Recently, KPMG released its 2017 Global Audit Committee Pulse Survey, which reports on audit committee activities based on survey responses from 800 audit committee members across 42 countries. Asking, "Is Everything Under Control?," the Survey identified many familiar issues and concerns for audit committee members.
Overall, surveyed respondents reported confidence in their company’s financial reporting and audit quality but expressed concerns regarding risk management, legal and regulatory compliance, managing cyber security risk, and managing the control environment. Many of these concerns are similar to concerns identified in past surveys. (See our previous post about the 2015 Global Audit Committee Survey.)
Based on the data collected, the Survey offered the following six takeaways:
- Risk management is a top concern for audit committees.
- Internal audit can maximize its value to the organization by focusing on key areas of risk and the adequacy of the company’s risk management processes generally.
- Tone at the top, culture, and short-termism are major challenges—and may need more attention.
- CFO succession planning and bench strength in the finance organization continue to be weak spots.
- Two key financial reporting issues may need a more prominent place on audit committee agendas: Implementation of new accounting standards and non-GAAP financial measures.
- Audit committee effectiveness hinges on understanding the business.
As noted in the Survey, "It's hardly surprising that risk is top of mind for audit committees—and very likely, the full board—given expectations for slow growth and economic uncertainty, technology advances and business model disruption, cyber threats, and greater regulatory scrutiny and investor demands for transparency." The top three challenges identified by surveyed respondents were (1) effectiveness of the risk management program, (2) legal/regulatory compliance, and (3) maintaining the control environment in the company’s extended organization. More than 40% of surveyed respondents believe their risk management program and processes "require substantial work," and a similar number believe "it is increasingly difficult to oversee those major risks." The Survey further stated that "[w]e are clearly seeing an increased focus by boards on key operational risks across the extended global organization," with boards being more sensitive to the matters of tone at the top and organizational culture.
Cyber security and technology-related risks drove many survey responses, with United States respondents identifying cyber security risk as the top risk to their company. In this regard, the Survey observed that "[d]iscussions are shifting from prevention to an emphasis on detection and containment and are increasingly focused on the company's 'adjacencies,' which can serve as entry points for hackers." United States respondents identified vulnerability from third parties/supply chains and keeping technology systems up to date as the two most significant gaps in their company's ability to manage cyber risks. To help manage evolving cyber-related risks, the Survey advised that boards should help guide their companies’ cyber mindset to an enterprise-wide level, rather than just viewing it as an IT risk.
Aside from operational risks, the Survey also benchmarked audit committee involvement in new accounting standards and company disclosures. According to the Survey, "[f]ew audit committees say their companies have clear implementation plans for two major accounting changes on the horizon—the new revenue recognition and lease accounting standards." This assessment aligns with comments made by SEC Chief Accountant Wesley Bricker at the 2016 American Institute of Certified Public Accountants Conference on SEC and PCAOB Developments. (See our prior post.) Relatedly, the Survey suggested that audit committees may also wish to consider devoting more attention to non-GAAP measures, with nearly one-quarter of surveyed respondents saying their committees have a limited role in their company's presentation of non-GAAP measures.
In light of the challenges facing audit committees, the Survey explored areas for audit committee improvement. "Overall, audit committees are largely satisfied that their agendas are properly focused on legal and regulatory compliance issues, maintaining internal controls over financial reporting, and key assumptions underlying critical accounting estimates." The top three areas for improvement to increase overall audit committee effectiveness, as identified by the surveyed respondents, include (1) a better understanding of the business and its risks, (2) additional expertise in technology/cyber security, and (3) a greater willingness and ability to challenge management. While specific challenges and priorities vary by country and by company, the Survey offers useful benchmarks for audit committees to reference when setting their agendas and evaluating their effectiveness.