In May, SEC Chief Accountant Paul Munter, quoted here, cautioned his conference audience about the potential for audit committee overload. "More demands are being put on audit committees, sometimes on topics outside their core responsibility," he said. "Audit committees need to be continually vigilant that they have enough time to focus on their core mission—protecting investors—and don't let other topics cloud that out." While the AC's primary responsibilities are generally thought to be oversight of financial reporting, including the audit of a company's financial statements and internal control over financial reporting, these days, the AC often becomes the default committee of choice for oversight of other emerging risks, such as cybersecurity and even ESG. With ACs now perhaps the "kitchen sink of the board," are its members stretched too thin to carry out fundamental responsibilities? Are members being asked to operate outside of their core skillsets? What is the impact? These concerns appear to have prompted the panel at last week's meeting of the SEC's Investor Advisory Committee discussing AC workload and transparency.

The moderator of the panel observed that, in a statement in October last year, Munter reported that the Association of Certified Fraud Examiners "estimates that organizations lose 5% of revenue to fraud each year, an estimated loss of $4.7 trillion on a global scale." In addition, the moderator noted, based on a recent study, 10% to 15% of companies annually experience some type of accounting misconduct. This data highlights the question: do the burdens on the AC impair its ability to perform its main function related to audits, financial reporting and internal controls?

According to the first speaker on the panel, an academic from the University of Tennessee, a survey from the Center for Audit Quality and Deloitte of 164 AC members in 2022 showed that the responsibilities of the AC have certainly stretched to encompass a variety of topics outside the ambit of financial reporting: for example, 43% of those surveyed said their ACs were also responsible for enterprise risk management and third-party risk; 53% oversaw cybersecurity risk and ethics and compliance; 40% had responsibility for privacy and 34% for ESG reporting and disclosure.

How did that happen? Generally, the speaker said, if responsibility for an area is not taken on by the whole board, it often devolves to the AC. In the speaker's study of AC members as well as preparers and other professionals, 40% of participants described the AC as the default choice—the kitchen sink—with most participants describing "how these evolving oversight issues relate to disclosures, quantifiable metrics, and internal controls, which are closely related to their core traditional responsibilities." But that default choice may have these unintended consequences: the AC may not have the proper skills for the oversight role, may view the assignment as short-term with a check-the-box mentality and may not have enough time for its fundamental financial reporting and fraud detection oversight role. On the other hand, 30% of interviewees said they were given the additional responsibility as a result of their own personal interests or continuing education with the potential consequence that the committee may not have an appropriate succession plan in the event the member leaves the committee, as well as possible "overconfidence bias" in the absence of other skilled members to provide challenges.

Why do some boards decide not to make the AC primarily responsible for additional risk areas? Of the study participants, 30% indicated workload concerns as the reason; 25% reported that they believed the risk area involved a broader strategy or big-picture approach that required the attention of the full board or the skill set of other board members.

How can investors assess the efficacy of the work allocation across the board and "whether board members have sufficient time and expertise"? One way is by examining proxy statement disclosure about the audit committee. In assessing that disclosure, the speaker categorized companies in three groups: those that provide only boilerplate disclosure; those that follow best practices, such as illustrated in the CAQ's Audit Committee Transparency Barometer (see this PubCo post), but do not really provide individualized disclosure; and a group of leaders that provide more specific disclosure tailored to the particular company. Generally, the speaker indicated that investors want to see five issues addressed in the proxy statement:

"Clearly define the allocation of risk oversight for the overall board and the committees [currently required by regulation]

Explain why the AC members, individually and as a whole, are appropriate for this specific company

Highlight details about continuing education

Describe how the AC addresses key risks

Discuss more that just external audit oversight if the AC has a broader set of oversight responsibilities."

The speaker concluded that companies might voluntarily expand AC disclosures if they heard more from investors and related service providers. Study participants, the speaker observed, did not think there was much investor interest in this area of proxy disclosure or concern that the disclosure was inadequate.

SideBar

In "Audit Committee: The Kitchen Sink of the Board," from the CAQ and co-authored by the first speaker, the authors discuss how ACs "can manage their evolving responsibilities and polish their proxy disclosures," focusing on three central questions.

With regard to the first question, "How can boards effectively allocate oversight responsibilities to the audit committee?" the key findings were: