Although public company audit committee disclosures on cybersecurity continue to increase significantly, other disclosures by audit committees increased just slightly or stagnated in 2021 compared with 2020, according to a Center for Audit Quality (CAQ) report issued Wednesday.
For the eighth straight year, the CAQ's Audit Committee Transparency Barometer measured disclosures by audit committees of S&P 500, S&P MidCap, and S&P SmallCap companies. The CAQ encourages thorough disclosures by audit committees in proxy statements to promote high-quality performance by auditors and investor trust in the audit committee's oversight role.
This year's study shows that cybersecurity disclosures by audit committees continue to climb and are dramatically more common than they were even just a few years ago. For example, 46% of S&P 500 companies in 2021 disclosed the audit committee's responsibilities for cybersecurity risk oversight. That's up from 39% a year earlier and just 11% as recently as 2016. The results for S&P MidCap and S&P SmallCap companies showed similar trends.
In addition, 34% of S&P 500 companies disclosed in 2021 whether the board included a cybersecurity expert (up from 28% last year and 7% in 2016).
The percentage of audit committees making other disclosures was largely unchanged compared with 2020. The most common disclosures reported in the survey were:
- Discussion of how nonaudit services may affect independence. This disclosure was made by 83% of S&P 500 companies, 80% of S&P MidCap companies, and 76% of S&P SmallCap companies.
- Disclosure of the length of time the auditor has been engaged (70% S&P 500, 59% S&P MidCap, and 54% S&P SmallCap).
- Discussion of criteria considered when evaluating the audit firm (52% S&P 500, 39% S&P MidCap, and 35% S&P SmallCap).
- Explicit statement that the audit committee is involved in the selection of the audit engagement partner (50% S&P 500, 22% S&P MidCap, and 12% S&P SmallCap).
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA's editorial director.