Krista Parsons is Managing Director and Audit Committee Programs Leader at the Center for Board Effectiveness, Deloitte & Touche LLP, and Vanessa Teitelbaum is Senior Director of Professional Practice at the Center for Audit Quality. This post is based on their Deloitte/Center for Audit Quality report.
Audit committee oversight is an important job that just keeps getting more complex. Since the Sarbanes-Oxley Act (SOX) came into play in 2002, audit committees have evolved and adapted to fulfill their unique and expanding role. Audit committees are charged with helping oversee financial reporting, audit processes, internal controls, ethics and compliance programs, and external and internal audit. Increasingly, such duties also include oversight of key risks, including cybersecurity and environmental, social and governance (ESG) reporting. Audit committees are being challenged by increased complexity in their core responsibilities, as well as scope creep across other areas within their organizations.
Against this backdrop, audit committee members often want to understand what their peers are doing to address this complexity and if there are leading practices they can employ within their own organizations. To this end, we are pleased to provide you with the inaugural edition of the Audit Committee Practices Report, a collaborative effort between Deloitte’s Center for Board Effectiveness (Deloitte) and the Center for Audit Quality (CAQ). The report is based on a survey of 246 audit committee members from predominantly large (greater than $700 million market cap), U.S.-based public companies. Conducted by Deloitte and the CAQ, the survey inquired about:
- Areas of oversight
- Key risks
- Audit committee practices
This post provides information related to certain issues facing audit committees today and how peers may be responding. The survey results and related analysis can also serve as a benchmarking resource for gauging your own committee’s practices.
Key findings
Effective oversight by strong, active, knowledgeable and independent audit committees significantly furthers the collective goal of providing high-quality, reliable financial information to investors.
—Paul Munter, Acting Chief Accountant, Securities and Exchange Commission [1]
Audit Quality
Nearly every respondent said audit quality either increased (32%) or remained the same (66%) over the last year. Despite concerns about the impact of working remotely, respondents noted that auditors pivoted to embrace the use of technology to execute smart and efficient audits—without sacrificing audit quality. Fortunately, audit firms and public companies have invested in technologies to enable audits to be performed remotely. For many auditors, the pandemic accelerated the adoption of such tools. While fully remote audits—similar to board meetings—are not expected to be the norm in the future, companies and audit committees experienced some benefits from working remotely. While the “new normal,” which will likely be a hybrid of remote work and on-site interaction, is still evolving, the focus on audit quality must continue.
When asked what contributes to audit quality, 85% of respondents cited the competence of the engagement team and strong communication between the engagement partner and the audit committee as the most important factors.
The quality of firm resources and innovations in technology followed closely behind. These responses underscore what many believe to be a fundamental tenet of audit quality—the relationship and communication with the auditor.
Key Insights
The SEC and listing agencies require the audit committee to discuss certain topics with the independent auditor throughout the year. While most audit committees formally evaluate the auditor at least annually, consider if there are opportunities to have more robust and frequent communication with the engagement partner. To go further, enhance disclosure of such discussions in the proxy statement. Such transparency signals higher levels of audit committee involvement to stakeholders. [2]
Financial Reporting and Internal Controls
It is not surprising that financial reporting and internal controls, including fraud risk, ranked high on the audit committee’s agenda, considering that this is at the core of the audit committee’s responsibility. Nearly a quarter (24%) of respondents believe they will spend more time, and approximately three-quarters (73%) expect they will spend about the same amount of time, on this critical area compared to last year.
Despite expanding responsibilities, this suggests that audit committees remain focused on their basic charters—as they should be. Audit committees are integral to maintaining trust in the capital markets and play an essential role in upholding the integrity of financial reporting and internal controls.
Key Insights
The SEC has disclosed its regulatory agenda and has included four important areas that fall under the ESG umbrella: climate change, cyber risk governance, board diversity, and human capital management; proposed rules are expected in early 2022. Audit committees should have a voice in this discussion with regulators, stay apprised of these developments, and challenge management to have appropriate processes and controls around disclosures. Audit committees can go a step further by including robust disclosures regarding their oversight activities in the proxy statement. See additional insights on the audit committee’s role in overseeing ESG below.
Fraud Risk
Of note, while audit quality has remained strong or improved, 42% of respondents indicated fraud risk has increased. Seventy-four percent said they updated internal controls to address the remote work environment over the last 12 months. Smaller cap companies appear to be slower to address this risk than their larger counterparts. Audit committees within companies that have a market cap greater than $700 million are one-third more likely than smaller cap companies to have instituted the following fraud-deterrent measures:
- Increased internal audit focus
- Use of technology to manage risks
- Updated internal controls to address remote work
Key Insights
As audit committees grapple with increased fraud risk, they should continue challenging management to have robust anti-fraud programs and ensure that whistleblower hotlines are operating effectively. Additionally, they should continue asking management how internal controls have changed in the remote or hybrid work environment.
