An article in the October 2012 CPA Journal outlined 10 questions audit committees should be asking about information technology (IT) risks and which “red flags” to look for in responses from management (Jeff Krull and Kevin Rich, “Information Technology Risks: 10 Questions Every Audit Committee Should Ask,” The CPA Journal, October 2012). Although a lot has changed in the cybersecurity and IT risk landscape during the past 10 years, many of the same problems persist. The purpose of this article is to provide updated guidance for audit committee members looking to enhance the monitoring of their organization’s IT environment.

The 2022 Deloitte Center for Board Effectiveness Guide highlights that while audit committees typically provide oversight over financial reporting and the related internal controls; risk; independent and internal auditors; and ethics and compliance efforts, they are increasingly responsible for other functions, such as cybersecurity and environmental, social, and governance (ESG) reporting.

The nature of audit committee responsibilities for public companies comes from a variety of sources including SEC rules, requirements imposed by listing exchanges such as the New York Stock Exchange (NYSE) or Nasdaq, and pronouncements from the PCAOB (“Audit Committee Guide: Requirements, oversight responsibilities, and effectiveness strategies,” Deloitte Center for Board Effectiveness, 2022). Although private organizations are not subject to these regulations, audit committees still play an important role in providing independent assessment of financial governance and risk management (“How Audit Committees Can Improve the Performance of Private Companies,” EY, 2019).

Audit Committees Still Have Trouble Overseeing IT Risk

The adoption of digital technologies creates opportunities for organizations to improve the efficiency of business processes, but it can also have tangible consequences for risk management efforts by audit committees (“Emerging Technologies: An Oversight Tool for Audit Committees,” Center for Audit Quality, 2018). Factors such as increased digitalization of operations, disruption of business activities from ransomware attacks, and increased sophistication of cyber criminals are some of the reasons the SEC recently adopted standardized guidelines for the disclosure of cyber risk management practices (“Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” Securities and Exchange Commission, 2023). A 2022 Deloitte/Center for Audit Quality (CAQ) survey of audit committee members from publicly traded companies suggested that 62% of respondents identified cybersecurity as one of the top risks to focus on in the current year (“Audit Committee Practices Report: Common Threads Across Audit Committees”).

A 2020 survey by Spencer Stuart found that only 13% of company boards have a standing committee focused on risk. In the absence of a formal risk committee, many organizations delegate oversight of the risk management function to the audit committee (“2020 U.S. Spencer Stuart Board Index”). Despite the likely need for audit committees to provide IT oversight, only 35% and 54% of respondents to the 2022 Deloitte/CAQ survey stated their audit committee had expertise in cybersecurity and technology, respectively. As a result, cybersecurity (41%) and technology (31%) were the two areas identified most often by respondents as where expertise was needed to enhance audit committee effectiveness.

The Current IT Risk Landscape

Although current techniques and tools are certainly different than in 2012, many of the questions identified in the authors’ earlier article are still relevant to today’s audit committees. The sections below present the original questions and red flag responses, along with a current update and next steps.

1. How Many Times Has the Company Been “Hacked” This Year?

Cybersecurity breaches continue to be prevalent; a recent survey identified 188 breaches disclosed by 169 public companies in 2021 (“Trends in Cybersecurity Breach Disclosures,” Audit Analytics 2022). Data breaches are often quite costly, as highlighted by an average cost of $4.35 million found in a survey of 550 impacted organizations (“Cost of a Data Breach,” IBM Security and Ponemon Research, 2022).

Original red flag response: “We haven’t been hacked.”

Update and next steps: Hacking continues to be a major risk, although many breached organizations are now aware of security breaches because they typically suffer effects from ransomware or financial theft. The 2022 Audit Analytics report also suggests that breaches involving ransomware (i.e., malware designed to hold systems hostage in exchange for meeting specific demands) grew from 10% to 24% in the last 10 years.

Leading practices suggest that organizations implement a “zero trust” architecture that assumes hackers have already compromised the organizational network. This approach results in continuous security evaluation, as each stage of a digital interaction between users, data, and resources requires validation. Nevertheless, 59% of the breached organizations in the 2022 IBM/Ponemon survey did not deploy a zero-trust architecture.

An equally important question involves how organizations know that they have been hacked. The 2022 IBM/Ponemon survey suggests that organizations required an average of 277 days to identify and contain the investigated data breaches, implying there is room for improvement. One solution involves network monitoring tools that maintain and review detailed audit logs of data accessed by specific users.
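The paragraph above recommends reviewing detailed audit logs of which users accessed which data. The following is an added example (not from the original article or its authors) of the kind of review such a log supports: it parses a small constructed audit log and flags users who touch an unusually large number of distinct sensitive records in one day, who read sensitive data outside business hours, or who perform bulk exports. The log format, the business-hours window and the per-day threshold are all assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: one JSON record per line, in the shape a
# data-access monitoring tool might emit for reads of a customer-records table.
SAMPLE_AUDIT_LOG = """\
{"ts": "2023-03-01T09:12:04", "user": "alice", "action": "read", "record": "cust-1001", "sensitivity": "confidential"}
{"ts": "2023-03-01T09:15:30", "user": "alice", "action": "read", "record": "cust-1002", "sensitivity": "confidential"}
{"ts": "2023-03-01T10:02:11", "user": "bob", "action": "read", "record": "cust-1001", "sensitivity": "confidential"}
{"ts": "2023-03-01T23:41:09", "user": "carol", "action": "read", "record": "cust-1003", "sensitivity": "confidential"}
{"ts": "2023-03-01T23:42:15", "user": "carol", "action": "read", "record": "cust-1004", "sensitivity": "confidential"}
{"ts": "2023-03-01T23:43:50", "user": "carol", "action": "read", "record": "cust-1005", "sensitivity": "confidential"}
{"ts": "2023-03-01T23:44:02", "user": "carol", "action": "read", "record": "cust-1006", "sensitivity": "confidential"}
{"ts": "2023-03-01T23:45:37", "user": "carol", "action": "export", "record": "cust-1007", "sensitivity": "confidential"}
{"ts": "2023-03-01T11:05:00", "user": "dave", "action": "read", "record": "faq-1", "sensitivity": "public"}
"""

BUSINESS_HOURS = (7, 19)        # assumed: 07:00 to 19:00 local time
DISTINCT_RECORD_THRESHOLD = 4   # assumed: normal per-user, per-day baseline


def parse_log(text):
    """Parse newline-delimited JSON audit records; convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def review_access(events, threshold=DISTINCT_RECORD_THRESHOLD, hours=BUSINESS_HOURS):
    """Return {user: sorted findings} over events that touch non-public data.

    Checks: (1) more distinct sensitive records in one day than the baseline,
    (2) sensitive access outside business hours, (3) any 'export' action.
    """
    per_user_day = defaultdict(set)
    findings = defaultdict(set)
    for e in events:
        if e["sensitivity"] == "public":
            continue  # public data is out of scope for this review
        day = e["ts"].date()
        per_user_day[(e["user"], day)].add(e["record"])
        if not (hours[0] <= e["ts"].hour < hours[1]):
            findings[e["user"]].add("off-hours access")
        if e["action"] == "export":
            findings[e["user"]].add("export of sensitive data")
    for (user, day), records in per_user_day.items():
        if len(records) > threshold:
            findings[user].add(f"{len(records)} distinct sensitive records on {day}")
    return {user: sorted(items) for user, items in findings.items()}


if __name__ == "__main__":
    for user, items in review_access(parse_log(SAMPLE_AUDIT_LOG)).items():
        print(user, "->", "; ".join(items))
```

Run against the constructed log, only "carol" is flagged, on all three checks. The thresholds are deliberately simple; in practice a baseline is derived per role from historical volume, and the findings feed a ticket for the data owner to confirm or escalate.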

2. How Many People Can Access Sensitive Data?

Unauthorized access continues to be a major issue, and it is the leading category of breach disclosed in the 2022 Audit Analytics survey at 41% (roughly double the 21% from their 2011 survey). Strong access controls allow for a preventive approach to managing IT risk rather than the “detect and react” approach often followed.

Original red flag response: “We have SOX controls.”

Update and next steps: Organizations should subscribe to the concept of “least privilege,” which bases a user’s access on the minimum permissions necessary to perform their job. In addition to individual user access, organizations should apply least privilege to networks, devices, programs, processes, and services. Many organizations are moving towards the adoption of “single sign-on,” so users do not need to remember multiple credentials. This transition creates opportunities for a holistic evaluation of user access across systems. Organizations should also periodically review all user access to ensure privileges remain consistent with the principle of “least privilege.”
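The periodic access review recommended above can be made concrete by comparing each user's actual entitlements with the baseline their role requires. The following is an added example (not from the original article or its authors): the role baselines, user inventory, review date and segregation-of-duties pairs are constructed assumptions, and the function names are hypothetical. It reports excess entitlements, conflicting entitlement pairs and dormant accounts, which are the three findings an access review most commonly produces.

```python
from datetime import date

# Constructed role baselines: the minimum entitlements each job function needs.
ROLE_BASELINE = {
    "ap_clerk": {"erp:invoice.read", "erp:invoice.create"},
    "controller": {"erp:invoice.read", "erp:invoice.approve", "erp:gl.post"},
    "it_admin": {"iam:user.manage", "erp:config.write"},
}

# Constructed user inventory, shaped like an export from an identity system.
USERS = [
    {"user": "alice", "role": "ap_clerk",
     "entitlements": {"erp:invoice.read", "erp:invoice.create"},
     "last_login": date(2023, 2, 20)},
    {"user": "bob", "role": "ap_clerk",
     "entitlements": {"erp:invoice.read", "erp:invoice.create", "erp:invoice.approve"},
     "last_login": date(2023, 2, 25)},
    {"user": "carol", "role": "controller",
     "entitlements": {"erp:invoice.read", "erp:invoice.approve", "erp:gl.post", "iam:user.manage"},
     "last_login": date(2022, 9, 1)},
    {"user": "dave", "role": "it_admin",
     "entitlements": {"iam:user.manage", "erp:config.write"},
     "last_login": date(2023, 3, 1)},
]

# Entitlement pairs one person should never hold together (assumed policy).
SEGREGATION_OF_DUTIES = [("erp:invoice.create", "erp:invoice.approve")]
DORMANT_DAYS = 90                 # assumed: no login for 90+ days is dormant
REVIEW_DATE = date(2023, 3, 1)    # assumed date the review is run


def review_user(user, as_of=REVIEW_DATE, baseline=ROLE_BASELINE,
                sod=SEGREGATION_OF_DUTIES, dormant_days=DORMANT_DAYS):
    """Return a list of findings for one user (empty list means no issues)."""
    findings = []
    allowed = baseline.get(user["role"], set())
    excess = sorted(user["entitlements"] - allowed)
    if excess:
        findings.append("excess entitlements: " + ", ".join(excess))
    for a, b in sod:
        if a in user["entitlements"] and b in user["entitlements"]:
            findings.append(f"segregation-of-duties conflict: {a} + {b}")
    idle_days = (as_of - user["last_login"]).days
    if idle_days > dormant_days:
        findings.append(f"dormant for {idle_days} days")
    return findings


def review_all(users=USERS, as_of=REVIEW_DATE):
    """Return {user: findings} for every user with at least one finding."""
    report = {}
    for u in users:
        findings = review_user(u, as_of)
        if findings:
            report[u["user"]] = findings
    return report


if __name__ == "__main__":
    for name, items in review_all().items():
        print(name, "->", "; ".join(items))
```

On the constructed data, "bob" holds an approval right his clerk role does not justify (which also creates a create-plus-approve conflict) and "carol" carries an administrative entitlement and has not logged in for six months. An unknown role yields an empty baseline, so every entitlement of such a user is reported as excess, which is the conservative outcome for a review.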

Another best practice involves classifying data into categories (such as personal, public, sensitive, and confidential) to help identify which data may be more sought after by bad actors, and therefore should have stronger controls.

3. What is the Definition of a Successful IT Project?

Successful IT projects continue to be those that meet user needs and do so on time and within budget.

Original red flag response: “A system that does what it is supposed to do.”

Update and next steps: Many organizations continue to struggle with managing large-scale IT projects. The past 10 years have seen a significant shift towards third-party managed systems and Software as a Service (SaaS) deployments. Although working in a SaaS model has many benefits, it increases an organization’s reliance on vendors for a successful outcome. Organizations should make sure they appropriately apply due diligence procedures when evaluating potential partners.

4. Are Laptops and Other Portable Devices Encrypted?

Lost or stolen devices can provide a gateway for intruders, and the 2022 IBM/Ponemon survey suggests that lost devices account for 5% of initial breaches. One tool to combat this is encryption, which involves using an algorithm to encode data so that only those with the proper key can access it. This is important not only for data security at the device level, but also for data in transit.

Original red flag response: “It costs too much.”

Update and next steps: Organizations should ensure they have a formal process that allows the IT department to identify resources that require protection via encryption. The cost of device-level encryption continues to fall, especially for mainstream devices. Furthermore, organizations should also encrypt data in transit via the use of a virtual private network (VPN), which masks a device’s IP address and creates a protected network connection between resources. Use of a VPN is essential in a work-from-home environment or when employees are utilizing public Wi-Fi.

5. Are Strong Password Policies Enforced?

Passwords continue to be a valuable tool used to authenticate users, but they can create exposure when improperly managed. Verizon’s 2022 Data Breach Investigation Report (DBIR) finds that roughly 80% of web application breaches are from stolen credentials related to weak passwords (“Data Breach Investigation Report,” Verizon, 2022).

Original red flag response: “Our users will just write them down.”

Update and next steps: Organizations should start by implementing the best practices for passwords established by the National Institute of Standards and Technology (NIST). Furthermore, organizations should be utilizing multifactor authentication, where users must provide two (or more) verification factors to gain access to a resource. In alignment with the NIST guidance, organizations should check for commonly used passwords and restrict their use. Moving more applications towards single sign-on solutions should also help reduce the number of passwords users need to remember. Some organizations also provide their users with password managers to make it easier to maintain secure and hard-to-guess passwords.

6. Has a Disaster Recovery Plan Been Tested Recently?

Evaluating disaster recovery plans helps organizations assess how well they will respond to a cybersecurity crisis. The 2022 IBM/Ponemon survey states that although 73% of companies impacted by a data breach had an incident response plan, only 37% tested it on a regular basis.

Original red flag response: “We haven’t tested it.”

Update and next steps: A test of the disaster recovery plan is primarily a critique of the incident response (IR) team. As a result, having clear guidelines in terms of composition, responsibilities, decision making, and communication plans (including a “playbook” for potential events) for the IR team is essential. Furthermore, the rise of ransomware creates the need to also ask, “How do we know the hackers couldn’t delete our backups?” One useful tool is “immutable” backups that cannot be modified after creation. Finally, organizations should review their disaster recovery plans to ensure they have realistic objectives amidst a crisis.

7. Are Service Providers Keeping Data Safe?

Organizations often share sensitive information with a host of third parties, such as vendors, outsourcing providers, independent contractors, and joint venture partners. These relationships create a tangible risk of reputational damage, given that the 2022 Verizon DBIR found that business partners were involved in 39% of investigated breaches.

Original red flag response: “We get a Statement on Auditing Standards (SAS) 70 report,” or “It’s in our contract.”

Update and next steps: This continues to be a critical question, with vendor risk management growing in importance. Although device-level controls are still important, 45% of the breaches investigated in the 2022 IBM/Ponemon survey were in the cloud. Organizations should implement robust vendor risk management programs that include obtaining assurance that vendors implement strong cybersecurity controls. One method may be to require vendors to provide a Service and Organization Control (SOC) 2 report. SOC 2 reports are examinations performed by a CPA firm that provide third-party assurance surrounding the design and implementation of key security controls. By obtaining a SOC 2 report from their vendors, organizations can gain insight into the security posture of their vendors with the comfort that the controls have been tested by an independent party.

8. Does the Organization Have Any Assets Not Controlled by the IT Department?

A recent survey found that 39% of remote workers worldwide used personal devices to access work data (“Head in the Clouds: How Remote Working Behaviours Are Exposing Organisations to Cyber Risk,” Trend Micro, 2020). The concept of “Bring Your Own Device” (BYOD) allows employees to do work on their personal smartphones, but often without the benefit of the organization’s IT security features.

Original red flag response: “We don’t know” or “Yes.”

Update and next steps: Organizations should adopt a robust BYOD policy, including strict mobile device management (MDM) controls over those devices, such as enforcing encryption and allowing for a remote wipe of data from the device. Additionally, organizations should consider whether a “thin client” option may provide a more secure means of allowing users to access data remotely without giving them the ability to exfiltrate data from the environment.

9. Has the Organization Performed and Documented an IT Risk Assessment?

IT risk assessments help organizations identify and assess threats (both internal and external) to data and assets that could impact operations.

Original red flag response: “We haven’t.”

Update and next steps: The NIST Cybersecurity Framework (CSF) is a freely available and widely accepted framework for evaluating cybersecurity controls and risks. Organizations should evaluate their environment against the NIST CSF on an annual basis and catalogue unmitigated risks for tracking and mitigation.

10. Is There Adequate IT Coverage from an Internal Audit Perspective?

A report by the Institute of Internal Auditors (IIA) suggests that while cybersecurity (85%) and information technology (61%) were widely identified as “high-risk” areas, they received less attention than compliance, operational, and financial reporting work in internal audit plans (“2022 North American Pulse of Internal Audit,” IIA, 2022). This implies a possible disconnect between risk levels and audit coverage. At the same time, a KPMG report suggested that there is a shortage of professionals with the skills necessary to tackle emerging and evolving risks (“Technology Internal Audit: 2022 and Beyond,” KPMG, 2022).

Original red flag response: “We haven’t evaluated it.”

Update and next steps: Technologies such as robotic process automation (RPA), artificial intelligence (AI), and blockchain are changing the scope of IT procedures from an internal audit perspective. This means that it will be even more important for the internal audit function to monitor how emerging technologies impact risk levels.

New Questions

While the authors’ primary focus is to update the items for audit committee members to consider from the 2012 article, we suggest the following two additional questions based on current trends.

11. Do We Have Concerns with Cybersecurity Insurance?

Cybersecurity insurance products are designed to cover losses associated with data breaches and ransomware attacks, as well as business interruption costs associated with these events. As the likelihood and severity of cybersecurity breaches increase, insurance providers are quickly adjusting their offerings. One report indicates that premiums increased 50% in the past year for “best-in-class” organizations, and as much as 100% to 300% for organizations lacking adequate security controls (“Cyber Market Conditions,” Gallagher, 2022). This comes with additional difficulty obtaining policies through greater underwriting scrutiny.

Red flag response: “No.”

Next steps: As insurers get more sophisticated in their underwriting of cybersecurity policies, many organizations may face more scrutiny and potential cost increases. Organizations should take this as motivation to put more focus on their own cybersecurity risk management procedures.

12. Has Remote Work Introduced Any New Risks?

The COVID-19 pandemic accelerated the move to remote work, and many organizations have allowed employees to remain remote indefinitely even as the pandemic pressures have eased. A recent article found that 25% of all professional jobs in North America will be remote by the end of 2022 (Bryan Robinson, “Remote Work Is Here to Stay and Will Increase Into 2023, Experts Say,” Forbes, 2022).

Red flag response: “No.”

Next steps: Unless a company was remote pre-pandemic, it is unlikely that the shift to remote work had no impact on security risk. Organizations should outline clear policies on remote work, train users on how to secure their remote office environment, and implement VPN technologies to secure connections. In addition, some organizations may have opened up access to allow more personal devices early in the pandemic. Those that did should reconsider whether that expanded access should be restricted, even if it means replacing personal device access with corporate-owned devices.

Additional Resources

SEC Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

National Institute of Standards and Technology (NIST), Digital Identity Guidelines:

National Institute of Standards and Technology (NIST), Cybersecurity Framework:

Jeff Krull, CPA, CISA, CITP, is a partner, cybersecurity services leader at Baker Tilly US LLP, Philadelphia, Pa.
Kevin Rich, PhD, CPA, CFE, is the chair and Charles T. Horngren Professor of Accounting at Marquette University, Milwaukee, Wisc.