Since 2014, the Center for Audit Quality (CAQ), together with Ideagen Audit Analytics, has analyzed audit committee disclosures of companies in the Standard & Poor’s (S&P) Composite 1500 (S&P 1500), which is composed of the S&P 500 large-cap companies (S&P 500), the S&P MidCap 400 (S&P MidCap), and the S&P SmallCap 600 (S&P SmallCap).
Over the past 10 years, we have observed increases in disclosure rates related to key areas of audit committee oversight, including oversight of the external auditor, which continues to be a core component of the audit committee’s responsibility. In recent years, we have also seen audit committees respond to evolving areas such as cybersecurity risk and ESG. As these topics continue to gain attention, we see significant increases in corresponding audit committee disclosures.
After a decade of analyzing audit committee disclosures, we have seen disclosure rates increase across the majority of the questions and topics being tracked. In the current environment of economic uncertainty, geopolitical crises, and new ways of working, it remains as important as ever for audit committees to tell their story through tailored disclosures in the proxy statement. Investors and other stakeholders use these disclosures to understand how the audit committee is exercising oversight to navigate the challenges of this current environment.
This environment provides an opportunity for audit committees to revisit their disclosures to ensure that they are up to date and tailored to the specific events and circumstances that the audit committee currently faces. Providing detailed and relevant disclosures, instead of relying on boilerplate language, provides investors with useful information about the processes, considerations, and decisions made by the audit committee. Every year, each audit committee has a unique story to tell, and detailed disclosures in the proxy statement relay the extent of engagement of the audit committee, which contributes to audit quality.
The audit committee’s role has evolved over the 10 years we have tracked these disclosures. As audit committees take on new areas of responsibility, further opportunities exist to disclose the allocation of responsibilities among the board committees and the specialized knowledge of committee members. As audit committees think about revamping disclosures, we provide leading disclosure examples and questions for consideration in the appendices.
Oversight of the external auditor continues to be at the core of the audit committee’s responsibilities. The audit committee’s oversight of the external auditor directly contributes to audit quality; therefore, it is important for audit committees to effectively tell their story to demonstrate how they exercise this oversight. As highlighted in prior Barometers, numerous studies have identified a positive correlation between increased communication of audit committee oversight through disclosures in the proxy statement and increased audit quality. Further, in research commissioned by the CAQ, institutional investors expressed interest in learning more about certain matters related to the audit committee’s oversight of the external auditor including, audit strategy, discussions between the auditor and audit committee regarding significant risks identified in the auditor’s risk assessment procedures, and the audit committee’s awareness of certain matters relevant to the audit, such as material violations of laws regulations. For audit committees to enhance their disclosures, they should provide further discussion not just of what they do in their oversight of the external auditor but also how they do it.
For example, as it relates to reappointing the external auditor, it can be helpful for stakeholders to understand how the audit committee considered both positive and negative factors associated with the auditor’s tenure. Similarly, stakeholders will likely be interested in the audit committee’s process and key considerations in selecting a new audit engagement partner (as applicable, based on mandatory audit partner rotation requirements). Auditor tenure and the audit partner leading the engagement impact audit quality. Disclosing how the audit committee carefully considered such matters provides useful information to stakeholders and demonstrates the audit committee’s commitment to promoting audit quality. As the following figures show, audit committees have an opportunity to increase the robustness of their disclosures on these topics.
Another area where we continue to see lower rates of disclosure is the discussion around audit fees, particularly disclosures about the connection between audit fees and audit quality (Q3) and explanation for a change in fees paid to the external auditor (Q6). For audit committees to enhance their disclosures, they should provide more robust disclosures about how the audit committee considers the appropriateness of the audit fee, including key factors affecting changes to the audit fee year over year. For example, it may be helpful for stakeholders to understand efficiencies achieved, such as the auditor’s use of new technologies, or changes in the scope, such as a major transaction during the year, that could lead to changes in the audit fee.