Enterprise Risk Management
When asked who was responsible for oversight of enterprise risk management (ERM) within their organizations, 42% of respondents said the audit committee, 33% said the board, and 20% said the risk committee. It’s noteworthy that 24% of survey respondents primarily operate in the financial services industry. The regulatory requirement for certain publicly traded financial services companies to have a separate risk committee may be driving this result.
Of those respondents indicating that their audit committee was responsible for overseeing ERM, 32% expect to spend more time on ERM oversight compared to last year, possibly as a means of managing the growing number of emerging risks.
The list of external factors impacting organizations’ risk profiles continues to expand and includes risks related to the geopolitical arena; the regulatory environment; supply chain; climate change; and diversity, equity, and inclusion; among others.
Key Insights
Between the board and its committees, clarifying who is responsible for overseeing the enterprise risk process, as well as the key risks identified as part of that process, is crucial to effective corporate governance. To the extent the audit committee oversees the enterprise risk process, it should consider receiving regular updates on how management is sensing and managing rapidly evolving or emerging key risks.
Cybersecurity and Data Privacy Security
Fifty-three percent and 48% of respondents said that the audit committee is responsible for overseeing cybersecurity and data privacy security, respectively. Not surprisingly, 69% of those with cybersecurity oversight responsibility anticipate spending more time on it in the coming year compared with the past year, and 62% see cybersecurity as one of the top risks to focus on in the coming year. The majority (60%) of audit committees are including cybersecurity on their agendas quarterly. Thirty-five percent of respondents stated their audit committee has cybersecurity expertise, with 41% acknowledging a need for additional expertise in this area.
Outside of management, cybersecurity subject matter specialists consulted with audit committees more than any other type of advisor in the last 12 months. Also of note, audit committees for companies with primary operations within the U.S. expect to focus on cybersecurity more next year than those with primary operations outside the U.S.
Key Insights
If your audit committee oversees cybersecurity risk, make sure you’re hearing from the right people in meetings. Consider having the chief information security officer (CISO), or the equivalent, present to the audit committee on a regular basis. Given the pace of developments in the cybersecurity space, it’s also appropriate to periodically get an outside-in perspective during audit committee meetings. Asking your external auditor or other advisors to present with your CISO is a natural option. [3]
Ethics and Compliance and Third-Party Risk
Nearly half of respondents said their audit committees are responsible for the oversight of ethics and compliance (48%) as well as third-party risk (47%). Nearly three-quarters of audit committees include ethics and compliance on their agenda quarterly, while third-party risk appears less frequently: it is on the agenda quarterly for 22% of respondents. Audit committees for companies with primary operations in the U.S. are three times as likely to prioritize both ethics and compliance and third-party risk compared to audit committees outside the U.S.
Key Insights
Both ethics and compliance and third-party risk are key to overall risk management. While broader than financial reporting and internal control over financial reporting, ethics and compliance programs help the organization adhere not only to laws and regulations but also to the company’s ethical principles. The whistleblower program is an important tool that can help audit committees understand culture and tone within the organization. When receiving updates on what’s reported through the hotline, the audit committee should ask about trends and how issues are being resolved.
Audit Committee Engagement
While there are distinctions based on industry and company market capitalization, the survey results collectively suggest that audit committees of all sizes are rigorous and engaged in fulfilling their responsibilities. However, larger cap companies are generally more complex. Perhaps this is why audit committees at larger cap companies identified more areas of oversight, spend more time on fraud risk, use technology to mitigate risk, and are more likely to report on ESG criteria compared to their counterparts at smaller cap companies. In addition, they generally have longer meetings, offer more comprehensive pre-read materials, and expect more time from their committee members. Indeed, audit committee members for companies with market cap greater than $700 million are 1.5 times more likely than smaller cap companies to spend more than 100 hours per year on board activities.
Key Insights
Slightly more than one quarter (27%) of respondents reported spending more than 250 hours on board or audit committee activities per year. Nearly half (49%) said they dedicate 101 to 250 hours to the same. Considering the rapidly expanding range of risks audit committees are expected to cover, growing time commitments may become more common. Acknowledging that the right amount of time varies by company, the commitment of the nearly one quarter (24%) of respondents who cited 50 to 100 hours may increase in the long term.
Where are Audit Committees on ESG?
