The roles & responsibilities of the audit committee have seen a significant expansion over the last decade. Historically the watchdogs of financial reporting, this committee has been expanding its risk oversight role to account for a range of emerging and long-standing risks (e.g., cyber risk, corporate culture).
The Securities & Exchange Commission (SEC) requires that all U.S. public companies have an audit committee; these requirements were formalized by the 2002 Sarbanes-Oxley Act (SOX), which highlights the committee’s key roles and responsibilities: (1) overseeing the accuracy of the financial reporting process, (2) ensuring external auditor independence, (3) reviewing the company’s system of internal controls, and (4) ensuring compliance with all laws and regulations.
The New York Stock Exchange and Nasdaq have their own audit committee requirements, which are largely based on SEC guidelines; however, they make further specifications on matters of independence, disclosure, financial experts, and financial literacy.
In addition to compliance responsibilities, the challenges facing the audit committee include overseeing risk management across the organization—a function that’s growing extraordinarily complex as items like cyber risk, ESG, and corporate culture oversight are being pushed onto this committee’s agenda. This has led many to pose the question: Are today’s audit committees overburdened?
Cyber risk has been one forum for this debate. Roughly half of board members report that their audit committee “owns” cyber risk (via PwC’s Annual Corporate Directors Survey), whereas the other half say that cyber risk is overseen at the full-board level or by another committee. As cyber risk becomes one of the greatest enterprise risks facing today’s companies, it raises the question: Does it deserve more attention than this committee can provide? These are the kinds of questions today’s boards and audit committees are grappling with as they determine the best way to mitigate risk across today’s increasingly digital landscape.
A two-pronged approach can help today’s audit committees to perform better:
- Take a critical eye to committee governance & composition: As today’s risk landscape continues to grow in size and complexity, the risks themselves will be harder to identify. Each board will need to assess how to best manage these risks, which may require a hard look at audit committee governance and composition. The board may determine that it needs to recruit subject-matter experts, or it may choose to break out certain risks into a dedicated committee (e.g., Finance, Cybersecurity).
- Protect the board from common cyber mistakes: Boards and audit committees must not ignore the risks that may be lurking in the boardroom. Several recent exposés and court cases have revealed the dangers of using personal email and text messages at the board level.