Deloitte’s Center for Board Effectiveness and the Center for Audit Quality (CAQ) last month issued a report on audit committee practices and the major issues audit committees face today. The report is based on a survey of 246 audit committee members from predominantly large (more than $700 million market cap) public companies with primary operations in the United States.

Audit quality continues to be a core audit committee responsibility, according to the survey. Despite the pandemic and working remotely, the report noted nearly all respondents thought audit quality remained the same (66 percent) or increased (32 percent) compared to last year. Competent auditors and strong communication between the audit committee and the audit partner were cited by 85 percent of those surveyed as the most important contributing factors.

“Audit quality has improved a lot, and SOX (Sarbanes-Oxley) made a huge difference in establishing quality control systems at audit firms and changing the level of dialogue to be a lot more open and candid,” said Greg Weaver, chairman of the audit committees at Verizon and Goldman Sachs Asset Management. “Use of technology is also starting to contribute to the quality of audit work, but not as quickly as a lot of us thought it might.”

Weaver attributed the effectiveness of Verizon’s audit committee to open dialogue and access to auditors at all levels, along with expertise, curiosity, and willingness to ask both obvious and hard questions.

“We have a good professional relationship, and as a big company we get a lot of attention,” he said. “Our committee includes former Big Six auditors and CFOs who are used to interacting with auditors and have set expectations about preparedness, respectful and candid conversations, vetting of issues, ability to disagree, and no surprises.”

Said Theodore H. Bunting Jr., chairman of the audit committee at NiSource and audit committee member for Hanover Group, “Audit committees play a key role in audit quality, including external auditor oversight and risk management, and it is important this does not get lost in the conversation about audit committee responsibilities.”

Financial reporting and internal controls, including risk of fraud, was noted as another core responsibility and focus of audit committees, with 89 percent of respondents including this topic on their quarterly agendas. The survey found 73 percent of respondents expected to spend the same amount of time on financial reporting and internal controls this year as last year, and 24 percent expected to spend more time.

Although audit quality is strong, 42 percent of those surveyed said fraud risk was up, with 74 percent noting they updated their internal controls in the past year to address and deter potential fraud risks related to working remotely. In addition, 56 percent reported a heightened focus on fraud by the audit committee, along with an increased use of internal audit (61 percent) and technology, including artificial intelligence and machine learning (57 percent).

“There was a higher level of concern about fraud risk and the control environment during the pandemic because of hybrid or remote work,” Weaver said. “… I was surprised at how well remote work has worked out to date at Verizon because management was very responsible in managing the control environment and keeping the lines of communication open.”

Cybersecurity and data privacy issues have been top of mind for companies and audit committees the past few years. Of those audit committees with cybersecurity oversight, 69 percent expected to spend more time on it next year compared with last year, and 62 percent considered cybersecurity to be one of their top risks, according to the survey. Respondents noted they consulted with cybersecurity subject matter specialists more than any other type of adviser in the last year.

Additional survey results

  • Audit committee is responsible for overseeing cybersecurity (53 percent)
  • Audit committee is responsible for overseeing data privacy and security (48 percent)
  • Cybersecurity is included on quarterly meeting agendas (60 percent)
  • Committee members have cybersecurity experience (35 percent)
  • Additional committee expertise needed in this area (41 percent)

“Regulation is clearly driving focus in this area, and audit committee attention is appropriate,” said Bunting. “Cybersecurity is a specific agenda item at NiSource three times a year, and we have a cyber report at every meeting. Cyber reporting requirements are changing, and companies need to ensure they have an appropriate framework in place.”

Bunting noted the cyber risk assessment includes having the right IT people at meetings, getting a third-party perspective about the cyber environment, and ensuring budget and human resources are adequate and allocated appropriately to address risks. “If an incident happens, audit committees need to think about whether it could have happened to them and what they are going to do to protect themselves against similar events,” he said.

