Accounting firm EisnerAmper has released its fifth annual survey of directors, Concerns About Risks Confronting Boards. The results indicate that, while directors are worried about reputational risks, cybersecurity, and regulation, most respondents believe that their boards are performing well on risk management. In addition, a strong majority believe that internal audit is “helpful” or “very helpful” in risk identification.
The web-based EisnerAmper survey included the opinions of directors serving on the boards of more than 250 publicly-traded, private, not-for-profit, and private equity-owned companies across a variety of industries. The largest groups of respondents served on public company boards (38 percent) and were from organizations with over $1 billion in revenue (24 percent).
Excluding financial risk, respondents cited reputational risk (72 percent), cybersecurity/IT risk (62 percent), regulatory compliance risk (50 percent), CEO succession planning (47 percent), and crisis management (31 percent) as the top five areas of risk management that were important to their board.
These rankings were the same when responses were broken out to focus only on public company directors, except that risk due to fraud (39 percent) rose to fifth place, and crisis management fell to eighth.
As to who was addressing risk and how well they were doing so, the following percentages of directors indicated that particular groups were performing “very well” or “well enough” with respect to risk:
Regular board and committee meetings – 90 percent
Risk management insurance providers – 69 percent
External auditors – 70 percent
Accounting department – 89 percent
Legal and compliance group – 89 percent
IT department – 76 percent
Respondents were also asked how helpful internal audit had been in identifying risks. Looking only at public company directors, 74 percent viewed internal audit as either “helpful” or “very helpful” in risk identification, while the remaining 26 percent regarded internal audit as either “not helpful” or only “slightly helpful.” Private company and not-for-profit directors gave internal audit somewhat lower grades.
Update │ August 2014
Perceptions of internal audit’s risk-spotting skills increased with company size. For companies with revenues in excess of $1 billion, only 14 percent of respondents thought that internal audit was either “not helpful” or “slightly helpful;” half of directors at these companies regarded internal audit as “helpful,” while an additional 36 percent said it was “very helpful” in risk identification. As a corollary, 38 percent of public company board members surveyed indicated that there were currently no proposed changes in the internal audit function at their organization; 44 percent stated that the board was proposing internal audit “staff enhancements.”
Comment: While the EisnerAmper and the TRA surveys are not directly comparable, the findings could suggest that in some organizations internal audit and the board may have different views of the scope of internal audit’s responsibilities and of whether it is adequately assisting the board in identifying risk or whether it needs to expand its remit. Audit committee chairs should consider discussing these issues directly with the head of internal audit and making sure that they share the same understanding of how internal audit can best assist the committee.