Audit committees face increasingly complex risks in modern business, according to the latest KPMG survey. Arlene Harris speaks to Niall Savage about the four main risks and how committees can mitigate them
KPMG recently published the results of its Global Audit Committee (AC) Institute survey, which collates the views of 768 AC members and chairs, of which 31 were operating in Ireland.
Niall Savage, Partner and Head of Audit Markets at KPMG, says the survey results indicate that, while it may seem at odds with its traditional role, the AC and its members continue to have a “bellwether role for the business as they scan the risk horizon”.
Consequently, ongoing geopolitical issues, cyber threats, the rise of artificial intelligence (AI) and considerations around environmental, social, and governance (ESG) will remain top of the AC agenda in the coming months.
“The traditional and essential role of an AC is overseeing the numbers, controls and, as its title suggests, the audit process – both internal and external,” he says. “So its priority is more in the monitoring than the advising. This work is critical for ensuring financial transparency, confidence and compliance but does not encompass the broader aspects of business.
“However, given the typical composition of the AC, the external non-executives with wide-ranging experience, the effective AC Chairperson draws upon the insights of their members to identify and advise on risk areas and strategies to address them.
“The findings suggest that the things driving the agenda of the AC are big-picture risks that underpin their organisations’ strategies. And four key themes – geopolitical, cyber, AI and ESG – were identified as foremost in the minds of AC members.”
Indeed, these four themes don’t come without challenges, but there are ways in which ACs can navigate them in their role, supporting the board and management.
The effects of risk on the market
“Volatility by its nature creates uncertainty in the market, making it difficult for businesses and their stakeholders to make strategic operational and investment decisions,” says Savage. “For example, consumer sentiment in uncertain times can fall rapidly, with non-essential purchases frequently deferred, impacting large parts of the consumer market and leisure industries.
“Geopolitical volatility can also undermine investor confidence, cutting off access to finance and creating barriers for businesses through restricted access to markets, currency fluctuations and shifts in trade policies. There is also a heightened risk of supply chain disruption.”
In the last 12 months, ACs have been faced with:
post-lockdown uncertainty, which is driving cashflow forecasts (and risks) of how to meet consumer demands;
geopolitical conflicts, such as the Russian invasion of Ukraine, necessitating a rapid response to secure the safety of people and assess the impact on the business in addition to instability in Latin America and the Middle East;
rapid and often unexpected inflation across energy, wheat and other commodities, which created unforeseen risks of business failure if these could not be passed on easily;
increased interest rate rises and global financial market fluctuations in response to inflation, which changed base case forecasts for investment decisions, funding, and potentially going concerns;
ongoing global trade tensions, including those between the US and China, with increasing tariffs, which had ripple effects on global supply chains; and
the fallout from COVID and Brexit, which continued to affect the global economy.
Geopolitical risks
“It is difficult to predict what the next 12 months have in store, but some key actions for AC members to manage these risks include engaging with management and stakeholders to understand their assessment of geopolitical risks and existing strategies to mitigate those risks, and asking management to provide timely updates on geopolitical developments and the organisation’s risk mitigation efforts,” said Savage.
“Also, understanding the geopolitical risks that can impact the organisation and monitoring global political developments, regional tensions, trade disputes, regulatory changes and other geopolitical factors that may have implications for the organisation.
“And staying informed about current events and diplomatic developments that can impact the organisation’s operations is also important, along with knowing if the organisation is especially exposed to certain regions or risks; if so, the AC should consider recruitment or training to ensure that they have the expertise to address any challenges they face.”
Savage also suggests assessing an organisation’s exposure to geopolitical risks, understanding management’s approach to contingency planning, and understanding the full list of regulatory compliance requirements and whether the organisation has processes in place to identify, monitor and adhere to applicable regulations.
ACs must also consider with management the need for scenario planning to model impact and respond to geopolitical events.
Cyber risks
Advances in modern technology have also brought about a growing number of cyber threats. In the past 12 months, many Irish businesses and organisations have reported data leaks and thefts as cybercriminals become more sophisticated and professional, both in gaining access to systems through ransomware and social engineering and in monetising that access.
As firms try to protect themselves, the list of targets and potential weaknesses continues to grow with the proliferation of the internet of things (IoT): connected devices that often lack the level of security applied to traditional IT and are, therefore, easier to compromise.
“For those engaged in public work, there is an additional political dimension and risk to cybercrime with nation state targeting for political gain, which has seen recent coverage of European Commission staff removing certain apps from their phones and restrictions on telco suppliers due to concerns over security,” says Savage.
“But there are some essential actions that ACs can take, which include understanding the cyber risk landscape, the type of threats it faces, potential vulnerabilities and the impact of a cyber incident.
“They can also evaluate the organisation’s cybersecurity governance and strategy while focusing on risk assessment, incident response, training and vendor competence. It is important to be informed – stay on top of cybersecurity initiatives and maintain open lines of communication to address any concerns or gaps identified.”
He would also encourage organisations to consider engaging external cybersecurity experts or conducting independent audits or penetration testing to assess the effectiveness of these controls; to ensure the AC is informed of cybersecurity incidents and evaluates the organisation’s response; to promote cybersecurity awareness through training and incident reporting; and to ensure that appropriate cybersecurity risk reporting mechanisms are in place.
AI risks
The advent of AI has brought a new set of risks to business.
“Although long discussed and the subject of many films (Terminator 2 springs to mind), the potential impact of AI really hit home late last year with the launch of ChatGPT, which was quickly followed with spectacular claims of cost savings, entire professions wiped out and of course the danger of ‘the rise of the machines’,” says Savage. “Clearly, there are significant risks and opportunities for businesses and ACs to deal with, many of which are ‘unknown unknowns’ to combat this and assess risk.”
In the face of this new business landscape, “ACs should understand the concerns and opportunities for people, customers, suppliers and regulators. They should try to understand how best to get the right level of knowledge, evaluate the existing risk management framework to assess whether additional controls are needed, consider policies around the implementation and use of AI and review critical AI implementation projects.”
ESG risks
The final issue Savage addresses is ESG, which he says has been an “alphabet soup of regulation” for the past few years – and KPMG research indicates compliance with standards is only one of the ESG risks occupying the minds of AC members.
“There is a broader menu of risks to consider, which impact reputation, performance and financial success,” he says. “Failure to address these can lead to reputational damage and financial implications. So, AC members should consider the potential reputational risks associated with the company’s ESG performance and how they are managed. Climate change risks can impact the value of assets, and non-compliance can result in fines or penalties.”
To address these risks, it is important for ACs to understand and work closely with all stakeholders including management and internal auditors. Areas of focus should:
ensure the AC has the necessary expertise to effectively assess ESG risks – this may involve recruiting or training existing committee members;
engage with investors, regulatory bodies and industry associations to understand their expectations and perspectives on ESG;
develop a list and understanding of ESG risks relevant to the company across climate change, labour, data and inclusion and diversity;
review how data is currently captured and analysed and how reporting is verified;
look at the existing risk management practices and policies and assess the key controls and how the risks are currently monitored and reported;
benchmark these to peer groups and industry standards to ascertain whether they align with recognised frameworks; and
seek regular updates on ESG initiatives and consider external assurance on related reporting.
“There are more insights to the survey, and it is interesting to benchmark different priorities across the regions, priorities around finance team talent, the need for in-person time with management and a focusing agenda to maximise effectiveness,” says Savage.
“However, by elaborating on and identifying some common-sense actions on the four critical themes – geopolitical, cyber, AI and ESG – we have supported AC members for the next, hopefully, less volatile, 12 months.”