“The evolution of key risks in this area and the role of auditors in detecting them takes me back to my days of having conversations about the auditors’ responsibility for detection of fraud, risk of collusion, and joint responsibilities with management,” Weaver said. “I think we are going to have a lot of those conversations around cybersecurity going forward.”

Ethics and compliance programs cover legal and regulatory matters, along with company culture, and can include whistleblower programs. In the survey, 48 percent of respondents said their audit committees have responsibility for overseeing ethics and compliance, and 74 percent included this topic on their quarterly agendas.

“During the pandemic, the level of dialogue with management in this area stayed high, including quarterly discussions about trends and how matters were being addressed,” Weaver said. “There were fewer personal interaction complaints but more anonymous hotline inquiries.”

Although third-party risk appeared less frequently than ethics and compliance on quarterly agendas for those surveyed (22 percent), 47 percent reported they were responsible for oversight in this area.

“Risk management has always been an element of the audit committee agenda, but third-party risk is emerging as one requiring more focus than in the past,” Bunting said. “This is an area where I spent more time and you will see more audit committees spending time, given the virtual environment and the digitalization movement taking place.”

Bunting noted greater use of contractors, outsourced information technology, and use of the cloud as areas of increasing third-party risk.

Enterprise risk management (ERM) and oversight was an area where 32 percent of audit committee members expected to spend more time in the coming year to manage the increasing kinds of risks, including environmental, social, and governance (ESG); regulatory; supply chain; economic; and geopolitical risks. ERM oversight was the responsibility of the audit committee for 42 percent of those surveyed, with other options including the board (33 percent) and risk committee (20 percent).

“At every meeting we have a different business unit report on its high-level business risks and how they impact the control environment and financial risk,” Weaver said. “It is a more holistic approach that hopefully matches up with the bottom-up approach the auditors use.”

“Regulated utilities and financial services have increased compliance risk due to the continuing evolution of rules and regulatory orders,” Bunting said. “There needs to be more focus by audit committees to make sure companies have a framework in place that mitigates the risk of noncompliance.”

Audit committee engagement in performing their responsibilities was high. Despite Covid-19, 86 percent reported the frequency of audit committee meetings had not changed, and 14 percent reported an increase.

Committee members at large cap companies surveyed indicated they are 1.5 times more likely than smaller cap companies to spend more than 100 hours a year on board activities, with 27 percent reporting they spent 250 hours or more per year.

“For audit committees to be effective, along with open communication, they need to use meeting time wisely to focus on core responsibilities and higher risk items,” Bunting said. He recommended use of an annual meeting calendar to translate the audit committee charter into effective meeting agendas with appropriate time allocated.

ESG reporting and audit committee involvement is an area where oversight might be shared across board members. As part of their role in oversight of financial reporting and internal controls, audit committees might supervise information and related risks pertaining to sustainability metrics disclosed in company filings, separate reports, and company websites.

In addition, they need to understand how ESG strategy, goals, and metrics align with amounts and disclosures in financial statements and consider the need for third-party assurance over ESG information. Only 10 percent of audit committee respondents indicated they have oversight for ESG reporting at this time.

“To date, my experience is this area has been more the responsibility of the corporate governance and nominating committees because they are responsible for proxy statements and shareholder questions,” Weaver said. “There is an assumption on the part of many, including asset managers, that because there is reporting of numbers, sustainability reporting becomes an audit committee responsibility. We need to get ourselves aligned around where the responsibility falls, and the sooner we get standardized reporting the better because there are still a number of bodies setting standards around what quality sustainability reporting is.”

As this area continues to evolve and new reporting requirements are expected, it is likely that audit committee involvement will increase in the near term.

“There have been more board-level conversations recently in anticipation of where regulation and disclosure might go in this area, about how the numbers are generated for sustainability reports, and the level of controls that need to be in place if and when they become part of financial reports in order to stand up to external scrutiny over the longer term,” Weaver said.