The role played by public company audit committees in cybersecurity risk oversight continues to increase, while some audit committees are beginning to take on ESG oversight, according to the 2022 Audit Committee Transparency Barometer report issued Wednesday by the Center for Audit Quality (CAQ).
For the first time in the history of the annual report, more than half (54%) of S&P 500 companies disclosed that their audit committees are responsible for cybersecurity risk oversight. When the datapoint was first added in 2016, just 11% of the S&P 500 disclosed the same.
A recent PwC survey found that senior executives around the world viewed "a catastrophic cyberattack" as the risk they most commonly are incorporating into resilience plans.
The Audit Committee Transparency Barometer, in its ninth year, looked at disclosures related to environmental, social, and governance (ESG) matters for the first time. The report — issued in conjunction with Audit Analytics, an Ideagen solution — showed that 18% of S&P 500 proxy statements disclosed that the audit committee was responsible for ESG oversight, and 39% disclosed that the board of directors had an ESG or sustainability expert.
The percentages were lower among the S&P MidCap 400 — with 10% disclosing that the audit committee was responsible for ESG oversight and 26% disclosing the presence of a sustainability expert on the board — and lower still among S&P SmallCap 600 companies (7% and 18%, respectively).
Lower rates of disclosure among smaller public companies aren't limited to ESG. With a few minor exceptions through the years, the rate of audit committee disclosures is the greatest among the S&P 500 and lowest among the S&P SmallCap.
In the report's conclusion, the CAQ "encourages audit committees to continue to improve disclosures and enhance transparency of the critical oversight work they perform."
Toward that goal, the report includes examples of effective disclosures related to the report's findings and offers four steps audit committees can take to enhance their disclosures:
- Define your goals;
- Actively seek out disclosure examples;
- Advocate for your disclosures; and
- Regularly revisit disclosures.
While some of the advice may seem common sense in nature, a report issued in conjunction with the annual barometer digs deeper.
The CAQ, which is affiliated with the AICPA, partnered with researchers from the Neel Corporate Governance Center at the University of Tennessee and the Pamplin College of Business at Virginia Tech to produce Audit Committee: The Kitchen Sink of the Board. Based on more than 2,200 hours of interviews with audit committee leaders and other key stakeholders, the report delves into the practice of "perpetually assigning emerging risks to the [audit committee] (i.e., the 'kitchen sink' approach)," and how such an approach can lead to "suboptimal oversight due to overworked [audit committees] and a 'check the box' mentality."
The report offers practical advice on how boards can effectively allocate responsibilities to audit committees and how audit committees can manage their workloads while continuing to improve disclosures related to oversight responsibilities.
— To comment on this article or to suggest an idea for another article, contact Bryan Strickland at Bryan.Strickland@aicpa-cima.com.