Audit committee cheatsheet for IT and cyber professionals

Seems like everyone drops what they are doing to respond to audit committee requests. Just what is this influential committee and who gets to serve on it?


As an IT or cybersecurity professional, or even if you are a vendor (sorry, I meant solution provider) who is climbing the organizational ladder (or just trying to stay employed), sooner or later you will cross paths with the audit committee – whether appearing in person or helping your boss prepare for a meeting (and his attempts to climb the ladder or stay employed).

This can be a great opportunity to showcase your contributions and value to the organization, and can serve as an opening for additional budget and career opportunities. But before you make your play, you should know who you are playing with. Here are some “street-smarts” that will help you navigate the “playground” and understand the basic roles of the players in it.

So what exactly do they do?

Each audit committee’s objectives will vary by organization. An “Audit Committee Charter” defines the audit committee’s role at the particular organization. Many companies, especially publicly traded companies and large not-for-profits, include a copy of the charter on their website. Generally, the committee is composed of independent directors who monitor the integrity of financial information, the hiring and oversight of the CPA firm performing the annual financial statement audit, the hiring and performance of the internal audit department, and general compliance with laws and regulations.


In some companies the committee is also responsible for risk oversight, although as the risk function has evolved, some companies have established a separate risk committee. Because of the above responsibilities and their expertise in monitoring risk and controls, a number of companies assign cybersecurity oversight – especially testing the effectiveness of the cybersecurity program – to this committee.

Who are these people?

Appointed by the full board or the nominating committee, the audit committee is usually composed of three to six outside (non-management) directors. Typically, directors have experience in executive management functions at other companies (other CEOs or CFOs, for example), represent key investors or investment groups (finance and attorney types), have significant insights into or relationships with key stakeholders (they can refer business to the organization), or provide relevant subject matter expertise (technology).

Given the rapid evolution and complexity of business models, audit committees sometimes appoint “associate” members who can supplement existing committee knowledge and who can represent the committee’s interests and concerns. Generally, for publicly listed companies, at least one audit committee member should be designated as a financial expert – someone who has the appropriate background to understand and, if needed, question the integrity of the financial statements. One audit committee member is also designated as the chair of the committee. And yes, if you look at your organization’s filings with the SEC, you can see their bios, why they were chosen, and their compensation.

How often do they meet?

The frequency of meetings is driven by business need and is well known among executives in advance (imagine the effort required to coordinate schedules). In “normal” times, most committees meet at least quarterly. Usually the committee has an “annual calendar” to help ensure that mandatory committee activities (e.g., legal and regulatory requirements) are scheduled, monitored and completed. Depending on the company, meetings last approximately one to three hours. Some committees use sub-committee meetings to delve into areas requiring more attention (like technology).

How is the meeting conducted?

Audit committee members are provided with an agenda and reading materials prior to the meeting (typically one to two weeks in advance) so that the actual meeting can focus on high-level summary presentations and discussion of “exceptions” or items of concern. Either the CFO or the Chief Auditor serves as the committee’s liaison with management, taking care of administrative issues or other committee member needs. Both of these attend the meeting, as does executive management.


The chair of the committee ensures that agenda items are appropriately addressed and manages the pace of the meeting. Reports from the auditors – especially recommendations to improve internal control – are discussed. Issues requiring resolution are monitored until completed. The focus is on ensuring things get fixed, not on validating excuses or encouraging a silo mentality, which is very much frowned upon at this level. Honesty is key: any sense of lying at this level will result in loss of confidence in the presenter and will probably eventually result in separation from the organization.

Executive sessions - where the real story gets told

Perhaps one of the most important but lesser-known activities performed by the audit committee is meeting separately with the CFO, the head of internal auditing and the external auditors, without the rest of management present. It is in these sessions that these individuals can share their concerns about management, and audit committee members can question them without their bosses in the room. Audit committee members use these sessions to make the inquiries that enable them to fulfill their fiduciary responsibilities and to corroborate any impressions and understandings.

This is where auditors – both internal and external – have the opportunity to provide informal impressions on the job management (and information security) is doing. So remember, it’s not just what auditors write about, but also what they are thinking.

Copyright © 2016 IDG Communications, Inc.
