IT risks rising up audit committee agendas

Research by KPMG's Audit Committee Institute among over 1,300 audit committee members in 25 countries around the world has found that nearly a third (30 percent) are not satisfied that their committee spends sufficient time looking at IT risk issues, with a further 59 percent only "somewhat" satisfied.

Two thirds of audit committee members say that they have primary oversight responsibility for issues relating to IT compliance and controls, half of them say they take responsibility for oversight of business continuity issues, and 45 percent for information security/privacy – but over one in five (21 percent) say they have primary oversight responsibility for none of these.

Tim Copnell, director of KPMG's Audit Committee Institute in the UK, said: "The survey showed that 9 out of 10 audit committee members felt they had improvements to make in the oversight of IT risk issues. This is a worrying trend given that organizations are now so dependent on IT. If audit committees (or equivalent bodies) are not able to give sufficient attention to the oversight of IT risk, companies might be unwittingly exposed to risk. Some boards may consider the oversight of IT risk to fall outside the remit of the audit committee. If a separate committee or the board itself takes up the mantle, the board must be satisfied that they have access to sufficient skills to examine the issues appropriately."

The top priorities overall for audit committee members in 2007 remain the more traditional areas of risk management, internal controls and accounting judgements.

Overall, audit committee members are happy that their committee is effective: half of respondents rated their committee as very effective (rising to a high of 65 percent in the Americas), 40 percent rated it as somewhat effective, and 8 percent believed their committee needed improvement.

Members identified several specific areas where improvement could be needed. Nearly half of respondents (45 percent) said that the approach taken in establishing the audit committee agenda could be improved, while nearly seven in ten (69 percent) believed that the committee's self-evaluation process could be made more robust.

There were also signs of concern that some companies' internal audit functions were not as effective as they could be: over half (52 percent) of respondents said they were only somewhat satisfied that the company had an effective internal audit function, and 6 percent were not satisfied at all.

Audit committee members were generally very satisfied with the levels of support that they receive from other parties such as the CFO, the chief audit executive, and the external auditor. Satisfaction was lowest with the support received from in-house general counsel (55 percent of respondents very satisfied) and external legal counsel (40 percent).

KPMG's research found that the typical audit committee comprises three or four members who often have a CEO or CFO background and serve on one or two audit committees in total. They typically meet six times a year (five times face to face, and once by teleconference call), although this ranges from over seven times a year in the Americas to around four times a year in Africa. On average, audit committee members devote 100 hours a year or less to their duties. Again, there is some regional variation in this: in the Americas, 20 percent of audit committee member respondents said they devote between 100 and 150 hours, whereas in Asia 42 percent of members spend less than 50 hours a year on their duties.

KPMG's Copnell concluded: "The survey shows that audit committee practices are continuing to develop. Historical and cultural differences aside, audit committee members generally believe their committees are providing effective oversight over the financial reporting process. However, important questions arise as to how effectiveness is measured. Is an audit committee effective simply because it fulfils its terms of reference and complies with any relevant corporate governance codes? Or are audit committees measuring their performance against a higher benchmark? Going forward, some audit committees may need to address how they are adding value and what they could do better rather than having compliance as their primary goal."

You may like these other stories...

Individuals interested in reviewing the proposed 2015 US Generally Accepted Accounting Principles (GAAP) taxonomy from the Financial Accounting Standards Board (FASB) have until October 31 to submit their written comments....
Ernst & Young 2013 audit deficiency rate 49%, regulators sayMichael Rapoport of the Wall Street Journal reported on Thursday that the Public Company Accounting Oversight Board (PCAOB) found deficiencies in 28 of the...
PwC must face $1 billion lawsuit over MF Global adviceA federal judge on Wednesday ordered PricewaterhouseCoopers (PwC) to face a $1 billion lawsuit claiming that its bad accounting advice was a substantial cause of the...

Already a member? log in here.

Upcoming CPE Webinars

Sep 9
In this session we'll discuss the types of technologies and their uses in a small accounting firm office.
Sep 10
Transfer your knowledge and experience to prepare your team for the challenges and opportunities of an accounting career.
Sep 11
This webcast will include discussions of commonly-applicable Clarified Auditing Standards for audits of non-public, non-governmental entities.
Sep 24
In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards. A dashboard condenses large amounts of data into a compact space, yet enables the end user to easily drill down into details when warranted.