Thomson Reuters Tax & Accounting News

Featuring content from Checkpoint

Back to Thomson Reuters Tax & Accounting News

Subscribe below to the Checkpoint Daily Newsstand Email Newsletter

Audit Committees May Find Themselves Forced to Monitor Computer Threats

June 27, 2014

Corporate directors are increasingly having to address computer threats and hacking attacks. The growing risks because of technology are putting pressure on directors who sit on audit committees to take responsibility for computer risks. Some audit committees don’t like the idea and are trying to inform regulators and other directors about more suitable ways to address computer theft and spying.

Computer threats and hacking have quickly become some of the biggest issues a company faces.

Corporate boards are increasingly paying attention to the risks, and now regulators, including the PCAOB and its Standing Advisory Group (SAG), are debating whether audit committees should have explicit responsibility for overseeing computer and network security.

Some directors who sit on audit committees would rather take a pass.

“The notion that this is an issue for auditors and audit committees, I think, is misguided,” said Michael Cook, a former chairman and CEO of Deloitte & Touche LLP who chairs Comcast Corp.’s audit committee, during a SAG meeting on June 25, 2014. “This is a responsibility at almost every company of the full board.”

Cook said every company is different, and the kinds of risks companies have are different.

“There’s all kinds of different things that can be a risk of a cybersecurity attack; we always have information technology risk in the financial reporting area,” he said. “This is a different form of it, maybe it magnifies it a bit. But business continuity, data recovery, these are not new concepts. The audit committee had a responsibility for them before, and the audit committee will have responsibility for this after in a significant way. But to engender this discussion where this becomes the responsibility of auditors, and we are going to have that responsibility at the audit committee level, in my mind, is again just not the right place to be. These are enterprise-wide risks that need to be dealt with by the full board.”

Charles Elson, chair of the corporate governance center at the University of Delaware, said he agreed with Cook. But in his view, it’s inevitable that audit committees will be given the responsibility.

“I think that directors are fearful [of] liability,” he said. It is “identified not necessarily as a financial issue, it’s more operations. On the other hand, what bucket do you put it in? Typically when you don’t know the bucket to put it in, you give it to the audit committee.”

Dennis Beresford, a SAG member who chaired the FASB from 1988-1998 and is now a professor of accounting at the University of Georgia, agreed with Cook’s assertion that the full board has the overall responsibility for security. Yet other board members might delegate the task to a committee.

“When there’s a risk committee, as is the case for a minority of larger companies, it would logically go to that committee,” he said in a subsequent telephone interview. “But otherwise the audit committee is probably the logical place to assume that oversight. Nearly every audit committee newsletter that I see from the major accounting firms and law firms has been dealing with this issue.”

Robert Herz, who chaired the FASB from 2002-2010 and now teaches at Columbia Business School, called computer security a broader and deeper operational risk issue.

“While the audit committee might look at certain aspects of it that relate to security to the financial reporting systems and what internal auditors are doing about that, it’s a much broader issue,” Herz said.

Some large companies may have a separate technology or risk committee that may be qualified to give the issue an in-depth review and explain significant problems to the full board. But the audit committee won’t be looking at the full range of the issues, Herz said.

But many company boards don’t have separate committees for technology or risk. Most companies have three committees — governance, compensation, and auditing.

For them, there’s a tendency to say, “Well, it’s not nominating and corporate governance, it’s not compensation,” Herz said. “They kind of say, ‘well, the audit committee seems the most logical one of them.'”

Tagged with →