IT Governance And The Audit Committee - KPMG


IT ADVISORY

IT Governance and the Audit Committee
Recognizing the Importance of Reliable and Timely Information

KPMG INTERNATIONAL

© 2007 KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.


IT Governance and the Audit Committee

IT governance is a set of business processes that impose management and control disciplines on IT activities to help ensure the integrity and protection of IT operations and the achievement of targeted business goals. These disciplines drive:

– Proper communications and planning to help keep IT goals aligned with those of the business
– Identification, definition, and prioritization of IT investments that create and sustain business value through regulatory compliance, risk mitigation, operational performance enhancements, processing reliability, cost effectiveness, and responsiveness to change
– Appropriate commitment to controls and reporting to address accountability, transparency, processing integrity, and data protection
– Identification and continuous involvement of the business stakeholders who work with IT to identify and agree on business objectives and hold IT accountable for their realization.

There have been a number of high-profile instances where the processes that govern the integrity of information technology operations (IT governance) were not effective enough to guard companies against serious financial loss. Companies have damaged their operations and negatively impacted revenue recognition, profit, and reputation by compromising the integrity or availability of their information as a result of problems with IT system implementations.

Many companies have inadvertently made private customer data available to unauthorized parties and, more troubling, were not aware of the extent of the problem until much later.

Unfortunately, these types of serious business incidents are not isolated in an economy powered by complex information systems. They occur when the processes that govern the integrity and protection of IT operations are not aligned with business objectives and goals. They show that controls and normal reporting are not always enough. The incidents also underscore that unexpected combinations of events, and a lack of discipline around the execution of controls, can create major business vulnerabilities.

How companies use and control information continues to increase in importance as they rely on technology for virtually every aspect of business operations. IT governance does much more than consider the security of information. As a vital element of overall corporate governance, it creates an environment in which information can be leveraged to deliver overall business value. It can be used to measure the effectiveness of information technology, the quality of IT management and staff, and the efficiency of decision-making structures and rules. The right IT governance enables new IT systems to be developed and operated with greater effect at lower risk.

IT governance plays an important role in the management of many general business risks:

– IT is one of the largest and least-understood costs.
– IT plays an important role in protecting the business from:
  – Errors caused by incorrect processing of information
  – Business interruption as a result of inadequate contingency capabilities
  – Compromise of processing integrity as a result of uncontrolled changes
  – Unauthorized access to information, such as breaches of privacy rights, compromise of processing integrity, and processing interference with malicious intent.

IT governance is critical to many aspects of the business that are important to audit committees, such as the integrity of the information that supports the financial statements. IT governance is also an important factor in managing the cost-effective and reliable delivery of business process enhancements. Audit committees can play an important role by influencing the priority businesses place on the steps necessary to implement and maintain adequate governance of their IT activities.

IT governance should therefore be an important consideration for the audit committee. Incidents such as exposing private data may have a direct bearing on the audit committee's responsibilities with respect to internal controls and risk management, because they can impact financial statements. For that reason alone, IT governance should merit the attention of the audit committee; but when you add other kinds of IT problems that can lead to business performance issues affecting profitability, consumer confidence, investor confidence, regulatory compliance, and even the long-term viability of the business, you find additional reasons why IT governance should be high on board agendas and, many times, audit committee agendas.

Governments in virtually every major economy have imposed some type of investor-protection legislation in response to these serious business issues. Such laws, rules, and regulations have placed great importance on overall corporate governance and the attendant role of IT governance. To be sure, IT governance is on the minds of many senior corporate officers, but how often is the issue discussed when audit committees meet?

To better understand how U.S. audit committee members actually address IT governance, KPMG's Audit Committee Institute and the National Association of Corporate Directors (NACD) conducted their Second Annual Audit Committee Member Survey, polling over 250 audit committee members around the country. Only 9 percent (see Chart A) reported being "Very satisfied" that audit committees devote sufficient agenda time to the oversight of IT risk.

