Audit Committees and Technology


Historically the vast majority of audit committee members have been from the financial/accounting arena. Does it make sense to bring in more technology talent to these committees?

Corporate Governance
Board of Directors
Technology Management
Marsha Williams
51 months ago

7 answers


As technology has moved from the back room to center stage, IT risks have grown enormously--but IT opportunities have grown even more. Directors with real-world experience in running IT, in mitigating cybersecurity and disaster risks, in introducing new technology-based products, could help firms avoid minefields (Technical Debt, Cybersecurity 'hygiene,' etc.) and sieze opportunities (AI, robotics, AR).
Sarbanes-Oxley, enacted after the Enron and WorldCom debacles, introduced the notion of 'Qualified Financial Experts' (QFEs) to Boards. Today every Audit Committee has a QFE--because this finance/accounting stuff is HARD.
We're ready for a parallel notion: the QTE (Qualified Technology Expert) who brings real experience with using and managing technology and can thus ask the right questions and understand the answers.
Issues for later discussion (or this will become a novella):
A QTE is different from a Digital Director (although some people have both skill-sets). And the question of whether the Audit Committee is the right venue for IT risk and opportunity governance issues is also worth asking.

Wayne Sadin -- Transformational Technology Leader
51 months ago
Great concept Wayne - what do you think can be done to further that concept? - Marsha 50 months ago

In a nutshell yes, I agree with you. Audit Committees should have more knowledge regarding technology and data management, and in my opinion, also more expertise in business management and operations.
Internal Audit approach is based on risks, and therefore Internal Audit departments have to move in the direction of getting the right expertise (internal, co-sourced or external) for every type of audit included in the audit plan, therefore, the Audit Committee should reflect that shift, in order to be able to proper assess from the Board perspective the reports that reach their hands.
In my experience as Head of Internal Audit, I have always tried to diversify as much as possible the backgrounds and experiences of the audit teams, as well as their personality and soft skills. I firmly believe the more diverse teams are, the more angles you identify to analyze a problem and therefore, the better solution you can propose.
Most of the current main risks in all sector (most at least) are related to technology and data management in some form or fashion, therefore, the better equipped an Audit Committee is to gauge and really understand those issues, the better direction will set for the Internal Audit department.

Emilio Rubio, Ph. D.
51 months ago
Well said Emilio - what do you think can be done to increase the technology participation on a broad scale? - Marsha 50 months ago
Marsha, I guess there are multiple things that we could do on that direction. Modify the selection criteria for Board Members could be one, so there are even more varied skills set within the Board, including those experts in technologies in which the company may be interested, increase Board training in technology, create a tech Committee, nominate special tech advisers to the Board, etc... - Emilio 50 months ago

Having been a creative director in a technology company where the board is predominantly made up of accountants, I feel there needs to be a radical overhaul of the way we populate boards of directors, especially non-execs.
I've written an article on the subject recently, and transcribed my thinking below...

The key word in Boardland is governance.
The archaic nature of the word simply means to rule or control! It’s not a very nurturing term, yet it is a specific requirement of a public company’s board in the UK Companies Act of 2006.
Governance tends to happen through the work of a board’s respective committees.
Of which the usual suspects are audit, finance, risk, nomination and remuneration.
The bit I actually find interesting is risk.
Because a risk committee will predominantly look at risks the company faces and the avoidance of them.
For me, there needs to be a change in attitude, risk is simply opportunity by another name. Just as disruption is invention’s consequence.
I’m not advocating that a board should be more frivolous, simply that diversity on boards goes beyond gender and race, it must include a healthy balance of risk aversion and risk taking. And that can only happen when a chairman recruits a board capable of opportunism, innovation, invention and connecting information to find new value and growth.
My point, as it always is, is invention and reinvention are the primary requirements for a business to survive and thrive (not even innovation will save you if your system itself is redundant).
So board recruitment strategy needs to change. Especially if you want your business to be the disruptor rather than the disrupted.
That means adding technologists, strategists and yes, even creative people.

Don Smith
50 months ago
Excellent insight! What do you think it will take to change board recruitment? My experience is that many positions are filled based off existing members and their networks. Will raising awareness be the first step for change? - Marsha 50 months ago
I think it will take some highly successful and high profile early adopters Marsha. We know that boards that are both gender and ethnically diverse experience greater success through innovative and inventive practices. We just need greater diversity of skills. I really believe that accountancy and legal industries have ring fenced 'business management' as their own territories historically. - Don 50 months ago

Yes the more diverse the backgrounds the better.

I’ve worked for companies in which the audit committee includes the chairman, CEO, CFO and directors with audit background.

Bringing someone with a technology background can help with the internal controls over Financial reporting. Companies still rely on Excel spreadsheets to produce financial statements. As we all know, Excel is not a system and using it to produce financial statements could lead to material errors. Anyone with an IT background in the audit committee would help minimize the risks involved by recommending an IT system or report writer that automates the financial statements.

Janet Nicolas
50 months ago

Dear Marsha, yes, I truly believe this for instance for improving the use of Big data, data analytics etc. Additionally, however, I believe that complementary compentencies within the audit committee will help as well. Too often you see many "blue" people withing the AC. Why not add a more yellow or green person in the AC, it will definitely expand the total vision and goal of the AC improving the entire reporting system. So, traditional + it-experts and data experts + diversity in competencies.
dr. Ferdy van Beest

Ferdy Van Beest
51 months ago
Hadn't thought of it in that light, thanks for the brain candy! - Marsha 50 months ago

Dear Marsha,
besides Finance / Accounting, if the Audit team has a focus on HR- or Complince-topics, colleagues from the different departments are invited as guest auditors. If the focus of the audit is on Industry 4.0 / AI, related employees are part of the team. Besides topic experts, maybe even more relevant are regional colleagues to avoid cultural pitfalls.
Technology is not limited to the IT department, but will enter all areas of the company. Technology talents (natives) will be available in all parts of the organization. So naturally, this will be also for the Audit department the case.

Patrick Henz
51 months ago
Valid perspective for sure. I think perhaps it begs the bigger question of how to move from 'guest' participants to fully vested team members. - Marsha 50 months ago

It makes sense to me. It is beneficial to have people on board understanding technology and with relevant skills on this. It is useful to hire committee members with technology experience (e.g. cybersecurity) or work with external auditors and specialists. Experience in technology data and analytics is now a must to me. If missing the risk is to start auditing non-sense or urgent matters.

Paolo Beffagnotti
50 months ago

Have some input?