With increased automation of operations in companies, internet connectivity and reliance on IT the associated risks have also increased many folds. Questions have been raised regarding the role of the audit committee in monitoring increased IT risks. The audit committee seems to be in the best position to have oversight responsibility to monitor IT risks. In many governance structures the board of directors is responsible for the strategic direction and decisions regarding IT. However, in the absence of a specific risk management or a similar committee, the audit committee should be responsible for the oversight of IT operations and risks.
Oversight means to oversee someone or an activity. Oversee means for somebody/something to watch somebody/something and make sure that a job or an activity is done correctly. Such definitions are sometimes confusing in the context of holding an audit committee responsible to oversee IT Governance. An audit committee has to achieve this purpose while performing an non executive function.
Simply put, the Audit Committee should ensure that Management is performing ongoing assessments of all IT risks and be satisfied that these risks are adequately addressed. The CFO and CIO along with the Internal Auditor should be held responsible to provide assurance regarding design & implementation of controls to mitigate all IT risks.
How can the Audit Committee perform an ‘oversight’ role?
- Define its scope within the Audit Committee charter
- Set in place a corporate culture that’s followed by IT staff who are trained to acknowledge what could go wrong, able to recruit control conscious people and encourage sharing as well as open and honest communication.
- Ensure a proper framework like COBIT is used by the CIO and receive a comprehensive plan from the CIO comprising an assessment of the IT function, potential risks and IT controls in place. ( COBIT -Control Objectives for Information and Related Technologies is a good-practice framework created by international professional association ISACA for information technology management and IT governance. )
- Use internal audit to support oversight. Internal audit should be equipped with IT knowledge and that should be used to assess effectiveness of IT controls and how they mitigate all key risks.
- The Audit Committee may obtain an understanding of the extent of the IT-related testing and evaluation performed by external audit to get comfort on the IT risks affecting the financial reporting process.
- The audit committee may also use an independent external expert to critically review the IT risk assessment and the designated controls to ensure they’re sufficiently comprehensive and appropriate to provide the necessary assurance, based on good industry standards.
The audit committee should use all three i.e, the CIO, Internal Audit and External Audit to obtain assurance that IT is being managed and that IT risks are being mitigated properly.