Chart A: One in three companies are "Not satisfied" that the audit committee devotes sufficient agenda time to IT risk oversight. Fewer than one in ten are "Very satisfied" with the agenda time spent on IT risk oversight.
[Chart A: bar chart, percentage of respondents by response: Not satisfied (about one in three) / Somewhat satisfied / Very satisfied (9%). May not add up to 100% due to rounding.]
Source: 2006-2007 ACI/NACD Annual Audit Committee Member Survey

This lack of satisfaction is especially relevant after recognizing that IT governance has a direct correlation to virtually all of the top seven oversight priorities that audit committee members identified in our survey (see Chart B). Those priorities included internal controls, risk management, IT data security, and business strategy.

Contrasted against those priorities is the widely accepted notion that many senior members of business organizations do not have a working understanding of IT, let alone IT governance. And, while there is general recognition that IT is pervasive and important, many executives do not believe that IT delivers a clear return on investment (ROI).

Chart B: IT governance has not been an audit committee priority, but should it be? Companies rated the following areas of oversight among the highest priorities on the audit committee agenda for 2007. (Percentage of respondents; multiple responses allowed.)

Accounting judgments and estimates: 59%
Internal controls: 56%
Risk management: 47%
Information technology, data security: 31%
Legal/regulatory compliance: 28%
Internal auditor effectiveness: 22%
Business strategy: 19%
External auditor effectiveness: 16%
Taxes: 14%
Fraud risk: 11%
Other: 3%
Many of the audit committee priorities often involve issues of IT governance.
Source: 2006-2007 ACI/NACD Annual Audit Committee Member Survey

It is generally accepted that IT governance and its enhancement must come from the top of the organization. When audit committee members were polled to determine whether they are satisfied with their board's oversight of IT risks, the results show that there is plenty of room for improvement (see Chart C). Only 19 percent of respondents said they are "Very satisfied" with the board's oversight of IT compliance and control.

Chart C: Satisfaction with audit committee IT risk oversight is low. (Percentage of respondents: Needs improvement / Somewhat satisfied / Very satisfied. May not add up to 100% due to rounding.)

IT compliance and controls: 29% / 52% / 19%
Business continuity: 38% / 50% / 13%
Information security/privacy: 40% / 47% / 13%
Source: 2006-2007 ACI/NACD Annual Audit Committee Member Survey

In addition, based on its importance in controlling risk and driving demonstrable business value, IT governance should be viewed as:

– An integrated element of good corporate governance
– Part of the oversight responsibility of board members and executives
– Dependent on top-down commitment and management
– An essential factor in the alignment of IT with the priorities of the business
– An essential factor in managing controls, recognizing important issue correlations, and imposing the appropriate disciplines around performance and accountability.

Some of those who more effectively manage IT governance realize that focus on IT governance can mean the difference between a costly failure and a measurable success. They also realize that when an organization demonstrates a commitment to the integration of IT governance into its overall corporate governance, it sends a clear message to regulators, shareholders, stakeholders, bond-rating agencies, and the capital markets that it is serious about accountability, controls, and processing integrity.

Despite the importance of IT governance, the marketplace demonstrates that many IT organizations do not have a working accountability for the business value they create, have not created a design architecture that facilitates change, and may not be fully leveraging the opportunities afforded by recent compliance legislation and regulation.

Executives Agree that IT Governance Is Important, but Challenges Remain

Corporate information assets can account for more than 50 percent of capital spending*, yet there is a pervasive perception that many IT projects do not meet expectations.

