Five Areas to Focus on as the Audit Committee Role Evolves


Sponsored by EY

Audit committees have a full plate these days with the Federal Reserve attempting to tamp down inflation, interest rates rising, the regulatory landscape evolving, and myriad geopolitical and other business risks to navigate. While staying informed about these issues and other critical drivers of risk and changing macroeconomic conditions, they must assess the near- and long-term implications for the companies they oversee.

The expanded audit committee oversight role  

To address the growing breadth of matters requiring oversight and the associated growing complexity, corporate boards at S&P 500 companies are evolving to strengthen oversight. A recent EY analysis of S&P 500 company boards showed that three of four boards now have at least one additional board committee beyond the core three required committees. Even with that, audit committees are taking on more responsibility.  

For example, the analysis found that audit committee oversight of cybersecurity and other nonfinancial risks grew significantly. Nearly 73% of S&P 500 company board audit committees now include cybersecurity, up from 25% in 2019. Additionally, environmental, social and governance; sustainability; or climate now appear in the descriptions of audit committee responsibilities for 13% of the S&P 500 companies analyzed.  

Both climate and cybersecurity are areas where new disclosure rules have been proposed by the U.S. Securities and Exchange Commission (SEC). Under the proposed rulemaking on cybersecurity, companies would need to disclose whether the entire board, a specific member or a board committee is responsible for cybersecurity oversight. The proposed climate disclosures would bring about significant change in what information must be reported in certain filings, including notes to the financial statements.  

Reinforce risk resiliency  

To evaluate and bolster the risk resiliency of organizations, it is critical that the audit committee reviews the business’s scenario plans, stress tests and contingency plans. It needs to determine whether the assumptions that underpin the organization’s strategic plans still hold.

For instance: Did the stress testing account for ongoing inflation, the Federal Reserve’s rate hikes, geopolitical tensions, labor shortages, technology changes, shifts in consumer preferences or climate change? Has the organization conducted financial risk modeling analyses to evaluate routine (low-impact, high-likelihood) scenarios vs. “black swan” (high-impact, low-likelihood) events?  

Additionally, is management fostering organizational resiliency by leveraging artificial intelligence to alert the company about emerging and disruptive trends?  

Be diligent about cybersecurity 

To assess how the business maintains a consistent level of cyber hygiene to defend against ransomware and cyber-attacks, it is critical that the audit committee evaluates the diligence of the business’s cyber defenses. It should examine the plans for monitoring, communicating and disclosing information about cyber-attacks, while factoring in the proposed SEC rules and “Shields Up” guidance from the U.S. Cybersecurity & Infrastructure Security Agency.

In the face of heightened risks, the audit committee also will want to hear from management about how anomalies will be reported internally (including to the board) and externally to stakeholders, e.g., regulators and the broader cyber community.  

In tandem with that, the audit committee needs to determine whether management has increased the sophistication of its cyber response plans. Is the organization using simulation drills to test its response readiness in the event of an attack? That includes how human risks are being mitigated to further shore up the organization’s risk resilience and strengthen its cyber defenses.

The efficacy of the company’s cyber insurance coverage should be verified. If any changes were made to the coverage, what is the impact?  

Align talent strategy with the business  

As companies adopt new technologies for audit and finance functions, the audit committee will want an evaluation of whether the company has the requisite talent and skills to execute the company’s strategy. And, with the adoption of new technologies, are those using them being educated and trained about risk mitigation and cybersecurity behaviors? The audit committee needs validation that technology and process changes are accounted for in internal controls. 

Additionally, given the hypercompetitive labor market that businesses have encountered, the audit committee should review talent acquisition and retention strategies to ensure the business is keeping pace with the labor market and business transformations that are underway.  

Remain aware of new regulatory requirements 

The complexity of monitoring and complying with the ever-changing regulatory environment continues to be a challenge and an area of focus, especially with new laws, changing reporting requirements and evolving tax policies.  

For instance: The impacts and modeling efforts related to the recently passed U.S. Inflation Reduction Act could affect how a company embeds federal, state and local incentives into its capital investment strategy to drive a consistent return on investment.  

International bodies, such as the Organisation for Economic Co-operation and Development, and the effects of their policies, such as the Pillar 2 global minimum taxation policy, may have ripple effects across federal and foreign tax laws. What could that mean for business operations, including plans for systems and controls to manage the changes? 

How finance, internal audit and other senior management can support the audit committee 

To be effective, the audit committee relies heavily on finance, internal audit and other senior management to provide the right information required to fulfill its oversight responsibilities. Maintaining an ongoing dialogue with audit committee members while staying attuned to their expanding scope, including their focus on risk, cybersecurity, talent and the regulatory landscape, can help enable the board to discharge its responsibilities and provide the best guidance to the business as it charts its course for the future.  

The views reflected in this article are the views of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization. 

Patrick Niemann is the leader of the EY Audit Committee Forum.