Audit Committee Practices Report

Introduction

The scope of audit committee oversight continues to creep. Given the rapid rate at which risks are emerging and evolving, many boards are taking a fresh look at committee structures and practices to determine whether they are keeping pace with shifting responsibilities and priorities. For audit committees, this can mean expanded responsibilities that go beyond overseeing financial reporting and internal controls, ethics and compliance programs, and external and internal audit. Today, many audit committees are charged with overseeing additional areas of emerging and intensifying risk, such as cybersecurity; enterprise risk management (ERM); and environmental, social, and governance (ESG) reporting. 

The expansion of the audit committee’s role has in turn raised questions about audit committee composition, prompting us to examine it more closely in this year’s survey. Audit committees may need more expertise in certain areas, but they are simultaneously wary of bringing on narrowly-focused subject matter specialists. Despite having more topics on their agendas, audit committees still must perform their core oversight duties as well as understand the interrelationships among the various areas of risk. For these reasons, boards often prefer to compose their committees with strategic thinkers, who may or may not have deep expertise in a particular area. 

Against this backdrop, audit committee members often want to understand what their peers are focusing on in terms of priorities, how they are adjusting the composition of their committees, and if there are leading practices they should employ within their own organizations. The second edition of the Audit Committee Practices Report, a collaborative effort between Deloitte’s Center for Board Effectiveness (Deloitte) and the Center for Audit Quality (CAQ), includes the results of a survey in which a total of 164 individuals participated, from predominantly large (80% >$700 million), U.S.-based public companies. Conducted by the CAQ and Deloitte, the survey inquired about: 

• Audit committee composition
• Areas of oversight
• Key risks
• Audit committee practices

This report provides insight into shifting priorities as well as trends and practices related to audit committee composition. The survey results and related analysis can also serve as a benchmarking resource for gauging your own committee’s development.

Select findings are included below; download the full PDF for complete findings.

  Select key insights

What’s the audit committee composition?

Size

An overwhelming 92% of respondents deem their audit committees to have the appropriate collective experience needed. Despite having confidence in their skill sets, many audit committees are still planning to expand and/or change their committee composition. In the next 12 months, one-quarter of respondents anticipate making changes to the composition of the audit committee, including increasing its size.

When respondents were asked how they plan to change their audit committee composition, 28% anticipate replacing the current audit committee chair in the next 12 months. Furthermore, a portion of those expecting to change the chair (19%) plan to do so with a current audit committee member and 3% with a current director who is not an audit committee member. 

Beyond the chair, an even greater percentage of respondents (42%) anticipate replacing one or more members of the audit committee in the next 12 months. Of these, about 24% expect to do so with current board members, while 18% plan to do so with new directors who are not presently on the board.

Expertise

Considering 74% of respondents do not have a policy (formal or informal) to rotate the chair and/or members of their audit committees, and only 4% require new directors to serve on their audit committees (17% recommend it), much of the anticipated composition change appears to be driven by necessity. It may stem from the need to keep pace with expanding responsibilities and to combat fatigue and attrition, in addition to filling specific experience and knowledge gaps.

What’s on the audit committee agenda?

Outside of financial reporting and internal controls, respondents anticipate the following areas as being among their top three areas of focus in the next 12 months: 

• Cybersecurity – 63% 
• Enterprise risk management – 45% 
• ESG disclosure and reporting – 39%

Cybersecurity

Beyond the audit committee’s core remit of overseeing financial reporting and internal controls, ethics and compliance programs, and external and internal audit, cybersecurity ranked high on the audit committee agenda. Fifty-three percent of respondents said their companies delegate cybersecurity oversight to the audit committee, 26% to the board, and 11% to the risk committee.

Enterprise risk management

When asked who was responsible for oversight of ERM within their organizations, 43% of respondents indicated the audit committee, 28% said the board, and 21% said the risk committee. About three-quarters (75%) of respondents believe their audit committee members have appropriate experience/expertise in enterprise risk, indicating a high level of confidence in their committees’ ability to oversee this area.

ESG disclosure and reporting

In this year’s survey, ESG disclosure and reporting increased in importance, commonly coming into the purview of the audit committee’s oversight responsibilities. When asked who was responsible for oversight of ESG disclosure and reporting, 34% of respondents said the audit committee, while 27% indicated the board, and 16% pointed to the nominating/governance committee. In contrast, only 10% of audit committees had oversight responsibility for ESG disclosure and reporting in last year’s survey.