The Center for Audit Quality (CAQ) and Ideagen Audit Analytics (IAA) have released Audit Committee Transparency Barometer 2024 (Barometer 2024), the CAQ’s eleventh annual analysis of audit committee disclosures of companies in the S&P Composite 1500. Barometer 2024 reports that the “most dramatic increase in audit committee disclosures in 2024 is in cybersecurity and ESG - board expertise and oversight.” However, many traditional audit-related disclosures have plateaued, and CAQ and IAA believe there is considerable room for improvement. (EY: Cybersecurity Disclosure Continues to Grow Along with Cyber Risks in this Update provides additional information on the increase in cybersecurity-related disclosure.)
Barometer 2024 tracks audit committee disclosures on thirteen topics, two of which include subtopics, and breaks down S&P 1500 disclosures between the S&P 500, the S&P MidCap 400, and the S&P SmallCap 600. For a discussion of last year's report, see CAQ Reports on Ten Years of Increasing Audit Committee Transparency, November-December 2023 Update. Highlights of Barometer 2024 are summarized below.
Directors Skills Matrix
Barometer 2024 added a new topic: whether the board of directors discloses a skills matrix. Eighty-five percent of the S&P 500 made such a disclosure, as did 75 percent of S&P MidCap companies and 62 percent of S&P SmallCaps. Barometer 2024 states that “[d]isclosing a board skills matrix is a best practice. Whether you are small, mid or large-cap, if you do not have a skills matrix disclosed, here is an opportunity to enhance your disclosure, consistent with your peers.”
Frequent Disclosures
Aside from the skills matrix, the three most frequently disclosed topics have not changed since 2022. These top three disclosures are:
Disclosure related to a discussion of how non-audit services may impact independence. In 2024, 85 percent of the S&P 500, 80 percent of S&P MidCaps, and 74 percent of S&P SmallCap companies made this disclosure. In 2023, the frequency of this disclosure was almost the same (S&P 500: 85 percent; S&P Midcaps: 82 percent, S&P SmallCaps:75 percent).
Disclosure of the length of time the auditor has been engaged. Seventy-three percent of the S&P 500, 61 percent of the MidCap 400, and 57 percent of the SmallCap 600 disclosed auditor tenure. Last year, 73 percent of the S&P 500, 60 percent of the MidCap 400, and 55 percent of the SmallCap 600 disclosed tenure.
Disclosure that the audit committee is responsible for cybersecurity risk oversight. Sixty-four percent of the S&P 500, 53 percent of the S&P MidCap 400, and 50 percent of the SmallCap 600 disclosed that the audit committee had cybersecurity risk oversight responsibility. In 2023, 59 percent of the S&P 500, 50 percent of the S&P MidCap 400, and 40 percent of the SmallCap 600 made this disclosure. Audit committee cybersecurity responsibility disclosure has risen sharply in the past eight years. In 2016 only 11 percent of the S&P 500 (and 5 percent of Mid-Caps and 4 percent of SmallCaps) discussed audit committee oversight of cybersecurity risk.
Oversight of the External Auditor – Opportunities for More Robust Disclosure
Barometer 2024 characterizes its findings regarding auditor oversight disclosure as indicating that, despite “long-term improvement in disclosure rates” over the past 11 years, a plateau seems to have been hit. The report observes that “we continue to hear that investors want more, providing an opportunity for audit committees to enhance disclosures on key matters to effectively tell the audit committee’s story to investors.”
Barometer 2024 discusses three specific areas in which the authors see opportunities for audit committees to provide more thorough disclosure regarding their oversight of the external auditor.
Discussion of audit committee considerations in appointing or reappointing the external auditor. Fifty percent of the S&P 500 included a discussion of the audit committee’s considerations in appointing or reappointing the external auditor. This was up slightly from 2023 when 49 percent disclosed these considerations. For the S&P MidCaps, this disclosure fell slightly to 35 percent from 36 percent, while for SmallCaps it rose from 26 percent to 29 percent. Barometer 2024 states: “These disclosures demonstrate the audit committee’s commitment to selecting and retaining a qualified external auditor, which is critical to promoting audit quality. Providing information regarding the factors considered, including pros and cons, and the unique considerations arising during the year, provides useful information and demonstrates the extent of the audit committee’s engagement.”
Discussion about how the audit committee considers length of tenure. As noted above, audit firm tenure is a frequent disclosure. However, few audit committees discuss how tenure factors into reappointment decisions. In 2024, 13 percent of the S&P 500, 5 percent of S&P MidCaps, and 4 percent of S&P SmallCaps made this type of disclosure. These disclosure percentages are not significantly different than in 2023, although, before 2022, no companies of any size disclosed how tenure affected reappointment.
