The majority of corporate audit committee members surveyed are increasingly concerned about information technology risk—and a larger majority worry over how a “lack of innovation” could negatively affect their company’s growth—according to a study by the Audit Committee Institute of KPMG LLP.
The survey revealed that the speed and impact of IT developments—from the influence of the cloud to social media and mobile technologies—are causing directors to probe more deeply into “defensive” IT risks, including data privacy and security, cyber risk, and regulatory compliance.
Importantly, directors are also sharpening their focus on an underlying strategic IT risk: The failure to understand IT as a critical business driver and to leverage technology as part of the company’s strategy and business model.
The survey polled 240 audit committee members serving boards of at least one U.S. public company.
More than half (58%) of corporate audit committee members say they need to devote more time to the oversight of IT risk and emerging technologies, while 70% pointed to “lack of innovation” as a potential threat to their businesses, according to the annual “2011 Public Company Audit Committee Member Survey,” conducted by the ACI with the National Association of Corporate Directors.
“Boards and audit committees are sharpening their focus on their companies’ increasing vulnerabilities in IT and technology,” says Jim Liddy, KPMG’s U.S. vice chair-Audit. “This data is valuable because it confirms what KPMG is hearing directly from clients who are confronting the risks brought on by rapid technology change and its implications for strategy, cyber security, and compliance.
“Directors also recognize that linking risk and strategy continues to be a challenge for their companies,” Liddy says, noting that corporate strategy was ranked third-highest among the issues where audit committees say they want to devote more time over the next year.
The study also found that audit committee members are not happy with the quality of the information they receive regarding IT risk—fewer than half (41%) expressed satisfaction. Survey respondents also indicated that they want to hear more frequently from the chief information officer, midlevel management, and the chief risk officer.
In addition, only 34% of respondents indicated they were satisfied that they hear dissenting views about the company’s risk environment and related controls.
“The quality of information regarding IT risk was ranked lowest of all categories,” says Mary Pat McCarthy, vice chair and executive director of KPMG’s Audit Committee Institute. “This reflects the ongoing challenge, and the critical importance, of effective communications with the CIO—in plain-English and business context.”
Among the study’s other findings:
• 42% said they were not fully satisfied that the company has identified growth-related risks and implemented controls to monitor them.
• 42% said their company’s risk management program still “requires substantial work.”
• Of the types of systemic risks posing the “greatest threat” to their companies, most were concerned about economic and financial risk (87%), followed by “cyber risk” (assault on global IT infrastructure) at 41%, “geopolitical risk” at 39%, and supply chain risk at 32%.
• 8% said they were satisfied that the company is “ready to respond” in the event that a crisis “goes viral” through social media networks (and 23% were “not sure”).
• 22% reported that the company’s crisis-readiness and response plans were “robust and ready to go.”
• 62% of respondents said their board or audit committee had not received briefings on the company’s plans for employing the cloud.
• 77% said their audit committees or boards had not yet discussed the company’s policy concerning use of social media to reach customers and investors.
• 92% of respondents said they were satisfied with the level of open and frank information flow between the chief financial officer or finance organization and the audit committee.
• 95% said their audit committee was effective in its oversight of the accuracy and integrity of the company’s financial reporting.
• 96% reported satisfaction with the quality of information the audit committee receives about disclosures.
• 90% reported satisfaction with the support that the audit committees received from the external audit firm’s resources, technical specialists, and national office.