New survey puts risk management atop the list of audit committee concerns
Audit committees, which are responsible for overseeing the risk-management apparatus at many companies, generally say they aren't satisfied with how those systems are functioning. According to a new survey by KPMG's Audit Committee Institute, the effectiveness of the risk management program topped the list of issues that survey participants view as "posing the greatest challenges to their companies."
With 41 percent of respondents putting it in the top three, it beat out such heartburn-inducing topics as legal and regulatory compliance, which ranked second with 34 percent including it in their top 3 and managing cybersecurity risk, which ranked third at 28 percent.
The reason risk management is such a worry for audit committees can be found in the answers to another question in the survey on the status of such programs: they say building out a strong risk management capability is very much a work in progress at many companies. Indeed, 42 percent said a risk management system was implemented, "but needs substantial work." Another 15 percent of audit committee respondents said the risk management system was in the planning and development stages, and 4 percent said that there was "no active formal effort to implement a risk management system." (Well, good luck with the whole "we don't need no stinkin' risk management program" approach.)
According to the survey, audit committees may also be fretting over risk management programs because they think that don't do a good job of including risks that arise from business partners, suppliers, and other third parties. "We are clearly seeing an increased focus by boards on key operational risks across the extended global organization—for example, supply chain and outsourcing risks, information technology, and data security risks," the report's authors state. "And, at a higher level, boards are paying more attention to the capital 'R' risks that may pose the greatest risk to the company."
Where Internal Audit Comes In
Audit committees are also looking for internal audit to help improve the risk management program. When asked what steps internal auditors can take to maximize its value to the origination—apart from focusing on financial reporting and compliance risks—the top answer (56 percent) was to expand the audit plan to key areas of risk, such as cybersecurity and key operational and technology risk and related controls. It's hard to imagine an internal audit department that hasn't already responded to that clear message.
Other steps internal audit can take to maximize value, according to audit committee respondents, was to maintain flexibility in the audit plan to adjust for changing business conditions (53 percent) and expand the audit plan to include the effectiveness of the company's risk management processes generally (49 percent). Again, internal auditors are unlikely to find these to be new directives.
Audit committees want to "Challenge internal audit to take the lead in coordinating with other governance, risk, and compliance functions within the organization to limit duplication and, more importantly, to prevent gaps and help maximize collaboration between internal and external auditors," the report states.
Some of the other findings of the survey include:
• Tone at the top, culture, and short-termism are major challenges—and may need more attention.
• CFO succession planning and bench strength in finance organization continue to be weak spots.
• Two key financial reporting issues may need a more prominent place on audit committee agendas: Implementation of new accounting standards and non-GAAP financial measures.
• Audit committee effectiveness hinges on understanding the business.
For the report, KPMG surveyed 800 audit committee members in 42 countries. "While audit committees continue to express confidence in financial reporting and audit quality, the results highlight ongoing concerns about risk management, legal and regulatory compliance, cyber security risk, and managing the control environment in the company's extended organization," the report states.