Discussion of audit fees and their connection to audit quality. A third area in which disclosure is rare, but, in the view of the CAQ and IAA, should increase is how the audit committee evaluates the relationship between audit fees and audit quality. “Clear disclosures about how the audit committee evaluates audit fees in relation to audit quality highlight the audit committee’s commitment to promoting audit quality. This is also an opportunity for the audit committee to discuss how it drives efficiencies in the audit and is focused on not only the cost of the audit, but also the quality.” Currently, only 6 percent of the S&P 500 make disclosures related to the audit committee’s view of the connection between fees and quality. For smaller companies, the frequency of such disclosure is even lower.
Other Cybersecurity and ESG Disclosures
Barometer 2024 notes that the role of the audit committee has expanded to include oversight of topics like cybersecurity and ESG reporting. This in turn should lead to an expansion in audit committee disclosure: “As cybersecurity, ESG, and other emerging topics are multi-faceted and evolving, how the board assigns oversight of these risks among its committees is helpful information for investors.” The best disclosures include “the roles and responsibilities assigned to the audit committee, an explanation of why the audit committee is suited to oversee those topics, and discussion of why audit committee members are appropriate for the specific company.”
As discussed earlier, audit committee responsibility for cybersecurity risk oversight is one of the most common disclosures. Other topics related to new responsibilities that have grown in disclosure frequency over the last several years are whether the board includes a cybersecurity expert, whether the audit committee is responsible for ESG oversight, and whether the board includes an ESG or sustainability expert.
Board cybersecurity expertise. In 2024, 60 percent of the S&P 500 disclosed that the board had cyber expertise, as did 41 percent of Midcaps and 37 percent of SmallCaps. This reflects a significant increase in just the past year. In 2023 51 percent of the S&P 500 disclosed having a cybersecurity expert on the board, as did 36 percent of the MidCap 400 and 28 percent of the SmallCap 600. In 2016, only 7 percent of the S&P 500, 4 percent of Mid-Caps, and 3 percent of SmallCaps disclosed having such an expert.
Audit committee responsibility for ESG oversight. Disclosure that the audit committee is responsible for ESG oversight has also increased, although at a slower pace than cybersecurity responsibility disclosure. In 2024, 34 percent of the S&P 500, 20 percent of the S&P MidCap 400, and 15 percent of the S&P SmallCap 600 reported that the audit committee had ESG oversight. In 2023, the comparable figures were 29 percent (S&P 500), 17 percent (MidCap 400), and 12 percent (Small Cap 600).
Board ESG/sustainability expertise. Disclosure that the board has an ESG or sustainability expert is also increasing. Fifty-nine percent of the S&P 500 disclosed such expertise in 2024, compared to 54 percent in 2023. At Midcap companies, this disclosure rose from 41 percent in 2023 to 50 percent in 2024; at SmallCaps, the increase was from 29 percent to 39 percent.
Disclosure Examples and Audit Committee Questions
An appendix to Barometer 2024 presents examples of effective disclosures from specific audit committee reports for each of the 13 disclosure topics tracked in the annual analysis. Another appendix contains a detailed pro forma description of an audit committee and its responsibilities, along with a model audit committee report. A final appendix, “Questions to Consider When Preparing Audit Committee Disclosures,” lists questions to aid in drafting disclosure concerning the work of the audit committee. These questions are arranged under the 13 disclosure topics tracked in the Barometer 2024 report.
Audit Committee Takeaways
Barometer 2024 concludes with this point:
“It is crucial for audit committees to tell their stories to clearly articulate the work that they do to protect investors through their oversight of the external auditor and emerging risks. Robust disclosures provide important information to investors about how the audit committee promotes audit quality and fulfills its responsibilities. While we know that significant progress has been made, we strongly encourage audit committees to seize this opportunity to enhance their disclosures by considering where further transparency can be provided regarding not just what the audit committee does, but how it does it.”
Audit committees can use Barometer 2024 to benchmark their company’s disclosures. Committees should also consider expanding their audit committee reports, particularly in the areas that Barometer 2024 flags for improvement. The disclosure examples and questions in the appendices are a useful source of ideas for committees that want to enhance their disclosures, although each committee should of course tailor its disclosure to its circumstances. Barometer 2024 states, “It’s up to the audit committee to tell their unique story each year to provide transparency to investors as to how the audit committee is fulfilling its oversight responsibilities and promoting audit quality.”
Comments