Audit committees and IT: appearing on the audit radar


Few boardroom members outside of the high-tech industry would claim to be
information technology experts.

But for CFOs, CIOs and other senior managers responsible for IT and making
sure that corporate information is accurate, reliable and secure, working
through the audit committee can be a natural and extremely valuable catalyst for
strong IT governance.

Directors may not be asking many pointed questions about IT. Many say they
don’t have the knowledge or background to dig deeply into the issue. But that
doesn’t mean they aren’t intensely interested in the company’s information risks
and IT governance practices.

Indeed, oversight of IT risk and governance was cited by many audit committee
members as a major agenda priority for 2007, according to a recent survey by
KPMG’s audit committee institute.

Almost a third of the 1,300 audit committee member respondents said they were
satisfied with the amount of audit committee time devoted to the oversight of IT
risk, reflecting the challenges of overseeing what has long been viewed as a
mysterious ‘black box’ back-office function.

With IT budgets growing and information technology becoming ever more
important and increasingly complex, IT governance is likely to remain high on
audit committee agendas in the years ahead.

Fortunately, ACI meetings in the UK show many audit committees continuing to
grow more confident in their oversight of core financial reporting issues, and
increasingly viewing other issues, IT risk included, through a more
sophisticated ‘risk lens’.

Clearly, audit committee responsibilities for oversight of IT-related risks
will be for the board to determine and will vary by company.

Some may focus on IT risks from a financial reporting perspective only, while
others may consider compliance-related risks, including privacy, security,
outsourcing and business continuity and some may broach the issues of IT
strategy and investments.

The ACI survey found that two thirds of audit committee members say that they
have primary oversight responsibility for issues relating to IT compliance and
controls. Half of them say they take responsibility for oversight of business
continuity issues and 45% for information security/privacy, but one in five say
they have primary oversight responsibility for none of these.

Regardless of what precise responsibilities are delegated to the audit
committee, IT risk is likely to be somewhere on the audit committee’s radar,
both as a source of potential risk to the company’s operations and
competitiveness and with major financial reporting and disclosure implications.

Increased focus on IT governance by the audit committee will lead to
increased scrutiny of management’s IT governance practices and, very likely,
higher expectations.

But the audit committee’s oversight work can be a valuable source of
objectivity and insight for both the board and management and can directly
support an organisation’s IT governance efforts.

Many audit committee members say they want, and need, to know more about IT
and information risks. Such a focus can bring an important, independent
perspective to the company’s consideration of IT risks, whether financial,
regulatory or strategic.

The organisation’s IT professionals can help enhance the board’s appreciation
of the issues by educating them and discussing IT matters in plain English.

Directors who understand basic IT terminology, but who focus squarely on
information risks in a business context, are better positioned then to add real
value to the discussion.

The complexity of IT systems can result in major ‘disconnects’ in the IT
governance process. Language barriers between the company’s IT department and
the board can hamper clear and robust discussions of IT issues, often resulting
in fragmented IT governance policies and practices without clear accountability
or enforcement.

Establishing the right tone at the top and setting clear expectations for IT
governance practices, standards and responsibilities can help get everyone on to
the same page.

The audit committee’s expectation for high-quality information and focus on
internal controls can also help the IT department concentrate on ensuring that
the information flowing in and out of the company’s IT systems is what the
company, its business units and the board need.

From a privacy and security perspective, the audit committee can serve as a
catalyst for ensuring that robust discussions are taking place on the key risks
to corporate and customer information.

Given the legal, financial and reputational implications of security breaches
or lost information, management should welcome the scrutiny an audit committee can

This scrutiny can also generate important insights into the company’s
business continuity and disaster recovery plans with respect to information
systems and availability.

Always ask the fundamental questions about critical IT projects.
A major IT project delay or failure may have significant financial reporting and
disclosure implications.

By staying aware of the status of critical IT projects, the audit committee
can help maintain overall awareness of project milestones, potential problems,
and significant budget issues and, potentially, return on investment.

Organisations might differ in how IT oversight responsibility is aligned
among the board, audit committee and other standing committees, such as an IT
committee or risk committee.

Nevertheless, there is a broad consensus among audit committee members that
the experience and insights of the board and audit committee can act as
important catalysts, if not powerful partners, in the organisation’s efforts to
manage IT risks and make the most of IT investments.

Both are fundamental goals of effective IT governance.

Five key areas of IT risk

Business focus: the risk that IT effort and expenditure are
not aligned to the strategy of the organisation and do not provide the
expected level of business benefit at all times.

Security training and awareness: as IT systems become more
complex, the responsibility on the end user increases. But too often IT training
and awareness lacks impact and users are not aware of their own

Legislation and regulation: regulations such as Basel II,
MIFID and the combined Payment Card Industry standard have made many
organisations re-assess their IT controls.

Information assets: understanding where an organisation’s
information assets sit – whether that be in paper form, on servers, a
Blackberry, USB memory stick or even extending across to other organisations –
is a key challenge for organisations.

Access and identity management: ensuring that users have
access to all of the information they need to do their jobs but no more.

Timothy Copnell is director of the KPMG-sponsored audit
committee institute in the UK
