In its 2015 Global Audit Committee Survey, KPMG found that audit committee members around the world had four key concerns: “economic and political uncertainty and volatility, regulation and the impact of public policy initiatives, operational risk, and cybersecurity.” Another growing concern, though, was agenda overload. According to a statement from the Executive Director of KPMG’s Audit Committee Institute in a KPMG press release, the “resounding message is that the audit committee can’t do it all…. Overseeing financial reporting and audit is a major undertaking in itself, and the risk environment is clearly straining many audit committee agendas today.”
Approximately 1500 audit committee members responded to the KPMG survey, of whom 62% were on committees at public companies. Of those responding, 24% said that the time required to fulfill their responsibilities has increased significantly and 51% saw a moderate increase; 40% (33% in the U.S.) thought it was “increasingly difficult” for the audit committee to have the time and expertise to oversee — in addition to its regular oversight responsibilities — the major risks on its agenda, and 8% (4% in the U.S.) were convinced that they did not have the time and expertise. And while some may quibble about the extent of the burden of the time commitment — 43% of audit committee members globally (27% in the U.S.) reported that they devoted 50 or fewer hours annually to carrying out their audit committee responsibilities, while 21% spent 100 hours (27% in the U.S.) and 10% said that they spent more than 300 hours (5% in the U.S.) – there is no question that, for many audit committee members, expertise regarding financial reporting does not translate comfortably into expertise regarding cybersecurity or technology risks, areas of oversight responsibility that are often now within the purview of audit committees. In response to a question regarding the prevalence of in-depth expertise on their audit committees, only 27% of respondents indicated that there was expertise regarding technology; beyond the requisite financial expertise, the highest level of expertise was in risk/risk management, which topped out at 61%, meaning that 39% of respondents believed that no one on their committees had risk management expertise.
Not surprisingly, with regard to oversight of financial reporting, audit committee members rated their committees either highly effective or generally effective (with the breakdown being 54% highly effective, 44% generally effective, globally, while, in the U.S., the percentages were 75% highly effective, 24% generally effective). They also gave themselves high marks for challenging management and applying skepticism, assessing outside auditors and other aspects of financial oversight. Members indicated that their effectiveness would be most increased by, among other things, improving their understanding of business strategy and risks (43% globally and 31% in the U.S.), greater diversity of perspectives (38% globally and 29% in the U.S.), more “white space” on the agenda for open dialogue (34% globally and 48% in the U.S.) and additional technology expertise (33% globally and 52% in the U.S.).
With regard to opportunities for improvement in communications from the finance organization, 90% of members would like to be briefed in more depth about financial risk management, followed by accounting, capital allocation and tax. KPMG observed that it was important to recognize when asymmetric risk – over-reliance on management’s perspective – was high and, as an antidote, seek out independent sources of information and views, including dissenting views from members of middle management, sell-side analysts and others – even social media – to identify and understand risks. Members would most like to see improvement from their outside auditors in providing industry-specific insights (62%), keeping the committee apprised of new developments (44%) and sharing views on the quality of financial management (43%).
Beyond strictly financial oversight, however, audit committees indicated that they hoped to spend more time on operational risks and risk management, as well as cybersecurity and technological change. Interestingly, when asked to identify the risks that pose the greatest challenges to their companies, only 16% indicated cybersecurity (although that number was 30% in the U.S.). Nevertheless, 40% wanted to devote more agenda time to cybersecurity in 2015, and 15% wanted to spend significantly more time on that topic. While members also indicated general satisfaction with the information they receive, the quality of committee interactions with the CIO ranked low among its communications with professionals/company functions, and concerns remained with respect to information delivery regarding cybersecurity, technology change, talent management, growth and innovation and challenges to the business model. These agenda challenges and information deficiencies may reflect the sense of some members that they are overextended.
To address issues of overload, many boards have allocated responsibility for some aspects of risk oversight either to the full board or to other committees, especially in areas that are not directly related to financial oversight, such as technology, cybersecurity, talent, business model disruption and operational/supply chain risks. For example, the survey indicates that, over the past several years, 13% of those responding have added risk committees to their boards. While, historically, risk committees have been associated primarily with banks and bank-like companies, perhaps this survey indicates that more consideration should now be given to establishing committees dedicated to oversight of operational and similar risks, such as risks related to cybersecurity and technology changes.