Audit Committee Members Think Audit Quality Held Steady During COVID, But Many See Fraud Risk Rising
The Center for Audit Quality and Deloitte’s Center for Board Effectiveness have published the results of their survey of the oversight practices and current concerns of U.S. public company audit committees. Audit Committee Practices Report: Common Threads Across Audit Committees (Common Threads) reports on a 30-question survey, conducted during August and September, of 246 audit committee members, mostly from large (i.e., greater than $700 million in market cap) public companies in the U.S. The survey focused on areas of audit committee oversight, key risks, and audit committee practices. Common Threads provides insight into changes in audit committee responsibilities, issues currently facing audit committees and how committees are responding.
While financial reporting and internal controls – including fraud risk – are the most-cited audit committee priorities, many committee members also see cybersecurity (53 percent), data privacy security (48 percent), ethics and compliance (48 percent), third-party risk (47 percent) and enterprise risk management (42 percent) as top areas of focus. More than two-thirds of audit committee members (69 percent) anticipate spending more time on cybersecurity in 2022 than in 2021, and nearly three-quarters believe that ESG reporting will consume more of the committee’s time this year. Forty-two percent of respondents believe that fraud risk has increased as a result of the impact of COVID-19 on the business environment.
Some of the key findings reported in Common Threads include:
Audit Quality. Thirty-two percent of respondents said that audit quality increased last year, while 66 percent thought it remained the same; just 2 percent believe quality declined. As to what contributes to audit quality, 85 percent of respondents cited the competence of the engagement team and strong communication between the engagement partner and the audit committee as the most important factors. Only 37 percent identified engagement team independence.
Financial Reporting and Internal Controls. Ninety-six percent of respondents said that the audit committee has responsibility for financial reporting and internal controls; 86 percent have fraud risk responsibility. Nearly a quarter (24 percent) of respondents believe they will spend more time on financial reporting and internal controls in 2022 than in 2021, while approximately three-quarters (73 percent) expect they will spend about the same amount of time. Just two percent predicted that the time devoted to reporting and controls will decline.
Fraud Risk. As noted above, 42 percent of respondents think that fraud risk has increased because of COVID-related changes in the business environment. Seventy-four percent said their company had updated internal controls to increase fraud deterrence and detection over the last 12 months, while 61 percent reported increasing internal audit’s focus. Fifty-six percent said that the audit committee’s focus on fraud deterrence and detection had increased.
Enterprise Risk Management. When asked who was responsible for oversight of enterprise risk management (ERM) within their organizations, 42 percent of respondents said the audit committee, 33 percent said the board, and 20 percent said the risk committee. Thirty-two percent expect to spend more time on ERM oversight in 2022 compared to last year.
Cybersecurity and Data Privacy Security. Fifty-three percent and 48 percent of respondents, respectively, said that the audit committee is responsible for overseeing cybersecurity and data privacy security. Sixty-nine percent of those with cybersecurity oversight responsibility anticipate spending more time on it in the coming year compared with the past year, and 16 percent see cybersecurity as the top risk their committee will focus on in 2022. Sixty percent of audit committees include cybersecurity on their agendas quarterly. Thirty-five percent of respondents stated their audit committee has cybersecurity expertise, but 41 percent thought that additional cybersecurity expertise would enhance the committee’s effectiveness.
Ethics and Compliance; Third-party Risk. About half of respondents said their audit committee is responsible for the oversight of ethics and compliance (48 percent), and 47 percent said they had responsibility for third-party risk. Seventy-four percent of audit committees include ethics and compliance on their agenda quarterly, second only to financial reporting and internal controls (89 percent) as a quarterly agenda topic. (Third-party risk was reported to be on quarterly agendas for 22 percent of respondents.)
Audit Committee Engagement. Twenty-seven percent of respondents reported spending more than 250 hours on board or audit committee activities during the year. Almost as many – 24 percent – spend between 50 and 100 hours. The remaining 49 percent said they devote between 101 and 250 hours to their board and committee duties.
Comments: The Common Threads survey results can serve as a benchmarking resource to aid audit committee members in understanding what their peers are doing and whether there are practices other audit committees employ that they may wish to copy. In addition, audit committees should be alert to the Common Threads finding that many audit committee members believe that fraud risk has increased – driven in large part by the impact of COVID-19 on the operation of controls and on the prevalence of remote work. A recent KPMG survey has a similar finding. Audit committees may want to consider KPMG’s high-level recommendations as to how audit committees should respond to this elevated risk. See KPMG Survey Finds that Fraud, Cyber, and Compliance Threats are High and that Many Companies are Ill-Prepared, in this Update.