In our seventh year of analyzing disclosures of audit committee oversight in proxy statements of companies in the S&P Composite 1500 (S&P 1500), the 2020 Barometer shows encouraging long-term trends across topics such as Audit Firm Evaluation and Supervision. We also see positive trends in disclosure of risk oversight in emerging areas such as Cybersecurity, COVID-19 and the discussion of Critical Audit Matters (CAMs). We are pleased to highlight numerous examples from this year’s population of proxy statements.
Increasing disclosures build investor confidence in capital markets, and companies can take action to accelerate the trend. The information in disclosures is particularly helpful to investors now as they seek additional information about audit committee oversight of public company financials during the uncertainty of the pandemic.
Our 2019 Audit Committee Transparency Barometer identified certain areas of concern and opportunities to enhance transparency. In particular, discussion of audit fees and their connection to audit quality (Question 3), how the audit committee considers auditor compensation (Question 4), and disclosure of significant areas of discussion with the auditor (Question 10) remain low in 2020, and we call on audit committees to consider ways to increase such disclosure.
Highlights of the 2020 Barometer
S&P 1500 Long-term Trends
Since the inception of the annual Audit Committee Transparency Barometer in 2014, the CAQ and Audit Analytics have tracked 12 key disclosure areas. It is encouraging to see the progress that has been made in transparency of audit committee oversight over the past seven years.
Across the S&P 1500, many disclosures have increased significantly over time; however, one area that is stagnant relates to auditor compensation (Questions 3-7). For example, disclosure of explanations for changes in fees paid to the external auditor (Question 7) has dipped in recent years. Unlike many of the disclosures tracked within the annual Audit Committee Transparency Barometer, changes in audit fees may be dependent on the occurrence of specific events or transactions.
The COVID-19 pandemic and the related market conditions created many new uncertainties for public companies, auditors, investors and audit committees. As SEC Chair Jay Clayton recognized, the continuing operation of the US capital markets is an essential component of our national response to, and recovery from, COVID-19.
With the global pandemic reaching the US in earnest in March 2020, some companies provided transparency into the Board’s approach to navigating the virus and its impact.
Read Covid-19 examples:
Electronic Arts Inc.
Board of Directors
Our Board of Directors oversees our risk management. The Board of Directors exercises this oversight responsibility directly and through its committees. The oversight responsibility of the Board of Directors and its committees is informed by reports from our management team that are designed to provide visibility into our key risks and our risk mitigation strategies. Material business and strategic risks are reviewed by the full Board of Directors. While the Board of Directors has ultimate risk oversight with respect to risks related to privacy and cybersecurity and receives periodic updates on these risks and mitigation strategies, the Audit Committee also receives quarterly updates from EA’s information security team that review the steps taken by management to monitor and control these risks. In addition, the Board of Directors has oversight with respect to risks related to the COVID-19 pandemic. While its committees are addressing COVID-19 risks specific to their delegated duties, the Board of Directors has reviewed, overseen and continues to monitor the identification of COVID-19 risks and mitigation strategies related to the Company’s return-to-work procedures, business strategy, business continuity, and the impact on the Company’s financial planning.
Risks related to financial reporting, internal controls and procedures, investments, tax and treasury matters and compliance issues are reviewed regularly by the Audit Committee, which oversees the financial reporting, global audit and legal compliance functions. The Audit Committee has overseen risks from the COVID-19 pandemic to the Company’s internal controls over financial reporting, disclosure controls and procedures and independent audit, as well as the way in which business risks related to COVID-19 are communicated in the Company’s SEC filings. The Audit Committee also oversees our enterprise risk management program, which identifies and prioritizes material risks for the Company, including, if material, risks related to corporate responsibility matters, and the mitigation steps needed to address them. The Nominating and Governance Committee reviews risks related to director and CEO succession and monitors the effectiveness of our corporate governance policies. The Compensation Committee oversees risks related to our people practices, including employee engagement, retention and pay equity. It also reviews compensation-related risks with members of management that are responsible for structuring the Company’s compensation programs, including compensation-related risks resulting from the short-term and long-term uncertainties to the Company’s financial planning as a result of the COVID-19 pandemic. Each of the committees regularly reports to the full Board of Directors on matters relating to the specific areas of risk that each committee oversees.
Momenta Pharmaceuticals, Inc.
The audit committee’s role in the risk oversight process includes receiving regular reports from our compliance officer, who oversees our compliance program, members of senior management on our compliance committee who have functional compliance responsibility, and other members of senior management on areas of material risk to us, including operational, financial, legal, regulatory, strategic, cyber and reputational risks, as well as, more recently, the risk exposures related to the coronavirus (COVID-19) pandemic. The audit committee receives these reports from the appropriate compliance “risk owner” within the Company to enable the audit committee to understand our risk identification, risk management and risk mitigation strategies. The chair of the audit committee reports on these discussions to the full board during each regularly‑scheduled board meeting. Management is actively assessing the impact of the COVID-19 pandemic and reporting to the board on an as needed basis.
Critical Audit Matters
In 2019, a major change occurred in certain auditor’s reports. As a result, auditors of public companies are now required to communicate CAMs in their auditor’s reports. The Public Company Accounting Oversight Board (PCAOB) defines a CAM as: any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee, and that (1) relates to accounts or disclosures that are material to the financial statements, and (2) involved especially challenging, subjective, or complex auditor judgment. With these new PCAOB requirements, auditors communicate directly to users of the auditor’s report information about those areas of the audit that involved especially challenging, subjective, or complex auditor judgment.
