Audit committee imperative | KPMG | CA

Cyber: An audit committee imperative

Cyber security is no longer just an IT problem; it is a significant business risk. In an age of disruption and mounting online threats, digital security is a responsibility every part of the organization must bear. That includes audit committees, which need to become more flexible in their approach, more dynamic in their execution, and more in tune with today's cyber risk environment.

Audit committees aren't the only line of defense, but they are a critical one. With IT and information security professionals on the front lines, it falls to audit committee members to support their efforts by building awareness of threats to the organization's financial functions, promoting best practices, and making sure the organization is taking appropriate action to shore up its cyber defenses.

Serving that role means asking the fundamental questions: How effective is our organization's cyber strategy at identifying and addressing cyber risks? Is it relying on the right information to oversee and understand those risks? Is it addressing all of its data privacy and security obligations? Does it have a game plan in place to manage a cyber crisis when an incident occurs?

Third-party risk must also be part of the conversation. Organizations are extending their digital footprints through cloud, blockchain, and other networked technologies, and are becoming more exposed to third-party risk as a result. Here, too, audit committees would do well to ask how the organization tracks the use and security of its sensitive data among its external partners, and how it evaluates the integrity of the tools and software those partners themselves use.

The pace of change demands a nimble approach. Audit committees must evolve beyond their traditional approach to address disruptive technologies and cyber risk in real time. And while there may be knowledge and skill gaps around the topic of cyber, now is the time to collaborate with industry peers and consultants to build internal capabilities. Only then will audit committees fulfill their much-needed role in an organization's cyber posture.

What should audit committees be asking?

  • How effective is my organization's cyber risk strategy? Is it focused on the right areas? Is it being tested?
  • How does my organization's cyber posture compare to others in the industry? Where are its gaps?
  • When a cyber incident occurs, how will it respond? How will it recover?

Looking for more insight? Read the next article in our Accelerate series: Internal controls are moving beyond SOX