not satisfied with oversight of IT risk

Nearly one-third of audit committee members surveyed in a recent
study said they are not satisfied their committee spends sufficient
time looking at IT risk issues. Another 59 percent were only

The study by KPMG’s UK Audit Committee Institute canvassed the
opinions of more than 1,300 audit committee members in 25 countries

Two-thirds of those consulted said they have primary oversight
responsibility for issues relating to IT compliance and controls.
One-half said they take responsibility for oversight of business
continuity issues and 45 percent for information security/privacy.
One in five said they have primary oversight responsibility for
none of these areas.

KPMG Audit Committee Institute director Tim Copnell said the
survey showed that nine out of ten audit committee members felt
they had improvements to make in the oversight of IT risk

“This is a worrying trend given that organisations are now so
dependent on IT,” Copnell warned. “If audit committees, or
equivalent bodies, are not able to give sufficient attention to the
oversight of IT risk, companies might be unwittingly exposed to
risk. Some boards may consider the oversight of IT risk to fall
outside the remit of the audit committee.

“If a separate committee or the board itself takes up the
mantle, the board must be satisfied that they have access to
sufficient skills to examine the issues appropriately.”

The top priorities overall for audit committee members in 2007
were the more traditional areas of risk management, internal
controls and accounting judgements.

Overall, audit committee members said their committees were
effective. One-half of respondents rated their committee as very
effective (rising to a high of 65 percent in the Americas), 40
percent rated it as somewhat effective, and 8 percent believed
their committee needed improvement.

In terms of specific areas for improvement, 45 percent said the
approach taken in establishing the audit committee agenda could be
improved, while 69 percent said the committee’s self-evaluation
process could be made more robust.

There were signs of concern that some companies’ internal audit
functions were not as effective as they could be. More than half
said they were only somewhat satisfied that the company had an
effective internal audit function and 6 percent were not satisfied

Audit committee members were generally very satisfied with the
levels of support that they receive from other parties such as the
CFO, the chief audit executive and the external auditor.
Satisfaction was lowest with the support received from in-house
general counsel and external legal counsel.

The research found that the typical audit committee comprises three
or four members who often have a CEO or CFO background and serve on
one or two audit committees in total. They typically meet six times
a year (five times face to face, and once by teleconference call),
although this ranges from more than seven times a year in the
Americas to around four times a year in Africa. On average, audit
committee members devote 100 hours a year or fewer to their