The Center for Audit Quality, in a joint effort with Deloitte’s Center for Board Effectiveness, has released its 2024 “Audit Committee Practices Report: Common Threads Across Audit Committees.”  The report highlights the top five audit committee priorities identified by committee members in a survey from CAQ and discusses practices to improve effectiveness and other observations. Interspersed throughout the report are recommendations and advice from the CAQ. What was identified by respondents as the “most important topic, risk, or issue” for their audit committees in the next 12 months? Not financial reporting or financial audits—core responsibilities for the audit committee—as you might expect. Nope, it was cybersecurity.  According to the CAQ report, the scope of audit committee responsibilities “continues to expand beyond the traditional remit of financial reporting and internal controls, internal and external audit, and ethics and compliance programs. Topics like cybersecurity, artificial intelligence (AI), and climate are now regularly showing up on many audit committee agendas, especially when it’s a matter of complying with regulatory disclosure requirements.” Audit committee members and their advisors may want to check out the report.

Audit committee priorities

For the report, 266 respondents participated in the survey, 74% of whom were at public companies; 81% of those companies had market caps in excess of $700 million. According to the CAQ report, 69% of respondents cited cybersecurity as the top priority in the next 12 months. Next on the list, enterprise risk management (48%), followed by a cluster of three other topics: finance and internal audit talent (37%); compliance with laws and regulations (36%); and finance transformation (33%).

Cybersecurity.  The CAQ speculated that the SEC’s new cybersecurity rules could well be a factor contributing to the emphasis on cybersecurity among audit committees.  (See this PubCo post.) According to the survey, 58% of audit committees have primary responsibility for oversight of cybersecurity risk, while 25% responded that the full board has oversight responsibility. In some cases, others had primary oversight, such as the risk committee.  Most (73%) respondents indicated that they discussed cybersecurity at least quarterly, while 15% reported discussing it semiannually and 9% annually. About a quarter of respondents (24%) said their audit committees had sufficient expertise, but 44% indicated that cybersecurity expertise would improve overall committee effectiveness.   That was the case even though 48% of respondents indicated that their committees had “some level of cybersecurity expertise.”

The CAQ advised that companies consider providing directors with external advisers or educational programs on this topic. In addition, the CAQ recommended that, in light of the “pervasive nature of cybersecurity risks, the role of the full board in understanding cybersecurity risk should be considered. At a minimum, the full board should determine the appropriate cadence for discussing the threat landscape and critical business risks affecting the organization.”

ERM.  Oversight of ERM—defined by the CAQ as “the processes used to identify, monitor, and assess risks”—has long been within the remit of the audit committee, and 48% of respondents placed ERM among the top three priorities in the next 12 months. In the survey, 47% of respondents indicated that the audit committee was responsible for ERM oversight, while 35% identified the full board, and 15% the risk committee. The vast majority (85%) reported some level of ERM expertise on the committee. One aspect of ERM oversight responsibility involves assessment of “whether the current ERM processes can handle new threats, whether those processes are efficient and effective, and whether they are supported by the proper resources.” The CAQ observes that “extra vigilance may be in order as the global risk landscape evolves and new types of threats emerge.”  

Part of the audit committee’s role, the CAQ highlights, is to advise management “in identifying and monitoring material risks and seeing that they are brought to the attention of the full board and/or appropriate committee. Directors should encourage management to assess risks on a continuous basis, instead of relying on the outdated approach of conducting a risk assessment on an annual basis and setting it aside until the next year.” Given the increased prevalence of black swan events, such as pandemics, climate disasters and global conflict, the CAQ advises that audit committees adapt their models to monitor the emergence of new risks, “starting by considering high-impact, low-likelihood risks alongside high-impact, high-likelihood risks.”

Finance and internal audit talent. Among respondents, 46% stated that their committees discussed this topic quarterly, and 23% reported only annual discussions. Internal audit can play a role both as an assurance provider and in helping anticipate and advise on the risks ahead. The CAQ found that most respondents “view internal audit as both an effective function and one that adds demonstrable value.” The survey found that almost 80% of respondents believed that internal audit could add more value, perhaps “more a reflection of the talent crunch and rapidly changing business environment than of any discontent with the internal audit function itself.”

The CAQ advises that audit committees “should cultivate and promote strong relationships with both the finance and internal audit teams,” and, in particular,  “maintain regular and robust contact with the CFO to understand the ongoing changes in talent needs and roles within finance.” The CAQ recommends that, for both finance and internal audit, the audit committee should oversee succession planning as well as the impact on both teams of new technologies, such as AI; in that regard, management may need to consider “if certain skills will become redundant and whether there are opportunities to upskill talent.” As a “critical resource for the audit committee,” internal audit “should be encouraged to adopt dynamic risk assessments to stay focused on the greatest areas of risk.”

Compliance with laws and regulations.   Interestingly, compliance with laws and regs increased significantly this year as an audit committee priority, with 36% of respondents citing it among the top three. The CAQ attributes the increase to the “heightened complexity of the regulatory environment.” For 45% of respondents, oversight of compliance was allocated to the audit committee, while 37% allocated oversight to the board and 5% to the risk committee. In addition, 75% of respondents indicated that compliance was discussed quarterly.

