Audit committees recognize IT risks should be a focus

Dan Meyer at Tick Marks has brought my attention to a KPMG survey that reports audit committees are becoming more concerned about IT risks on financial reporting.

90% believed that IT oversight deserved more time at audit committee meetings. By constrast, 80% of committee members were satisfied with audit committee oversight of management judgments and estimates and 60% felt that committees were spending suffi­cient time on these issues.

Good to see audit committees are looking into this area with greater scrutiny. IT is often an area where firms of all sizes could benefit from increased focus and constantly thinking of ways to improve their controls and processes.

But what about the 20% that is satisfied with audit committee oversight of management judgments and estimates, but do not believe suffi­cient time is being spent on the issue? How can you feel an area needs more time and yet be satisfied with the oversight? This is why looking at surveys is fun.

The ACI survey findings demon­strate a huge gap between the impor­tance that audit committees place on IT risk and how much time they spend focused on it during their already busy meetings,” Smith said. “Since audit committees generally have only basic IT experience, there may be a reluc­tance to invite chief infor­mation officers and chief technology officers to their meetings, in part, because there is a lack of common vocabulary.”

Audit committees need to have at least one member who has a high level of knowledge in IT as it relates to financial reporting. There is no excuse for lacking someone with a good grasp on the IT risks the organi­zation faces. And CIOs and CTOs aren’t enough — CFOs need to have a more than basic under­standing, and even lower down in the accounting department.

I’m really pleased that the CICA has been so proactive towards training CAs on this topic. IT is one of the six topics covered in the profes­sional exam process. (The others are audit/assurance, perfor­mance measurement, tax, finance, and organi­za­tional effec­tiveness, control and risk management.) Clearly there is some overlap between the last compe­tency and IT.

An in-depth discussion of the six CA compe­tencies is published by the Institute and available here (pdf).

2 thoughts on “Audit committees recognize IT risks should be a focus”

  1. The IT stuff isn’t that hard to grasp. Then again, I know that stuff rather well, so it’s hard for me to imagine what a newbie would think.

    But you hope to heck your board members aren’t complete dunces.

    Yeah, I can be an optimist sometimes.

  2. Yeah it’s tough to put yourself in their shoes if they really have no clue, but it’s so important in even really small organi­za­tions now…

Comments are closed.