Risk management now looms as the top concern–eclipsing accounting judgments and estimates–in the minds of nearly 300 public company audit committee members surveyed by KPMG's Audit Committee Institute (ACI) and the National Association of Corporate Directors.

Furthermore, only 28% of respondents say they are "very satisfied" with their understanding of management's process for identifying and assessing significant business risks, and only 21% with management's risk reports. ACI Director Ed Smith says the credit crisis is fueling this concern. "Everybody thought financial institutions were way ahead on risk. If we look at the credit crunch, there were a lot of surprises there. I think many directors were surprised," Smith says.

Respondents ranked Information Technology (IT) risk and governance as their third biggest concern and the area where they have the least confidence. One-quarter said they were unclear about their committee's responsibilities for oversight of IT risk and 26% said they were not satisfied with management's reports on IT risks. "IT is one of those areas that has steadily been creeping up on the audit committee's agenda," says Smith, noting that the New York Stock Exchange's listing requirements require audit committees to discuss risk assessment and risk management policies.