Slight Increases, Some Stagnation: CAQ and EY Report Cards on Audit Committee Transparency
On November 10, the Center for Audit Quality (CAQ) and research firm Audit Analytics released2021 Audit Committee Transparency Barometer, an annual assessment of S&P Composite 1500 proxy statement disclosures related to the work of the audit committee. Several weeks earlier, on October 26, the EY Center for Board Matters (EY Center) published its annual review of Fortune 100 audit committee-related proxy disclosures, Audit committee reporting to shareholders in 2021. Together, these reports reflect modest, but steady, increases in voluntary disclosures about the audit committee and its work, continuing a decade-long trend toward more openness. While transparency has increased substantially over the eight years it has published the Barometer, the CAQ summed up this year’s report as reflecting “slight increases with some stagnation among disclosures that have been tracked over the years.”
One exception to the incremental level of change in 2021 was cybersecurity oversight disclosure, which the CAQ finds has increased by five to seven percent each year since 2016. The CAQ notes that “COVID-19 has changed how we work, with some companies opting to go permanently remote, resulting in an increased dependence on technology. Audit committees have reacted positively by increasing disclosure of how they oversee the company’s cybersecurity risks.” EY also reports additional disclosure regarding audit committee oversight of risks not directly related to financial reporting, such as cybersecurity and ESG.
CAQ/AA: 2021 Transparency Barometer
The 2021 report is the CAQ’s eighth annual Transparency Barometer. (For a summary of the 2020 Barometer, see As Transparency Inches Forward, Audit Committees are Disclosing More About Cyber Risk Oversight, But Less About Audit Fees, October-November 2020 Update.) The CAQ’s report breaks down S&P 1500 disclosures between the S&P 500 large-cap companies, the S&P MidCap 400, and the S&P SmallCap 600. Highlights of the 2021 Transparency Barometer include:
The highest rates of disclosure related to non-audit services and their potential impact on independence, auditor tenure, criteria considered to evaluate the audit firm, and audit committee involvement in engagement partner selection. For example--
o Eighty-three percent of the S&P 500 discussed how non-audit services may impact auditor independence. Eighty percent of the S&P MidCap and 76 percent of the SmallCap companies made such disclosure.
o Half of the S&P 500 stated that the audit committee is involved in engagement partner selection, while 22 percent of MidCaps and 12 percent of SmallCaps made such a statement.
Topics as to which the CAQ found “moderate” rates of disclosure included engagement partner rotation, considerations when appointing the external auditor, and a statement that the committee evaluates the external auditor at least annually. For example, the percentage of S&P 500, S&P MidCap, and S&P SmallCap companies that disclosed that the engagement partner rotates every five years were 49, 24, and 16 percent, respectively. The comparable percentages for discussion of audit committee considerations in appointing the auditor were 44, 31, and 24 percent.
Areas in which there were relatively low levels of disclosure included audit committee responsibility for audit fee negotiations, explanation of a change in audit fees, and discussion of how the audit committee considers auditor compensation and its connection to audit quality. For example, only 17 percent of the S&P 500 disclosed an explanation for a change in audit fees. However, unlike most other topics, disclosure of reasons for fee changes was more frequent among smaller companies – 24 percent of SmallCaps and 20 percent of MidCaps discussed such changes.
The least popular disclosure tracked by the Barometer is significant areas discussed with the auditor. None of the S&P 1500 companies made such a disclosure in 2021. By comparison, in 2014, three percent of the S&P 500, two percent of the MidCaps, and one percent of the SmallCaps disclosed significant areas addressed with the auditor.
As noted above, disclosure related to audit committee responsibility for oversight of cybersecurity risk has increased sharply during the last five years. In 2021, 46 percent of the S&P 500 disclosed that the audit committee is responsible for cybersecurity (compared to 39 percent last year); 34 percent of S&P MidCaps (28 percent last year) and 24 percent of S&P SmallCaps (18 percent last year) made such a statement. In contrast, only eleven percent of the S&P 500 (and five percent of Mid-Caps and four percent of SmallCaps) discussed audit committee responsibility for cybersecurity risk oversight in 2016.
For many of the disclosure areas the Barometer tracks, the CAQ discusses why the disclosure matters to investors. For example, as to the impact of non-audit services on independence, the CAQ states: “Disclosure describing the oversight by the audit committee in reviewing any permitted non-audit services provided by the independent auditor to the company helps stakeholders understand how non-audit services are reviewed and factors considered by the audit committee. Such disclosure reinforces the oversight of the auditor’s independence, a foundation of audit quality.” In addition, the Barometer includes examples from audit committee reports or other proxy statement discussions of each type of disclosure tracked.