The implementation of the requirements to determine and communicate CAMs has resulted in auditor’s reports that provide more information about the audit. In parallel with increased auditor transparency, the CAQ and Audit Analytics have observed CAM-specific proxy disclosures in the S&P 1500 population tracked for the annual Audit Committee Transparency Barometer.
Over 6% of companies mention CAMs within their audit committee disclosures, stating that the audit committee has discussed CAMs with the auditor. As more auditor reports include CAMs, more audit committee disclosures related to CAMs may begin to appear in proxy statements.
Read CAMs examples:
United Airlines Holdings, Inc.
During the last year, and earlier this year in preparation for the filing with the SEC of the 2019 Form 10-K, the Audit Committee, among other matters:
- reviewed and discussed with the independent auditors: (1) their judgments as to the quality of the accounting principles applied in the Company’s financial reporting; (2) the critical audit matters (“CAMs”) addressed in the audit and the relevant financial statement accounts or disclosures that relate to each CAM; (3) the written disclosures and the letter received from the independent auditors required by applicable requirements of the Public Company Accounting Oversight Board (the “PCAOB”) regarding the independent auditors’ communications with the Audit Committee concerning independence, and the independence of the independent auditors; and (4) the matters required to be discussed with the Audit Committee under the applicable requirements of the PCAOB and the SEC.
Critical Audit Matters
In conformance with Public Company Accounting Oversight Board rules, the Committee reviewed and discussed with [Audit Firm] four critical audit matters arising from the current period audit of Exelon’s financial statements. Critical audit matters (or CAMs) are defined to be any matter arising from the audit of the financial statements that was communicated or required to be communicated to the Audit Committee and that 1) relate to accounts or disclosures that are material to the financial statements and 2) involve especially challenging, subjective, or complex audit judgment. The Committee concurred with [Audit Firm]’s assessment and identification of the CAMs contained in its Audit Report included within Exelon’s 2019 Annual Report on Form 10-K.
Cybersecurity disclosures have increased dramatically over the last five years. Companies are facing not only increasing cyber threats but also new laws and regulations for managing and reporting on data security and cybersecurity risks. Boards of directors face an enormous challenge: to oversee how their companies manage cybersecurity risk. Depending on the discretion of the board and company, this responsibility may be delegated to the Audit Committee.
Read Cybersecurity examples:
MDU Resources Group Inc
Board’s Role in Risk Oversight
While the board is ultimately responsible for risk oversight at our company, our standing board committees assist the board in fulfilling its oversight responsibilities in certain areas of risk.
- The audit committee assists the board in fulfilling its oversight responsibilities with respect to risk management in a general manner and specifically in the areas of financial reporting, internal controls, cybersecurity, and compliance with legal and regulatory requirements, and, in accordance with NYSE requirements, discusses with the board policies with respect to risk assessment and risk management and their adequacy and effectiveness. The audit committee receives regular reports on the company’s compliance program, including reports received through our anonymous reporting hot line. It also receives reports and regularly meets with the company’s external and internal auditors. During its quarterly meetings in 2019, the audit committee received presentations or reports from management on cybersecurity and the company’s mitigation of cybersecurity risks. The entire board was present for the presentations and had access to the reports. Risk assessment and mitigation reports are regularly provided by management to the audit committee or the full board. This opens the opportunity for discussions about areas where the company may have material risk exposure, steps taken to manage such exposure, and the company’s risk tolerance in relation to company strategy. The audit committee reports regularly to the board of directors on the company’s management of risks in the audit committee’s areas of responsibility.
Board Meetings and Committees
The audit committee also:
- assists the board’s oversight of management of risk in the audit committee’s areas of responsibility, including cybersecurity, financial reporting, legal and regulatory compliance, and internal controls;
The audit committee receives periodic briefings concerning cybersecurity, information security, technology risks, and risk mitigation programs.
Pitney Bowes Inc
The Audit Committee also has oversight over the information technology function, cybersecurity risks as well as compliance generally. The Audit Committee regularly discusses cybersecurity with leaders of the technology, information security, privacy and audit functions.
Role of the Board of Directors in Risk Oversight
With respect to cybersecurity, management (comprised of members from multiple disciplines in the company, including Information Technology, Research and Development, Legal, Privacy, and Internal Audit) provides a detailed overview first to the Audit Committee and then again to the full board of the company’s cybersecurity efforts and management of that risk. Under its Charter, the Audit Committee has oversight of the enterprise risks relating to Information Technology function generally, and cybersecurity in particular.
Each enterprise risk and its related mitigation plan is reviewed by either the board of directors or the designated board committee on an annual basis. On an annual basis, the board of directors receives a report on the status of all enterprise risks and their related mitigation plans.
Disclosure is a powerful tool that can be used by audit committees to shine a light on the important oversight activities they perform day in and day out on behalf of investors. Such disclosure can dispel skeptics’ concerns that the audit committee oversight is ceremonial in nature and not serving the role as intended by SOX. The CAQ sees opportunities for audit committees to enhance transparency of the critical work they do and role they fill, and we encourage audit committees to seize the opportunities identified in this report.