June 27, 2023

SEC’s Investor Advisory Committee discusses audit committee overload and disclosure

Cooley LLP

+ Follow Contact

Send

Embed

Cooley LLP

In May, SEC Chief Accountant Paul Munter, quoted here, cautioned his conference audience about the potential for audit committee overload. “More demands are being put on audit committees, sometimes on topics outside their core responsibility,” he said. “Audit committees need to be continually vigilant that they have enough time to focus on their core mission—protecting investors—and don’t let other topics cloud that out.” While the AC’s primary responsibilities are generally thought to be oversight of financial reporting, including the audit of a company’s financial statements and internal control over financial reporting, these days, the AC often becomes the default committee of choice for oversight of other emerging risks, such as cybersecurity and even ESG. With ACs now perhaps the “kitchen sink of the board,” are its members stretched too thin to carry out fundamental responsibilities? Are members being asked to operate outside of their core skillsets? What is the impact? These concerns appear to have prompted the panel at last week’s meeting of the SEC’s Investor Advisory Committee discussing AC workload and transparency.

The moderator of the panel observed that, in a statement in October last year, Munter reported that the Association of Certified Fraud Examiners “estimates that organizations lose 5% of revenue to fraud each year, an estimated loss of $4.7 trillion on a global scale.” In addition, the moderator noted, based on a recent study, 10% to 15% of companies annually experience some type of accounting misconduct. This data highlights the question: do the burdens on the AC impair its ability to perform its main function related to audits, financial reporting and internal controls?

According to the first speaker on the panel, an academic from the University of Tennessee, a survey from the Center for Audit Quality and Deloitte of 164 AC members in 2022 showed that the responsibilities of the AC have certainly stretched to encompass a variety of topics outside the ambit of financial reporting: for example, 43% of those surveyed said their ACs were also responsible for enterprise risk management and third-party risk; 53% oversaw cybersecurity risk and ethics and compliance; 40% had responsibility for privacy and 34% for ESG reporting and disclosure.

How did that happen? Generally, the speaker said, if responsibility for an area is not taken on by the whole board, it often devolves to the AC. In the speaker’s study of AC members as well as preparers and other professionals, 40% of participants described the AC as the default choice—the kitchen sink—with most participants describing “how these evolving oversight issues relate to disclosures, quantifiable metrics, and internal controls, which are closely related to their core traditional responsibilities.” But that default choice may have these unintended consequences: the AC may not have the proper skills for the oversight role, may view the assignment as short-term with a check-the-box mentality and may not have enough time for its fundamental financial reporting and fraud detection oversight role. On the other hand, 30% of interviewees said they were given the additional responsibility as a result of their own personal interests or continuing education with the potential consequence that the committee may not have an appropriate succession plan in the event the member leaves the committee, as well as possible “overconfidence bias” in the absence of other skilled members to provide challenges.

Why do some boards decide not to make the AC primarily responsible for additional risk areas? Of the study participants, 30% indicated workload concerns as the reason; 25% reported that they believed the risk area involved a broader strategy or big-picture approach that required the attention of the full board or the skill set of other board members.

How can investors assess the efficacy of the work allocation across the board and “whether board members have sufficient time and expertise”? One way is by examining proxy statement disclosure about the audit committee. In assessing that disclosure, the speaker categorized companies in three groups: those that provide only boilerplate disclosure; those that follow best practices, such as illustrated in the CAQ’s Audit Committee Transparency Barometer (see this PubCo post), but do not really provide individualized disclosure; and a group of leaders that provide more specific disclosure tailored to the particular company. Generally, the speaker indicated that investors want to see five issues addressed in the proxy statement:

“Clearly define the allocation of risk oversight for the overall board and the committees [currently required by regulation]

Explain why the AC members, individually and as a whole, are appropriate for this specific company

Highlight details about continuing education

Describe how the AC addresses key risks

Discuss more that just external audit oversight if the AC has a broader set of oversight responsibilities.”

The speaker concluded that companies might voluntarily expand AC disclosures if they heard more from investors and related service providers. Study participants, the speaker observed, did not think there was much investor interest in this area of proxy disclosure or concern that the disclosure was inadequate.

SideBar

In “Audit Committee: The Kitchen Sink of the Board,” from the CAQ and co-authored by the first speaker, the authors discuss how ACs “can manage their evolving responsibilities and polish their proxy disclosures,” focusing on three central questions.

With regard to the first question, “How can boards effectively allocate oversight responsibilities to the audit committee?” the key findings were:

“Perpetually assigning emerging risks to the AC (i.e., the ‘kitchen sink’ approach) can lead to suboptimal oversight due to overworked ACs and a ‘check the box’ mentality.

Traditional AC skill sets relate to financial reporting and internal controls. As AC responsibilities evolve, it is important that AC skill sets evolve as well.

Some AC members individually advocate for the AC to oversee these emerging risks because of their personal skills and interests. In these cases, AC members should be careful not to succumb to overconfidence bias and ensure that a clear succession plan is in place without them.

