Audit committees in the US, already contending with the ongoing impact of the pandemic, are also being challenged by increased complexity in their core responsibilities across other areas within their organisations, a new Deloitte survey suggests.

Cybersecurity and ESG

The Audit Committee Practices Report: Common Threads Across Audit Committees, a survey of 246 audit committee members of primarily large-cap, public companies in the US, provides an illuminating snapshot of how audit committee responsibilities are expanding.

In particular, the report shows that while nearly all respondents (96%) rank financial reporting and internal controls – including fraud risk – as a top area of focus, audit committees are also focused on cybersecurity (53%), data privacy security (48%), ethics and compliance (48%), third-party risk (47%) and enterprise risk management (ERM) (42%).

Krista Parsons, Audit & Assurance managing director with Deloitte’s Centre for Board Effectiveness, said:

“Audit committee oversight and the corporate governance landscape are evolving rapidly and becoming increasingly demanding, and that’s even before considering the growth around ESG reporting.

“The good news is most audit committee respondents recognise their primary responsibilities, which include oversight of financial reporting, internal controls, and the independent auditor,” Parsons added.

“The challenge in the future is maintaining this focus on their core responsibilities while addressing emerging risks and potential new areas of oversight. At the end of the day, the audit committee doesn’t necessarily need to oversee all new risks. In some instances, the full board or another committee may be better positioned to do so, and the audit committee chair can drive those discussions with the board chair,” Parsons continued.

Indeed, additional responsibilities such as ESG (environmental, social, governance) are increasingly capturing the audit committee’s attention. Two-thirds (66%) of respondents noted that their company issued a sustainability or ESG-related report, and 69% obtained or are actively discussing obtaining third-party assurance on one or more components of ESG or sustainability data. Still, only 10% of audit committees reported having oversight responsibility for ESG reporting.

However, given the audit committee’s role, certain ESG-related areas typically fall within their purview, including understanding and oversight of internal controls around ESG metrics, disclosures and reporting requirements, assurance activities, and the connection between ESG strategy and impacts on the financial statements.

The survey respondents suggest that audit quality among public companies remains high – 98% of respondents stated audit quality either increased or remained the same as the previous year – and that competence of the engagement team and strong communication between the engagement partner and the audit committee contribute most to audit quality.

Julie Bell Lindsay, chief executive officer of the Centre for Audit Quality (CAQ), said:

“Audit committees are critical to high-quality financial reporting that is in turn critical to functioning capital markets. This report provides valuable insights for audit committee members seeking more information about their peers’ leading practices.

“As the audit environment continues to evolve, we encourage audit committees to understand their role in overseeing risk areas and emerging issues,” Lindsay added.

Audit committees are increasingly adding cybersecurity experience/expertise, according to the report. More than one-half (53%) of respondents said they have oversight responsibility for cybersecurity, and 69% of those anticipate spending more time on it in the coming year. At the same time, 35% of respondents reported their audit committee members have cybersecurity experience/expertise, with 41% acknowledging they needed additional expertise in this area – more than any other area.

Additional key takeaways

  • Forty-two percent of respondents indicated fraud risk has increased. Additionally, 74% said they updated their internal controls over the last 12 months to address the remote work environment.
  • Oversight of ERM (enterprise risk management) varied, but most of the respondents (42%) indicated the audit committee is responsible for overseeing ERM at their companies. Of those responsible for ERM, 32% indicated that they expect to spend more time on ERM oversight in the next year.