KPMG’s research has revealed that audit and supervisory committee members consider that there should be an increase in the role of audit committees in the oversight of risk management, an understanding of the risk management and reporting processes and also improved communication with the company’s management.

Only a third of the respondents stated that they were satisfied that the audit committee understands management’s processes for risk identification and assessment, and only 32 percent are very satisfied with the information that management provides to the audit committee regarding the status of risk management efforts.

Although IT / data security has emerged as a fourth-highest priority for audit committees, one quarter of the survey respondents claim that audit committees are not effective in overseeing the IT governance process, and only 15 percent are satisfied with management reports concerning IT risks. 72 percent of the respondents say their audit committees are responsible only for financial reporting-related IT risks.

A significant majority (69%) declares itself satisfied with management’s capacity to supply audit committees with information related to the aspects they have “traditionally” supervised: critical accounting policies, accounting judgments and estimates, internal controls and compliance.
Roughly one third of the respondents consider that the audit committee and other board committees communicate appropriately, and in many cases there is an overlap of their responsibilities (such as risk management and executive compensation).

With respect to interaction with internal audit, nearly half the respondents say they are very satisfied that the company’s internal audit function adds value to the company, while less than half say they are very satisfied that the CEO, CFO and senior management have a clear, shared vision of the role of internal audit in the company.

Three quarters of the respondents say that internal audit’s responsibilities should extend beyond its primary mission – assessment of internal controls – to include helping the organization in achieving its strategic objectives in areas such as risk management and process improvement.

Romania has recently passed legislation which aligns it with international practices in risk management and corporate governance: Government Emergency Ordinance no. 90, which came into effect in July 2008 and Order no. 1752 of 17 November 2005 issued by the Ministry of Public Finance. According to Ordinance no. 90, public interest entities are required to monitor the effectiveness of internal control and risk management systems, and this responsibility must be assigned to their audit committees.

Order 1752 requires the Board of Directors to include in its consolidated report a description of the main features of the internal control and risk management systems applied in the financial reporting process.

As Tanya Free (photo), Risk Advisory Partner in KPMG in Romania, explains “the onset of the global economic downturn has made risk management even more important, so it is good to see that Romania has strengthened its legislation in this area. However, the role of internal audit in this entire process of risk management and its contribution to process improvement and the business control environment must not be underestimated.”

Georgiana Iancu (Timofte), Internal Audit Manager in KPMG Romania ads: “In Romania, internal audit is just in its early stages as shown also by the results of a recent study conducted by KPMG in Romania in which we interviewed internal auditors working in this country. The study primarily targeted the attention given to the professional training of internal auditors and to the quality of internal audit resources to help internal audit respond to the ever increasing demands from management and audit committees. The study revealed that the role of internal audit is not fully understood and appreciated by top management of Romanian companies, as the annual training budgets allocated to internal auditors are, in most cases, less than 250 euros per internal auditor, or in some cases nothing at all, while the global average of the annual training budget per internal auditor is 1,700 euros.

At the same time, more than 60 percent of the internal auditors participating to our survey admitted they do not possess qualifications in their field of expertise (such as Certified Internal Auditor or Certified Information Systems Auditor), even though, globally, over 60 percent of the members of an internal audit team possess this type of professional qualification. Internal auditors in Romania have a strong need of professional training in all internal audit specific areas, but, at the same time, admit that access to such training is quite limited.”

As Ms Free concludes, “this suggests that there is a strong need for improvement in risk management and corporate governance, nationally as well as internationally, and for the tools used in these processes to also be improved.”