Home / Financial Services/ KPMG hosts 18th Audit Committee Forum

KPMG hosts 18th Audit Committee Forum

Comments / {{hitsCtrl.values.hits}} Views / Friday, 8 February 2019 00:00



A seasoned audit committee chair once remarked that every new appointee to the board should do time on the audit committee, as it provides such a comprehensive and all-encompassing view of the business and the challenges and risks faced by the  company. 

KPMG, Head of Audit 

Suren Rajakarier

As organisations have entered the digital era, IT governance gains importance. ‘Is IT governance an area which the audit committee should oversee? Or does this go beyond the purview of the audit committee?’ This was the focus of the 18th Audit Committee Forum hosted by KPMG recently. The panel discussion was conceptualised and moderated by Suren Rajakarier, Head of Audit, KPMG in Sri Lanka. 

In most governance structures the board of directors is responsible for the strategic direction and decisions regarding IT and the audit committee is only responsible for the oversight of certain strategic and operational aspects of IT affecting financial reporting. 

However, Rajakarier commenced proceedings by challenging this status quo by presenting an alternate view where globally many audit committees have oversight responsibilities for a range of other risks that have become increasingly complex and challenging in the current business environment – from operational and compliance risks posed by globalisation to cybersecurity and other risks related to emerging technologies. 

The panellists at the forum included Nations Trust Bank Chief Operating Officer and Senior Executive Vice President Thilak Piyadigama, KPMG Partner and Head of Banking Services Ranjani Joseph and John Keells Group Executive Vice President Suran Wijesinghe. The Forum members were chair persons of audit committees and members of audit committees.


Tone at the top 

IT governance is the structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way. Therefore, Joseph commented on the importance of tone at the top and an IT governance framework, to ensure IT services do not function in a parallel universe, but wraps all activities of the organisation to deliver results. 

Her view was that traditional operational risk factors have changed with the proliferation of technology and most companies have become technology dependent. Therefore, audit committees specifically need to understand key risks arising from technology and oversee measures of mitigation.

One suggestion that came up and was discussed at length was the importance of audit committees using the CROs and internal auditors to maintain an ongoing dialogue with the audit committee on IT related risk such as cybersecurity, digitalisation, etc. Ranjani also articulated the need for preparing a risk register and a matrix where risks may be graded based on severity and likelihood of occurrence for continued monitoring by the audit committee. 


IT as a business enabler

Piyadigama was of the opinion that IT is a business enabler. He discussed how processes may be used to ensure new projects to deliver solutions that meet business needs and also to be delivered on time and within budget. His contention was that Chief Information Officers must be evaluate if the quality of IT systems and resources are appropriate for business needs. Some corporates use a CISO (Chief Information Security Officer) in such a process.

Wijesinghe’s comments covered the aspect of ‘How should audit committees approach IT risks to put in place safeguards against such risks?’ He said in relation to developing the scope of IT projects, the audit committee should clearly demarcate to management what is acceptable risk and what is not. Management should develop the scope of IT projects within this framework, to keep risks within the set boundary.

It was observed that in the future, the audit committee and integrated risk management committee may be merged as there are significant overlaps in responsibility and communication between the two is integral to avoid key operational risks being overlooked by both due to a slip in the terms of reference!  

Key points and takeaways

Rajakarier concluded the Forum by summarising the robust discussions and highlighting key learnings for the forum:

The frontline should be aptly trained to identify severity of risk and rank it according to the organisation risk appetite. This should be a continuous training and development requirement which should be monitored and improved with changes in the world. No person should be considered too junior to evaluate or identify risks. The first line of defence for any organisation is the operational staff and attention to developing a culture of risk management is equally important to the board and the audit committee.

Larger and complex corporates should consider recruiting a CIO and/or CISO and use a recognised IT governance framework to document and monitor activities, for example CoBIT, ISO standards, etc. As disruptive technologies move firmly into the mainstream, they will drive business transformation over the next three years. 

One in three global top tech industry leaders predict blockchain will likely disrupt their company. Blockchain results in greater operational efficiency, increased trust between institutions, and reduction in labour-intensive data gathering, processing time and costs.  This is only one such disruption and it is critical to assess the impact of emerging technologies on business and society, continuously. Transparency about how emerging technologies being implemented is important to the non IT personnel, audit committees and boards.

The 18th Audit Committee Forum was hosted at KPMG. The forum which operates under the aegis of the Sri Lanka Institute of Directors has been supported and enabled since inception by KPMG, in line with its globally recognised Audit Committee Institute initiative. Rajakarier facilitates these sessions using appropriate KPMG thought leadership during the sessions and moderates the discussions. 

Share This Article

Facebook Twitter


1. All comments will be moderated by the Daily FT Web Editor.

2. Comments that are abusive, obscene, incendiary, defamatory or irrelevant will not be published.

3. We may remove hyperlinks within comments.

4. Kindly use a genuine email ID and provide your name.

5. Spamming the comments section under different user names may result in being blacklisted.


Today's Columnists

Religion is a problem in Sri Lanka; can it be a solution?

Saturday, 17 August 2019

Generally, it is expected that religion should be a solution to a problem. Ironically in Sri Lanka religion is the problem. Therefore, what would be the solution? When religion becomes a problem of a country....

Orthodoxy and change: A perennial Muslim issue

Saturday, 17 August 2019

Whether Muslims live as minorities in non-Muslim countries or as majorities in a total of fifty seven countries, the clash of orthodoxy with modern challenges is a perennial issue that bedevils progress on several fronts in these communities.

Making the MCC Compact work for Sri Lanka

Friday, 16 August 2019

It is a sign of these political times that even an apolitical issue like a foreign aid program becomes a hot topic in Sri Lanka. In April 2019, the Board of Directors of the Millennium Challenge Corporation (MCC) approved a compact program for Sri La

Sri Lanka needs a president hungry for success, not power

Friday, 16 August 2019

The late John F. Kennedy described politics as a “noble adventure, an adventure in which one joins hands with the masses for the service of man”. Not that the Kennedys didn’t play “politricks” in their heyday. But playing “politricks” w

Columnists More

Special Report