center for Board Effectiveness, along with Sara Grootwassink Lewis, audit committee chair at Weyerhaeuser, and Theo Bunting, audit committee chair at NiSource.
Audit committees remain highly focused on their core responsibility of financial reporting and audit oversight, but new areas of corporate reporting continue to appear on the audit committee agenda.
Of the 164 audit committee members surveyed for the report, 53 percent reported that they have oversight of cybersecurity, 43 percent reported having oversight of enterprise risk management (ERM), and 34 percent of respondents said that audit committees are responsible for the oversight of ESG disclosure and reporting—a significant 24-point increase over the previous year.
The audit committee members on the event panel agreed with these findings.
“At my company, cybersecurity is always top of mind for the audit committee, even when oversight occurs at the board level,” Lewis said during the event. “We generally get frequent updates at the audit committee; we ask more questions about evolving risks and we discuss any specific incidents these risks might incur. We also expect the SEC’s [US Securities and Exchange Commission] new cyber[security] rule to come out this spring.”
“When I started 2023 as audit committee chair, I took a step back and said ‘Hey, how effective is our charter?’ And as part of that process, we set out to benchmark our charter and work with one of our panelists, Krista Parsons at Deloitte, to benchmark our charter and define our areas of focus,” said Bunting. “And as we did that benchmarking, it highlighted certain areas that we felt were important for us to focus on—your charter should drive your agenda—and as we did the benchmarking, we set our agenda for the year and the areas of focus were cybersecurity, ERM, ESG disclosure and reporting, and typical areas of financial reporting.”
Audit committees are taking a variety of actions to address scope creep, primarily by changing board composition. This can be for a variety of reasons, from succession planning to ensuring audit committees have the right expertise and skill set to oversee new areas of corporate reporting.
According to the report, over the next 12 months, one-quarter of respondents expect to make changes to the composition of their audit committees, with 25 percent anticipating increasing the size of their audit committees, 28 percent planning on replacing their audit committee chairs, and 42 percent expecting to replace one or more committee members.
The panel participants shared how they were planning for succession and bringing expertise as needed to the audit committee. “In May of last year, my entire audit committee transitioned off the board,” said Bunting. “I lost my entire audit committee, but it was an opportunity. Because we looked at the board and we were able to identify gaps and enhance our skills matrix.”
“We talk about the skills matrix a lot in the context of boards but thinking about it in the context of the audit committee and making sure the chair is involved in the conversations about succession planning as it relates to the chair themselves and the rest of the committee members is important,” said Parsons. “Especially as you think about evolving risks that the company is facing and if the audit committee has the right skills to be able to address those items going forward. I completely agree with the skills matrix in keeping that fresh.”
Still, more than 90 percent of respondents in the report believed that they had the appropriate mix of expertise and skills on their audit committees. This is an encouraging figure, as are the boards’ ongoing efforts to evaluate their audit committees.
As the SEC’s 2022 proposed climate rule has generated a huge amount of buzz, ESG reporting is top of mind for the report respondents and event participants.
“Regardless of what comes out, investors are continuing to ask for disclosures in this area,” said Parsons. “I see most audit committees are taking this seriously and there’s a lot of work happening in this space.”
A third of survey respondents indicated that they had someone with ESG skills or expertise on their audit committees. Specifically, audit committees are overseeing reporting metrics and controls, comparability, and assurance-related activities.
In addition, the participants discussed the audit committee’s role in mitigating the risk of fraud, particularly considering the heightened fraud risk environment.
“We take fraud risk very seriously and we discuss it every quarter with our external auditors,” said Lewis. “The good news is the technology used by the internal and external audit is allowing for exponential sample sizes to be tested, resulting in fraudulent transactions being identified more quickly than before. The bad news is that when someone deliberately sets out to commit fraud, it’s still very hard to find.”
Bunting added, “I think the conversations we have are more around the changing environment—the virtual work environment today, high inflation, high interest rates. Are these increasing fraud? And how is management handling these?”
The results of the report make clear that today, corporations are facing more risks than ever. Against this backdrop, audit committees should pay close attention to their agendas to ensure they appropriately reflect their organizations’ top risks.
All the panelists stressed that in this environment, it’s more important now than ever for audit committees to have open and transparent communication with management and close collaboration with the external auditor will be required to have an effective audit committee. In addition, the participants recommended that audit committees should continue to take advantage of the numerous resources available to them, including analyst reports, business news, and publications offered by audit firms and stakeholder organizations.
Julie Bell Lindsay is CEO of the Center for Audit Quality.
NACD: Tools and resources to help guide you in unpredictable times.