Separately, the CAQ examined publicly available ESG data for S&P 500 companies and found that 95% of S&P 500 companies had detailed ESG information publicly available. [4] This information was primarily outside of an SEC submission in a standalone ESG, sustainability, corporate responsibility, or similar report. Of the remaining 5%, most companies published some high-level policy information on their websites.
Audit committees responded that 66% of their companies issue a sustainability or ESG-related report, and 69% obtain or are actively discussing obtaining third-party assurance on one or more components of ESG or sustainability data. While this speaks to the growing importance of ESG, only 10% of audit committees responded as having oversight responsibility for ESG reporting. In our experience, oversight of the various components of ESG may be distributed across the board and its committees. Given the role audit committees play in overseeing financial reporting and internal controls, there are certain areas that typically fall within their purview:
- Focusing on internal and disclosure controls and procedures related to the metrics being publicly disclosed in a sustainability report or otherwise (e.g., on the website, in filings, etc.). This includes working closely with other committees to understand how ESG risks are identified and prioritized and how materiality is defined. Understanding how ESG-related disclosures compare between sustainability (or similar) reports and filings; management should be prepared to explain any differences.
- Understanding the connection between the ESG strategy and related goals and metrics— and how management considers any impacts it may have on the financial statements. Understanding and coordinating ESG and risk oversight connections between primary committee owners.
- Monitoring assurance-related activities— both understanding why or why not the organization is obtaining assurance, and overseeing the third-party providing that assurance, if applicable. [5]
Audit committee practices report
The following results are for total respondents and exclude questions that pertained to demographics.
Audit committee risk oversight
1. In the list below, indicate which committee has oversight for each topic.
Topic | Board | Audit | Comp/Talent | Nom/Gov | Risk | Other | N/A or don’t know |
---|---|---|---|---|---|---|---|
Financial reporting and internal controls | 3% | 96% | 0% | 0% | 1% | 0% | 0% |
Fraud risk | 6% | 86% | 0% | 0% | 6% | 0% | 1% |
Enterprise risk management | 33% | 42% | 0% | 2% | 20% | 0% | 2% |
Third-party risk | 26% | 47% | 0% | 2% | 20% | 2% | 4% |
Digital transformation | 63% | 14% | 1% | 1% | 5% | 7% | 9% |
Cybersecurity | 26% | 53% | 1% | 1% | 14% | 4% | 1% |
Data privacy and security | 26% | 48% | 0% | 3% | 16% | 4% | 2% |
Supply chain risk | 39% | 19% | 0% | 0% | 14% | 7% | 21% |
ESG reporting | 40% | 10% | 2% | 31% | 3% | 11% | 3% |
Culture | 63% | 3% | 15% | 12% | 2% | 3% | 3% |
Diversity, equity, and inclusion | 49% | 2% | 21% | 19% | 1% | 5% | 3% |
Ethics and compliance | 26% | 48% | 3% | 11% | 5% | 6% | 0% |
Survey Q3.1, base 231
2. How often are these areas of oversight on the audit committee agenda?
Area of oversight | Annually | Semi-annually | Quarterly | As needed | Other | Total response |
---|---|---|---|---|---|---|
Financial reporting and internal controls | 2% | 5% | 89% | 3% | 1% | 220 |
Fraud risk | 16% | 13% | 54% | 16% | 2% | 198 |
Enterprise risk management | 18% | 30% | 46% | 6% | 0% | 98 |
Third-party risk | 17% | 27% | 22% | 32% | 2% | 108 |
Digital transformation | 6% | 24% | 30% | 39% | 0% | 33 |
Cybersecurity | 8% | 22% | 60% | 8% | 1% | 121 |
Data privacy and security | 14% | 25% | 41% | 18% | 1% | 111 |
Supply chain risk | 19% | 33% | 16% | 30% | 2% | 43 |
ESG reporting | 9% | 27% | 27% | 36% | 0% | 22 |
Culture | 14% | 29% | 0% | 57% | 0% | 7 |
Diversity, equity, and inclusion | 25% | 25% | 25% | 25% | 0% | 4 |
Ethics and compliance | 9% | 11% | 74% | 6% | 0% | 111 |
Survey Q3.3, *total response comprises those respondents who stated in Question 1 that the audit committee is responsible for the area.
3. Consider the amount of time the audit committee spent in the past year on each area of oversight. How would you compare the amount of time you anticipate spending in the coming year?
4. What 3 risks or topics do you anticipate the audit committee focusing on the most next year? Rank your top 3 choices by assigning values 1-3.
