Cyberthreats Place New Demands on Audit Committees

The Accounting Policy & Practice Report ® provides financial accounting policy makers, advisors, and practitioners with the latest news, expert insights, and guidance on emerging, evolving,...

By Amanda Iacone

Retired accountants and auditors are on the front lines of cybersecurity in corporate boardrooms where they face a learning curve, rapid technology changes, and a shifting risk landscape.

Board audit committees have expanded their traditional risk oversight role to take on the latest threat to companies’ profits and reputations. But the constant pressure of hacks and data breaches is placing new demands on these part-time directors.

The time audit committees spend addressing cyber risks has spiked in recent years as regulations have grown. The extra work also requires committee members to stay on top of best practices to effectively manage the companies they oversee, committee members told Bloomberg Tax.

“This is one of the biggest changes, if not the biggest change, in what is on an audit committee’s agenda in the past 15 years,” said Rob Fryer, a retired auditor who serves on the audit committee for Shanta Gold Ltd., a London-listed mining company. “It takes a big chunk of time.”

Regulations Add to Workload

New cybersecurity-related regulations—the European data privacy law being the latest—have added to the workload of audit committees, said Mary Beth Vitale, a veteran audit committee member who also runs training programs on governance and security for the National Association of Corporate Directors.

Five years ago, committees might have taken 15 to 20 minutes to question management about cyber risks and prevention. Today, those discussions can take an hour or more, Vitale said.

If a breach occurs, investors will want to know what questions the board asked and how much time they spent discussing prevention and known risks, said John Lanaway, who serves on the audit committee for the global manufacturing company, CNH Industrial NV.

The pace of cyberattacks has risen in the last two years. And public disclosure laws have led to greater awareness of successful breaches, said Rob Terrin, CEO and co-founder of Tail Risk Consulting in New York.

Yahoo!, Equifax Inc., and Sony Corp. have all publicly revealed breaches in the past five years. And a string of U.S. hospitals were taken offline by ransomware earlier this year.

Cyberthreats pose a top concern for boards of directors and the companies they oversee, Cindy Fornelli, executive director of the Center for Audit Quality, told Bloomberg Tax.

The center, an independent affiliate of the American Institute of CPAs, regularly fields questions from board members about how to exercise their cyber oversight role. In response, the center compiled a tool detailing the questions directors should be asking the companies they manage, the role of management, the questions to ask the auditors and CPAs they hire, and where to go for more information.

New Skills, Knowledge Needed

“It’s challenging the boards,” said Brian Schwartz, who leads two practices focused on governance, internal audit, compliance and risk management for PricewaterhouseCoopers LLP in Washington. “This is all new stuff that they’ve never experienced before.”

Schwartz told Bloomberg Tax that effective boards focus on risk. They ask questions to gauge whether the company has the right policies and procedures in place for any technology a company might adopt and how the company would respond to a successful breach.

Some boards opt to bring on directors with sophisticated technology skills—the type that former chief information officers bring to the table, Schwartz said.

“Even the board needs to upskill because of new technology,” Schwartz said.

The National Association of Corporate Directors doesn’t track the specific qualifications of board members. However, just 12 percent of boards reported last year that they commanded a “high level of knowledge” about cyber risks. Most—73 percent—said their boards were somewhat knowledgeable, according to association records.

Vitale, who led a streaming media service, was among the few audit committee members with a technical background when she led the committee for CoBiz Financial Inc. However, the list is growing, she said.

Committee members don’t need to become cyber experts, but they should know the basics, Vitale said.

“You need to know what a server is. You need to know what patching entails,” she said.

Fryer, a retired Deloitte LLP audit partner, admits he is “not an IT person.” But he said he reads, takes courses, and attends webinars so he is prepared to question the management team at Shanta Gold about what the company is doing to protect its financial records, customer data, and other proprietary information.

But what’s current today might be outdated in a year.

“One thing about cybersecurity, it’s a moving target,” Fryer said.

To contact the reporter on this story: Amanda Iacone in Washington at aiacone@bloombergtax.com

To contact the editor responsible for this story: S. Ali Sartipzadeh at asartipzadeh@bloombergtax.com

Copyright © 2018 Tax Management Inc. All Rights Reserved.