Print
E-MailLeeann Arthur is a senior manager, Krista Parsons is a managing director, and Robert Lamm is an independent senior advisor, all at the Center for Board Effectiveness, Deloitte LLP. This post is based on their Deloitte memorandum.
In recent years, the role of the audit committee—and, in particular, its oversight of the independent auditor—has been subject to increased scrutiny from regulators, investors, and other stakeholders. The independent auditor is critical to maintaining confidence in the reliability of financial information and, ultimately, in the proper functioning of the capital markets. Increasingly, investors also look to the independent auditor to provide insights that support sound, well-informed financial decisions. With changes to the auditor’s reporting model that went into effect this year, and the imminent requirement to identify critical audit matters (CAMs), transparency around the audit committee’s interactions with the independent auditor is even more essential.
Now in its fifth year, Deloitte’s observations and analysis of trends in audit committee disclosures in the proxy statements of S&P 100 [1] companies reflect moderate increases in disclosure in certain areas of frequent focus by regulators and investors.
In 2019, certain disclosures relating to the independent auditor increased. A greater percentage of S&P 100 companies disclosed that the audit committee evaluates the independent auditor, the reasons why the committee decided to reappoint the independent auditor, and the tenure of the independent auditor. More audit committees also disclosed that they discussed the scope and plan for the audit with the independent auditor. While some other voluntary disclosures appear to have plateaued, these modest increases may have been in preparation for the new and upcoming regulatory requirements previously discussed.
Perhaps driven at least in part by guidance issued by the SEC in February 2018, [2] the audit committee’s role in the oversight of cyber risk has been the subject of increasing interest and increasing disclosure. Such disclosures saw the most significant increase in this year’s study, with more than 50 percent of the S&P 100 companies disclosing the role of the audit committee in overseeing cyber risk, a double digit increase from 43 percent in 2018 to 58 percent in 2019.
With the proxy statement providing a valuable communication conduit to investors, key observations presented on the following pages amplify how companies may enhance their proxy statements and increase their strategic value.
Areas with notable growth
The data points below represent areas where there was notable growth in audit committee disclosures in the proxy statements of S&P 100 companies.
Areas with little to no change
Since the beginning of this study in 2015, disclosure of discussion of issues encountered in performing the audit has only increased 2%.
-
- More disclosure in these areas may have been expected due to the imminent new requirement for the independent auditor to identify CAMs.
- Disclosure of significant issues encountered in performing the audit may increase when the first set of CAMs are included in auditor’s reports for June 30, 2019, year-end public companies. [4]
- For more information on the impact of CAMs, refer to the April 2019 On the board’s agenda: What to expect from auditor reporting of critical audit matters.
Trends in cyber risk disclosures
The role of the board in overseeing cyber risk is evolving. Boards are working to determine if oversight should be the responsibility of the full board, shared with a committee, or delegated to a committee.
“The days of wondering if you’re going to be the next victim are gone. Now it’s a matter of how often you’ll get hit, and how bad it’ll be. And we’re not talking just about defense contractors or critical infrastructure. Every company is a target. Every single bit of information, every system, and every network is a target.
Every link in the chain is a potential vulnerability.”
—Christopher Wray, Director of the Federal Bureau of Investigation [5]
Who oversees cyber risk?
Some companies have moved oversight of cyber risk from the audit committee to another committee or designated it as a shared responsibility with the full board or other committee, perhaps in recognition of the importance and pervasiveness of this issue. Below are examples of ways in which boards have assigned responsibility for the oversight of cyber risk:
Cyber risk oversight is often delegated to the audit committee
“Board’s role in risk oversight (Audit Committee): Cybersecurity, including protection of customer and employee data, trade secrets, and other proprietary “crown jewel” information, ensuring the security of data on the cloud, persistent threats, and cyber risks associated with our own software products.” —Honeywell International, Inc., 2019 Proxy Statement and Notice of Annual Meeting of Shareholders [6]
In some cases, it is shared between the audit committee and full board
“Cybersecurity oversight consists of the Board and Audit Committee each receiving regular updates from senior management, including the CISO, as well as from cybersecurity experts in areas such as rapidly evolving cybersecurity threats, cybersecurity technologies and solutions deployed internally and with IBM clients, major cyber risks areas and policies and procedures to addresses those risks, and cybersecurity incidents.” —IBM, 2019 Notice of Annual Meeting & Proxy Statement [7]
Some companies have decided to transition cyber risk oversight from the audit committee to a different committee
“In 2019 responsibility for oversight of risks related to cybersecurity and data and information security governance was transferred from the Audit Committee to the Nominating and Corporate Governance Committee, whose members possess expertise regarding those subjects.” —CVS Health, Notice of 2019 Annual Meeting of Stockholders and Proxy Statement [8]
Suggestions for audit committees
Deloitte’s interactions with audit committees demonstrate that the oversight work of the committee usually goes beyond satisfaction of minimum requirements. A compelling proxy statement—one that goes beyond minimum required disclosure—can educate investors and other stakeholders, providing a more holistic view of the work of the board of directors and each committee. To enhance the transparency and usefulness of the proxy, consider the following:
1. Provide more granular information on key topics on the audit committee agenda
Suggestion in practice: “Meeting agendas are established by the Audit Committee Chair and the Chief of Internal Audit. During 2018 . . . the Audit Committee . . .
held separate private sessions . . . with each of the Company’s General Counsel, the Independent Auditors and the Chief of Internal Audit, at which candid discussions regarding financial management, legal, accounting, auditing, and internal control issues took place…
reviewed with management . . . significant risks and exposures . . . the overall adequacy and effectiveness of the Company’s legal, regulatory and ethical compliance programs, including the Company’s Codes of Business Conduct, and the Company’s quality and food safety programs, workplace and distribution safety programs, and information technology security programs . . .
participated, in educational sessions about topics requested by the Audit Committee.”