Risk or topic | Rank 1 | Rank 2 | Rank 3 |
---|---|---|---|
Financial reporting and internal controls | 62% | 10% | 8% |
Cybersecurity | 16% | 30% | 16% |
Effectiveness of ERM | 6% | 12% | 17% |
ESG reporting | 4% | 10% | 11% |
Ethics and compliance | 0% | 11% | 11% |
Fraud risk | 1% | 8% | 9% |
Digital transformation | 2% | 5% | 8% |
Data privacy and security | 2% | 6% | 5% |
Supply chain risk | 4% | 2% | 5% |
Third-party risk | 0% | 4% | 5% |
Diversity, equity, and inclusion | 0% | 2% | 2% |
Culture | 1% | 1% | 2% |
Survey Q3.6, base 221
5. How have shifts to the business environment resulting from COVID impacted the fraud landscape for the company?
6. What measures have been instituted by management or the board to increase fraud deterrence and detection over the last 12 months? Please select all that apply.
ESG
7. What is the most material environmental and social factor being considered at your company?
8. Does your company issue a sustainability or ESG-related report?
Survey Q5.2, base 225
9. Does the company obtain third-party assurance on one or more components of ESG or sustainability data?
10. Does the audit committee review the assurance(s) of the ESG or sustainability data?
Audit Quality
11. How has audit quality changed over last year?
12. What most contributes to audit quality? Select all that apply.
Critical audit matters
13. For companies subject to PCAOB audits, how much committee time has been spent discussing critical audit matters (CAMs) with the external auditor in the past 12 months?
14. Do CAM discussions provide insights that were not readily available prior to the issuance of the standard?
Survey Q7.2, base 177
Audit committee oversight of external auditor
15. What involvement does the audit committee have in the selection of the lead engagement partner? Select all that apply.
16. When assessing the external audit firm, which 3 considerations are most important to the audit committee? Please rank your top 3 choices.
Consideration | Rank 1 | Rank 2 | Rank 3 |
---|---|---|---|
Quality of the engagement partner | 41% | 24% | 7% |
Quality of the engagement team | 37% | 31% | 13% |
Industry expertise | 9% | 14% | 13% |
Quality of insights provided in addition to the audit report | 4% | 10% | 18% |
Quality of national office resources | 3% | 3% | 10% |
Fee benchmarking | 2% | 3% | 14% |
Geographical reach of the firm | 1% | 4% | 7% |
Quality of access to specialists | 1% | 5% | 10% |
Auditor tenure | 1% | 1% | 2% |
External and internal inspection results of the firm | 0% | 5% | 4% |
Restatement history | 0% | 1% | 0% |
Other | 0% | 1% | 1% |
Audit committee expertise
17. Do any audit committee members have the following experience/expertise? Please select all that apply.
18. What additional expertise do you believe would enhance your audit committee’s effectiveness? Please select all that apply.
Audit committee meeting practices
19. How is the earnings release discussed?
20. How long is the audit committee meeting related to the earnings release (whether a separate meeting or if part of regular quarterly meeting)?
Survey Q8.4, base 206
21. Including any time spent in executive session, how much time is currently allocated to the average audit committee meeting?
Survey Q8.5, base 222
22. How would you describe the length of audit committee meetings? Please select all that apply.
Survey Q8.6, base 222
23. How has the length of the average audit committee meeting been affected by COVID-related impacts?
24. How has the frequency of audit committee meetings been affected by COVID-related impacts?
25. How do you anticipate audit committee meetings will be structured after the risk of contracting COVID can be mitigated to an acceptable level? Select all that apply.
Audit committee meeting materials
26. How far in advance of audit committee meetings are pre-read meeting materials received?
Survey Q8.10, base 222
27. Which of the following best describes your level of satisfaction with the quality of pre-read materials provided by management and your external auditors?
Survey Q8.11, base 222
28. With regularity, does the audit committee meet immediately before or after committee meetings without non-committee members present?
29. In the past 12 months, has the audit committee met with subject matter specialists outside of management to provide an outside perspective on any of the following topics? Please select all that apply.
30. In a year, approximately how much time do you spend fulfilling your board and audit committee responsibilities?
Survey Q8.17, base 222
The complete publication, including footnotes, is available here.
Endnotes
[1] SEC statement by Paul Munter, “The Importance of High Quality Independent Audits and Effective Audit Committee Oversight to High Quality Financial Reporting to Investors” (October 26, 2021).
[2] See more on audit committee disclosure trends in the CAQ’s 2021 Audit Committee Transparency Barometer.
[3] For more information, see the CAQ’s publication, The Role of Auditors in Company-Prepared Cybersecurity Information: Present and Future.
[4] The data reflects the S&P 500 index as of March 12, 2021 and the company’s most recent available ESG information as of June 18, 2021.
[5] For more information, see Deloitte’s publications, “Navigating the ESG journey in 2022 and beyond” and “The role of the board in overseeing ESG”.