Audit committees and IT: appearing on the audit radar

Tim Copnell, Accountancy Age, 11 Oct 2007

Audit committees are becoming increasingly interested in IT risk, which is good news for the finance and IT functions

Few boardroom members outside of the high-tech industry would claim to be information technology experts.

But for CFOs, CIOs and other senior managers responsible for IT and making sure that corporate information is accurate, reliable and secure, working through the audit committee can be a natural and extremely valuable catalyst for strong IT governance.

Directors may not be asking many pointed questions about IT. Many say they don’t have the knowledge or background to dig deeply into the issue. But that doesn’t mean they aren’t intensely interested in the company’s information risks and IT governance practices.

Indeed, oversight of IT risk and governance was cited by many audit committee members as a major agenda priority for 2007, according to a recent survey by KPMG’s audit committee institute.

Almost a third of the 1,300 audit committee member respondents said they were not satisfied with the amount of audit committee time devoted to the oversight of IT risk, reflecting the challenges of overseeing what has long been viewed as a mysterious ‘black box’ back-office function.

With IT budgets growing and information technology becoming ever more important and increasingly complex, IT governance is likely to remain high on audit committee agendas in the years ahead.

Fortunately, ACI meetings in the UK show many audit committees continuing to grow more confident in their oversight of core financial reporting issues, and increasingly viewing other issues, IT risk included, through a more sophisticated ‘risk lens’.

Clearly, audit committee responsibilities for oversight of IT-related risks will be for the board to determine and will vary by company.

Some may focus on IT risks from a financial reporting perspective only, while others may consider compliance-related risks, including privacy, security, outsourcing and business continuity and some may broach the issues of IT strategy and investments.

The ACI survey found that two thirds of audit committee members say that they have primary oversight responsibility for issues relating to IT compliance and controls. Half of them say they take responsibility for oversight of business continuity issues and 45% for information security/privacy, but one in five say they have primary oversight responsibility for none of these.

Regardless of what precise responsibilities are delegated to the audit committee, IT risk is likely to be somewhere on the audit committee’s radar, both as a source of potential risk to the company’s operations and competitiveness and with major financial reporting and disclosure implications.

Increased focus on IT governance by the audit committee will lead to increased scrutiny of management’s IT governance practices and, very likely, higher expectations.

But the audit committee’s oversight work can be a valuable source of objectivity and insight for both the board and management and can directly support an organisation’s IT governance efforts.

Many audit committee members say they want, and need, to know more about IT and information risks. Such a focus can bring an important, independent perspective to the company’s consideration of IT risks, whether financial, regulatory or strategic.

The organisation’s IT professionals can help enhance the board’s appreciation of the issues by educating them and discussing IT matters in plain English.

Directors who understand basic IT terminology, but who focus squarely on information risks in a business context, are then better positioned to add real value to the discussion.

The complexity of IT systems can result in major ‘disconnects’ in the IT governance process. Language barriers between the company’s IT department and the board can hamper clear and robust discussions of IT issues, often resulting in fragmented IT governance policies and practices without clear accountability or enforcement.

Establishing the right tone at the top and setting clear expectations for IT governance practices, standards and responsibilities can help get everyone on to the same page.

The audit committee’s expectation for high-quality information and focus on internal controls can also help the IT department concentrate on ensuring that the information flowing in and out of the company’s IT systems is what the company, its business units and the board need.

From a privacy and security perspective, the audit committee can serve as a catalyst for ensuring that robust discussions are taking place on the key risks to corporate and customer information.

Given the legal, financial and reputational implications of security breaches or lost information, management should welcome the scrutiny an audit committee can provide.

This scrutiny can also generate important insights into the company’s business continuity and disaster recovery plans with respect to information systems and availability.

Always ask the fundamental questions about critical IT projects. A major IT project delay or failure may have significant financial reporting and disclosure implications.

By staying aware of the status of critical IT projects, the audit committee can help maintain overall awareness of project milestones, potential problems, and significant budget issues and, potentially, return on investment.

Organisations might differ in how IT oversight responsibility is aligned among the board, audit committee and other standing committees, such as an IT committee or risk committee.

Nevertheless, there is a broad consensus among audit committee members that the experience and insights of the board and audit committee can act as important catalysts, if not powerful partners, in the organisation’s efforts to manage IT risks and make the most of IT investments.

Both are fundamental goals of effective IT governance.

Five key areas of IT risk

Business focus: the risk that IT effort and expenditure is not aligned to the strategy of the organisation and does not provide the expected level of business benefit at all times.

Security training and awareness: as IT systems become more complex, more responsibility falls on the end user. But too often IT training and awareness lacks impact, and users are not aware of their own responsibilities.

Legislation and regulation: regulations such as Basel II, MIFID and the combined Payment Card Industry standard have made many organisations re-assess their IT controls.

Information assets: understanding where an organisation’s information assets sit – whether that be in paper form, on servers, a Blackberry, USB memory stick or even extending across to other organisations – is a key challenge for organisations.

Access and identity management: ensuring that users have access to all of the information they need to do their jobs but no more.

Timothy Copnell is director of the KPMG-sponsored audit committee institute in the UK
