'Scope creep' challenging audit committees: CAQ

By Jim Tyson for CFODive.com

• Audit committees at U.S. companies face challenges from “scope creep” as they expand oversight beyond audit and financial reporting into cybersecurity, sustainability, technology and other areas outside their traditional purview, according to the Center for Audit Quality and Deloitte.

• Many audit committees at large companies plan a structural shake-up during the next 12 months as they take on new responsibilities, the CAQ and Deloitte said. One out of four committees plan to increase in size, 42% plan to replace at least one member and 28% plan to change their committee chairperson. 

• “Scope creep” poses some risks, according to Vanessa Teitelbaum, senior director for professional practice at the CAQ. “The biggest risk is that audit committees won’t have as much capacity to perform their core responsibility to oversee the financial reporting process, which would impact the quality of their oversight.”

The expansion of audit committee duties coincides with plans by the Securities and Exchange Commission to require detailed disclosure on several topics that, according to SEC Chair Gary Gensler, increasingly interest investors, including cybersecurity, climate risk, workforce composition and corporate board diversity.

A 490-page proposed SEC rule that would require publicly traded companies to provide in-depth disclosures on climate risk has sparked criticism and more than 14,000 public comment letters.

The SEC aims to mandate that companies disclose data on greenhouse gas emissions and describe on Form 10-K their strategy toward climate risk, including plans to achieve any targets they have set for curbing such risk.

Two out of three respondents (34%) to a CAQ and Deloitte survey said that their audit committees oversee disclosure and reporting on environment, social and governance issues, an increase of 24 percentage points compared with the survey conducted in 2021, the CAQ and Deloitte said.

More than half of the respondents (53%) said their audit committee oversees cybersecurity, while 43% said the committees handle enterprise risk management, according to the CAQ and Deloitte.

Some audit committees may find themselves unable to handle a wider range of responsibilities, Teitelbaum said in an email response to questions. “As more work is thrown to the audit committees that falls outside their traditional scope, they may find they don’t have the right skills or expertise to oversee a certain risk area.”

Also, “when boards assign an emerging risk to an AC [audit committee], they may just be checking a box versus thinking about this risk strategically,” she said.

Congress, following the Enron and WorldCom accounting scandals, assigned audit committees oversight of financial reporting under the Sarbanes-Oxley Act of 2002.

“Boards are likely increasing the scope of ACs because these emerging risk areas typically relate to disclosures, quantifiable metrics and internal controls,” Teitelbaum said.

Yet “perpetually assigning emerging risks to the audit committee — the ‘kitchen sink’ approach — can lead to suboptimal oversight due to overworked audit committees and a ‘check the box’ mentality,” she said.

As audit committees take on a wider range of tasks, CFOs should keep in mind that they still must answer for financial reporting, Teitelbaum said.

“It is management and specifically the CFO who is ultimately responsible for their company’s financial statement and this will be true of ESG and cybersecurity once these rules are established by the SEC,” she said.

The CAQ and Deloitte surveyed 164 audit committee members at publicly-traded companies from August until October 2022.