While most audit committee members agree that IT governance and risk is one of their top oversight priorities this year, there is far less agreement as to what the audit committee’s oversight role should be. According to surveys conducted during the Audit Committee Institute’s (ACI) recent Roundtables, there is significant room for improvement in IT governance (by management) and in its oversight (by the board, including the audit committee).
Today, few audit committee members outside of the high-tech arena would claim to be tech-savvy. Yet audit committee members, along with CIOs and CFOs, are responsible for ensuring information technology and assets are used effectively and that corporate information is accurate, reliable, and secure. For these reasons, the audit committee can and should be a catalyst for strong IT governance.
What can audit committees do to help bring the proper focus to IT governance and risk? We offer some suggestions.
■ Focus on information rather than technology. Clearly, IT is complex, and many audit committees may lack IT expertise. But a “language barrier” compounds this problem, say audit committee members. Technology officers and other experts tend to talk about the technology rather than the information. As a result, directors may be reluctant to dig in and ask questions. Yet it is the information that matters, not the technology and gadgets. By focusing on the information, and on the risks to that information, audit committees can avoid some of the language barriers that creep in when the discussion turns to technology.
■ Understand how management mitigates risks to information. Companies rely critically on information not only for financial reporting, but also for managing virtually every aspect of the business. And the risks to this information are many, including poor information quality, privacy and security, outsourcing, and business-continuity and disaster planning. Strategic demands for “better” information pose new risks as well, such as the risk that critical IT projects are poorly managed or fail to deliver. An important question for boards to ask is how management protects the company against each of these risks and ensures that the company’s information is accurate and reliable. Based on our recent surveys, audit committee members are not entirely confident that their companies’ policies and procedures for managing and mitigating these critical information risks are effective.
■ Ensure that IT governance is an imperative. Given the company’s critical reliance on information, IT governance is an imperative: the framework and processes for managing and overseeing information, mitigating technology risks, and addressing technology strategy and investments. In practice, the IT governance process is often fragmented, with responsibilities spread throughout the organization. The audit committee can play an important role in establishing the right “tone at the top.”
■ Clarify the audit committee’s role in IT governance. Boards need to consider how best to align their oversight responsibilities for IT governance and risk. Nearly 20 percent of the participants surveyed said that their audit committee’s oversight responsibilities are unclear. And some audit committees, by default, have oversight responsibility for all IT governance.
Responsibilities for oversight of IT-related risks will vary by audit committee: Some may focus on IT risks from a financial reporting perspective only; others may also have oversight responsibility for compliance-related IT risks (including privacy and security) as well as outsourcing and business-continuity risks; and some may even broach the issues of IT strategy and investments.
As a source of potential risk to the company’s operations and competitiveness, and with major financial reporting and disclosure implications, IT governance should be high on the audit committee’s agenda.