Audit fees can be an indicator of audit quality for stakeholders because abnormally low fees may indicate that not enough time or resources are spent on the audit engagement, which could contribute to low audit quality. On the other hand, abnormally high audit fees could indicate inefficiencies, which may also be a red flag for stakeholders. In selecting, retaining, and evaluating the independent auditor, the audit committee should always be focused, in the first instance, on audit quality. Describing the audit committee’s views on the audit fee’s appropriateness can help stakeholders understand what contributes to the audit fee and can provide stakeholders further insights into how the audit committee considers audit quality throughout its engagement with the external auditor.
In recent years, the audit committee’s role has expanded beyond typical areas, such as oversight of financial reporting and related controls and oversight of the external auditor, to include emerging risks. Many audit committees are now responsible for oversight of emerging areas like cybersecurity and ESG, and in 2023, we have seen increased disclosures about the audit committee’s responsibility for oversight of these areas. The percentage of S&P 500 companies disclosing that the audit committee is responsible for oversight of cybersecurity risk increased from 54% in 2022 to 59% in 2023 (Q10). Similarly, the percentage of S&P 500 companies disclosing that the audit committee is responsible for oversight of ESG increased from 18% in 2022 to 29% in 2023 (Q12).
These new responsibilities require expanded skill sets from audit committee members. Notably, we have seen changes in the audit committee’s composition, in terms of members and expertise, and responsibilities. For example, more than half of S&P 500 companies disclose that the board of directors has a cybersecurity expert (Q9, 51%) and an ESG or sustainability expert (Q11, 54%). As the audit committee’s role continues to expand, it is increasingly important for boards to monitor the skill set and composition of committee members to ensure that audit committee members have appropriate expertise to exercise their oversight. Beyond disclosing the expertise of certain committee members, audit committees may also consider disclosing how all members of the committee stay abreast of emerging areas. In the 2022 Audit Committee: The Kitchen Sink of the Board report, researchers interviewed audit committee members and found that more than half of them consider their continuing education to be a critical part of their ability to manage evolving responsibilities, and they often strategically select continuing education that focuses on emerging risk areas, such as cybersecurity, ESG, and risk management. Telling this story to stakeholders demonstrates the audit committee’s commitment to the oversight role.
The same study also found that investors want to understand the roles and responsibilities assigned to the audit committee, why audit committee members are appropriate for the specific company, examples of continuing education for audit committee members, how audit committees address key risks, and details that reflect broader audit committee responsibilities.
As the SEC has recently adopted its Cybersecurity Disclosure rule and is continuing to work on its Climate Disclosure rule, we expect that these topics will continue to be relevant for audit committees, particularly as this information is included in SEC filings. Audit committees play an important role in the oversight of these areas given their expertise and experience in oversight of financial reporting and internal controls. Further, research by Spencer Stuart on the Board committees of S&P 500 companies found that only 15% of Boards have a specific cyber committee. For the remaining 85% of Boards, the responsibility for cybersecurity risk oversight has fallen to existing committees of the Board. Understanding how the Board determines which committee has appropriate expertise and will be responsible for oversight of these multifaceted and evolving topics is useful information for stakeholders.
Cybersecurity Governance and Board Oversight
The new SEC Cybersecurity Disclosure rule includes disclosure requirements about the board’s oversight of cybersecurity risk. As part of their oversight, the board may evaluate whether the company’s cybersecurity risk management program is sufficiently robust, or if there are gaps that should be filled. Specifically, the rule requires disclosure in the Form 10-K:
Audit committees play a vital role in investor protection, particularly through their oversight of the external auditor and emerging risks, such as cybersecurity and ESG. They are instrumental in setting the tone at the top for the quality of financial reporting to investors. Robust disclosures provide important information to investors about how the audit committee fulfills its responsibility to investors and promotes trust. This year, we identified an opportunity for audit committees to enhance disclosures regarding audit fees, particularly the audit committee’s responsibility for fee negotiations and importantly, how the audit committee considers audit fees in connection with audit quality and changes in fees paid to the external auditor. We applaud audit committees for their efforts to increase disclosures over the past 10 years and continue to encourage audit committees to consider how their disclosures can be enhanced to provide further transparency for investors regarding the critical oversight work that audit committees perform.
Download the full report PDF for resources audit committees may find useful when drafting their disclosures, including examples of effective disclosure, a sample leading practice audit committee matters and report, and questions to consider when preparing disclosures.