Public companies are required to have audit committees to perform annual audits of their financial reporting and disclose certain financial information. This requirement was established by the Securities and Exchange Commission (SEC) in 2002 after the passage of the Sarbanes-Oxley Act (SOX), which formally defines the roles of the audit committee as overseeing financial reporting accuracy, hiring independent external auditors to examine financial statements, and reviewing the company’s internal accounting controls. Having accurate and honest financial reporting that abides by the standards set forth by the U.S. Generally Accepted Accounting Principles (U.S. GAAP) is important for conveying company performance to internal investors and external shareholders. In the past two decades, the roles of the audit committee have expanded significantly to encompass greater risk management responsibility due to the emergence of new technological forms of risk (i.e. cyber risks, cloud safety, etc.).
Challenges Facing Audit Committees
With the ever-changing landscape of technology, there has been a growing range of risks that the audit committee must oversee. Risk management is an imperative part of the audit committee’s job that has grown increasingly complex due to new components, such as cyber risk, Environmental, Social and Governance (ESG), and corporate culture. This rapidly evolving agenda has led many firms to begin considering forming new committees to divide and conquer the responsibilities.
Of these roles, cybersecurity has been a hotly contested subject. Cybersecurity is a relatively new area of risk management that forms an important component of strengthening a company’s technological profile, efficiency, and data systems. While this area has traditionally been under the jurisdiction of audit committees, many firms have formed their own dedicated “cyber risk” committees to oversee it. In today’s digital landscape, with many companies migrating their data and communication channels to cloud-based solutions, cyber risk has become one of the greatest risks enterprises face, and audit committees keep an up-to-date eye on it either by focusing their resources on developing sound cybersecurity frameworks or by assigning the role to a new committee.
Audit committees also face the challenge of providing unbiased analysis of financial reports, independent of their affiliations with or knowledge of the company. The SEC requires that audit committees be composed of independent directors in order to objectively oversee a company’s accounting practices. Just as an independent board is important for overseeing the company’s welfare and balancing all parties’ interests, maintaining an independent audit committee is especially important because it concerns providing an honest, accurate, and legally compliant accounting process and directly deals with profit misreporting or manipulation.
For this reason, SOX requires public companies to hire external auditors as an added layer of assurance. Independent auditors are certified public accountants hired to provide an objective, third-party assessment of a company’s financial reports and audit process. If they determine that a company complies with GAAP, they will issue the company a standard audit report. Otherwise, they will order management to revise its statements and recommend changes to optimize the company’s system of internal controls.
How to Improve Audit Committees
- Maintain and Refresh Committee Expertise. Since the roles of the audit committee are constantly expanding and evolving, companies must keep a vigilant eye on their audit committee’s governance and composition to ensure that it consistently includes members covering all required areas of expertise. They must regularly reevaluate the company’s needs to identify new risks and the areas of expertise to recruit for.
- Strengthen Cybersecurity within the Committee. Audit committees handle the company’s most sensitive information and are therefore among the most attractive targets for data breaches. Educating audit committee members on basic data protection practices and establishing ground rules for communications, such as never using personal email or text messages, will reduce the risk of information leaks and hacks.
- Understand Regulations. Members of the audit committee should all be familiar with SOX. In 2003, the SEC adopted a new standard that mandates national securities exchanges to disallow listings from companies that do not meet the audit committee requirements of SOX. Since the audit committee’s key roles are all regulated by SOX, boards should understand these requirements inside and out to ensure that their performance is in compliance.