In May, SEC Chief Accountant Paul Munter, quoted here, cautioned his conference audience about the potential for audit committee overload. “More demands are being put on audit committees, sometimes on topics outside their core responsibility,” he said. “Audit committees need to be continually vigilant that they have enough time to focus on their core mission—protecting investors—and don’t let other topics cloud that out.” While the AC’s primary responsibilities are generally thought to be oversight of financial reporting, including the audit of a company’s financial statements and internal control over financial reporting, these days, the AC often becomes the default committee of choice for oversight of other emerging risks, such as cybersecurity and even ESG. With ACs now perhaps the “kitchen sink of the board,” are their members stretched too thin to carry out fundamental responsibilities? Are members being asked to operate outside of their core skillsets? What is the impact? These concerns appear to have prompted the panel at last week’s meeting of the SEC’s Investor Advisory Committee discussing AC workload and transparency.

[Based on my notes, so standard caveats apply.]

The moderator of the panel observed that, in a statement in October last year, Munter reported that the Association of Certified Fraud Examiners “estimates that organizations lose 5% of revenue to fraud each year, an estimated loss of $4.7 trillion on a global scale.” In addition, the moderator noted, based on a recent study, 10% to 15% of companies annually experience some type of accounting misconduct. This data highlights the question: do the burdens on the AC impair its ability to perform its main function related to audits, financial reporting and internal controls?

According to the first speaker on the panel, an academic from the University of Tennessee, a survey from the Center for Audit Quality and Deloitte of 164 AC members in 2022 showed that the responsibilities of the AC have certainly stretched to encompass a variety of topics outside the ambit of financial reporting: for example, 43% of those surveyed said their ACs were also responsible for enterprise risk management and third-party risk; 53% oversaw cybersecurity risk and ethics and compliance; 40% had responsibility for privacy and 34% for ESG reporting and disclosure.

How did that happen?   Generally, the speaker said, if responsibility for an area is not taken on by the whole board, it often devolves to the AC.  In the speaker’s study of AC members as well as preparers and other professionals, 40% of participants described the AC as the default choice—the kitchen sink—with most participants describing “how these evolving oversight issues relate to disclosures, quantifiable metrics, and internal controls, which are closely related to their core traditional responsibilities.” But that default choice may have these unintended consequences: the AC may not have the proper skills for the oversight role, may view the assignment as short-term with a check-the-box mentality and may not have enough time for its fundamental financial reporting and fraud detection oversight role.  On the other hand, 30% of interviewees said they were given the additional responsibility as a result of their own personal interests or continuing education with the potential consequence that the committee may not have an appropriate succession plan in the event the member leaves the committee, as well as possible “overconfidence bias” in the absence of other skilled members to provide challenges.

Why do some boards decide not to make the AC primarily responsible for additional risk areas? Of the study participants, 30% indicated workload concerns as the reason; 25% reported that they believed the risk area involved a broader strategy or big-picture approach that required the attention of the full board or the skill set of other board members.

How can investors assess the efficacy of the work allocation across the board and “whether board members have sufficient time and expertise”? One way is by examining proxy statement disclosure about the audit committee.  In assessing that disclosure, the speaker categorized companies in three groups: those that provide only boilerplate disclosure; those that follow best practices, such as illustrated in the CAQ’s Audit Committee Transparency Barometer (see this PubCo post), but do not really provide individualized disclosure; and a group of leaders that provide more specific disclosure tailored to the particular company. Generally, the speaker indicated that investors want to see five issues addressed in the proxy statement:

  • “Clearly define the allocation of risk oversight for the overall board and the committees [currently required by regulation]
  • Explain why the AC members, individually and as a whole, are appropriate for this specific company
  • Highlight details about continuing education
  • Describe how the AC addresses key risks
  • Discuss more than just external audit oversight if the AC has a broader set of oversight responsibilities.”

The speaker concluded that companies might voluntarily expand AC disclosures if they heard more from investors and related service providers. Study participants, the speaker observed, did not think there was much investor interest in this area of proxy disclosure or concern that the disclosure was inadequate. 

The Committee also heard from a speaker from the CAQ, discussing the CAQ Audit Committee Transparency Barometer, which, since 2013, has surveyed AC proxy disclosures from the S&P 1500 with the goal of encouraging voluntary disclosure about factors such as oversight, selection of the auditor and engagement partner, and factors affecting compensation.  The Barometer includes examples and questions to consider.  To some extent, the Barometer for 2022 illustrated the dearth of tailoring discussed by the prior speaker. For example, while a healthy majority of companies surveyed discussed auditor tenure, a very small percentage discussed how the AC considered the length of time—i.e., pros and cons—that the auditor has served in that capacity. Similarly, many proxy statements will disclose that the AC has a role in selection of the engagement partner, but very few discussed the process for AC involvement in that selection—e.g., is the entire AC involved or just the chair? do they interview multiple candidates? In response to a question from a committee member, the speaker observed that there was typically no discussion of auditor staff turnover. But one committee member noted that too much staff turnover could be a potential problem at companies of which he is a board member.   Generally, the speaker said that the disclosure trends were positive over time.  For example, the proportion of companies disclosing whether the AC is responsible for cybersecurity oversight has increased.    The speaker found that most ACs were willing to expand disclosure, but the challenge was where to expand and how to avoid disclosure overload.

In the broader panel discussion, panelists expressed concerns about AC bandwidth and workload, but seemed more concerned about director skillsets—issues such as cyber, AI or privacy require quite different skills than financial reporting oversight. For example, cybersecurity oversight appears to comprise issues similar to internal controls and ESG involves various metrics—both of which seem to be in the same neighborhood of AC financial oversight responsibilities—but the AC would still need to have or add the right expertise, for example, to have the knowledge to delve into these nonfinancial topics or to challenge management when appropriate. These concerns can be addressed to some extent through experts, continuing education or AC refreshment. But this issue requires careful navigation. Good ACs know their limitations, commented one panelist. Different committees have different remits, depending on the complexity of the business. For example, in some cases, risk oversight may be an issue for the whole board. In other cases, such as large financial services companies, there may be a special risk oversight committee. In smaller companies, the remit of the AC may depend on the skills of the members or the company’s business model. But none of the panelists had seen questions from investors about these issues or feedback related to a lack of understanding of what the AC does. What do investors want to see in AC disclosure? Perhaps the AC needs to engage more with investors to understand what they want to see to facilitate their assessment of the AC. None of the panelists advocated more SEC regulation beyond the current Reg S-K Item 407, but some of the speakers thought that some guidance from Corp Fin might be useful at this point. The most important element, one speaker ventured, is to tell the company’s story, and regulation can’t really address that. To be sure, one panelist noted, most companies are looking for continuous improvement.

One of the speakers reported that there was one published study that showed some correlation between AC disclosure and audit quality, but the other speaker observed that, in her study, participants indicated that they would not draw any conclusions about audit quality from the nature and extent of the disclosure.  When asked how best to indicate in the proxy statement that risk oversight is adequate, one panelist reported that one board on which he served showed how risk oversight was distributed among committees and the board in a way that tells a story. Others mentioned disclosure regarding talent, the tone at the top and a culture of transparency that the AC would like to foster as well as the connection to strategy and purpose and value creation drivers. 

Posted by Cydney Posner