The CAQ recommends that audit committees should “understand the laws and regulations the organization is subject to, management’s efforts to comply, and the risk that noncompliance poses. This can help them better assess which risks have the greatest potential for legal, financial, operational, or reputational damage.” The CAQ also advises that management will need to “update the risk assessment processes and risk methodologies” to address new compliance risks and to maintain open lines of communication with the board and audit and risk committees, especially if the company is heavily regulated. The CAQ recommends that audit committees stay on top of the highly controversial proposed NOCLAR regulations, “Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations,” which, if adopted, would “expand the auditor’s obligation to identify and communicate an entity’s noncompliance with laws and regulations.”

Finance transformation. The report recognizes that finance transformation “is complex given that it can be affected by a number of external forces including market shocks, industry consolidation and convergence, technology acceleration, and new regulatory requirements.” All of those factors make “the audit committee’s role in overseeing finance transformation challenging.” According to the report, 39% of respondents indicated discussing finance transformation on an as-needed basis, with 31% discussing it quarterly. The report highlights in particular the emergence of generative AI, a technology for which regulatory frameworks are still in discussion. Audit committees face questions about how and when to invest in this technology for purposes of the finance function and financial risk. The CAQ highlights that 66% of respondents indicated their audit committee spent insufficient time in the past 12 months discussing AI governance.

The CAQ advises that audit committees “should understand emerging finance technologies and how they are being considered and implemented within the organization. Absent any immediate adoption of technologies such as generative AI, management should work with the board to outline governance structures and controls for new technologies.”  Notably, finance transformation may require new skills and expertise, and audit committees can play a role “by supporting the finance team and helping to understand the resources needed—both human and technological.”

Audit committee practices and effectiveness

In the survey, the CAQ also asked about audit committee practices—particularly those practices that might improve effectiveness. The vast majority of respondents (89%) believed that they had adequate meeting time to complete the committee’s agenda, but 65% also responded that the committee’s effectiveness might improve if one or more new strategies were implemented. The CAQ highlighted three principal areas identified by respondents for improvement:

Increased engagement. First, 29% of respondents indicated that increased discussion and/or engagement from members during meetings would improve committee effectiveness, including more preparation by reading circulated material; staying informed on emerging risks, regulatory shifts and industry events; conducting open dialogues with candid questions; asking constructive but challenging questions to management and auditors; and following up if answers are unsatisfactory.

Quality of materials. Second, 28% identified the need to improve the quality of pre-read materials, including ensuring that pre-reads are “comprehensive, but not exhaustive, with respect to operational details”; establishing a single point of contact, designated by the committee chair, to “coordinate pre-read materials and address committee members’ questions as they review pre-read materials”; aligning materials with priorities, and including executive summaries “highlighting critical issues and discussion points, key metrics, and decisions needed”; identifying the nature of the information being presented as informational only or decision-needed and indicating expected committee actions; and including in the materials information on past performance as well as insight on future issues of importance.

Quality of presentations. Third, 26% identified quality of presentations during meetings as an area for improvement, including limiting the number of slides or pages to allow more time to focus on key messages and discussion; promoting dialogue by assuming, as a starting point for the presentation, that everyone has read the pre-read materials and that not every slide must be reviewed during the presentation; limiting the presentation to one-third of the allotted time, so that two-thirds of the time remains for discussion; and, for financial information, highlighting “key changes from the prior period, as well as balances involving judgment, to focus the discussion on areas that warrant the audit committee’s attention. They should also identify areas involving close calls or more subjectivity.”

Other observations

ESG. The CAQ noted a significant shift regarding ESG.  This year, 69% of respondents reported that the audit committee devoted adequate time to this topic, and only 14% of respondents said that the audit committee had oversight responsibility for ESG reporting (with 40% indicating the nom/gov committee was responsible and 30% the full board). Eleven percent said the committee spent too much time on it. Last year, respondents identified ESG as the third highest priority, and 34% indicated that oversight of ESG disclosure and reporting was an audit committee responsibility. Notwithstanding the decline in ESG focus, the CAQ advises that, given the number of new climate regulations, “audit committees should keep an eye on this area…. All these developments seem to have prompted a need to reassess ESG strategies and measurement processes, matters that this year appear to be more in the hands of the board than the audit committee.”

Audit quality.  The survey identified as the most important factors affecting audit quality, first, communications (81%), followed by industry experience (59%) and audit firm quality (54%). The CAQ observes that it’s easier to discuss complex issues and resolve disputes when the audit committee “fosters an environment of trust and transparency.”

Audit committee turnover and rotation.  Only about 32% of respondents expect any audit committee members to rotate off and only 16% expect the chair to rotate. While board succession may be the province of the nom/gov committee, the CAQ recommends that “the audit committee chair should provide input into the process, considering the skills and expertise needed on the audit committee to effectively carry out its responsibilities.”

Audit committee expertise. According to the survey, 25% of respondents don’t think they need any additional expertise on the committee. Among those that did think more expertise was needed, 44% identified expertise in cybersecurity, 40% technology, 20% ERM and 19% climate risk. The CAQ recommends that boards “monitor the committee members’ skill sets so that they have appropriate expertise to effectively carry out their oversight responsibilities,” particularly as the remit of the committee expands.

Posted by Cydney Posner