Now is the time for annual external and internal audit planning to be on every audit committee’s calendar. Audit committee members consider evolving threats, new business opportunities, ongoing challenges, and regulatory expectations. Cybersecurity remains a significant topic of concern. Debate continues over the role of the board and the audit committee, including governance and oversight responsibilities. Today, among the most critical responsibilities of the committee are the oversight and approval of audit plans, including those relating to cybersecurity threats.


Understanding the Organization’s Approach to Cyber Threats

The scope of cybersecurity varies across organizations. Some define the scope narrowly, restricting cybersecurity to Internet-related activities; others include all forms of information and technology risk. From an audit governance perspective, technology audits have evolved from the “all-in-one” general controls review to a more specific and nuanced approach that divides cybersecurity concerns into multiple audits or limited reviews. This approach allows organizations to target evolving threats and emerging risks, which can lead to more effective identification of the most severe exposures.

The key for audit committee members is to ensure that they have a current and complete understanding of the cybersecurity threat landscape, and to use that knowledge to help management and auditors navigate their organizations around the pertinent business risks. Many opportunities exist for audit committee members to better understand the evolving threat landscape and to provide ongoing commentary on it. Niche think tanks such as Gartner; academic cybersecurity research centers, including MIT and Carnegie Mellon; and government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), can be sources of reputable information to enhance a committee member’s knowledge when engaging management.

Audit committee members will find that the technology risk assessment performed by management and the IT audit plan risk assessment conducted by internal audit provide a trove of information on how the organization views its risk posture, gaps, and remediation priorities. Understanding commitments made by the organization to protect customer or partner information can also inform efforts. Validating the representations to insurance companies, which can play a critical role in helping the organization transfer some cybersecurity risk, should also be an assurance the audit function provides to the committee.

The above considerations should facilitate audit committee members’ preparation for meetings where audit plans or results are discussed. Although the internal perspective is essential, an awareness of the challenges faced by competitors and how they approach governance, risk management, and evolving cyber threats is vital. Reputable publications, including those provided by larger public accounting firms, can be sources of critical questions that committee members should consider as they approach the annual plan approval meeting.

Emerging Threats Requiring Attention

Popular current cybersecurity-related topics that audit committees are assessing during the current year’s planning activities are discussed below.

From a financial audit and reporting perspective, the SEC’s adoption of final rules requiring disclosure of material cybersecurity incidents and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports (“Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”) deserves attention. Although focused on public companies, many private companies could benefit from using these guidelines as a general benchmark. To help the profession, the Center for Audit Quality and the AICPA jointly issued “What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules.” The publication provides critical considerations that organizations should incorporate when responding to cybersecurity events and establishing an appropriate cybersecurity risk management framework. At a minimum, the audit plan should consider these publications and assess the organization’s ability to comply.

Covered entities (i.e., any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies) under New York State’s cybersecurity law face heightened regulatory expectations with recent amendments to the original 2017 law. Although only larger entities (Class A) are required to perform annual audits, entities of all sizes could benefit from an annual assessment of the law’s critical requirements. Noncovered entities could also benchmark their activities against the best practices in the law’s provisions.

The promise of artificial intelligence and other emerging technologies continues to excite executive management. Many organizations try to balance anticipated benefits with perceived threats, even though both may not be fully understood. Committee members may be unable to forecast how technology may impact the organization’s future; yet, they can help ensure appropriate project management governance policies reflect this ever-changing environment. This includes the prudent use of funds to invest in new initiatives and technologies while ensuring adherence to corporate governance expectations.

Unfortunately, few organizations perform a full cyber incident response audit until it is too late and a breach has occurred. Even when completed, such an audit typically receives a lower audit risk rating due to a lack of immediacy. Many organizations focus their energy on cyber preventive efforts. From a risk management perspective, this position is understandable. But in the event an organization suffers a security breach or malware attack, it is vital that it knows how to manage the breach to minimize damage. The Federal Emergency Management Agency (FEMA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), recently published “Planning Considerations for Cyber Incidents,” which combines operations recovery with cyber threats. Audit committee members can question management on the tools and resources used to develop the plan. Unfortunately, the response plans of many organizations are only a few pages long, do not provide the requisite guidance, and are not tested at least annually.

Many audit committee members remain frustrated with the core cyber risk mitigation controls of configuration management and vulnerability assessment. Despite efforts by many organizations to remediate this critical exposure, it continues to be a topic of discussion at many audit committee meetings. Business-focused executives are frustrated because the “repair and done” philosophy, so often employed in resolving business challenges, does not appear to work for cyber risk. Unfortunately, this topic will continue to challenge organizations. Governance activities should include periodic reports to the audit committee confirming the organization’s compliance with its configuration and patch management policies, including prioritized remediation commitments for out-of-compliance situations.

Policies are critical to an audit committee’s effectiveness, and their ability to help an organization achieve its mission should be periodically assessed. Through policies, the board communicates expectations and upward communication requirements. Since the COVID-19 pandemic, organizations have experienced dramatic changes in technology and work alternatives. Some of these policies have existed for a few years, and some were rapidly developed and implemented to respond to the realities necessitated by COVID-19; the latter focused on resolving tactical challenges rather than providing guidance from a strategic perspective. The audit committee should take a strategic view and critically assess the effectiveness of technology-related policies, taken as a whole, through the audit function.

Some organizations manage cloud risks as a general vendor management concern, focusing on contracts, service levels, insurance, and related matters. They tend to misunderstand the nature of the shared responsibility between the organization and the service provider in the cloud. Complicating matters is the fact that the cloud is a relatively new yet highly complex technology, resulting in technical exposures with which neither the organization nor the service provider may be familiar. The audit plan should consider efforts toward assessing the organization’s governance over the cloud in order to mitigate potential security breaches and data losses.

Plan for the Unknown

There is little doubt that cybersecurity threats will continue to increase. Audit committees must ensure that management addresses and mitigates prior attacks, and efforts should also be made to prevent new ones. Basic security hygiene, monitoring industry developments, ensuring adequate backup, and testing response plans are critical to positioning the organization for minimal potential damage. The audit plan should provide the needed flexibility, facilitating the reallocation of audit resources as needs arise.

Joel Lanz, CPA, CISA, CISM, CISSP, CFE, is a visiting assistant professor at SUNY–Old Westbury and provides infosec management and IT audit services through Joel Lanz, CPA, P.C., Jericho, N.Y. He is a member of The CPA Journal Editorial Advisory Board.