Canada - English
Audit Point of View

Tackling Technology Risks 

Emerging Issues in an Evolving Landscape

 

Today's always on, constantly connected society delivers exceptional benefits to both individuals and businesses. But it also comes with a price, particularly for companies heavily reliant on complex technology systems. For proof, look no further than the recent breach that compromised credit card data for 40 million Target customers that contributed to the resignation of the company's chief technology officer and its CEO.

Audit committee members understand that technology can pose grave risks to organizational reputation and profitability. What they may struggle with, however, is defining the parameters of those risks-and assessing at which point audit committee involvement becomes necessary.

The tipping point

Given the extent to which organizations today rely on technology, IT intersects with the audit committee's mandate to oversee risk management undertakings more often than many may think.


If a global company's IT systems go down as the result of a natural disaster or other unanticipated business disruption, both sales and productivity losses can mount alarmingly. If a company's online platform crashes or it becomes the victim of a cyber-attack, it often suffers both reputational and financial losses that can affect its financial reporting. Similar losses can also result if social media policies are not enacted and enforced.


To complicate matters, during the recent economic downturn, many companies curbed their capital spending-including their IT project spends. As a result, these companies may be overly reliant on aging systems that lack the capacity to keep pace with the evolving demands of ecommerce. This presents risks of its own.

Managing the risks

Of course, most companies have adopted various risk mitigation strategies related to IT. For example, companies involved in major IT projects most often require budget approval from the board before proceeding. Management also generally adopts processes designed to minimize IT risk.


So what should audit committees be doing? At the very least, audit committee members should understand the mitigation processes that management has implemented and relies on. At organizations exposed to higher risks, audit committees may need to commit to a higher level of involvement and oversight. This may include:


  • Asking the right questions. To understand where technology risk might affect financial reporting, audit committees must remain abreast of a company's IT risks and related initiatives. In addition to asking the company's CIO or head of technology to share information about any contemplated IT projects, audit committee members should ask about the company's technology strategies, including their related costs, and learn how management is mitigating any identified risks or threats.
  • Adding IT to audit committee agendas as a standing item. Beyond simply inviting IT management, as well as external experts and advisors, to speak to the committee on an annual basis, audit committee members at organizations undergoing major technology initiatives or that are particularly exposed to IT risk should raise these issues at each meeting to ensure they remain abreast of emerging risks.
  • Attracting audit committee members with relevant expertise. Companies that frequently engage in complex IT projects may want to include someone with specialized IT expertise on the audit committee or at least bring in an external expert for a defined term during a period of technology transition.

 

Tackling Technology Risks

Handling the workload

Given the growing scope of the agenda, many audit committees are leery of adding more items to the list. That's fair. After all, IT does not represent the same level of risk for all organizations. Before including it as a standing agenda item, it makes sense for audit committees to assess the extent to which their organization may be exposed to these risks by asking the following questions:


  • How heavily dependent is the company on IT?
  • Are we embarking on major system change?
  • If systems go down, what disaster recovery plans do we have in place?
  • What security measures exist to prevent a data breach or cyber-attack?
  • Can our systems continue to render accurate financial reports in the face of a technological disruption?
  • Does the company have appropriate expertise to mitigate IT risk?

 

As companies evolve, the risks that audit committees must review change as well. To ensure appropriate financial oversight, audit committees should determine if their exposure to IT risk is rising and take steps to mitigate those risks before they cause a material impact to the company's financial statements.

  • John Desjardins, Business Unit Leader, Audit

Be first to know

Get the latest information from KPMG.

 Contact us

John A. Desjardins

John A. Desjardins

Partner, Audit, Business Unit Leader, Audit, GVA

604-691-3103

Share this

 

Follow us

Where Does the Board Sit?