December 1, 2023
Cybersecurity: Describing the Audit Committee’s Role
The “Audit Committee Transparency Barometer” released yesterday by the Center for Audit Quality and Audit Analytics says that 59% of S&P 500 companies are disclosing that the audit committee is responsible for oversight of cybersecurity risk – up from 54% last year. Here’s an excerpt describing how to communicate what that role involves and how the audit committee members are well-equipped to carry it out:
As the audit committee’s role continues to expand, it is increasingly important for boards to monitor the skill set and composition of committee members to ensure that audit committee members have appropriate expertise to exercise their oversight. Beyond disclosing the expertise of certain committee members, audit committees may also consider disclosing how all members of the committee stay abreast of emerging areas. In the 2022 Audit Committee: The Kitchen Sink of the Board report, researchers interviewed audit committee members and found that more than half of them consider their continuing education to be a critical part of their ability to manage evolving responsibilities, and they often strategically select continuing education that focuses on emerging risk areas, such as cybersecurity, ESG, and risk management. Telling this story to stakeholders demonstrates the audit committee’s commitment to the oversight role.
The same study also found that investors want to understand the roles and responsibilities assigned to the audit committee, why audit committee members are appropriate for the specific company, examples of continuing education for audit committee members, how audit committees address key risks, and details that reflect broader audit committee responsibilities.
As the SEC has recently adopted its Cybersecurity Disclosure rule and is continuing to work on its Climate Disclosure rule, we expect that these topics will continue to be relevant for audit committees, particularly as this information is included in SEC filings. Audit committees play an important role in the oversight of these areas given their expertise and experience in oversight of financial reporting and internal controls.
Even though a lot of companies are disclosing the audit committee’s role in some dimension of cyber risk oversight, the CAQ also notes that this broad responsibility is parceled out among existing committees at 85% of S&P 500 companies, according to the latest Spencer Stuart Board Index. Yesterday on CompensationStandards.com, Meredith highlighted why even the Compensation Committee can’t escape involvement.
– Liz Dunshee