In an time where deepfakes, synthetic identity fraud and fake documents pose an increasing threat to businesses, audit committees are ramping up cybersecurity oversight — yet financial and nonfinancial firms are taking vastly different approaches. With CFOs balancing software costs, regulatory demands and risk mitigation, their role in these discussions is crucial. As data remains the most valuable commodity for businesses, warding off bad actors has become a team effort.
While challenges persist in areas such as talent, communication, audit quality, and risk management, audit committees are increasingly focused on cybersecurity, according to Deloitte and the Center for Audit Quality’s most recent Audit Committee Practices Report. Nearly three-quarters (71%) of audit committee members surveyed said they discuss cybersecurity quarterly. CFOs should be aware of how audit committees approach the issue, particularly in the context of software costs and a complex regulatory landscape.
Cybersecurity oversight
Findings indicate that although nearly two-thirds (62%) of committees oversee cybersecurity, the number is skewed due to differences between financial and nonfinancial service companies.
Overall, nearly two-thirds of all audit committees oversee cybersecurity, but the trend is stronger in nonfinancial services companies. Only 41% of financial services committee members said they oversee cybersecurity, compared with 70% of nonfinancial services committee members, who say their company delegates data protection oversight to them.
Nearly a quarter (24%) of financial services respondents said they delegate cybersecurity responsibility to a risk committee, an asset many nonfinancial companies lack. As data’s importance grows, risk committees in nonfinancial service companies may become more common.
Enterprise risk management duties
As the CFO role evolves to take a more risk-conscious approach, the audit committee leads risk management in just over half (52%) of respondent organizations. The full board of directors is responsible in just over a quarter (28%) of cases, followed by the risk committee.
CFOs should note the difference in approach between financial and nonfinancial services companies. Only 21% of financial services companies delegate this duty to audit committees, while nearly half (48%) assign it entirely to the risk committee.
Collaboration, succession planning and improving effectiveness
As audit committee demands grow across organizations, members believe there is still more value to be extracted from their participation. Survey respondents advise audit committees to collaborate with internal auditors and, presumably, the CFO to ensure both teams “are fully integrated into the risk management and strategic planning processes.”
To prevent disruption, they also recommend companies develop succession plans for key leaders, including the CFO, CEO, chief accounting officer and chief audit executive.
To improve effectiveness within the committee, members identified their top priorities as increasing discussion and engagement with all members (21%), improving presentation quality during meetings (18%), enhancing the quality of pre-read materials (14%) and ensuring committee members are better prepared in advance.
