As the digital revolution continues to evolve, audit committees are paying more attention than ever to emerging technologies. This is especially true in the cybersecurity and AI spaces.
Though both technologies can boost data safety and staff productivity, they also raise concerns that call for an improved approach. If your business is currently investing (or planning to invest) in these technologies, the audit committee must understand its role in ensuring the business is protected from every angle.
Outside of financial controls, cybersecurity has become the number one concern for corporate boards and audit committees.
In fact, 63% of companies cite it as the most important area of focus over the next 12 months.
There are several reasons for this, including:
- Changing regulatory compliance
- A shifting threat landscape
It is crucial that boards and audit committees understand the importance of cybersecurity.
They must have access to the proper tools to help the company address cybersecurity and evaluate its progress in this area.
Why Cybersecurity Is Important
Nearly every industry has existing regulations that require businesses to protect sensitive data. These include the:
- Health Insurance Portability & Accountability Act (HIPAA) in healthcare
- Sarbanes-Oxley Act (SARBOX) in the financial sector
- Payment Card Industry Data Security Standard (PCI DSS) in retail
- Family Educational Rights and Privacy Act (FERPA) in education
Lately, there has been a renewed regulatory focus in this area. This is because of a new proposed SEC rule that would require more robust disclosure from companies around cybersecurity incidents and risk management strategies.
When companies don’t follow these regulations, they open themselves up not only to possible fines and penalties but also to the possibility of losing customer trust. With the average cost of a data breach now up to $4.45 million, not having cybersecurity oversight is too much of a financial risk.
What Boards Are Currently Doing
Most boards (53%) currently delegate cybersecurity oversight to the audit committee — the number rises to 60% for companies in nonfinancial services.
Just over 40% of board members believe that audit committee members have adequate cybersecurity experience and expertise to conduct their oversight duties.
However, those who don’t have this expertise aren’t letting a lack of knowledge stop them — 43% of audit committees met with subject matter specialists outside of management within the last 12 months. In fact, cybersecurity ranked second only to finance controls in areas where audit committees seek outside perspectives.
Some Areas for Focus & Improvement
While it’s good news that boards are finally paying attention to cybersecurity risks, there is room for improvement regarding oversight. Boards should ask for regular updates about threats, risks, and mitigation efforts.
Because of the costly nature of data breaches, audit committees should approach cybersecurity oversight with the same discipline as financial reporting. They should engage with the chief information security officer to elevate the discussion among C-suite members. They should also ask senior management to produce metrics to evaluate the company’s cybersecurity effectiveness.
For many years, AI tools were only for high-level STEM researchers and data scientists. However, AI can now be integrated into everyday life and business. As of 2023:
- 33% of companies have used it in at least one business function.
- 40% of organizations will increase their use of AI because of technological advancements.
- More than 25% of boards already have it on their agendas.
The rise of generative AI tools across every industry is undeniable. From customer service chatbots to automated journalism, AI is the future. As such, it needs to be a topic of discussion for the audit committee.
Why Audit Committees Are Paying Attention
The premise of AI is that it uses the information people feed it to get smarter. AI tools are “trained” by very large datasets, many of which are obtained by scraping data. Consequently, there is an underlying concern that some datasets could contain personal or sensitive information.
If AI tools were to use this information in their output:
- It could result in unnecessary exposure at best.
- Sensitive information could end up falling into the wrong hands at worst.
With both regulatory compliance and customer trust on the line, audit committees must find a way to address these data privacy concerns.
Additionally, AI is supposed to be an objective, mechanical approach to answering questions and making decisions. However, researchers are finding that some AI outputs mirror existing societal biases.
If businesses are using AI to create products, offer services, or make hiring decisions, audit committees must make sure the tools they use aren’t discriminating or introducing bias into those decisions. The use of AI, similar to cybersecurity, requires both expertise and oversight.
The Future of AI Audits
Audit committees and boards must commit to investing only in AI technology that aligns with the business’s strategic mission. Additionally, committee members need to focus on building an ethical use framework that addresses:
- Quality and reliability
- A protocol for responding to potential bias and discrimination
While AI has great potential, it also comes with serious risks that can put the company’s credibility, reputation, and good standing on the line. Audit committees need to figure out where the happy medium is between keeping up with the latest technology and ensuring that the business is protected at all costs.
New Technology Brings Risks & Opportunities
Cybersecurity has become a top concern for audit committees for many good reasons. It’s important that boards get this piece of the technology puzzle right, especially with the company’s reputation and good standing on the line.
As more audit committees seek out expertise in this area, they should:
- Engage the CISO
- Arrange for regular updates
- Ask for metrics that can be used to evaluate the company’s risk mitigation plan
Many of the same principles apply to artificial intelligence. Though AI technology has come a long way, many companies still have concerns about data privacy and possible biases in the data.
Investing in AI technology isn’t a bad thing, but it’s best not to get carried away with unnecessary tools. Businesses must work toward a viable model that allows them to properly assess risk and create a framework for addressing it so that the most important thing — the business itself — is never in jeopardy.
About Boardroom Pulse
Boardroom Pulse is the C-suite’s trusted source for current, forward-thinking, and deeply insightful news and information focused on corporate governance practices and the latest developments in the business world.
Driven by a mission to elevate corporate governance standards and empower modern business leaders, Boardroom Pulse consistently publishes comprehensive, timely news, stories, analyses, and related content to encourage dialogue, amplify best practices, and continue to promote exemplary corporate governance and leadership in C-suites nationwide.
That’s why more and more executive directors, board members, CEOs, and other executives turn to Boardroom Pulse to understand the complexities of the business world, build a stronger foundation for sustainable success, and refine corporate governance for a better future.