When we hosted our webinar, “Setting the 2015 Audit Committee Agenda,” on February 10, we knew we were tackling a hot topic.
After all, the task has become so much more challenging. Not only are audit committees dealing with crowded agendas, but they’re also addressing issues that are infinitely more complex.
Navigating an organization through a rapidly evolving business environment means setting clear priorities and establishing a risk management framework that asks the right questions at the right time to yield effective solutions.
The webinar emphasized the importance of finance and audit functions expanding beyond their traditional roles and becoming true strategic partners. It also discussed the impact of technology – and the audit committee’s responsibility to understand it.
During the webinar, we received an overflow of insightful questions. We wanted to share some of them because they address critical topics that may be relevant for many of you. We’ve included the actual questions from webinar participants, along with our answers, below.
It’s one of the ways we’re promoting Internal Audit Awareness Month. For additional information about the month-long campaign, visit The IIA’s website.
Q. How do you report on internal audit’s data analytics efforts to the audit committee? To what level do you report results?
A. If the analytics were conducted as part of a specific audit, they should be reported as part of that audit. If you are doing more continuous monitoring – or broad-based analytics that are not directly tied to a specific audit – it is typically helpful to create a dashboard for the committee. It should include information such as testing criteria, testing frequency and the exception rate. You may also want to include some commentary detailing how management addressed the exceptions.
Q. We are a nonprofit but are looking for the correct place for governance of IT (and information security) to reside – the audit committee or the legal and compliance committee? Thoughts?
A. The governance of IT as well as the IT compliance function should reside with the CIO. Assurance that these processes are happening is provided by internal audit. Because IT controls are pervasive, we often see the audit committee take ownership of the technology risks from an oversight perspective. Information security is typically aligned with the business and reports to someone outside of the IT organization. Again, assurance over the security function is provided by internal audit.
Q. What are the top 3 to 5 technology risks (i.e., security around confidential information such as social security numbers)?
A. Most surveys I have seen list some combination of the following as top IT risks: cybersecurity, cloud computing, mobile devices, mobile applications and social media.
Q. Can you give me a more specific example of how you make cybersecurity a “business issue” versus an “IT issue”?
A. Cybersecurity consists of the processes and systems in place to protect whatever data an organization deems worthy of shielding. This could include customer lists, pricing information, trade secrets, drug formulas, non-public financial information, etc. Understanding what is important to protect and where it resides in the organization is a business issue. The IT component only comes into play when technologies need to be deployed to protect the relevant information.