Krista Parsons is a Managing Director and Audit Committee Programs Leader, Maureen Bujno is a Managing Director, and Kimia Clemente is a Senior Manager at the Center for Board Effectiveness at Deloitte & Touche LLP. This post is based on a Deloitte memorandum by Ms. Parsons, Ms. Bujno, Ms. Clemente, and Nidhi Sheth.
The audit committee’s role in risk oversight
Predicting the future is difficult, particularly in times of change and uncertainty. However, it seems safe to predict that the 2023 agendas of many audit committees will be risk-centric.
Of course, risk oversight is among the most important—if not the most important—of the audit committee’s responsibilities. While the audit committee is not responsible for overseeing all of a company’s risks, it is often responsible for oversight of the company’s risk oversight policies and processes, principally the enterprise risk program. This program, which management leads, entails identifying key risks across the organization, from financial risks to workforce risks and from risks due to raw material shortages to risks arising from natural disasters and other crises. In other words, except in cases where a company has a risk committee,[1] the audit committee oversees the process of evaluating and managing risks that could pose a threat to the company’s viability and success. According to the latest Audit Committee Practices Report published by Deloitte and the Center for Audit Quality, 43% of the total respondents surveyed said that the audit committee has primary oversight responsibility for enterprise risk management.
However, the audit committee’s responsibility for risk oversight goes beyond understanding and advising with regard to the creation and implementation of a sound enterprise risk program. The committee is charged with understanding and advising on how management continuously identifies, monitors, and assesses risks and ensuring that material risks are allocated to the full board or the appropriate committee. And the audit committee is itself responsible for overseeing key areas of risk, such as risks that impact financial reporting and disclosure, including internal controls and fraud.
Areas of risk oversight in 2023
For many, the number and severity of risks seem to increase daily, suggesting that in 2023 the audit committee will increasingly need to focus on its risk oversight responsibilities. A complete list of the risks to be overseen in 2023 might be very lengthy, but a survey reported in the Audit Committee Practices Report suggests that the following areas are most likely to be the subjects of audit committee risk oversight in 2023: disclosure, including financial reporting, internal controls, and fraud; cybersecurity; effectiveness of the enterprise risk management program; environmental, social, and governance (ESG) reporting and disclosure; inflation; and digital transformation.[2] We address some of these, as well as other risks, below.
Financial reporting and disclosure
As noted above, disclosure is one of the risk areas for which the audit committee has primary responsibility. This responsibility stems from a number of legal requirements; for example, the U.S. Securities and Exchange Commission (SEC) rules require disclosure as to whether the audit committee recommends to the full board the inclusion of a company’s financial statements in its annual report on Form 10-K. Another example is the Sarbanes-Oxley Act and related SEC rules, which give the audit committee sole responsibility for hiring, monitoring, compensating, and (where appropriate) firing the independent auditors. The audit committee also has oversight responsibility for the internal audit function. Flowing from these requirements and practices, the audit committee is the repository of the most knowledge of and familiarity with disclosure requirements, including concepts such as materiality.
These and other areas relating to disclosure are likely to be in the spotlight in 2023, in part because of ongoing enforcement efforts by the SEC and other government agencies, investor and media scrutiny, and other factors, including historical evidence that recessionary economies and market volatility tend to increase levels of fraud. In fact, in November 2022, the SEC’s acting chief accountant stated that “[t]he current economic environment is subject to significant uncertainties and, historically, that oftentimes leads to heightened fraud risk.”[3] In an earlier speech, he also said that “auditors … have a responsibility to consider fraud and to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error.”[4] Other economic factors that could result in enhanced SEC scrutiny include inflation and fluctuations in foreign exchange rates.
The anticipated focus on disclosure in 2023 is also likely to be affected by new rules that may be adopted by the SEC. Under the leadership of Chair Gensler, the SEC has proposed a number of rules that will, if adopted, expand disclosures in areas such as cybersecurity and climate change. And the SEC is widely expected to propose rules calling for added disclosure in several areas, including human capital, emerging technologies, and cryptocurrencies, among others.
In short, disclosure and financial reporting are likely to be priority items on the 2023 agendas of many audit committees.
Enterprise risk management
Oversight of enterprise risk management (ERM)—the processes used to identify, monitor, and assess risks—has been on the audit committee’s agenda for many years. However, this oversight role may require extra vigilance in 2023, as the pace of change and the challenges faced by companies seem to increase daily. A key component of this oversight is the receipt and review by the committee of a dashboard showing material risks and the degree of risk associated with each (e.g., red, yellow, and green), as well as which risks are trending up and down. In addition, the committee should consider new and emerging risks that have been added to the dashboard or that may be added in the future.
Aside from general oversight, the audit committee needs to assess whether the ERM process is evolving to meet the challenges of the day. An ERM program that has worked well for several years may generate complacency or may fail to identify new risks or to sense emerging risks, both internal and external, or their potential impact on the company. Accordingly, the committee may need to reevaluate the efficacy of the program or some of its components. The committee may also need to consider whether employee departures or other developments have impaired the resources needed to properly execute the ERM program.
Cybersecurity and other technology matters
Cybersecurity has been at the top of many audit committees’ lists of key risks for several years and shows no signs of going away or becoming less significant. In fact, the Audit Committee Practices Report suggests that cybersecurity will be an increasingly important area of focus for audit committees in the future. Moreover, the report indicates that a majority of the companies surveyed allocate oversight responsibility for cybersecurity to their audit committees. Cybersecurity risk is also likely to loom large in 2023 due to the expected adoption of final SEC rules requiring extensive disclosure on the topic, including whether any member of the board of directors has cybersecurity expertise. Given the prominent role that many audit committees have in cybersecurity risk oversight, the adoption of the latter requirement may impact audit committee succession planning in 2023 and beyond.
