For Audit Committees Facing Scope Creep, New Report Sheds Light on Best Practices

By Julie Bell Lindsay

02/03/2022

Is your audit committee facing increased scope creep? You’re not alone.

Audit committees are critical to high-quality financial reporting, which is, in turn, critical to functioning capital markets. In addition to scope creep, these committees are being challenged by increased complexity in their core responsibilities, according to a report the Center for Audit Quality (CAQ) recently conducted in partnership with Deloitte.

The inaugural Audit Committee Practices Report: Common Threads Across Audit Committees sheds light on certain issues facing audit committees today and how peers may be responding. The survey results and related analysis can also serve as a benchmarking resource for gauging your own committee’s practices.

Audit Quality

Nearly every respondent said audit quality either increased (32 percent) or remained the same (66 percent) compared to the previous year. Despite concerns about the impact of working remotely, auditors were able to use technology to execute smarter and more efficient audits—without sacrificing audit quality. When asked what contributes to audit quality, 85 percent of respondents cited the competence of the engagement team and strong communication between the engagement partner and the audit committee as the most important factors.

Best Practice: While most audit committees formally evaluate the auditor at least annually, consider whether there are opportunities to have more robust and frequent communication with the engagement partner. To go further, enhance disclosure of such discussions in the proxy statement. Such transparency signals higher levels of audit committee involvement to stakeholders.

Cybersecurity

It’s no surprise that the pandemic’s ongoing impacts and the increased adoption of remote work have resulted in elevated cybersecurity threats for companies. According to the report, 53 percent of respondents listed cybersecurity as a top priority on their agendas, while 69 percent of those with cybersecurity oversight responsibility anticipate spending more time on it in the coming year.

Best Practice: If your audit committee is responsible for overseeing cybersecurity, make sure it has the right expertise. Consider having the chief information security officer or an internal team member in an equivalent position, as well as external experts such as cybersecurity subject matter specialists, present to your audit committee on a regular basis. Having an audit committee member with cybersecurity expertise is also beneficial, if possible.

Fraud Risk

Financial reporting and internal controls, including fraud risk, ranked high on the audit committee’s agenda. While audit quality has remained strong or improved, 42 percent of respondents indicated that fraud risk has increased due to shifts in the business environment caused by COVID-19. Seventy-four percent said they had updated internal controls to address the remote work environment over the last 12 months.

Best Practice: As audit committees grapple with increased fraud risk, they should continue challenging company management to have robust anti-fraud programs in place and active whistleblower hotlines. Additionally, they should continue asking management how internal controls have changed in the remote or hybrid work environment.

ESG

We are experiencing a watershed moment for environmental, social, and governance (ESG) issues. According to a CAQ analysis of S&P 500 companies, 95 percent of public companies have some form of detailed ESG information publicly available. Yet our report found that only 10 percent of audit committees had oversight responsibility for ESG reporting.

Best Practice: The audit committee’s responsibility with respect to ESG will likely evolve. For now, focus on internal and disclosure controls related to the ESG metrics being disclosed, on understanding the connection between ESG strategy and related goals, and on monitoring assurance-related activities.

Other Key Areas

Additional areas that many respondents said the audit committee oversees include data privacy and security (48 percent), ethics and compliance (48 percent), third-party risk (47 percent), and enterprise risk management (42 percent).

In this rapidly evolving corporate governance landscape, with their oversight responsibilities ever-changing, audit committees play a critical role in our capital markets through high-quality financial and other reporting.

Julie Bell Lindsay is the CEO of the Center for Audit Quality.