As uncertainty and disruption across the global business landscape are intensifying pressures on the risk and control environment in new and unexpected ways, the audit committee’s perspective can serve as a bellwether for the business and the board.
To gain a better understanding of how audit committee members are managing their expanding workload and oversight responsibilities amid this uncertainty and disruption, we surveyed 144 US audit committee members and chairs. (The US views were collected as part of a global survey conducted by the KPMG Board Leadership Center and Audit Committee Institute in February and March 2023.)
Encouragingly, the survey results show that most audit committees view their companies’ risk management processes as sophisticated or keeping pace. But their confidence is muted by sobering concerns—particularly risks posed by a company’s digital activities, potential gaps in the oversight of emerging risks, and talent needs in the finance and internal audit organizations. Few audit committees are looking to reallocate risk oversight responsibilities to ease their own workload, although some expressed concerns about skill sets and expertise on the audit committee. The following are some of the key US survey findings.
Respondents identified key macro trends impacting the committee’s focus and agenda. Among them are the increased complexity of the business and risk environment posed by cybersecurity, artificial intelligence developments, supply chain disruptions, and workforce challenges (74%); geopolitical and economic risks, including inflation and risk of recession (50%); and regulatory and stakeholder demands for disclosure and transparency around climate and other environmental, social, and governance (ESG) risks (22%). These macro trends will put pressure on the company’s risk and internal control environment, as well as the finance and internal audit functions.
While the full board oversees mission-critical risks, audit committee risk oversight responsibilities continue to expand. Although 80 percent of survey respondents reported that their full boards have oversight responsibility for the companies’ mission-critical risks, most say the audit committee continues to shoulder heavy risk agendas and oversight responsibilities beyond its core responsibilities. Respondents reported that their audit committees have substantial oversight responsibility for management’s enterprise risk management system and processes (74%); cybersecurity and information technology (IT) (72%); legal and regulatory compliance (67%); and data governance (53%). Many audit committees also have significant oversight responsibilities for other risks, including ESG, climate, geopolitical, and economic risks, as well as supply chain and other operational risks. And while many survey respondents expressed concern about their audit committees’ workload, only 15 percent said that their boards were reallocating risk oversight responsibilities among committees.
Audit committees are heavily involved in overseeing ESG and sustainability disclosures, and many should anticipate even deeper involvement. A majority of survey respondents (51%) said that their audit committees oversee ESG-related disclosures in regulatory filings, 46 percent consider management’s disclosure committee’s activities in connection with these disclosures, and 23 percent reported that their committees oversee voluntary ESG and sustainability reporting. Audit committee members of large companies (those with revenue of $10 billion or more) reported significantly more involvement in oversight of ESG and sustainability reporting—including disclosures in regulatory filings (67%), overseeing management’s disclosure committee’s activities in connection with these disclosures (59%), and helping to coordinate ESG oversight responsibilities among the board’s standing committees (33%). The SEC’s disclosure proposals—particularly its climate proposal—as well as recent foreign sustainability reporting requirements such as the European Union’s Corporate Sustainability Reporting Directive, which has an extraterritorial reach that may apply to many US multinationals, will greatly expand the audit committee’s workload and oversight responsibilities and require greater coordination with other standing committees.
Risk management and reporting are generally viewed as strong, but with key areas of concern related to digital activities, potential gaps in oversight, and talent. While 84 percent of all survey respondents—and 93 percent of respondents from large companies—said that their companies’ risk management and reporting capability was “sophisticated” or “keeping pace with the risk environment,” they identified three critical challenges ahead. These are the risks posed by the company’s data or digital activities, such as cyber risk (including ransomware and intellectual property theft), vulnerabilities posed by third parties or vendors, and data privacy; potential oversight gaps when multiple standing committees have oversight responsibilities for a category of risk such as cybersecurity, data privacy, compliance, or supply chain issues; and whether talent and skill sets in the finance and internal audit organizations are keeping pace.
The audit committee’s skills and expertise are getting a closer look. While 44 percent of respondents said they had “no concerns” about their committees’ composition and skill sets, 29 percent had concerns about a lack of expertise in cybersecurity, 22 percent were concerned about a lack of expertise in climate risk and other ESG issues, and 17 percent were concerned about the audit committee’s size—and the potential need to add members to spread the workload or add expertise. In addition, 24 percent of respondents expressed concern that their audit committees were over-relying on the chair or a single member who has the background and expertise to oversee complex financial reporting, disclosure, and control issues.