Cybersecurity risks are not the only technology-driven risks that may call for greater audit committee oversight in 2023. As the use of artificial intelligence grows—and, with it, concerns about data privacy, ethical implications of artificial intelligence, and other matters—audit committees will be expected to address associated risks, in some cases including areas for which the audit committee may have primary responsibility.
Additional risks associated with technology include the possibility that a line of business—possibly the principal line of business in which the company engages—will be subject to disruption by a new technology and risks that can result from unethical practices in the use of artificial intelligence.
Environmental and climate change
While audit committees may not have primary responsibility for overseeing risks associated with climate change and other environmental matters—the Audit Committee Practices Report indicates that only 34% of the companies surveyed allocate this responsibility to their audit committees—they have significant responsibility for evaluating disclosures and controls relating to ESG issues. The nature and extent of environmental and climate change disclosures may depend upon the proposed rules on the topic in 2022. However, companies have already begun to provide extensive disclosures on their environmental activities, the risks they face from climate change, and a host of related matters, and it seems likely that even if the SEC rules are not adopted as proposed or at all, companies will provide expanded disclosure on the subject. Particularly, the new European Union (EU) rules will require ESG reporting on a broader set of ESG topics than those required under current and proposed SEC rules and will scope in certain companies that previously were not subject to mandatory nonfinancial reporting requirements, including public and private non-EU companies that meet certain EU-presence thresholds. Given the audit committee’s key role in disclosure oversight, discussed above, any increase in environmental and climate change disclosures (or even broader ESG disclosed metrics) will add to the audit committee’s responsibilities. According to the Audit Committee Practices Report, only 6% of the respondents said that audit committees are responsible for the oversight of ESG strategy, including climate and carbon commitments. However, regardless of whether audit committees take on a larger role in these areas, they will be responsible for determining whether their companies’ internal and disclosure controls are adequate to address the matters in question.
Even in the absence of increased requirements, the SEC has commented on some companies’ disclosures of environmental and climate change matters. For example, a number of companies that publish ESG or sustainability reports that are not filed with the SEC have received comments asking why disclosures in such reports differ from those in the companies’ SEC filings.
Another area of audit committee involvement with environmental and climate change matters relates to the inclusion of quantitative environmental or climate change metrics in companies’ executive compensation plans. While these plans are largely within the jurisdiction of the compensation committee, the audit committee may have a role to play in determining which metrics to use, whether and how achievement of the metrics and the precise impact on compensation can be measured, and the disclosures on these areas. Moreover, to the extent that companies provide third-party assurance as to the computation of the metrics and the impact on compensation, the audit committee is likely to have a role in determining the type of assurance that can be provided as well as who should provide it. Such assurance can provide positive signals to investors and others regarding the quality and reliability of disclosures, and audit committees will have a key role in overseeing assurance engagements.
Post-pandemic challenges: Supply chain disruption, workforce shortages, and inflationary pressure
Effects of the economic and other challenges resulting from the pandemic continue to roil companies and their operations. Disruptions in global supply chains continue to plague industries from manufacturing to consumer goods to health care. The audit committee will need to exercise oversight with regard to how management is addressing the risks associated with supply chain disruptions and how the company satisfies the needs of a wide variety of stakeholders despite the inability to provide products or services in a timely manner.
Companies in a wide range of industries, regardless of size or other characteristics, are experiencing workforce shortages, whether due to historically low rates of unemployment, the so-called “great resignation,” or other factors. As with supply chain challenges, audit committees will need to stay on top of how their companies are dealing with such shortages, the extent to which critical functions may not be adequately addressed, and/or how the company is seeking to alleviate workforce shortages or the problems they create, particularly as these shortages impact the finance and audit functions.
For many companies and their employees, the word “inflation” was meaningless, as global inflationary pressures had not been felt for many years. Depending upon the industry, the geographic locations of operations, and other factors, inflation may have different effects; however, most if not all companies must deal with it in one way or another, and the audit committee will be particularly sensitive to the impact of inflation on financial performance and related disclosures. A related concern, referred to above, is that incidents of accounting fraud tend to increase during times of economic volatility and uncertainty, and audit committees therefore need to be sensitive to that risk, as well.
Wrapping it all up
Of course, the foregoing is a summary of just some of the risk areas that audit committees will likely oversee in 2023. There are many other risk areas, including human capital, geopolitical instability, and energy price volatility, to name just a few, that will almost certainly call for audit committee oversight in the coming year. It is also likely if not certain that new risks will emerge as the year progresses. To the extent that the audit committee’s responsibilities are so broad and that boards and management alike tend to assign new and emerging areas of risk to the audit committee, it is not surprising that the committee has sometimes been referred to as the “kitchen sink” committee. However, given the importance of its responsibilities with regard to risk oversight—among many other areas—that nickname should be regarded as a badge of honor. In any case, audit committees will continue to have vast responsibilities in 2023 and beyond.
Endnotes
1 The Sarbanes-Oxley Act of 2002 mandated the formation of risk committees at certain large financial institutions. However, risk committees have not become prevalent in other companies. According to the 2022 U.S. Spencer Stuart Board Index, only 12% of the S&P 500 had such committees.
2 The survey sought information regarding risks other than those associated with financial reporting and internal controls.
3 Jean Eaglesham, “SEC accountant warns of heightened fraud risk amid recession fears, market selloff,” Wall Street Journal, November 3, 2022.
4 Paul Munter, “The auditor’s responsibility for fraud detection,” US Securities and Exchange Commission, October 11, 2022.