Focusing on the financial reporting and related control risks is both a top priority and major undertaking for today’s audit committees. However, many audit committees now have substantial oversight responsibilities for a range of risks beyond this core role.
Challenges run the gamut from global economic volatility and the wars in Ukraine and the Middle East to cybersecurity risks and ransomware attacks, in addition to preparations for climate and sustainability reporting requirements.
These are compounded by uncertainty in the UK regulatory landscape—not least the extent to which internal control frameworks need to be strengthened, evidenced and assured in response to the recent revisions to the UK Corporate Governance Code.
A committee under stress
With such heavy agendas and oversight responsibilities, there is a danger that audit committees can become overburdened. There are several courses of action audit committees can take to mediate this risk. They could do more—which means longer and/or more frequent meetings.
Similarly, they could do things better—which means creating efficiencies. These might include: streamlining committee meetings by insisting on quality pre-meeting materials (and expecting pre-read materials to have been read); making use of consent agendas; and reaching a level of comfort with management and auditors, so that some financial reporting and compliance activities can be ‘process routine’, freeing up time for more substantive issues facing the business.
Audit committees can also question whether sufficient time is being spent with management and the auditors outside of the boardroom—to get a fuller picture of the issues. But all this will only get the committee so far.
An alternative approach is to work with the board to revisit the oversight structures—which might mean pushing some oversight back to the full board or introducing additional committees to take on specific issues. Of course, this might not be practical for small boards as you just end up with the same people, with the same skill sets, doing all the work.
Considering whether a technology, risk, sustainability or other committee would ease the audit committee’s workload (and improve board effectiveness) can be a healthy part of a company’s risk oversight discussion.
Additional committees are on the rise across the FTSE 350, nevertheless, there can be significant challenges where oversight of an issue sits across different committees. For example, climate change-related risk might naturally reside with an ESG committee, but it will also touch the audit committee (systems and data), the compensation committee (management incentives) and even the nomination committee (skills and experience required of the senior executive team).
Overlap is to be expected, but this puts a premium on information sharing, communication and coordination between the audit committee and the other parts of a company’s governance structure.
Skills and experience
Ensuring the audit committee has the right composition and skill sets in the light of its expanding role is also a challenge. In making this assessment, there are three areas for audit committees to probe:
1. Does the committee include members who have the experience and skill sets necessary to oversee areas of risk (beyond the committee’s core responsibility) which the audit committee has been assigned—such as cyber and data security, supply chain issues and geopolitical risk, ESG risks and disclosures, or climate?
2. Is the committee relying only on one or two members to do the ‘heavy lifting’ in the oversight of financial reporting and controls?
3. As the audit committee’s workload expands to include the oversight of non-financial reporting and associated controls—including climate, environmental and social issues—does the committee have the necessary financial reporting and internal control expertise to effectively carry out these tasks as well as its core oversight responsibilities?
Dialogue with investors
Building trust requires an open and transparent dialogue between audit committees and investors. Investors often operate under the assumption that audit and assurance processes are conducted with precision and in compliance with rigorous standards.
While they may not require a regular dialogue on audit matters, they are generally interested in maintaining an open line of communication with audit committee chairs and are prepared to engage when necessary. Similarly, many audit committee chairs recognise the importance of investor engagement.
To further strengthen this connection, companies should ensure it is understood that the audit committee chair is open and willing to engage with investors, and not be offended if investors don’t engage regularly. Also, audit committee chairs should attend results presentations and make it known they are present and available to answer questions from investors. Equally, they might join CFO roadshows to provide additional insights and perspectives.
And, finally, they should clearly communicate their governance and oversight structures and the role played by the audit committee—particularly in respect of the corporate reporting, compliance, risk and control processes brought to the fore by today’s geopolitical instability and unprecedented levels of disruption.
Timothy Copnell is chair of KPMG’s UK Audit Committee Institute