CFOs can expect to see more cybersecurity experts on their audit committees. Audit committee members increasingly say they need that expertise around the table to better manage this growing responsibility, according to a report by The Center for Audit Quality and Deloitte.
Almost 100% of audit committees have members with finance and accounting expertise but only 35% have members who are strong in cybersecurity, the report finds. And yet cybersecurity is the fastest-growing risk focus for the committees.
“Audit committees are being challenged by increased complexity in their core responsibilities, as well as scope creep across other areas within their organizations,” says Audit Committee Practices Report, released this month.
Almost 55% of audit committees have cybersecurity as part of their responsibilities, 60% say it's an agenda topic at least quarterly and 69% say they expect to spend more time on it in the coming year. And almost two-thirds call it their top risk focus.
Not surprisingly, 41% say they need additional expertise on it in their committee, more than any other risk area. That means committees will be looking at who they should be adding as members and inviting to make presentations at meetings.
“Make sure you’re hearing from the right people,” says the report. “Consider having the chief information security officer (CISO), or the equivalent, present … on a regular basis. Given the pace of developments in the cybersecurity space, it’s also appropriate to get periodically an outside-in perspective. Asking your external auditor or other advisors to present with your CISO is a natural option.”
The report, which looks broadly at what audit committees are focused on, is based on input from almost 250 committee chairs and members of mostly large public companies in the United States.
In addition to the growing focus on cybersecurity, it finds the committees increasingly concerned with all types of fraud and security risks, environmental, social and governance (ESG) reporting, and supply chain issues, while continuing to focus on their core finance and control responsibilities.
Among the findings:
- 98% say audit quality is the same or better than the prior year
- 21% say meetings will return to in-person when COVID-19 conditions make that possible
- 62% say they’ll hold hybrid meetings, some in-person and some virtual, while 27% say they’ll hold hybrid meetings in which some people will attend in-person, others virtually
- 97% expect to spend as much time or more on core financial reporting and control issues in the next year
- 74% say they’ve updated their internal controls to account for remote work
- 42% say fraud risks have increased
- 42% say their committee oversees enterprise risk management, compared to 20% of risk committees
- 19% say supply chain issues fall into the jurisdiction of the audit committee
- 10% said ESG falls into that jurisdiction