Impact of Cyber Security on Audit Committees


In KPMG International’s 2015 Global Audit Committee Survey, the four key concerns carried over from last year are:

economic and political uncertainty and volatility
regulation and the impact of public policy initiatives
operational risk
and cyber security.

It was great to see cyber security featuring among the top concerns of audit committee members as major cyber breaches have intensified in the recent past. High profile breaches include the Sony Pictures, the Us retailers Target and Home Depot. In the year ahead, audit committees say cyber security and oversight of risk will require even more attention.

KPMG conducted another online survey in 2015 and found that ensuring good security enables companies to retain customer trust even as next-generation cybersecurity solutions emerge to deal with this challenge. Because of recent cyber attacks, tech companies of all sizes want to keep investing in developing and implementing information security and IT risk-management technologies. Three-fourths of 111 U.S. tech executives who participated in the survey said they expect their companies to spend 1 to 5 percent of their revenue on IT security over the next year.

Directors should approach cyber security as a broader business risk issue and not as a problem for internal IT teams.This approach is supported by the increasing threat and the rising impact of online security breaches. Therefore, cyber security ideally should be on the board’s agenda, with oversight by audit committees.

How can audit committees respond to cyber risk areas;
▶️ Have a training session for the audit committee members to understand cyber impact on the company and also educate the workforce about cyber risks and responsibilities.
▶️ Understand the company’s cyber security strategy and governance structure and ensure it fits into the company’s ERM program.
▶️ Understand the systems in place to protect information transferred through mobile
technologies, internet, etc.
▶️ Ensure that the company has a cyber security risk assessment process in place and there is a periodical review of management’s cyber security risk assessment. If the skills are not available internally, the audit committee should direct the company to obtain such specialist skills, to prevent future breaches.
▶️ Similar to a BCP/ DRP establish an incident response plan and test it periodically, including it’s ability to act quickly if there is a security issue.
▶️ Establish guidance on what kinds of incidents need to be reported to the audit committee
▶️ Ensure the company has the required specialist skills and expertise to prevent cyber breaches and also has enlisted a third-party specialist to be on-site for emergencies.

This may not be a comprehensive list of ‘to do’ items but should be a good starting point.


About surenraj

“Views expressed are my own”
Aside | This entry was posted in Governance and tagged . Bookmark the permalink.

One Response to Impact of Cyber Security on Audit Committees

  1. Zafar says:

    Excellent article!

    I believe that the explosion in the use of mobile devices and a strong BYOD (Bring Your Own Device) Culture has created a gap between enterprise security, audit scope and organisational data protection.

    Audit committees need to factor into their agenda topics such as

    1) scope of risk for BYOD’s (understand why they want to control)
    2) manage use of BYOD (understand how they want to control BYOD)
    3) review methods of how 1 and 2 have worked for BYOD (understand if what they have understood and done to manage these devices have worked and re-engineer non working processes)

    For example all devices authorised for use onsite at an organisation should require a central remote wipe, password policies, managed app environment and an ability to report and a mechanism to review exceptions to security policies enforced on devices.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s