As part of its report, What Audit Committees Should Prioritize in 2023, the EY Center for Board Matters identified areas that audit committee members will have to focus on over the next 11-plus months, including risk management, financial reporting, and tax and policy developments. We spoke with Patrick Niemann, EY Americas audit committee forum leader, to dive into three more areas that audit committees will want to monitor: ESG, the economy and cybersecurity.
Directors & Boards: What are the major areas of concern for board audit committees as we progress further into 2023?
Patrick Niemann: The audit committee's role continues to grow more demanding and complex as developments in risk management, financial reporting, tax and the regulatory landscape evolve. While board audit committees adjust to the dynamic business environment of 2023, three key areas will pose the most road bumps: ESG, economic volatility and cybersecurity.
With risk, however, comes opportunity. Audit committees play an important role in building resiliency and confirming how companies are preparing to respond to and manage ESG, economic and cyber risks in the year ahead.
DB: What are the ESG issues of greatest concern for audit committees?
PN: In anticipation of the SEC's forthcoming climate disclosure rules this year, which include potential changes to regulations governing disclosures about climate-related and other ESG matters, such as board diversity and human capital, audit committees should work with management to understand and upgrade their company's audit trail to support future ESG reporting.
This year, board audit committees need to evaluate the implications arising from SEC rulemaking related to ESG matters, including climate and cybersecurity risk and how the board oversees these risks. From here, the committee can determine whether the company has robust and adequate disclosure controls and procedures over the company's existing climate and cyber-related disclosures to prepare for final rules by the SEC.
Today, a wide gap exists between business leaders and investors as it relates to sustainability. A recent EY of cyber-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies found that companies continue to increase disclosures in certain categories of cybersecurity risk and oversight. However, in some areas, the gaps in information are nearly universal. For instance, only 9% of Fortune 100 companies disclosed performing response-readiness simulations, a practice that is proven to enhance enterprise resilience.
The SEC's proposed rules on cybersecurity will have a significant impact on future disclosures and require boards to up their cybersecurity strategies. Accordingly, audit committees should closely monitor this area and encourage management to proactively strengthen its disclosures. In the new year, audit committees must establish cybersecurity as a key consideration for boards and embed security philosophies from the start in all new technology, products and business practices.