Home > Risk > What do audit committees think about risk and audit?

What do audit committees think about risk and audit?

I am encouraged by the latest KPMG report, their 2017 Global Audit Committee Pulse Survey.

I am encouraged because KPMG appears to be asking the right questions and getting intelligent answers.

Here are some interesting excerpts, with emphasis added:

  • …nearly 4 in 10 said the [audit] committee’s effectiveness would be most improved by having a “better understanding of the business and key risks”
  • The effectiveness of risk management programs generally, as well as legal/regulatory compliance, cyber security risk, and the company’s controls around risks, topped the list of issues that survey participants view as posing the greatest challenges to their companies. It’s hardly surprising that risk is top of mind for audit committees— and very likely, the full board—given the volatility, uncertainty, and rapid pace of change in the business and risk environment. More than 40 percent of audit committee members think their risk management program and processes “require substantial work,” and a similar percentage say that it is increasingly difficult to oversee those major risks.
  • Internal audit can maximize its value to the organization by focusing on key areas of risk and the adequacy of the company’s risk management processes generally. The survey results show that audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks (e.g., cyber security and technology risks) and related controls—and not just compliance and financial reporting risks. They also want the audit plan to be flexible and adjust to changing business and risk conditions.
  • Tone at the top, culture, and short-termism are major challenges—and may need more attention. A significant number of audit committee members—roughly one in four—ranked tone at the top and culture as a top challenge, and nearly one in five cited short-term pressures and aligning the company’s short- and long-term priorities as a top challenge. Meanwhile, nearly the same percentage of audit committee members said they are not satisfied that their committee agenda is properly focused on those issues.

Whether you are on a board, an executive, a risk or internal audit practitioner, each of these areas merits attention.

Does this survey reflect the situation at your organization? If so, what is being done about it?

I welcome your views.

  1. Glenn Daly
    June 29, 2017 at 2:42 PM

    Audit Committee would probably have similar views. But there is a huge difference beteeen AC members saying this in a survey and then acting on it. What AC is going to devote more resources to key risk areas at the expense of financial controls/fraud areas? (ie the very areas an AC’s reputation is typically dependent upon). I personally see nothing new in KPMG’s survey other than repeating the normal stuff (albeit we now have the obvious mentioning of cyber risk – hardly surprising).

  2. Tavonga
    June 30, 2017 at 12:04 AM

    @Glenn – Spot on.

  3. June 30, 2017 at 8:33 PM

    Norman, from what I just read I believe the answers are indeed intelligent and I share the same sentiment. If the Audit Committees of companies are action oriented then we should see major improvements in the areas identified. The Auditor can use his/her consultative role to educate Audit Committees who are not privy to this knowledge. I love the fact that bullet one is top on the list as it is the key to the effectiveness of any Audit Committee. I believe more and more Audit Committees are making an effort to understand the business and the key risk areas. Companies should invest in sending their Audit Committees on seminars relating to Governance, Risk and Compliance (GRC), as a means of equipping them to become more effective to the organisation.

  4. Bishwajit
    July 1, 2017 at 11:49 PM

    Tone at the top, culture, and short-termism all three are facts of life for Internal Audit practitioners. CEOs need to work on these but hardly have time or energy for it. Most of the time Internal audit is considered as one more compliance item to have to satisfy the regulators / shareholders and expectations are that it will do some random audits and will have minimum head count. don’t see much change in this attitude over last two decades working in different geographies. Audit Committees in some cases are not interested and in some not strong enough to stand up to CEOs.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: