KPMG’s Audit Committee Institute recently released its 2014 Global Audit Committee Survey. Key findings include:
- The top five risks that audit committee members identified as posing the greatest challenges to their companies are government regulation/impact of public policy initiatives (48%); uncertainty and volatility (economic, political/social instability)(47%); operational/risk control environment (39%); legal/regulatory compliance (33%); and talent management and development (26%).
- The responsibilities of audit committees have expanded beyond financial reporting to include risk identification and management, particularly in such areas as cyber and IT risk and global compliance. While half of audit committee members are satisfied that the committee has the time and expertise to address the major risks on its agenda (in addition to financial reporting and internal control), 43% said that overseeing these other risks was “increasingly difficult” and 7% thought that the committee did not have the necessary time and expertise. About one in five of the respondents said that their board had created a new committee to focus on risk or on a specific type of risk (e.g., compliance or technology); 36% said that their board would consider such changes “in the near future.”
- As the audit committee’s responsibilities expand into additional risk areas, there is a strong consensus that the internal audit staff’s responsibilities should expand as well. Over 80% of respondents thought that internal audit’s role should extend beyond financial reporting and controls to include other risks facing the company. The top area in which respondents thought that internal audit should spend more time in the coming year was risk management processes (65%). Half of the audit committee members surveyed were satisfied that internal audit had the skills and resources to be effective in the role envisioned for it; 42% were somewhat satisfied; and 8% were not satisfied that the internal audit staff could do the job they envisioned.
- Respondents were asked to rate the quality of the information they received on various types of risk. The three areas with the highest percentage of “needs improvement” responses were cyber security, including data privacy and protection of intellectual property (32%); pace of technology change (e.g., emerging technologies, mobile, social media) (27%); and global systemic risk (pandemic, social unrest, political instability) (24%).
KPMG surveyed approximately 1,500 audit committee members in 34 countries between September and November 2013. All respondents served on the audit committee, or equivalent supervisory board, of at least one company. Sixty-six percent of the respondents were on a public company board; 51 percent serve as audit committee chair.
Comment: As noted in prior Updates, the SEC and the PCAOB have indicated that they expect audit committees to devote more time and attention to various aspects of financial reporting and auditor oversight, such as assessing audit quality, overseeing the ICFR audit, and understanding the engagement quality review process. In this context, boards may want to consider assigning responsibility for at least some aspects of risk – such as cyber security – to another committee in order to make sure that the audit committee has adequate time to perform its core mission. The KPMG survey also underscores the importance of matching the responsibilities and resources of the internal audit function to the responsibilities of the audit committee