I recently saw the results of a PwC survey on where IT oversight resides at the board of directors’ level. In more than 50% of the companies it was with the audit committee, while 25% had it with the entire board and 8% had no oversight at the board level at all. It’s hard to imagine a business that does not use IT today. We may laugh at the commercials, but even the neighborhood kids’ lemonade stand is often publicized on Facebook (even if it is on Mom’s page). So, putting the 8% who live in the dark ages aside (and the 17% who didn’t even know what IT stood for?), I wondered about the implications of two-thirds of the companies with board-level oversight placing IT oversight with the audit committee.
Using the audit committee seems to be a natural outgrowth of the way IT has been handled historically. CFOs were often the officer that IT reported to before CIOs started proliferating. In addition, boards often first deal with IT when something goes wrong – either an access breach or a system failure that then impacts the financial results. Either way, the knee-jerk reaction is that IT is a “control problem,” and that is what audit committees are supposed to handle. And of course, as is their nature, audit committees will treat IT as a control and compliance issue. Do our general IT controls work well enough to pass muster for the audit of our controls? Do we have the right protocols in place to comply with the HIPAA regulations over access? Are we doing enough to prevent breaches of our systems and the unauthorized release of sensitive customer information, in order to prevent reputational damage from the next hacking attack?
These are all very important issues, but the problem is that in today’s world where business models can be disrupted by the next drunk college student writing code in his or her dorm room at two in the morning, IT can’t be viewed solely or even predominantly as a “control issue” (or is that an issue to be controlled). The use of IT is, or should be, a critical strategic issue for every company, and critical strategic issues should be the domain of the entire board of directors.
Am I saying that the entire board should be dealing with the minute details of IT? Of course not. In fact, that is what management is supposed to do, but the entire board should be very interested in any organization’s IT strategy, plans, risks and opportunities. The problem with sending IT oversight to the audit committee is that the risks will get a lot of attention while the other three areas will get less than they deserve or need. The solution for the twenty-first century company is to rethink who has responsibility for IT oversight at the board level. Maybe this is a case where the majority has it wrong.
The AICPA Board met last week. November is the first Board meeting for newly elected members of the Board, but while this was not my first board meeting it still included a first for me. It was my first meeting as Chair of the Audit Committee. It was also the beginning of my last year on the Board. It’s hard to believe I am entering the last year of my service on the Board. While I am now the experienced “old hand,” looking around the board room I am confident that we will continue to be led by talented people with a deep passion for the profession. The Board once again covered a tremendous number of topics from private company financial reporting, to peer review, to activities in the EU related to the “Green Paper” recommendations, to updates from our government and employee benefit plan audit quality centers, as well as an update on the current banking and insurance industry issues and audit risks. As usual I will highlight a few of the areas covered.
The Audit Committee functions just like most audit committees. The Director of Internal Audit reports directly to the audit committee; we are responsible for the engagement and relationship with our external auditor – JH Cohn; and we are very focused on risks and controls not only over financial reporting, but increasingly over compliance and operations. The AICPA has a great Director of Internal Audit. Her department not only provides support to the external auditor, but also audits the CPA Exam process as well as other key internal processes. Audit areas are determined based on a risk analysis and are approved by the audit committee on an annual basis. I could spend this whole blog talking about the audit committee, but instead I will refer you to the AICPA Audit Committee Toolkit. We use this toolkit extensively to help run our audit committee and ensure that we are utilizing best practices in our governance process.
The CPA exam was successfully launched internationally earlier this year and additional changes have also been implemented. The exam continues to be one of the preeminent professional examinations and the latest changes are designed to continue to keep it there. For example, the test questions continue to evolve to be even more like the real world. I will go into more detail in a future blog on all of the changes, so be on the lookout for it.
EU Green Paper
I know some of you would question why the AICPA Board spends time covering proposals related to auditing in the European Union. The simple answer is that activities in the EU are providing impetus to PCAOB proposals in areas like mandatory auditor rotation, dual auditing and independence. For example, one of the EU proposals is to ban auditing firms from doing anything other than audits. This goes beyond the notion of no client consulting work. It would mean no tax work, no valuation work, and no work in other areas that provide critical knowledge for performing an effective audit. Simply put, in this global world, nothing goes on that doesn’t eventually work its way back to impacting the U.S. and therefore the U.S. CPA. The Board is simply taking its responsibility to ensure the long-term prospects of the U.S. CPA by looking at things going on in the rest of the world.