Audit Committees and Technology
As technology has moved from the back room to center stage, IT risks have grown enormously--but IT opportunities have grown even more. Directors with real-world experience in running IT, in mitigating cybersecurity and disaster risks, in introducing new technology-based products, could help firms avoid minefields (Technical Debt, Cybersecurity 'hygiene,' etc.) and sieze opportunities (AI, robotics, AR).
Sarbanes-Oxley, enacted after the Enron and WorldCom debacles, introduced the notion of 'Qualified Financial Experts' (QFEs) to Boards. Today every Audit Committee has a QFE--because this finance/accounting stuff is HARD.
We're ready for a parallel notion: the QTE (Qualified Technology Expert) who brings real experience with using and managing technology and can thus ask the right questions and understand the answers.
Issues for later discussion (or this will become a novella):
A QTE is different from a Digital Director (although some people have both skill-sets). And the question of whether the Audit Committee is the right venue for IT risk and opportunity governance issues is also worth asking.
In a nutshell yes, I agree with you. Audit Committees should have more knowledge regarding technology and data management, and in my opinion, also more expertise in business management and operations.
Internal Audit approach is based on risks, and therefore Internal Audit departments have to move in the direction of getting the right expertise (internal, co-sourced or external) for every type of audit included in the audit plan, therefore, the Audit Committee should reflect that shift, in order to be able to proper assess from the Board perspective the reports that reach their hands.
In my experience as Head of Internal Audit, I have always tried to diversify as much as possible the backgrounds and experiences of the audit teams, as well as their personality and soft skills. I firmly believe the more diverse teams are, the more angles you identify to analyze a problem and therefore, the better solution you can propose.
Most of the current main risks in all sector (most at least) are related to technology and data management in some form or fashion, therefore, the better equipped an Audit Committee is to gauge and really understand those issues, the better direction will set for the Internal Audit department.
Having been a creative director in a technology company where the board is predominantly made up of accountants, I feel there needs to be a radical overhaul of the way we populate boards of directors, especially non-execs.
I've written an article on the subject recently, and transcribed my thinking below...
The key word in Boardland is governance.
The archaic nature of the word simply means to rule or control! It’s not a very nurturing term, yet it is a specific requirement of a public company’s board in the UK Companies Act of 2006.
Governance tends to happen through the work of a board’s respective committees.
Of which the usual suspects are audit, finance, risk, nomination and remuneration.
The bit I actually find interesting is risk.
Because a risk committee will predominantly look at risks the company faces and the avoidance of them.
For me, there needs to be a change in attitude, risk is simply opportunity by another name. Just as disruption is invention’s consequence.
I’m not advocating that a board should be more frivolous, simply that diversity on boards goes beyond gender and race, it must include a healthy balance of risk aversion and risk taking. And that can only happen when a chairman recruits a board capable of opportunism, innovation, invention and connecting information to find new value and growth.
My point, as it always is, is invention and reinvention are the primary requirements for a business to survive and thrive (not even innovation will save you if your system itself is redundant).
So board recruitment strategy needs to change. Especially if you want your business to be the disruptor rather than the disrupted.
That means adding technologists, strategists and yes, even creative people.
Yes the more diverse the backgrounds the better.
I’ve worked for companies in which the audit committee includes the chairman, CEO, CFO and directors with audit background.
Bringing someone with a technology background can help with the internal controls over Financial reporting. Companies still rely on Excel spreadsheets to produce financial statements. As we all know, Excel is not a system and using it to produce financial statements could lead to material errors. Anyone with an IT background in the audit committee would help minimize the risks involved by recommending an IT system or report writer that automates the financial statements.
Dear Marsha, yes, I truly believe this for instance for improving the use of Big data, data analytics etc. Additionally, however, I believe that complementary compentencies within the audit committee will help as well. Too often you see many "blue" people withing the AC. Why not add a more yellow or green person in the AC, it will definitely expand the total vision and goal of the AC improving the entire reporting system. So, traditional + it-experts and data experts + diversity in competencies.
dr. Ferdy van Beest
besides Finance / Accounting, if the Audit team has a focus on HR- or Complince-topics, colleagues from the different departments are invited as guest auditors. If the focus of the audit is on Industry 4.0 / AI, related employees are part of the team. Besides topic experts, maybe even more relevant are regional colleagues to avoid cultural pitfalls.
Technology is not limited to the IT department, but will enter all areas of the company. Technology talents (natives) will be available in all parts of the organization. So naturally, this will be also for the Audit department the case.
It makes sense to me. It is beneficial to have people on board understanding technology and with relevant skills on this. It is useful to hire committee members with technology experience (e.g. cybersecurity) or work with external auditors and specialists. Experience in technology data and analytics is now a must to me. If missing the risk is to start auditing non-sense or urgent matters.