KPMG Finds that Audit Committees Are Feeling the Effects of Increased Complexity
KPMG has released the results of a global survey of audit committee members. Seventy-four percent of the U.S. respondents identified “Increased complexity of business and risk environment -- e.g., cybersecurity, AI, supply chains, workforce challenges” as the “macrotrend” that will have the greatest impact on the audit committee’s focus and agenda in the coming months. “Geopolitical and economic risks, including inflation and possible recession” (50 percent) and “Rigor of the control environment in light of business disruption and/or pressures from economic slowdown” (40 percent) placed second and third. As to the enterprise risks under the purview of multiple board committees that most concern U.S. audit committee members, 44 percent chose “Cybersecurity/data privacy/AI” and 29 percent identified “Human capital management.”
The KPMG Board Leadership Center and Audit Committee Institute conducted the survey, which included 768 responses from respondents in 19 countries, in February and March 2023. 2023 Audit committee survey insights reports the views of the 144 U.S. audit committee members and chairs that participated in the survey. Significant findings based on the responses of the U.S. survey cohort are summarized below. (Note that survey questions permitted respondents to provide multiple answers, so response percentages are greater than 100. Only the top five responses are included in this summary).
Risks as to which the audit committee has significant oversight responsibilities (in addition to financial reporting and related control risks): Management’s enterprise risk management processes (74 percent), Cybersecurity and IT (72 percent), Legal/regulatory compliance (67 percent), Data governance (e.g., privacy, protection, ethics, AI and algorithm bias) (53 percent), Supply chain and other operational activities and Geopolitical and economic (tied at 19 percent).
How audit committee is addressing workload concerns: Improving focus of meeting agendas, materials, and management presentations (45 percent), Not concerned -- agenda/workload is appropriate (42 percent), Reassessing the committee’s skills/expertise and composition (16 percent), Re-allocating risk oversight responsibilities among committees (15 percent), Reassessing the audit committee’s charter (12 percent).
Audit committee role with respect to ESG-related issues: Oversees ESG-related disclosures in regulatory filings (51 percent), Considers management’s disclosure committee activities related to ESG disclosures -- including controls and committee composition (46 percent), Oversees compliance with ESG-related legal and regulatory requirements (29 percent), Oversees management’s processes to determine which ESG issues are material to the business (26 percent), Oversees company’s voluntary ESG/sustainability reporting (quality and disclosure controls) (23 percent).
Elements of the risks posed by the company’s data/digital activities that are particularly concerning or challenging from the audit committee’s oversight perspective: Cybersecurity -- including ransomware and IP risk (78 percent), Vulnerabilities posed by third parties/vendors (56 percent), Data privacy—including national and international regulatory compliance (39 percent), Reputational risks (22 percent), Insider threats to network/systems (16 percent).
Top challenges facing the finance organization: Attracting and retaining talent (50 percent), Strategic thinking and leadership (40 percent), Preparing for new regulatory disclosures on climate, cybersecurity, HCM, and other ESG-related issues (37 percent), Managing digital disruption/transformation (33 percent), Other (6 percent).
Ways in which internal audit can increase its value to the audit committee: Greater focus on critical enterprise risks (55 percent), Evolving its data/technology-related skills and capabilities (47 percent), Helping to connect dots and seeing the big picture (46 percent), Gauging the culture/tone throughout the organization (31 percent), Ensuring CAE has stature/visibility at the board and C-suite level (19 percent).
Concerns about the audit committee’s composition and skills: No concerns (44 percent), Lack of expertise in cybersecurity, technology (29 percent), Overreliance on the chair or a single member who has deep background/experience to oversee complex financial reporting, disclosures, and control issues (24 percent), Lack of expertise in climate and other ESG issues (22 percent), Committee size—potential need to add members to spread the workload and/or expertise (17 percent).
Comment: The KPMG survey results provide insight into what issues are on the minds and agendas of U.S. audit committee members and how committees are addressing challenges in the current environment. As with similar surveys conducted by other organizations (see, e.g., Scope Creep is Affecting Audit Committee Composition and Focus, January 2023 Update), audit committees may want to use the KPMG survey results as a way of benchmarking their agendas and approaches against those of their peers.