Scope Creep is Affecting Audit Committee Composition and Focus
The scope of the audit committee’s responsibilities continues to grow, and many committees are responding by expanding or changing their committee composition. That is one of the key findings of Audit Committee Practices Report: Priorities and Committee Composition (Practices Report), the second annual survey conducted by the Center for Audit Quality and Deloitte’s Center for Board Effectiveness on the oversight practices and current concerns of U.S. public company audit committee members. Survey respondents also reported that, outside of financial reporting and internal control, their top three areas of focus in 2023 would be cybersecurity (63 percent), enterprise risk management (45 percent), and ESG disclosure and reporting (39 percent). However, in a reversal of prior survey findings, only 20 percent of respondents ranked fraud risk as one of their top three focus areas in the next 12 months. For the results of the prior annual survey, see Good News and Bad News: Audit Committee Members Think Audit Quality Held Steady During COVID, But Many See Fraud Risk Rising, January-February 2022 Update.
The Center and the CAQ conducted their survey of audit committee members between August and October 2022. A total of 164 individuals participated, predominantly from U.S. public companies with revenue in excess of $500 million. Participants were asked to respond to 17 questions covering audit committee composition and core and emerging priorities and practices. Some highlights of the report’s findings are described below.
Audit Committee Composition
Committee membership turnover. Twenty-five percent of survey participants anticipate making changes to the composition of the audit committee in the next 12 months, including increasing its size. Further, 28 percent anticipate that their audit committee will replace the current chair. Forty-two percent anticipate replacing one or more committee members during the coming year; 24 percent of respondents expect to replace audit committee members with current board members, while 18 percent plan to bring in directors who are not presently on the board.
Committee expertise. The Practices Report opines that much of the anticipated change in audit committee composition is driven by necessity. “It may stem from expanding responsibilities and to combat fatigue and attrition, in addition to filling specific experience and knowledge gaps.” Respondents identified cybersecurity and technology as areas of expertise that could enhance their committees’ effectiveness. Ninety-three percent of respondents said that their audit committees already had finance and accounting expertise.
Committee diversity. Fifty-eight percent of respondents said that audit committee tracks the gender of committee members, while 48 percent track ethnicity/race, and 44 percent track age. Thirty-five percent of respondents said their committee did not track any diversity characteristics.
Audit Committee Agenda Issues
As noted above, the top nonfinancial reporting topics that survey participants thought would be areas of audit committee focus during the coming year were cybersecurity, enterprise risk management, and ESG disclosure and reporting.
Cybersecurity. Fifty-three percent of respondents said their board delegates cybersecurity oversight to the audit committee, while 26 percent said cybersecurity is a full board responsibility, and 11 percent said it is assigned to the risk committee. However, less than half (41 percent) of respondents believe their audit committee members have appropriate cybersecurity expertise, up 6 percent from the 2021 survey. Forty-three percent of respondents met with external cyber-security experts in the last 12 months to gain an outside perspective on the issue. The Practices Report observes, “Regardless of where oversight of cybersecurity risk falls, the escalating threats and attention it demands needs to be overseen with as much discipline as financial risk.”
Enterprise risk management (ERM). Forty-three percent of respondents indicated the audit committee is responsible for oversight of ERM, while 28 percent said ERM oversight was a full board responsibility and 21 percent said responsibility was lodged in the risk committee. Audit committee members have more confidence in their understanding of ERM than in their cybersecurity expertise: 75 percent of respondents believe their audit committee members have appropriate experience/expertise in enterprise risk. Nonetheless, 17 percent met with outside ERM specialists in the last 12 months.
ESG disclosure and reporting. ESG disclosure has rapidly become an important audit committee agenda topic. When asked who was responsible for oversight of ESG disclosure and reporting, 34 percent of respondents said the audit committee, while 27 percent indicated the board, and 16 percent pointed to the nominating/governance committee. In contrast, last year only 10 percent of survey respondents said that the audit committee had oversight responsibility for ESG disclosure. (These figures differ somewhat from those reported in Deloitte’s ESG readiness survey. See Many Large Companies Plan to Invest in ESG Reporting Readiness During 2023 in this Update.) Survey participants have less confidence in their abilities in this area than they do with respect to either cybersecurity or ERM. Just 32 percent of respondents believe their audit committee members have appropriate ESG/sustainability experience and expertise. Approximately 30 percent of respondents said they had met with outside ESG specialists in the last 12 months.
One significant change in audit committee agenda priorities relates to fraud. Only 20 percent of 2022 survey respondents ranked fraud risk as one of their top three focus areas in the next 12 months. Last year, financial reporting and internal controls -- including fraud risk – was the most-cited audit committee priority, and 56 percent said that the audit committee’s focus on fraud deterrence and detection had increased. Further, in 2021, 42 percent of respondents believed that fraud risk rose as a result of the COVID-19 business environment. See Good News and Bad News: Audit Committee Members Think Audit Quality Held Steady During COVID, But Many See Fraud Risk Rising, January-February 2022 Update. It is difficult to believe that the risk of financial reporting fraud has decreased significantly during the past year. Instead, it appears that the need to devote time and attention to new issues like cybersecurity and ESG may have lessened audit committees’ ability to focus on core responsibilities like fraud risk.
Comment: The Practices Report survey results can serve as a benchmarking resource to aid audit committee members in understanding what their peers are doing and whether there are practices other audit committees employ that they may wish to copy. Audit committees may also want to reflect on the risks of scope creep and on the possibility that new responsibilities like cybersecurity oversight, ERM, and ESG disclosure are crowding out the committee’s ability to perform its core mission of overseeing financial reporting. The CAQ’s recent publication, Audit Committee: The Kitchen Sink of the Board offers some suggestions on how audit committees can keep up with an ever-evolving workload. The Kitchen Sink report is described in Audit Committee Transparency Inches Ahead, November-December 2022 Update.