We are continuing our Q&A series stemming from our January 7 webinar on the 2016 Audit Committee Agenda. We’ve been exploring audit committee priorities for 2016, based on the findings published in the latest issue of The Bulletin. This four-part Q&A blog series provides our responses to some of the many interesting questions from our 1,500 webinar participants that we were unable to address during the webinar itself. Jim DeLoach and David Brand address the questions below.
In our first installment, we touched on the relationship between the audit committee and independent auditors, new rules on lease accounting, and board-level engagement with cybersecurity. Cybersecurity is a top concern for audit committees right now, and it should be. For additional insight, see Issue 67 of our Board Perspectives series, which is devoted entirely to briefing board members on IT matters in a manner that directors can understand.
Q: Are you seeing cybersecurity experts being added to the audit committee?
David: Generally speaking, no. Organizations face a broad and ever-changing spectrum of risks. For that reason, boards and audit committees should be staffed with people from a variety of backgrounds who stay well-informed on the current risk landscape and emerging risks, and know where to go and whose advice to seek to educate themselves as needed – through the CIO, CISO, or independent cybersecurity experts. An exception to this, of course, would be technology companies, or organizations where technology is the centerpiece of the business strategy, and in such cases we see some boards setting up a separate technology committee. But from a purely risk oversight perspective, no.
Q: Do you see differences between cybersecurity risk and data privacy risk, and should a risk profile have both? Or do you see in the industry that these risks are combined?
David: Although there tends to be a heavy focus on cybersecurity these days, it is important to remember that information – including personally identifiable information (PII), non-public financial information, drug formulas, customer lists and price sheets – often exists in non-electronic formats, including paper printouts on people’s desks. Cybersecurity deals exclusively with electronic data that’s housed in computer systems. Data privacy risk encompasses information in all forms, and is therefore both distinct from, and inclusive of, cybersecurity risk.
It’s a misnomer to say if a company is doing cybersecurity, it has achieved data privacy. Data privacy is related to cybersecurity, but broader than cybersecurity.
Jim: Let me add that our 2016 Top Risks Survey report, which will be released in March, reports on cybersecurity risk and privacy/identity management risks separately, and both were highly rated in our global survey results.
Q: Do you have a toolkit available for auditing cyber risks?
Jim: The National Institute of Standards and Technology (NIST) has developed and publicized a cybersecurity framework that has become the de facto standard for control areas that need to be addressed. That’s the best place to start in the public domain.
Q: Why don’t more organizations use data analytics to support internal audit?
Jim: Good question. It’s hard to pin down the why. Improved data analytics has been one of the top-rated capabilities and needs in our annual survey of chief audit executives for the past ten years. If you are asking whether your organization should be investing in analytics to keep pace with an increasingly complex environment, the answer is yes.
We’ll pick up with this discussion of technology in Part 3 of this series. The archived version of the webinar can be accessed here.