* "Information Technology and the Board of Directors," Harvard Business Review, October 2005

Some IT project failures have been highly damaging, such as the case of a multinational foods company that spent more than USD100 million and 30 months on an enterprise resource planning (ERP) system that was plagued with problems from the start. When the company launched its ERP system it discovered shipments were slow and some orders were incomplete. As a result, customers were angry and quarterly profits fell by USD150 million, compared with the same quarter a year earlier. If this project had more formal governance procedures in place, it might have had better-defined business objectives, regular management of progress, control checkpoints, financial controls, and clear accountability for results, all of which may have helped identify issues earlier. The board and audit committee might have received specific, periodic messages about potential failure well in advance of this catastrophe.

Consider the findings of a recent KPMG-commissioned global survey on attitudes about IT. Nearly half (47 percent) of respondents said their organizations do not monitor and measure project results, making the analysis of ROI particularly difficult. The survey, which was conducted for KPMG by the research firm Ipsos Corp., also found that 34 percent of respondents do not prepare a business case for every IT investment opportunity. Of those organizations that reported completing business cases for IT investments, about one quarter (26 percent) do not monitor and manage the costs, schedule, scope, and performance of the projects to keep them consistent with the original business case assumptions.

It is no wonder, then, that a 2005 KPMG Project Management survey found that half of the respondents reported at least one IT project failure in their organization during a 12-month period. Eighty-six percent of organizations also reported losing up to 25 percent of target benefits across their entire project portfolio.

According to the 2005 Technology Issues for Financial Executives Survey, conducted by the Financial Executives Research Foundation (FERF), only about half (47 percent) of survey respondents appeared to be satisfied with the returns on their IT investments. FERF notes that companies with strategic IT plans that are fully aligned with their corporate strategy report higher returns from their IT investments than companies for which business alignment is a problem.

There are many explanations as to why projects do not meet expectations, but perhaps the most basic is that the IT people and the business people inside an organization often speak different languages. When IT executives speak to colleagues in operations they sometimes use technical jargon that puts off their audience, and they do not communicate frequently enough to stay aligned as business environments change. It is therefore important that when audit committee members discuss IT governance issues with the board they emphasize the importance of frequent communication and cross-training for business and technical executives.

The Ipsos Corp. research also shows that while organizations acknowledge the importance of IT governance, they lack the commitment to build it into their corporate governance efforts. Respondents were asked to describe what IT governance means to them, and were later asked whether their organization had implemented any of those measures. Although 73 percent of respondents said they believe the establishment of policies is an essential component of governance, only 56 percent actually have such processes in place in their organizations. This represents a gap of 17 percentage points between what is perceived as important and what is actually implemented. In addition, 65 percent of respondents said management of risk was an essential component of IT governance, yet only 53 percent said their organizations have actually implemented any IT governance practices aimed at managing risk.

What Audit Committees Can Do

Information and information technology are vital to virtually all companies today, and will be even more important in the future. Moreover, the risks to information and the technology driving it (from information quality and reliability, to privacy and security, to business continuity/disaster planning) can pose critical threats to the business. Yet many audit committees lack the time and expertise to oversee the management of these risks, as well as IT governance generally.

As a result, audit committees and boards may need to consider how best to align their oversight responsibilities for IT governance: what arrangement makes sense? The audit committee clearly has responsibility to oversee financial-reporting-related IT risks. The question is who (the audit committee, the full board, or another board committee) should have oversight responsibility for other categories of IT risk, as well as for IT strategy and investments. Audit committees can play an important role, and serve as a catalyst, in clarifying these oversight responsibilities.

Ultimately, through their oversight activities, audit committees and boards can help ensure that management has effective IT governance processes to manage IT risks, as well as IT strategy and investments.

kpmg.com

Contacts

Richard K. Anderson
Principal, IT Advisory
richardanderson@kpmg.com

Stephen G. Hasty Jr.
Partner, IT Advisory
sthastyjr@kpmg.com

Lawrence Raff
Partner, IT Advisory
lraff@kpmg.com

Caryn P. Bocchino
Senior Manager, Audit Committee Institute
cbocchino@kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. Visit KPMG on the World Wide Web at www.kpmg.com.

Printed in the U.S.A. Document code: GSC041
