The Accounting Policy & Practice Report ® provides financial accounting policy makers, advisors, and practitioners with the latest news, expert insights, and guidance on emerging, evolving,...
Retired accountants and auditors are on the front lines of cybersecurity in corporate boardrooms where they face a learning curve, rapid technology changes, and a shifting risk landscape.
Board audit committees have expanded their traditional risk oversight role to take on the latest threat to companies’ profits and reputations. But the constant pressure of hacks and data breaches is placing new demands on these part-time directors.
The time audit committees spend addressing cyber risks has spiked in recent years as regulations have grown. The extra work also requires committee members to stay on top of best practices to effectively manage the companies they oversee, committee members told Bloomberg Tax.
“This is one of the biggest changes, if not the biggest change, in what is on an audit committee’s agenda in the past 15 years,” said Rob Fryer, a retired auditor who serves on the audit committee for Shanta Gold Ltd., a London-listed mining company. “It takes a big chunk of time.”
New cybersecurity-related regulations—the European data privacy law being the latest—have added to the workload of audit committees, said Mary Beth Vitale, a veteran audit committee member who also runs training programs on governance and security for the National Association of Corporate Directors.
Five years ago, committees might have taken 15 to 20 minutes to question management about cyber risks and prevention. Today, those discussions can take an hour or more, Vitale said.
If a breach occurs, investors will want to know what questions the board asked and how much time they spent discussing prevention and known risks, said John Lanaway, who serves on the audit committee for the global manufacturing company, CNH Industrial NV.
The pace of cyberattacks has risen in the last two years. And public disclosure laws have led to greater awareness of successful breaches, said Rob Terrin, CEO and co-founder of Tail Risk Consulting in New York.
Yahoo!, Equifax Inc., and Sony Corp. have all publicly revealed breaches in the past five years. And a string of U.S. hospitals were taken offline by ransomware earlier this year.
Cyberthreats pose a top concern for boards of directors and the companies they oversee, Cindy Fornelli, executive director of the Center for Audit Quality, told Bloomberg Tax.
The center, an independent affiliate of the American Institute of CPAs, regularly fields questions from board members about how to exercise their cyber oversight role. In response, the center compiled a tool detailing the questions directors should be asking the companies they oversee, the role of management, the questions they should ask the auditors and CPAs they hire, and where to go for more information.
“It’s challenging the boards,” said Brian Schwartz, who leads two practices focused on governance, internal audit, compliance and risk management for PricewaterhouseCoopers LLP in Washington. “This is all new stuff that they’ve never experienced before.”
Schwartz told Bloomberg Tax that effective boards focus on risk. They ask questions to gauge whether the company has the right policies and procedures in place for any technology a company might adopt and how the company would respond to a successful breach.
Some boards opt to bring on directors with sophisticated technology skills—the type that former chief information officers bring to the table, Schwartz said.
“Even the board needs to upskill because of new technology,” Schwartz said.
The National Association of Corporate Directors doesn’t track the specific qualifications of board members. However, just 12 percent of boards reported last year that they commanded a “high level of knowledge” about cyber risks. Most—73 percent—said their boards were somewhat knowledgeable, according to association records.
Vitale, who led a streaming media service, was among the few audit committee members with a technical background when she led the committee for CoBiz Financial Inc. However, the list is growing, she said.
Committee members don’t need to become cyber experts, but they should know the basics, Vitale said.
“You need to know what a server is. You need to know what patching entails,” she said.
Fryer, a retired Deloitte LLP audit partner, admits he is “not an IT person.” But he said he reads, takes courses, and attends webinars so he is prepared to question the management team at Shanta Gold about what the company is doing to protect its financial records, customer data, and other proprietary information.
But what’s current today might be outdated in a year.
“One thing about cybersecurity, it’s a moving target,” Fryer said.
Reporter: Amanda Iacone in Washington.
Editor responsible for this story: S. Ali Sartipzadeh.
Copyright © 2018 Tax Management Inc. All Rights Reserved.