Given expectations for slow growth and economic and political uncertainty in the US and around the world, technology advances and business model disruption, cyber threats, continued regulatory scrutiny, and investor demands for transparency, it's hardly surprising that most audit committees point to risk management as the top challenge facing the company in the year ahead. More than 40 percent of the more than 800 audit committee members responding to our survey say their risk management systems require substantial work.
Our 2017 Global Audit Committee Pulse Survey shows that audit committees, by and large, continue to express confidence in financial reporting and audit quality; yet nearly 4 in 10 said the committee's effectiveness would be most improved by having a "better understanding of the business and key risks," while nearly a third said additional expertise related to technology or cyber security would be helpful.
Overall, audit committees are largely satisfied that their agendas are properly focused on legal and regulatory compliance issues, maintaining internal controls over financial reporting, and key assumptions underlying critical accounting estimates. However, they see room for improvement when it comes to focusing on CFO succession planning, talent and skills in the finance organization, tone at the top and culture, and aligning the company's short- and long‑term priorities.
Most audit committees say their organizations have a long way to go in their efforts to implement major new accounting standards. Fewer than 15 percent report a clear implementation plan for the new revenue recognition standard, and fewer than 10 percent reported a clear plan for implementation of the new leasing standard. And of those whose companies are affected by the Organisation for Economic Co-operation and Development's (OECD) country-by-country tax reporting, many expressed concern about the lack of clarity or communication with their committee on that issue. Survey respondents also cited ongoing opportunities to improve their company's ability to manage cyber risks.
Of course, these challenges will vary by company and by country (and it is difficult to compare data from 15 countries, often with markedly different business environments, regulatory requirements, and corporate governance practices). But our survey findings offer insights that audit committees around the world can use to sharpen the committee's focus, benchmark its responsibilities and practices, and strengthen its oversight.
Jose R. Rodriguez
Partner in Charge and Executive Director
KPMG's Audit Committee Institute
Risk management is a top concern for audit committees. The effectiveness of risk management programs generally, as well as legal/regulatory compliance, cyber security risk, and the company's controls around risks, topped the list of issues that survey participants view as posing the greatest challenges to their companies. It's hardly surprising that risk is top of mind for audit committees—and very likely, the full board—given the volatility, uncertainty, and rapid pace of change in the business and risk environment. More than 40 percent of audit committee members think their risk management program and processes "require substantial work," and a similar percentage say that it is increasingly difficult to oversee those major risks.
Internal audit can maximize its value to the organization by focusing on key areas of risk and the adequacy of the company's risk management processes generally. The survey results show that audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks (e.g., cyber security and technology risks) and related controls—and not just compliance and financial reporting risks. They also want the audit plan to be flexible and adjust to changing business and risk conditions.
Tone at the top, culture, and short-termism are major challenges—and may need more attention. A significant number of audit committee members—roughly one in four—ranked tone at the top and culture as a top challenge, and nearly one in five cited short-term pressures and aligning the company's short- and long-term priorities as a top challenge. Meanwhile, nearly the same percentage of audit committee members said they are not satisfied that their committee agenda is properly focused on those issues.
CFO succession planning and bench strength in the finance organization continue to be weak spots. Forty-four percent of audit committees are not satisfied that their agenda is properly focused on CFO succession planning, and another 46 percent are only somewhat satisfied. In addition, few are satisfied with the level of focus on talent and skills in the finance organization. Given the increasing demands on the finance organization and its leadership—financial reporting and controls, risk management, analyzing mergers and acquisitions (M&A) and other growth initiatives, shareholder engagement, and more—audit committees want to devote more time to the finance organization, including the talent pipeline, training, and resources, as well as succession planning for the CFO and other key finance executives.
Two key financial reporting issues may need a more prominent place on audit committee agendas: Implementation of new accounting standards and non-GAAP financial measures. Few audit committees say their companies have clear implementation plans for two major accounting changes on the horizon—the new revenue recognition and lease accounting standards. Given the scope and complexity of those implementation efforts and their impact on the business, systems, controls, and resource requirements, those efforts should be a key area of focus. In addition, audit committees ought to consider whether to increase attention to any non-GAAP financial measures, which are an area of significant attention and comment by regulators worldwide. Nearly a quarter of those surveyed say their role with respect to the presentation of those metrics is very limited.
Audit committee effectiveness hinges on understanding the business. Audit committee members say a better understanding of the business and the company's key risks would most improve their oversight effectiveness. They also view additional expertise in technology/cyber security as being key to greater effectiveness, since it would strengthen their ability to oversee those risks.
For more information, download the full report below.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.