Research by KPMG's Audit Committee Institute among over 1,300 audit committee members in 25 countries around the world has found that nearly a third (30 percent) are not satisfied that their committee spends sufficient time looking at IT risk issues, with a further 59 percent only "somewhat" satisfied.
Two thirds of audit committee members say that they have primary oversight responsibility for issues relating to IT compliance and controls, half of them say they take responsibility for oversight of business continuity issues, and 45 percent for information security/privacy – but over one in five (21 percent) say they have primary oversight responsibility for none of these.
Tim Copnell, director of KPMG's Audit Committee Institute in the UK, said: "The survey showed that 9 out of 10 audit committee members felt they had improvements to make in the oversight of IT risk issues. This is a worrying trend given that organizations are now so dependent on IT. If audit committees (or equivalent bodies) are not able to give sufficient attention to the oversight of IT risk, companies might be unwittingly exposed to risk. Some boards may consider the oversight of IT risk to fall outside the remit of the audit committee. If a separate committee or the board itself takes up the mantle, the board must be satisfied that they have access to sufficient skills to examine the issues appropriately."
The top priorities overall for audit committee members in 2007 remain the more traditional areas of risk management, internal controls and accounting judgements.
Overall, audit committee members are happy that their committee is effective: half of respondents rated their committee as very effective (rising to a high of 65 percent in the Americas), 40 percent rated it as somewhat effective, and 8 percent believed their committee needed improvement.
Members identified several specific areas where improvement could be needed. Nearly half of respondents (45 percent) said that the approach taken in establishing the audit committee agenda could be improved, while nearly seven in ten (69 percent) believed that the committee's self-evaluation process could be made more robust.
There were also signs of concern that some companies' internal audit functions were not as effective as they could be: over half (52 percent) of respondents said they were only somewhat satisfied that the company had an effective internal audit function, and 6 percent were not satisfied at all.
Audit committee members were generally very satisfied with the levels of support that they receive from other parties such as the CFO, the chief audit executive, and the external auditor. Satisfaction was lowest with the support received from in-house general counsel (55 percent of respondents very satisfied) and external legal counsel (40 percent).
KPMG's research found that the typical audit committee comprises three or four members who often have a CEO or CFO background and serve on one or two audit committees in total. They typically meet six times a year (five times face to face, and once by teleconference call), although this ranges from over seven times a year in the Americas to around four times a year in Africa. On average, audit committee members devote 100 hours a year or less to their duties. Again, there is some regional variation in this: in the Americas, 20 percent of audit committee member respondents said they devote between 100 and 150 hours, whereas in Asia 42 percent of members spend less than 50 hours a year on their duties.
KPMG's Copnell concluded: "The survey shows that audit committee practices are continuing to develop. Historical and cultural differences aside, audit committee members generally believe their committees are providing effective oversight over the financial reporting process. However, important questions arise as to how effectiveness is measured. Is an audit committee effective simply because it fulfils its terms of reference and complies with any relevant corporate governance codes? Or are audit committees measuring their performance against a higher benchmark? Going forward, some audit committees may need to address how they are adding value and what they could do better rather than having compliance as their primary goal."