EY: Fortune 100 Audit Committee Reporting to Shareholders
The EY Center began its annual reviews of Fortune 100 audit committee disclosures in 2012. (For summaries of recent prior EY reports, see Voluntary Audit Committee Disclosures Continue to Increase – But Only Slightly, September 2020 Update, and CAQ and EY Center Audit Committee Transparency Reports: Disclosure Continues to Grow Apace, October-November 2018 Update) This year’s EY report is based on an analysis of the proxy disclosures of the 72 companies on the 2021 Fortune 100 list that filed proxy statements each year since 2012 and that held annual meetings through July 2021.
Like the CAQ, the EY Center finds that disclosure about the work of the audit committee has increased over time, but that the rate of change has slowed: “Voluntary audit committee-related disclosures have grown significantly over the past 10 years that [EY] has been tracking them, although the pace of change has slowed in recent years. While the COVID-19 pandemic has had a great deal of impact on publicly traded companies, it does not appear to have altered the upward trend in voluntary disclosures about audit committees, albeit incremental.” Some new disclosure areas are however appearing: “2021 disclosures also indicate that some audit committees are expanding their remits to include issues increasingly relevant to today’s investors, such as environmental, social and governance (ESG) matters, cybersecurity and more.”
Some other findings of the 2021 EY report include:
Seventy-one percent of Fortune 100 companies reviewed disclosed factors used in the audit committee’s assessment of the external auditor’s qualifications and work quality. Last year, 64 percent made such disclosure, and only 15 percent of these companies did so in 2012.
Ninety-two percent of the reviewed companies disclosed that the audit committee considers non-audit fees and services when assessing auditor independence. Only 16 percent made that disclosure in 2012.
Nearly 70 percent of reviewed companies stated that they consider the impact of changing auditors when assessing whether to retain the current external auditor, compared to three percent in 2012. Seventy-nine percent disclosed the tenure of the current auditor, up from and 23 percent in 2012. (Tenure is required to be disclosed in the auditors’ report.)
Approximately 76 percent of the reviewed companies included additional disclosures around risks beyond financial reporting that were overseen by the audit committee, including cyber-security, data privacy, enterprise risk management and ESG. For example—
o Nearly 70 percent disclosed that the audit committee oversees cybersecurity matters.
o Ten percent of reviewed companies discussed the audit committee’s role in ESG matters, such as oversight of climate change risks as they relate to financial and operational risk exposures and environmental, health and safety related matters.
Sixteen of the 72 reviewed companies’ audit committee disclosures referred to the critical audit matters (CAMs) discussed in the auditor’s report. (CAMs are matters communicated to the audit committee that involved especially challenging, subjective, or complex auditor judgment.) These disclosures noted that the audit committee reviewed and discussed with the external auditor CAMs that arose during the current period audit.
The EY report includes sample language on various types of audit committee disclosures from the proxy statements it reviewed. Also, similar to last year, the EY Center suggests that audit committees consider five questions in evaluating their company’s disclosure:
Does the company’s proxy statement effectively communicate how the audit committee is overseeing and engaging with the independent auditor? Does it address areas of investor interest, such as the independence and performance of the auditor and the audit committee’s key areas of focus?
How has the role of the audit committee evolved in recent years (e.g., oversight of enterprise risk management, cybersecurity risk), and to what extent are these changes being communicated to stakeholders?
In light of the changing environment, what additional voluntary disclosures might be useful to shareholders related to the audit committee’s time spent on certain activities, such as cybersecurity, data privacy, business continuity, corporate culture and financial statement reporting developments?
Has the audit committee considered how changes in the auditor reporting requirements may impact audit committee disclosures?
How do director qualifications and board composition-related disclosures highlight the diversity considerations, expertise, experiences, and backgrounds of audit committee members?
Comment: As the CAQ observes, “disclosure of the multiple additional ways audit committees oversee the external auditor contributes to audit quality. Transparency and disclosure are key elements of trust in the financial reporting system. In line with this, the CAQ continues to encourage robust audit committee disclosures in proxy statements to promote high-quality performance by public company auditors and investor trust in the audit committee’s oversight role.”
Audit committees should be aware of the types of voluntary disclosures their peers are making and consider expanding their disclosures to match. The kinds of voluntary disclosures the Transparency Barometer and the EY Center report identify as common among S&P 1500 and Fortune 100 companies are generally not controversial and would rarely involve disclosing confidential information or exposing the audit committee to increased litigation risk. Both reports include examples from company filings that provide good models for companies that are considering strengthening their disclosures. In addition, the EY Center’s suggested questions provide a framework for audit committee consideration of whether their company’s disclosures should be enhanced.