The to-do list for corporate audit committees keeps growing, with members taking on new responsibilities in overseeing cybersecurity, ethics and risk management, according to a new survey .
A reportreleased Tuesday by Deloitte’s Center for Board Effectiveness and Center for Audit Quality, based on a survey of 246 members of audit committees, mostly at large public companies, found that while nearly all respondents (96% ) rank financial reporting and internal controls – including fraud risk – as a priority area, audit committees now also deal with cybersecurity (53%), data privacy security (48%) , ethics and compliance (48%), third-party risk (47%) and enterprise risk management (42%).
Auditors and the audit committees overseeing their work need to pay attention to a wider variety of risks during the pandemic at a time of rising inflation and supply chain constraints.
“Audit committees are essential to high-quality financial reporting which is in turn essential to the proper functioning of financial markets,” CAQ CEO Julie Bell Lindsay said in a statement. “This report provides valuable information for audit committee members who want to learn more about best practices from their peers. “As the audit environment continues to evolve, we encourage audit committees to understand their role in overseeing risk areas and emerging issues.”
According to the report, audit committees are increasingly adding cybersecurity experience/expertise. More than half (53%) of respondents said they have responsibility for monitoring cybersecurity, and 69% plan to spend more time on it in the coming year. At the same time, 35% of respondents indicated that their audit committee members had experience/expertise in cybersecurity, with 41% acknowledging that they needed additional expertise in this area – more than in any other area. Forty-two percent of respondents indicated that the risk of fraud had increased. Additionally, 74% said they had updated their internal controls in the past 12 months to deal with the remote work environment.
“Audit committee oversight and the corporate governance landscape are rapidly changing and becoming increasingly demanding, and that’s not even taking into account the growth of ESG reporting,” said Krista Parsons, chief executive of the company. Audit and Assurance at Deloitte’s Center for Board Effectiveness, in a statement. “The good news is that most audit committee respondents recognize their primary responsibilities, which include oversight of financial reporting, internal controls and the independent auditor. The challenge going forward is to maintain this focus on their core responsibilities while addressing emerging risks and potential new areas of oversight. Ultimately, the audit committee does not necessarily need to monitor all new risks. In some cases, the full board or another committee may be better placed to do this, and the chair of the audit committee may lead these discussions with the chair of the board.
Oversight of enterprise risk management differs, but many survey respondents (42%) indicated that the audit committee is responsible for oversight of ERM in their company. Among ERM leaders, 32% said they expect to spend more time on ERM oversight in the next year.
In addition, environmental, social and governance issues hold the attention of audit committees. Two-thirds (66%) of respondents indicated that their company has published a sustainability or ESG report, and 69% have obtained or are actively discussing obtaining third-party assurance on one or more components ESG or sustainability data. Nevertheless, only 10% of the members of the audit committee indicated that they have responsibility for monitoring ESG reporting.