Wednesday, November 17, 2021

CAQ finds that more audit committees disclosed cybersecurity risks during COVID

By Amanda Maine, J.D.

The Center for Audit Quality (CAQ) released its eighth annual “Transparency Barometer,” which analyzes disclosures of audit committee oversight in proxy statements of the companies in the S&P 1500. While the CAQ observed some slight increases in most of these disclosers (as well as some stagnation), it found that cybersecurity disclosures increased by 5 to 7 percentage points. The CAQ attributed these increases in part to the COVID-19 pandemic changing the way people work, particularly companies that moved to a remote work environment with an increased dependence on technology and the need to disclose the increased risks of the virtual workspace.

Importance of audit committee disclosure. Before delving into the specifics of its findings, the CAQ outlined the importance of the role of independent audit committees and their role in investor protection, in particular their oversight of the work of external auditors, their appointment, and their compensation. Voluntary disclosure of audit committee levels of oversight signals higher levels of involvement, according to the CAQ. “Transparency and disclosure are key elements of trust in the financial reporting system.”

Cybersecurity disclosures. Cybersecurity disclosures have increased dramatically since the Transparency Barometer began tracking them six years ago, the report found. One reason is the increase in cybercrime, which, according to a 2020 study from PwC, made up 34 percent of all fraud events, outpacing accounting fraud, asset misappropriation, and tax fraud. In addition, the trend toward remote work during the pandemic has exposed new vulnerabilities to address. The CAQ expects this area of disclosure to continue to trend upward as cybersecurity vulnerabilities increase.

Common areas of disclosure. The highest rates of disclosure continue to be related to non-audit services and their potential impact to independence, auditor tenure, criteria considered to evaluate the audit firm, and involvement in audit partner selection. Because the external auditor is prohibited from providing certain services to its audit clients, the audit committee is responsible for overseeing the services that are permissible to ensure that they do not impact auditor independence. By disclosing these services, the audit committee helps stakeholders understand how non-audit services are used by the company and helps reinforce the auditor’s independence, according to the CAQ.

Disclosures related to audit firm evaluation can provide insight into the audit committee’s oversight of the audit firm by avoiding boilerplate language and to include specific details of the evaluation, such as whether the firm has specific knowledge related to, for example, industry, geographic reach, and complex accounting expertise.

Among areas of moderate rates of disclosure were those related to engagement partner rotation, considerations taken into account when appointing an external auditor, and stating the evaluation of the external auditor occurs at least annually, the CAQ found.

Lower rates of disclosure. The CAQ report also listed several areas of lower disclosure by the audit committee, stating that these areas present the greatest opportunity for increased transparency. One group of these areas include those related to fees and compensation, such as who is responsible for fee negotiation, the connection of the audit fee to audit quality, and the consideration of auditor compensation. Concerning audit fees, the report advises that while stakeholders may be concerned that audit fees may be too high, audit fees that are too low could also indicate that audit quality is compromised. A change in audit fees may be due to a unique transaction or circumstance; disclosure of why there has been a significant change in audit fees can provide more transparency for stakeholders.

CAQ summary. According to CAQ CEO Julie Bell Lindsay, “We are pleased to see that the positive, long-term trend of increased audit committee disclosures in public company proxy statements has continued…Investors do not always have insight into the oversight activities that audit committees perform, which is why these disclosures are so important.”