Research by KPMG's Audit Committee Institute covering more than 1,300 audit committee members in 25 countries around the world has found that nearly a third (30%) are not satisfied that their committee spends sufficient time looking at IT risk issues, with a further 59% only "somewhat" satisfied.
Two-thirds of audit committee members say that they have primary oversight responsibility for issues relating toIT compliance and controls, half of them say they take responsibility for oversight of business continuity issues and 45% for information security and privacy - but more than one in five (21%) say they have primary oversight responsibility for none of these.
Tim Copnell, director of KPMG's Audit Committee Institute in the UK, said: "The survey showed that 9 out of 10 audit committee members felt they had improvements to make in the oversight of IT risk issues. This is a worrying trend given that organisations are now so dependent on IT. If audit committees (or equivalent bodies) are not able to give sufficient attention to the oversight of IT risk, companies might be unwittingly exposed to risk. Some boards may consider the oversight of IT risk to fall outside the remit of the audit committee. If a separate committee or the board itself takes up the mantle, the board must be satisfied that they have access to sufficient skills to examine the issues appropriately."
The top priorities overall for audit committee members in 2007 remain the more traditional areas of risk management, internal controls and accounting judgements.