Rating Canada’s audit committees

May 2008 — PRINT EDITION

Table of Contents

Rating Canada’s audit committees*

As some audit committees strengthen their performance, they raise the bar for all audit committees.

*This is an expanded version of a summary that originally appeared in the May 2008 issue of CAmagazine.

Just how effective are Canada’s audit committees? And does company size matter? These are just two of the questions that KPMG’s latest annual audit committee effectiveness survey sought to answer. And, while the overall ratings for effectiveness were positive, the larger companies gave themselves higher marks than the smaller ones did.

The survey, carried out in early 2007 by KPMG’s Audit Committee Institute and the Institute of Corporate Directors, showed that 62% of the more than 230 respondents rated their audit committee as “very effective.” This result is virtually unchanged from the 2006 survey. However, while almost 80% of respondents with revenue of more than $1 billion rated their committee as “very effective,” only 43% of those with revenue of less than $100 million did the same.

This difference—not as evident in the 2006 survey—combined with divergences in practices between larger and smaller entities, is something Michael Meagher, executive director of the Audit Committee Institute, considers not only significant but “sometimes worrisome.” For example, all audit committees included oversight of internal control, risk management, and legislative compliance, accounting judgments, and estimates in their top priorities, but the size of their companies dictated how each of these items ranked on their agendas.

Most startling was the finding that, while only 20% of respondents with revenue under $1 billion included accounting judgments and estimates among their top priorities, 58% of respondents from larger organizations ranked them as a major concern. A similar proportion (59%) of the US and UK respondents to a 2007 global Audit Committee Institute survey of more than 1,300 audit committee members concurred.

Meagher attributes the US similarity to the fact that many of the largest Canadian companies are also registrants of the US Securities and Exchange Commission and have to reconcile to US GAAP. In the UK, the recently changed requirements to report under International Financial Reporting Standards (IFRS) may have been responsible for this focus. “If so, the Canadian transition to IFRS between now and 2011 might cause this topic to be a priority for several years to come.”

For now, internal controls are considered a top priority for all revenue categories in Canada (63% of all respondents). UK and US respondents (56% and 66% respectively) agreed. No doubt, says Meagher, “the Canadian Securities Administrators proposed rules on internal control over financial reporting had an impact on defining the importance of internal controls in Canada.”

Interestingly, says Meagher, US respondents rank this area much higher than their counterparts in Canada and the UK. “We believe that some of the US focus arises because US companies’ work to meet the requirements for internal control certification is much further advanced than in Canada or the UK.”

Risk management was rated the second-highest priority by most Canadian respondents, but appeared to be of slightly greater importance to companies in the middle size range (those with revenues of $100 to $999 million).

In last year’s survey, notes Meagher, respondents did not have a consistent view on whether the audit committee should be responsible for oversight of a company’s risk management program. “This year’s results suggest that many audit committees are now taking an active interest in this area.”

When it comes to oversight of business strategy, smaller companies (36%) included it in their top 3 priorities than the mid-sized and larger ones did (22% and 9% respectively).

Smaller companies also billed legal and regulatory compliance as a top priority (just over 50%). In contrast, fewer larger respondents did so (35%), and their responses are similar to their colleagues in the UK and the US (around 30%). Meagher believes that the CSA rules on internal control certification “likely account for some of this focus.”

Although, this year, information technology ranked at the bottom end of audit committee priorities, Meagher feels this issue will soon become more important, again because audit committees will begin overseeing management’s certification of internal controls.

When asked which specific IT areas are their audit committee’s primary oversight responsibility, almost 60% of the respondents said IT compliance and controls, and slightly less than half identified business continuity and information security/privacy. Almost one-third, however, said that their board’s oversight of these IT areas needs improvement.

A final, somewhat surprising finding is that one in five audit committees has not yet implemented a self-evaluation process. Again, this is a size issue. Meagher says this shortcoming is most serious among smaller companies, with 35% doing no such evaluations. Among the audit committees that do self-evaluate their performance, satisfaction with the process has increased from last year, although two thirds of the respondents still see room for improvement.

“As some audit committees strengthen their performance,” Meagher notes, “they raise the bar for all audit committees. Some of the smaller entity committees may need a call to action because shareholders will really be evaluating their performance against the practices of others.” He advises all audit committees “to examine their own oversight processes and priorities, and continue to progress toward greater effectiveness.”

The responses to the 2008 survey are currently being analysed. For more information, visit http://www.kpmg.ca/auditcommittee/