Audit committees recognize IT risks should be a focus
Dan Meyer at Tick Marks has brought my attention to a KPMG survey that reports audit committees are becoming more concerned about IT risks on financial reporting.
90% believed that IT oversight deserved more time at audit committee meetings. By constrast, 80% of committee members were satisfied with audit committee oversight of management judgments and estimates and 60% felt that committees were spending sufficient time on these issues.
Good to see audit committees are looking into this area with greater scrutiny. IT is often an area where firms of all sizes could benefit from increased focus and constantly thinking of ways to improve their controls and processes.
But what about the 20% that is satisfied with audit committee oversight of management judgments and estimates, but do not believe sufficient time is being spent on the issue? How can you feel an area needs more time and yet be satisfied with the oversight? This is why looking at surveys is fun.
“The ACI survey findings demonstrate a huge gap between the importance that audit committees place on IT risk and how much time they spend focused on it during their already busy meetings,” Smith said. “Since audit committees generally have only basic IT experience, there may be a reluctance to invite chief information officers and chief technology officers to their meetings, in part, because there is a lack of common vocabulary.”
Audit committees need to have at least one member who has a high level of knowledge in IT as it relates to financial reporting. There is no excuse for lacking someone with a good grasp on the IT risks the organization faces. And CIOs and CTOs aren’t enough — CFOs need to have a more than basic understanding, and even lower down in the accounting department.
I’m really pleased that the CICA has been so proactive towards training CAs on this topic. IT is one of the six topics covered in the professional exam process. (The others are audit/assurance, performance measurement, tax, finance, and organizational effectiveness, control and risk management.) Clearly there is some overlap between the last competency and IT.
An in-depth discussion of the six CA competencies is published by the Institute and available here (pdf).