This report, published by KPMG, suggests that audit committee members overwhelmingly (91 percent) view their audit committees as being more effective in their oversight roles than prior to the enactment of Sarbanes-Oxley. However, much of this reported increase in effectiveness is in the traditional areas of audit committee oversight responsibility for financial reporting matters, including review of management’s accounting judgments and estimates, internal controls, and section 404 compliance. In other areas of responsibility, such as fraud risk, risk management, and information technology (IT) risk, many audit committee members feel their committees are only somewhat effective or need improvement.

While the top four priorities for audit committees for 2008 remained the same, the order of these priorities shifted from 2007. Oversight of risk management moved from the third-highest priority in 2007 to the top priority in 2008, and IT risk and data security moved from fourth in 2007 to third in 2008. For 2008 the second priority area is greater oversight of accounting judgments and estimates, particularly in light of the stronger push by standard setters for fair value accounting. The fourth priority is internal controls and section 404 compliance, although most respondents (70 percent) believe the audit committee is very effective in its oversight of internal controls. Also, when listing the top four concerns or challenges requiring particular attention in 2008, risk was the predominant concern, with the list including recession-related risks, risk intelligence, increased risk of earnings management, and the tone at the top, culture, and incentives underlying the risk environment.

Priority Areas of Oversight Related to Risk

Not only did risk management and IT risk rank as the number one and number three oversight priorities respectively for audit committees in 2008, but respondents also identified these as the two oversight areas most in need of additional agenda time in their audit committee meetings. Risk management was the top oversight priority identified by audit committee members for 2008. The authors suggest this is likely due to factors including the fallout from the subprime crisis and the ensuing increased scrutiny of risk management oversight, as well as increasing awareness of the potential impact of significant business risks on financial reporting and compliance.

Seventeen percent of respondents indicated that the audit committee has primary responsibility for the oversight of the significant nonfinancial reporting risks facing the company. Yet only 28 percent of respondents were very satisfied that the audit committee understands management’s processes to identify and assess the significant business risks facing the company, and only 21 percent were very satisfied with the information and reports provided by management regarding the status of its risk management efforts. Furthermore, where there is a standing committee charged with primary oversight of the company’s significant business risks, only 41 percent of respondents were very confident that those committees are sensitive to the financial reporting implications of those risks. Many audit committee members also cited a lack of clear delineation of risk oversight responsibilities. Finally, 43 percent of audit committee members believe that the board and audit committee need to improve their consideration of risks that may be driven by the entity’s compensation incentives.

IT risk was the third-highest oversight priority identified by audit committee members for 2008. IT risk is also identified as the issue audit committees are least effective in overseeing, and the authors comment that this may be due to a lack of a strong background in or understanding of IT systems and processes, a need for increased focus on the information rather than the technology portion of IT, and a lack of clarity as to where oversight responsibility lies. Approximately one-quarter of audit committee member respondents indicated that the board and audit committee are not effective in overseeing the company’s IT governance processes, that they are unclear as to which areas of IT risk their audit committee has primary responsibility for, and that they are not satisfied with the reports they receive from management regarding the company’s IT risks.

Other Audit Committee Oversight Processes Addressed

The report also addresses the views of participating audit committee members on many other subjects outside the scope of risk management, including:

  • Audit committee meetings and agendas
  • Communication and coordination among the board, audit committee, and other standing committees
  • Views on the skills, resources, and focus of companies’ CFOs, financial management teams, and internal auditors
  • Audit committee education, self-evaluation, and evaluation of individual audit committee members

ERM Enterprise Risk Management Initiative 2008-09-30