
The Audit Committee Conundrum: IT Risks

Matt Kelly | January 27, 2014

Audit committees are uneasy about IT risks these days.

That's one finding of the most recent report from KPMG's Audit Committee Institute, and it should surprise nobody. IT risks—emerging technologies, IT projects gone awry, data security—are where audit committee members feel least comfortable with their knowledge of the subject, and with their ability to make recommendations to the CEO or the board. What's more, audit committees also say they aren't entirely pleased with the information they get about those risks.

Those risks will only grow more pressing in the future. So the question is how compliance and audit executives can help them.

Before we get lost in this murky new world of corporate governance, let's start with a look at the old one. (Compliance Week writer Tammy Whitehouse has an excellent article this week looking at the KPMG survey more broadly.) Audit committees do feel fairly confident in their ability to handle “traditional” committee tasks: policing the financial statements, ensuring compliance with laws such as the Sarbanes-Oxley Act, monitoring the relationship with the company's external auditor. Some numbers to that effect:

  • 94 percent of respondents rated the information they receive about legal or regulatory compliance risks as “good” or “generally good.”
  • 93 percent said the same about information on operational risks and the control environment.
  • 99 percent rated their understanding of key financial reporting and control risks as “excellent” or “good.”
  • 88 percent said the same for their understanding of ethics & compliance programs, although more rated their understanding as “good” (48 percent) than “excellent” (40 percent).
  • Only 8 percent are dissatisfied with the internal audit department's skills and resources to be effective.

Overall the report paints a complimentary picture of compliance and audit executives, and of audit committee members too, who give themselves good marks for spending sufficient time on financial, compliance, and control issues. Now comes the more difficult encore: replicating that information pipeline for issues of data security, privacy, and emerging technologies.

My first question is whether the audit committee is even the best group to oversee IT risks. The people who serve on these committees tend to hail from financial backgrounds, as Regulation S-K and various listing standards push them to; or they might be CEOs at other companies, well-versed in strategy and risk management. Those backgrounds are critical for traditional audit committee jobs, to be sure. But questions of possible exposure to cyber-thieves in Asia, or the strategic risk of letting your resellers promote products via Twitter, or how to set the objectives of a two-year IT project to address your GRC needs in a globalized business world, are substantively different from tussling with your audit firm over fees or internal control testing.

Audit committee members were candid enough to admit as much: 43 percent of KPMG survey respondents said it was “increasingly difficult” to carry out their duties thanks to new risks piling onto their plates, and another 7 percent flat-out said their committees don't have enough time or expertise. Unfortunately, only 26 percent say their boards have rebalanced all those risks across various committees, and frankly, what other committees could field these issues anyway? Regulators sometimes force companies to create new risk committees as part of misconduct settlements, but until Regulation S-K requires a new committee to focus specifically on IT risks, the audit committee is stuck with them.

Compliance and audit executives, then, should start by asking themselves one question: how can I help the audit committee clarify its information needs?

This won't be easy, because much of the help they need lies beyond what compliance or internal audit typically provide. Take data security as one example. The compliance officer might be able to discuss the litigation and regulatory consequences of a data breach, which will help the board set its risk tolerances for security. The audit executive might be able to test IT security controls, which will help the audit committee determine whether management of IT risks is working.

But the IT risks that worry the audit committee the most now are more about reputation and protection of assets: Will we get hacked and end up on the front page? Will our intellectual property get stolen and passed around the Internet for all to see? The compliance officer plays a role in explaining the consequences, but the CIO or head of IT is the one who knows best whether a breach might happen. In the new world of IT risks, having a strong, collaborative relationship between compliance and IT will be all the more important. Neither side will be able to help the audit committee properly without the other.

There's likely to be a lot of that collaboration in the future, as more and more business processes are transformed by the power of IT: more efficiencies, but also more risks, with compliance officers there to explain some of the consequences, audit executives testing risk-management efforts, and the CIO and someone else explaining what the odds of the risk actually are. You might have marketing and the CIO talk about sales agents working via tweet; or the CIO and the head of personnel discussing the “gamification” of performance reviews. Plus, we'll still have plenty of IT risks borne primarily by the compliance officer, such as when you decide to install that sweeping GRC software suite to manage regulatory compliance for the next few years.

So audit committees are indeed uneasy about IT risks—and perhaps we all should be, too.