
Canadian audit committees ill-equipped to face cyber threats: KPMG


Developing cyber security strategies is not a high priority for the audit committees of many Canadian firms, and as a result these organizations lag behind their international counterparts on cyber security issues, according to a recent global survey conducted by consulting firm KPMG.

KPMG’s 2014 Global Audit Committee Survey Report – The Canadian Perspective queried 145 respondents and found that only 31 per cent of Canadian audit committees were satisfied with the time spent by the board on cyber security issues, compared to 55 per cent of respondents globally and 57 per cent in the United States.

The situation could be a boon to channel partners that specialize in cyber security consultancy and managed services.


The range of risks that audit committees are tasked with identifying and assessing continues to grow and evolve, expanding beyond traditional areas such as legal and regulatory compliance, anti-bribery and corruption, and financial reporting to now encompass information technology, including cyber security. The report is based on responses from approximately 1,420 audit committee members in 34 countries, collected between September and November 2013. Of the 145 Canadian respondents, 53 per cent were audit committee chairs and 43 per cent serve on the audit committees of companies that earn less than $250 million in annual revenue.

Release of the survey results comes at a time when cyber threats such as data breaches, advanced persistent threats and the recent Heartbleed bug continue to rise.

“The results suggest that Canadian audit committees are not well equipped to deal with these issues,” John Gordon, Canadian managing partner for KPMG Canada, told CDN. “This raises the opportunity for audit committees to examine carefully if they have the right skills and resources that understand these risks.”

For instance, he said, as the role of the audit committee continues to evolve and grow, only half of those surveyed in Canada believe internal audit’s role should extend beyond the traditional responsibilities of financial reporting and controls to include other major risks and challenges facing the company. This compares to 66 per cent in the US and 70 per cent globally.

The reason for the disparity, according to Gordon, lies in the size and maturity of Canadian companies.

“Compared to U.S. and European firms, Canadian companies are more likely to be mid-market and newer companies,” said Gordon. Many Canadian audit committees have not gotten around to developing comprehensive cyber security strategies, or lack the resources to recruit audit committee members with expertise in cyber security issues.


As the audit committee’s role evolves to take on deeper responsibilities for risk, a “disconnect” is emerging between the skills that were traditionally required and those now needed to effectively minimize company risk. Only 28 per cent of Canadian survey respondents are satisfied that internal audit currently has the skills and resources to be effective in the role they envision for it.

While Canadian audit committees may be slow to pick up on the implications of cyber threats, Ben Sapiro, senior manager of KPMG Canada’s risk consulting practice, said he sees a “movement” in the right direction.

For many years, cyber threats were associated with impacts on individual users and with mischief by hackers who sought only notoriety. Today, hacking has become big business.

“The nature of cyber security has changed and now more firms are taking notice,” said Sapiro. “Now cyber threats are making a material and financial impact on companies.”

He said this could be an opportunity for companies in the channel that provide cyber security audit and consulting services, as well as expertise in external intrusion control, malware and risk management.

KPMG suggests companies take the following steps to optimize the audit committee’s workload, agenda and skills:

  • Ensure the committee has the time and expertise for major categories of risk “beyond the core”
  • Consider whether risk oversight responsibilities need to be re-balanced
  • Leverage additional resources and expertise from internal and external auditors and third-party experts – particularly in the areas of risk and emerging technology

Companies should also recognize that internal audit is most effective when it is focused on the critical risks to the business, that is, operational risks and their related controls, not just compliance and financial reporting risks.

“Bridging any gaps in skills and resources will help to ensure they are able to quickly identify both traditional and non-traditional risks threatening the organization,” Gordon said.