Report highlights the expanding role of audit committees

Published: Tuesday, 25 January 2022 08:56

The ‘Audit Committee Practices Report’, a collaborative report developed by Deloitte’s Center for Board Effectiveness and the Center for Audit Quality, shows how audit committees are increasingly taking responsibility for enterprise risk management and for cyber security. Audit committees are being challenged by increased complexity in their core responsibilities, as well as scope creep across other areas within their organizations, says the report, which is based on a survey of 246 audit committee members from predominantly large (greater than $700 million market cap), US-based public companies.

Key highlights from the report include:

Enterprise risk management

When asked who was responsible for oversight of enterprise risk management (ERM) within their organizations, 42 percent of respondents said the audit committee, 33 percent said the board, and 20 percent said the risk committee. Of those respondents indicating that their audit committee was responsible for overseeing enterprise risk management, 32 percent expect to spend more time on ERM oversight compared to last year, possibly as a means of managing the growing number of emerging risks. The list of external factors impacting organizations’ risk profiles continues to expand and includes risks related to the geopolitical arena; the regulatory environment; supply chain; climate change; and diversity, equity, and inclusion; among others.

Cyber security and data privacy security

53 percent and 48 percent of respondents said that the audit committee is responsible for overseeing cybersecurity and data privacy security, respectively. 69 percent of those with cyber security oversight responsibility anticipate spending more time on it in the coming year compared with the past year, and 62 percent see cyber security as one of the top risks to focus on in the coming year. The majority (60 percent) of audit committees are including cyber security on their agendas quarterly. 35 percent of respondents stated their audit committee has cyber security expertise, with 41 percent acknowledging a need for additional expertise is this area.

Obtain the report.