To effectively allocate oversight responsibilities, ACs may need to consider situations when it makes sense to push back on the board.”

The key findings related to the second question, “How can audit committee members keep up with an ever-evolving workload?” were:

“AC members should be purposeful about developing skill sets that match oversight responsibilities:

Actively assess the committee’s key risks when planning for continuing education opportunities and use specialists where needed.

Regularly evaluate whether AC refreshment is needed to keep up with the necessary skill sets to properly oversee evolving risks.

Carefully manage the AC agenda by mapping out risks to allow for deep dives on a rotation of topics throughout the year.“

ACs can free up time for additional responsibilities by managing the agenda and relationships:

Work with management to fine-tune the types of materials delivered in advance and hold AC members accountable for reading them.

Reflect on whether meetings allowed for sufficient time to evaluate management’s response to key risks, and schedule meetings so that they can go long or continue at an additional time when needed.

Maintain a collaborative relationship with management to foster transparency.

Adopt leading practices to manage shared governance across board committees.”

For the third question, “How can audit committees improve their disclosures related to audit committee oversight responsibilities?,” the key findings were:

“ACs can begin by defining the goal of AC-related disclosures. These disclosures provide an opportunity to be transparent about ACs’ duties and actions and provide confidence that the AC is fulfilling its fiduciary duty.

Rather than start from scratch, AC members can use existing publications from the CAQ, this document, and other sources to reduce the time needed to identify leading examples from peers.

ACs can lead the charge when collaborating with management to commit to enhanced disclosures.

Companies should seek feedback from investors and regularly reevaluate whether disclosures are meeting investors’ expectations.

Investors want to see clearly defined roles and responsibilities assigned to the AC, an explanation for why AC members are appropriate for the specific company, examples of continuing education for AC members, more explanation for how ACs address key risks, and details that reflect broader AC responsibilities.”

The Committee also heard from a speaker from the CAQ, discussing the CAQ Audit Committee Transparency Barometer, which, since 2013, has surveyed AC proxy disclosures from the S&P 1500 with the goal of encouraging voluntary disclosure about factors such as oversight, selection of the auditor and engagement partner, and factors affecting compensation. The Barometer includes examples and questions to consider. To some extent, the Barometer for 2022 illustrated the dearth of tailoring discussed by the prior speaker. For example, while a healthy majority of companies surveyed discussed auditor tenure, a very small percentage discussed how the AC considered the length of time—i.e., pros and cons—that the auditor has served in that capacity. Similarly, many proxy statements will disclose that the AC has a role in selection of the engagement partner, but very few discussed the process for AC involvement in that selection—e.g., is the entire AC involved or just the chair? do they interview multiple candidates? In response to a question from a committee member, the speaker observed that there was typically no discussion of auditor staff turnover. But one committee member noted that too much staff turnover could be a potential problem at companies of which he is a board member. Generally, the speaker said that the disclosure trends were positive over time. For example, the proportion of companies disclosing whether the AC is responsible for cybersecurity oversight has increased. The speaker found that most ACs were willing to expand disclosure, but the challenge was where to expand and how to avoid disclosure overload.

In the broader panel discussion, panelists expressed concerns about AC bandwidth and workload, but seemed more concerned about director skillsets—issues such as cyber, AI or privacy require quite different skills than financial reporting oversight. For example, cybersecurity oversight appears to comprise issues similar to internal controls and ESG involves various metrics— both of which seem to be in the same neighborhood of AC financial oversight responsibilities—but the AC would still need to have or add the right expertise, for example, to have the knowledge to delve into these nonfinancial topics or to challenge management when appropriate. These concerns can be addressed to some extent through experts, continuing education or AC refreshment. But this issue requires careful navigation. Good ACs know their limitations, commented one panelist. Different committees have different remits, depending on the complexity of the business. For example, in some cases, risk oversight may be an issue for the whole board. In other cases, such as large financial services companies, there may be a special risk oversight committee. In smaller companies, the remit of the AC may depend on the skills of the members or the company’s business model. But none of the panelists had seen questions from investors about these issues or feedback related to a lack of understanding of what the AC does. What do investors want to see in AC disclosure? Perhaps the AC needs to engage more with investors to understand what they want to see to facilitate their assessment of the AC. None of the panelists advocated more SEC regulation beyond the current Reg S-K Item 407, but some of the speakers thought that some guidance from Corp Fin might be useful at this point. The most important element, one speaker ventured, is to tell the company’s story, and regulation can’t really address that. To be sure, one panelist noted, most companies are looking for continuous improvement.

One of the speakers reported that there was one published study that showed some correlation between AC disclosure and audit quality, but the other speaker observed that, in her study, participants indicated that they would not draw any conclusions about audit quality from the nature and extent of the disclosure. When asked how best to indicate in the proxy statement that risk oversight is adequate, one panelist reported that one board on which he served showed how risk oversight was distributed among committees and the board in a way that tells a story. Others mentioned disclosure regarding talent, the tone at the top and a culture of transparency that the AC would like to foster as well as the connection to strategy and purpose and value creation drivers.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.