Cybersecurity trends continue in 2021 audit committee transparency report

In its eighth year, the 2021 Audit Committee Transparency Barometer tracked proxy disclosures among the S&P 1500 related to audit committee oversight of auditors and audit-related matters. This year’s report covered proxy disclosures filed from July 1, 2020, through June 30, 2021. The CAQ and Audit Analytics cited specific examples of effective disclosures in each area assessed to assist other audit committees in their future disclosures.

“We are pleased to see that the positive, long-term trend of increased audit committee disclosures in public company proxy statements has continued,” said Julie Bell Lindsay, CEO of the CAQ. “Investors do not always have insight into the oversight activities that audit committees perform, which is why these disclosures are so important.”

Cybersecurity

According to the report, the biggest year-over-year increase in audit committee disclosures concerned cybersecurity. “These disclosures continue to be the biggest mover year-over-year, increasing by 5 to 7 percentage points among S&P 500 companies each year since 2016,” the report said.

Disclosures about audit committee responsibility for cybersecurity risk oversight increased from 11 percent of S&P 500 companies in 2016 to 46 percent in 2021, up from 39 percent in 2020. The report attributed increased disclosure in this area to audit committees’ oversight of cybersecurity risks relating to companies’ greater dependence on technology in line with the trend toward remote work because of COVID-19.

Other disclosures related to cybersecurity include whether the board of directors has a cybersecurity expert (34 percent) and on what board committee that expert serves (32 percent).

The report noted, “As investor and other stakeholder interest in cybersecurity vulnerabilities increases, the CAQ expects that boards and audit committees will continue this upward disclosure trend.”

Non-audit services and independence

In 2021, non-audit services and independence had the highest rate of disclosure among S&P 500 proxy statements at 83 percent. The figure has been historically high, ranging from a low of 78 percent to a high of 84 percent during the eight-year period of the reports. This has been an area of frequent attention from both the Securities and Exchange Commission and the Public Company Accounting Oversight Board, so it is one audit committees spend a significant amount of time reviewing.

Related disclosures with rates above 50 percent include the length of time the auditor had been engaged (70 percent, relatively unchanged since 2018); criteria used to evaluate audit firms (52 percent, up from 51 percent in 2020, with increases every year from 8 percent in 2014 ); and audit committee involvement in selecting the audit engagement partner (50 percent, relatively unchanged since 2017 but significantly higher than 13 percent in 2014).

Audit firm oversight

The report found a moderate rate of disclosure in 2021 relating to mandatory audit partner rotation (49 percent of S&P 500), audit committee considerations in appointing the auditor (44 percent), and evaluation of the external auditor at least annually (32 percent). Each of these areas experienced only a 0-1 percent increase from 2020 but have been trending upwards since 2014.

Areas with opportunities for improvement

The report noted a number of areas where there were not high levels of disclosure and stated this has been the case for some time. Examples include:

• Audit committee responsibility for fee negotiation (18 percent of S&P 500, ranging between 16 percent and 20 percent since 2015);
• Explanation of changes in fees paid to auditors (17 percent, the fifth year in a row this disclosure has declined for the S&P 500 from a high of 34 percent in 2016);
• Discussion of audit fees and connection to audit quality (5 percent, relatively unchanged since 2017, with a high of 13 percent in 2014);
• Discussion of how the audit committee considers auditor compensation (3 percent for the second year in a row and never higher than 1 percent in eight years); and
• Significant areas discussed with the auditor (0 percent, unchanged since 2016 and never higher than 3 percent in 2014).

Critical audit matters

Last year’s Audit Committee Transparency Barometer observed an increase in CAM-specific proxy disclosures by the S&P 1500 after the 2019 change calling for communication of CAMs in public company auditor reports. In 2020, the report found more than 6 percent of companies mentioned CAMs and stated the audit committee had discussed CAMs with the auditor. The report indicated there could be more audit committee disclosures in proxy statements related to CAMs as more audit reports included them.

In 2021, there is no report of the percentage of CAM-specific disclosures. The report mentioned CAMs in its discussion of the low level of disclosure of significant areas discussed with the auditor. It noted although CAMs provide information about significance from the auditor’s point of view, and financial statement disclosures provide what is significant to management, disclosure of the audit committee’s significant discussions with auditors is important so audit committees can indicate what they considered significant and how they addressed those issues with the auditor.