Best Practices

Audit Committees Need New Blood and New Skills

by Krista Parsons

Financial executives at many publicly traded companies may need to onboard new audit committee members to oversee cybersecurity, ESG, and other emerging reporting areas.


Over the past two years, the Securities and Exchange Commission (SEC), under Chair Gary Gensler, has maintained that publicly traded companies need to provide investors with more transparent information on the impact of emerging risks like cybersecurity and a changing climate.

As the SEC’s proposed disclosure and reporting rules governing these risks near finalization, many boards are reexamining the composition of their audit committee to more effectively provide related oversight, according to Audit Committee Practices Report: Priorities & Committee Composition, released earlier this year by Deloitte’s Center for Board Effectiveness and the Center for Audit Quality.  

Over the next 12 months, one-quarter of the 164 audit committee members surveyed said they expect to make changes to the audit committee’s composition, including increasing its size; 42 percent expect to replace one or more committee members; and 28 percent plan to replace the audit committee chair. 

Assuming these expectations are realized, financial executives at publicly traded companies should prepare to onboard several new audit committee members, acquainting them with areas such as the organization’s financial reporting, controls, internal and external audit, compliance, and risk, which can be time-consuming. New members who have not previously served on an audit committee may require more education on oversight responsibilities, while more experienced members may benefit from a deep dive on company-specific issues they’ll be expected to oversee.

Some new members may have previous expertise or involvement in the disclosure and reporting of climate-related risks like the Scope 1 and Scope 2 emissions outlined in the SEC’s proposed rules. Other new members may have similar expertise or involvement in the disclosure and reporting of cybersecurity practices, as outlined in the SEC’s proposed rules. In both cases, financial executives should be prepared to answer questions from new members about how they are planning to address the SEC’s proposed rules, including new disclosures and reporting requirements.  

Since some investors are seeking more consistency and increased transparency in disclosures, there may be pressure to nominate new directors with specific expertise in these matters. Financial executives should help ensure the audit committee members have business acumen beyond a narrow proficiency through adequate onboarding.  

Focus on Emerging Risks 

The Audit Committee Practices Report reflects growing concerns by investors and the SEC over areas of disclosure and reporting involving emerging and intensifying risks like cybersecurity and climate change.  

In both our most recent survey and last year’s survey, 53 percent of respondents indicated that the oversight of cybersecurity is delegated to the audit committee. In our most recent survey, 34 percent of respondents said the audit committee is responsible for the oversight of climate/environmental, social, and governance (ESG) disclosure and reporting. In comparison, only 10 percent of respondents indicated that audit committees had oversight responsibility for ESG disclosure and reporting in last year’s survey. Not surprisingly, it appears that the audit committee’s involvement in oversight of ESG disclosure and reporting is becoming more widespread. 

Although audit committee members are not responsible for overseeing all of a company’s key risks, the audit committee is often responsible for the oversight of risk-related policies and processes embedded within the enterprise risk management (ERM) program. More than four in ten (43 percent) survey respondents said their audit committee has primary responsibility for overseeing ERM.  

In situations where the audit committee has primary responsibility for ERM, members oversee that management has developed and implemented a sound ERM program. Audit committee members also oversee how management identifies, assesses and monitors enterprise risks, and ensure that oversight of key risks is allocated across the full board and its committees.

A Short Time Horizon 

The SEC’s proposed disclosure rules governing climate-related emissions and cybersecurity practices and incidents suggest that the scope of knowledge and expertise of new directors requires the attention and involvement of financial and other executives. As discussions on ESG continue, support for increased disclosure and transparency can be seen through the number of ESG-related resolutions filed by institutional investors and pension funds during the 2023 proxy season.

Given expectations for the SEC’s finalization of the new disclosure and reporting rules this year, many boards should consider preparing to provide more thorough and diligent oversight of the proposed new requirements. Financial executives can help new audit committee members hit the ground running in these areas, while also ensuring they are well informed about the business, financial statements and risks.  

Going forward, it’s hard to imagine another standing board committee having more responsibilities than the audit committee. In addition to providing customary oversight of financial reporting, internal controls, external and internal audit, and compliance and risk, committee members will likely be looked upon as the “go to” advisors on emerging risks, such as those noted above, and their disclosure and reporting implications. Thanks to a combination of human ingenuity, the competitive realities of a capitalist economy, and a world in constant flux, such risks undoubtedly will continue to emerge.  

Krista Parsons is a Managing Director in Audit & Assurance at Deloitte & Touche LLP and Audit Committee Program Leader with Deloitte’s Center for Board Effectiveness.