—The Coca Cola Company, 2019 Proxy Statement: Notice of Annual Meeting of Shareowners [9]
2. Specify independent auditor evaluation criteria
Suggestion in practice: “Each year, the Audit and Compliance Committee considers . . . (1) . . . the quality and efficiency of the services provided and the independent auditor’s communication and interactions with the Company; (2) the auditor’s independence, objectivity, technical experience, and knowledge of our industry and the Company’s operations; (3) whether the auditor has recently been the subject of any administrative, criminal, or civil investigations or been accused of violating Public Company Accounting Oversight Board (‘‘PCAOB’’) policies; and (4) the independent auditor’s fee structure”— Allergan, 2019 Proxy Statement: Notice of Annual General Meeting of Shareholders [10]
3. Discuss issues encountered during the audit and how they were resolved
Suggestion in practice: “Audit Committee: It also has direct responsibility for and sole authority to resolve any disagreements between our management and our external auditors regarding financial reporting, regularly reviews with the external auditors any problems or difficulties the auditors encountered in the course of their audit work . . .” —Kinder Morgan, Inc.—KMI, 2019 Proxy Statement [11]
4. Enhance readability throughout the proxy by utilizing graphics to depict important information or personalize the audit committee with photos or other messages tailored to readers.
Suggestion in practice: For example, the audit and risk committee report from Visa, Inc.’s Notice of 2019 Annual Meeting and Proxy Statement includes a photo of the committee chair and a quote discussing the priorities of the committee over the last year. [12]
Conclusion
The important and complex work of the audit committee may not always be apparent to investors and other governance stakeholders. Though dialogue among companies, investors, and other stakeholders continues to develop, enhancing the proxy statement and expanding disclosures could be a rich opportunity for companies to increase transparency by strengthening descriptions of what the audit committee is to include a deeper discussion on the work the audit committee actually performs.
Endnotes
1The 2019 analysis included all sections of the most recent annual proxy statements filed through May 1, 2019. Because the composition of the S&P 100 changes annually, the companies analyzed in 2019 differed from those covered by the 2018 analysis; three of the companies in the 2019 analysis were not included in the 2018 analysis.(go back)
2Christine Mazor and Sandra Herrygers, “In the spirit of full cybersecurity disclosure,” Deloitte, February 23, 2018, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/audit/ASC/HU/2018/us-aers-hu-in-the-spirit-of-full-cybersecurity-disclosure.pdf(go back)
3 New auditor’s report format, tenure, and other information: audits for fiscal years ending on or after December 15, 2017: https://pcaobus.org/News/Releases/Pages/auditors-report-standard-adoption-6-1-17.aspx(go back)
4https://www2.deloitte.com/content/dam/Deloitte/us/Documents/center-for-board-effectiveness/otba-what-to-expect-from-auditor.pdf(go back)
5The FBI and Corporate Directors: Working Together to Keep Companies Safe from Cyber Crime, https://www.fbi.gov/news/speeches/the-fbi-and-corporate-directors-working-together-to-keep-companies-safe-from-cyber-crime.(go back)
6Honeywell International, Inc., 2019 Proxy Statement and Notice of Annual Meeting of Shareholders: http://investor.honeywell.com/interactive/newlookandfeel/4121346/Proxy-2019/HTML1/tiles.htm(go back)
7IBM, 2019 Notice of Annual Meeting & Proxy Statement: https://www.ibm.com/annualreport/assets/downloads/IBM_Proxy_2019.pdf(go back)
8CVS Health, Notice of 2019 Annual Meeting of Stockholders and Proxy Statement: https://cvshealthannualmeeting.com/media/2445/350873-1-_13_cvs-health_nps_wr.pdf(go back)
9The Coca Cola Company, 2019 Proxy Statement: Notice of Annual Meeting of Shareowners: https://www.coca-colacompany.com/content/dam/journey/us/en/private/fileassets/pdf/2019/annual-shareholders-meeting/2019-Proxy-Statement.pdf(go back)
10Allergan, 2019 Proxy Statement: Notice of Annual General Meeting of Shareholders: https://allergan-web-cdn-prod.azureedge.net/actavis/actavis/media/allergan-pdf-documents/investors/proxy%20materials/allergan-proxy-statement-2019.pdf(go back)
11Kinder Morgan, Inc.—KMI, 2019 Proxy Statement: http://app.quotemedia.com/data/downloadFiling?ref=12809112&type=PDF&symbol=KMI&companyName=Kinder+Morgan+ Inc.&formType=DEF+14A&formDescription=Official+notification+to+shareholders+of+matters+to+be+brought+to+a+vote+%28Proxy%29&dateFiled=2019-03-29(go back)
12Visa, Inc.’s Notice of 2019 Annual Meeting and Proxy Statement: https://s1.q4cdn.com/050606653/files/doc_financials/annual/2018/12/Visa-2019-Proxy-Statement-FINAL.pdf(go back)
