KPMG hosts 18th Audit Committee Forum

A seasoned audit committee chair once remarked that every new appointee to the board should do time on the audit committee, as it provides such a comprehensive and all-encompassing view of the business and the challenges and risks faced by the  company. 

KPMG, Head of Audit  Suren Rajakarier

As organisations have entered the digital era, IT governance gains importance. ‘Is IT governance an area which the audit committee should oversee? Or does this go beyond the purview of the audit committee?’ This was the focus of the 18th Audit Committee Forum hosted by KPMG recently. The panel discussion was conceptualised and moderated by Suren Rajakarier, Head of Audit, KPMG in Sri Lanka. 

In most governance structures the board of directors is responsible for the strategic direction and decisions regarding IT and the audit committee is only responsible for the oversight of certain strategic and operational aspects of IT affecting financial reporting. 

However, Rajakarier commenced proceedings by challenging this status quo by presenting an alternate view where globally many audit committees have oversight responsibilities for a range of other risks that have become increasingly complex and challenging in the current business environment – from operational and compliance risks posed by globalisation to cybersecurity and other risks related to emerging technologies. 

The panellists at the forum included Nations Trust Bank Chief Operating Officer and Senior Executive Vice President Thilak Piyadigama, KPMG Partner and Head of Banking Services Ranjani Joseph and John Keells Group Executive Vice President Suran Wijesinghe. The Forum members were chair persons of audit committees and members of audit committees.

 

Tone at the top 

IT governance is the structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way. Therefore, Joseph commented on the importance of tone at the top and an IT governance framework, to ensure IT services do not function in a parallel universe, but wraps all activities of the organisation to deliver results. 

Her view was that traditional operational risk factors have changed with the proliferation of technology and most companies have become technology dependent. Therefore, audit committees specifically need to understand key risks arising from technology and oversee measures of mitigation.

One suggestion that came up and was discussed at length was the importance of audit committees using the CROs and internal auditors to maintain an ongoing dialogue with the audit committee on IT related risk such as cybersecurity, digitalisation, etc. Ranjani also articulated the need for preparing a risk register and a matrix where risks may be graded based on severity and likelihood of occurrence for continued monitoring by the audit committee. 

 

IT as a business enabler

Piyadigama was of the opinion that IT is a business enabler. He discussed how processes may be used to ensure new projects to deliver solutions that meet business needs and also to be delivered on time and within budget. His contention was that Chief Information Officers must be evaluate if the quality of IT systems and resources are appropriate for business needs. Some corporates use a CISO (Chief Information Security Officer) in such a process.

Wijesinghe’s comments covered the aspect of ‘How should audit committees approach IT risks to put in place safeguards against such risks?’ He said in relation to developing the scope of IT projects, the audit committee should clearly demarcate to management what is acceptable risk and what is not. Management should develop the scope of IT projects within this framework, to keep risks within the set boundary.

It was observed that in the future, the audit committee and integrated risk management committee may be merged as there are significant overlaps in responsibility and communication between the two is integral to avoid key operational risks being overlooked by both due to a slip in the terms of reference!  

Key points and takeaways

Rajakarier concluded the Forum by summarising the robust discussions and highlighting key learnings for the forum:

The frontline should be aptly trained to identify severity of risk and rank it according to the organisation risk appetite. This should be a continuous training and development requirement which should be monitored and improved with changes in the world. No person should be considered too junior to evaluate or identify risks. The first line of defence for any organisation is the operational staff and attention to developing a culture of risk management is equally important to the board and the audit committee.

Larger and complex corporates should consider recruiting a CIO and/or CISO and use a recognised IT governance framework to document and monitor activities, for example CoBIT, ISO standards, etc. As disruptive technologies move firmly into the mainstream, they will drive business transformation over the next three years. 

One in three global top tech industry leaders predict blockchain will likely disrupt their company. Blockchain results in greater operational efficiency, increased trust between institutions, and reduction in labour-intensive data gathering, processing time and costs.  This is only one such disruption and it is critical to assess the impact of emerging technologies on business and society, continuously. Transparency about how emerging technologies being implemented is important to the non IT personnel, audit committees and boards.

The 18th Audit Committee Forum was hosted at KPMG. The forum which operates under the aegis of the Sri Lanka Institute of Directors has been supported and enabled since inception by KPMG, in line with its globally recognised Audit Committee Institute initiative. Rajakarier facilitates these sessions using appropriate KPMG thought leadership during the sessions and moderates the discussions.