Equifax became the poster child for cybersecurity disasters when hackers breached its systems in 2017, exposing the Social Security numbers of 146 million people, about half the U.S. population. Not only did its CEO and senior executives lose their jobs, the company also reached a settlement with multiple agencies worth as much as $700 million.
A U.S. Senate subcommittee investigation found that Equifax had discovered more than 1,000 critical, severe and moderate IT vulnerabilities during a 2015 audit that had not been patched. The company failed to conduct any follow-up audits before the 2017 breach. As the Equifax breach showed, proper cybersecurity governance is paramount to the functioning of a successful company and the audit committee has, for better or for worse, found itself at the vortex of such high-profile, reputation-busting risks.
“The entire board is looking for the committee not just to manage the audit, but the broader risks the company faces,” says Phyllis Deiso, the national SEC practice leader for RSM US, a tax, audit and consulting services firm. That means the proper functioning of an audit committee is critical. DirectorCorps interviewed several individuals who serve on the frontlines of audit and corporate governance to find best practices for audit committees.
Manage the Audit Committee Effectively
It may be that the audit committee can’t handle all the risks of the company. Some publicly traded companies such as BNY Mellon Corp. or General Motors Co. use a risk or technology board subcommittee to spread responsibilities. When risk is the sole domain of the audit committee, however, companies need to manage that effectively.
Audit committee chairpersons should ensure that the audit committee’s calendar reflects the priorities of the company. The audit packet can become stuffed with information that can be challenging for members to read. The board chair needs to ensure that the audit package is readable and that members have enough time to read it beforehand so they can ask pertinent questions. Staff often spends countless hours preparing board reports, but few on the audit committee stop to ask if they need all that information.
“We add more and more to the audit package,” says John Behringer, RSM’s national consulting co-leader for financial institutions. “Can we take some of that out?”
Executive summaries followed by a full report for reference can help. “Especially as you grow as a company, if you haven’t taken a fresh look at the audit committee packet in three years, you’re probably overdoing some things and underdoing others,” says Kara Baldwin, an audit partner for Crowe.
Baldwin and Deiso agree that an effective audit chairman or another appropriate person on the committee should meet periodically with management and the external auditor to make sure the committee’s needs and meetings are managed effectively. This isn’t to circumvent the work of the committee, but to make sure the committee’s hours are best spent.
Continually Assess the Audit Committee’s Skills
It’s not just the time spent. The people on the audit committee are essential to a highly successful committee. The best committees continually assess the skills they need. Publicly traded companies must make sure they have at least one financial expert on the audit committee. But technology and cybersecurity governance are increasingly sought-after skills as well. In some cases, audit committees are hiring a chief information security officer to advise the committee separate from management, Behringer says.
Deiso suggests the audit committee needs to continually address the skills needed to serve on the committee. Most boards struggle to balance the need for director tenure against the need to refresh the skills of the board members. Deiso suggests a skills matrix for the audit committee, which is a diagram that spells out the skills needed and which board members have them. That helps the committee’s leadership identify opportunity areas for more training or new members. A variety of training is available from the Center for Audit Quality, and the Public Company Accounting Oversight Board recently offered a list of items for audit committees. Speakers can come to the board and give training sessions.
Board training often is conducted at the 50,000-foot level, Behringer says. When it comes to managing IT risks, there tend not to be many board members who can provide that level of expertise. “Boards have to think about how they are going to manage that,” he says.
At the end of the day, audit committees need to make sure they can provide a credible and effective challenge to what their members see and hear, whether it’s a challenge to management, to internal audit or to the company’s outside auditors, Behringer says.