Blogs

Deloitte and the Center for Audit Quality released "Audit Committee Practices Report: Common Threads Across Audit Committees," based on an September - November 2023 survey of 266 predominantly US-based, public company (89%) and private company (11%) audit committee chairs (61%) and members (39%) across industries (28% financial services industry).

Among the key takeaways:

Cybersecurity—More than half of respondents (58%) said that the audit committee primarily oversees cybersecurity, which was identified as the top committee priority (other than financial reporting and internal controls) for the committee for next 12 months by a wide margin. One-quarter of respondents identified the board as having primary oversight. Nearly three-quarters of respondents reported that cybersecurity was on the committee’s agenda quarterly in the past 12 months.

Nearly half of respondents (48%) said that their committee membership includes cybersecurity expertise, while 44% said additional cybersecurity expertise would enhance the committee’s effectiveness over the next 12 months. A notable 40% indicated that additional technology expertise other than cybersecurity would enhance the committee’s effectiveness over the next 12 months. The perceived value of other additional areas of expertise (e.g., ERM, climate risk, operations, compliance, human capital) paled in comparison.

Enterprise Risk Management—Primary ERM oversight, which was identified as the #2 priority (other than financial reporting and internal controls), is most commonly allocated to the audit committee (47%), followed by the board (35%), or risk committee (15%). Nearly half of respondents said that ERM was on the committee’s agenda quarterly in the past 12 months.

The vast majority of respondents (85%) said their committee includes enterprise risk expertise. Consistent with that statistic, 20% said additional enterprise risk expertise would enhance the committee’s effectiveness over the next 12 months.

Legal compliance—Primary oversight for compliance with laws and regulations ranked #3 in priority (other than financial reporting and internal controls) among respondents. Three-quarters of respondents indicated that this topic was on the committee’s agenda quarterly in the past 12 months. More than three-quarters of respondents said their committee includes members with expertise in this area.

The table below shows whether the full board or a board committee most commonly primarily oversees other enumerated areas:

Other benchmarking data that is responsive to inquiries raised frequently by Society members include:

• Companies represented by respondents are nearly evenly split in terms of whether they discuss the earnings release as part of the regularly quarterly meeting or as part of a separate (potentially telephonic) meeting, at 51% and 49% respectively.
• Respondents allocate nearly three hours (2.73 hours) to the quarterly audit committee meeting, including executive session(s).
• While ranking second overall, 30% of non-financial services company respondents identified improving the quality of pre-read materials as the action that would likely enhance the audit committee’s effectiveness during meetings, while increasing discussion and/or engagement from members during meetings followed at 26%. Increasing discussion and/or engagement from members during meetings ranked #1 for financial services company respondents at 35%.

Results are shown in the aggregate, as well as broken out by financial services and non-financial services company responses.

See these releases from Deloitte and the CAQ; this article: “Audit committees rank cybersecurity as top priority amid SEC crackdown”  CFO Dive); and additional resources (including prior editions of this collaborative Deloitte/CAQ initiative) on our Audit Committees page.

                        This post first appeared in the weekly Society Alert!