Deloitte and the Center for Audit Quality released their inaugural "Audit Committee Practices Report," based on an August/September 2021 survey of 246 US-based public (86%) and private company audit committee members across industries (24% in the financial services industry).
Among the key takeaways:
Cybersecurity - More than half of respondents (53%) said that the audit committee oversees cybersecurity. Of those, 60% include cybersecurity on their agendas quarterly; 35% say their committee includes cybersecurity expertise; and 62% identified this topic as a top priority for committee focus this year. Nearly half of respondents (48%) said the audit committee is responsible for data privacy oversight.
Ethics & Compliance - Almost half (48%) of audit committees are responsible for ethics & compliance oversight. Of those, nearly 75% include this topic on their agenda quarterly.
Third-Party Risk - 47% of respondents said the audit committee is responsible for third-party risk oversight. Of those, less than 25% include this topic on the committee’s agenda quarterly.
Enterprise Risk Management - ERM oversight is most commonly allocated to the audit committee (42%), followed by the board (33%), risk committee (20%), or other (5%).
ESG Reporting - Audit committees are not commonly responsible for oversight of the company’s ESG reporting, with just 10% identifying this as within the audit committee’s remit. The report identifies the areas of ESG reporting that should commonly fall within the committee’s purview, including DC&P; alignment of ESG strategy and goals/metrics; and assurance-related activities.
As shown above, oversight of digital transformation, ESG reporting, corporate culture, and DE&I is most commonly retained at the full board level.
For committees with oversight responsibility, the majority (or, where there is no majority, the plurality) of responses indicates that topics generally appear on the audit committee agenda with the following frequency:
- On the agenda quarterly: financial reporting & internal controls, ethics & compliance, cybersecurity, fraud risk, ERM, and data privacy & security
- On the agenda semi-annually: supply chain risk
- On the agenda on an as-needed basis: digital transformation, ESG reporting, corporate culture, and third-party risk
DE&I’s coverage on the audit committee's agenda is evenly divided (25% each) among annually, semi-annually, quarterly, and as-needed.
See the CAQ’s release and additional resources on our Audit Committees, Board Practices/Governance Practices, Board Committees and Board Meetings pages.
This post first appeared in the weekly Society Alert!