Our January 7 webinar, The 2016 Audit Committee Agenda, based on our latest issue of The Bulletin, drew more than 1,500 participants. The audience was diverse and included a large number of directors and executives, so it’s not surprising that a lot of interesting and relevant questions were asked.
We promised we would get to as many questions as we could but, due to our time constraints, we were only able to answer a few in real time. Here, in the first of several posts, we want to answer some questions we did not have time to address in the live session. Jim DeLoach and David Brand, Protiviti’s IT Audit practice leader, take turns with the answers.
Q: How involved should the audit committee be in inspecting its independent auditor? (Question submitted by a new audit committee member.)
Jim: As set forth in the listing standards for U.S. exchanges, the audit committee oversees the hiring, retention and independence of the external auditor and the quality of the external audit process. So the audit committee’s job, insofar as the external auditor is concerned, is not so much a matter of “inspection” as it is one of providing oversight. As part of the hiring and retention process, audit committee members are encouraged to be mindful of the firm’s PCAOB inspection reports. These reports may have an impact on the demands and expectations issuers receive from their external auditors and, therefore, warrant the audit committee’s attention.
Furthermore, the committee should inquire of the auditor if PCAOB inspections of the firm and recent PCAOB guidance are impacting the audit approach in any significant way and, if so, how and in which areas. For a good reference on the responsibilities of an audit committee, see the standards for listed companies established by Sarbanes-Oxley and promulgated by the Securities and Exchange Commission.
Q: Does the new Financial Accounting Standards Board (FASB) lease accounting standard (requiring both financing and operating leases to be accounted for on the balance sheet) apply to both public and private companies, and are there any exceptions?
Jim: To the best of our knowledge, the new rule, which will primarily affect lessees, will apply to all companies in all industries – although the effect will be greater on companies that have previously relied on leases as a form of off-balance-sheet financing. We won’t know with certainty, however, until the FASB issues its new standard, which is expected soon.
Q: Have you seen any best practices that organizations have used to get everyone on board with the idea that cybersecurity is a business issue, not simply an IT issue?
David: The only way to get people to see that this is a business issue is to start at the top. You have to start with a clear understanding of what assets the organization wants to protect. These so-called “crown jewels” have to be defined by the business. IT can’t decide. Once the organization has decided what’s important, then the capital committee and risk management committee must decide how much they want to spend protecting those crown jewels. IT’s role is to execute the protection scheme.
Q: Our board engagement and level of understanding of cybersecurity are not aligned. How would you address this?
David: Board members are always looking for educational opportunities, and internal audit can play an important role in this process. There’s nothing to stop internal audit from scheduling an educational briefing session with the board, or hiring a third party to come in and facilitate. For additional insight, see Issue 67 of our Board Perspectives series on board risk oversight, which is devoted entirely to briefing the board on IT matters in a manner that directors can understand.
In our next installment, we’ll pick up on this thread with a discussion of whether boards should be recruiting members with cybersecurity expertise. The entire webinar can be found here.