Emerging Issues in an Evolving Landscape
Today's always-on, constantly connected society delivers exceptional benefits to both individuals and businesses. But it also comes with a price, particularly for companies heavily reliant on complex technology systems. For proof, look no further than the recent breach that compromised credit card data for 40 million Target customers, which contributed to the resignation of the company's chief technology officer and its CEO.
Audit committee members understand that technology can pose grave risks to organizational reputation and profitability. What they may struggle with, however, is defining the parameters of those risks, and assessing at which point audit committee involvement becomes necessary.
Given the extent to which organizations today rely on technology, IT intersects with the audit committee's mandate to oversee risk management undertakings more often than many may think.
If a global company's IT systems go down as the result of a natural disaster or other unanticipated business disruption, both sales and productivity losses can mount alarmingly. If a company's online platform crashes or it becomes the victim of a cyber-attack, it often suffers both reputational and financial losses that can affect its financial reporting. Similar losses can also result if social media policies are not enacted and enforced.
To complicate matters, during the recent economic downturn, many companies curbed their capital spending, including their IT project spends. As a result, these companies may be overly reliant on aging systems that lack the capacity to keep pace with the evolving demands of ecommerce. This presents risks of its own.
Of course, most companies have adopted various risk mitigation strategies related to IT. For example, companies involved in major IT projects most often require budget approval from the board before proceeding. Management also generally adopts processes designed to minimize IT risk.
So what should audit committees be doing? At the very least, audit committee members should understand the mitigation processes that management has implemented and relies on. At organizations exposed to higher risks, audit committees may need to commit to a higher level of involvement and oversight. This may include:
To understand where technology risk might affect financial reporting, audit committees must remain abreast of a company's IT risks and related initiatives. In addition to asking the company's CIO or head of technology to share information about any contemplated IT projects, audit committee members should ask about the company's technology strategies, including their related costs, and learn how management is mitigating any identified risks or threats.
Beyond simply inviting IT management, as well as external experts and advisors, to speak to the committee on an annual basis, audit committee members at organizations that are undergoing major technology initiatives or that are particularly exposed to IT risk should raise these issues at each meeting to ensure they remain abreast of emerging risks.
Companies that frequently engage in complex IT projects may want to include someone with specialized IT expertise on the audit committee or at least bring in an external expert for a defined term during a period of technology transition.
Given the growing scope of the agenda, many audit committees are leery of adding more items to the list. That's fair. After all, IT does not represent the same level of risk for all organizations. Before including it as a standing agenda item, it makes sense for audit committees to assess the extent to which their organization may be exposed to these risks by asking the following questions:
As companies evolve, the risks that audit committees must review change as well. To ensure appropriate financial oversight, audit committees should determine if their exposure to IT risk is rising and take steps to mitigate those risks before they cause a material impact to the company's financial statements.