Canadian companies spend tens of millions of dollars a year on IT security products and services and staff. Yet a just-released global survey of corporate audit committee members that includes Canadian respondents suggests organizations here aren’t placing as high a priority on the development of cyber security strategies as those in other countries.
According to the study by consulting firm KPMG, only 31 per cent of Canadian audit committee members expressed satisfaction with time spent on cyber security issues by the board, compared to 55 per cent of respondents globally and 57 per cent in the U.S. This comes at a time when network attacks are climbing higher.
“We take that to mean Canadian audit committees think there needs to be more attention at the board level to cybersecurity issues,” said Ben Sapiro, a senior manager of KPMG Canada’s risk consulting practice. Globally, organizations spend more time on average on that issue, he said. “We think Canadian companies should be doing the same.”
Yet while one quarter of U.S. respondents saw cyber security as a major company challenge that needed addressing, only one in 10 Canadian audit committee members agreed.
There are a lot of organizations unaware of their dependence on IT, Sapiro said in interpreting that result. There’s also the possibility they don’t understand the complexity of cybersecurity and its impact.
The report is based on responses gathered last fall from approximately 1,420 audit committee members in 34 countries. All survey respondents serve on the audit committee, or equivalent supervisory board, of at least one company. Of the 145 Canadian respondents, 53 per cent were audit committee chairs and 43 per cent serve on audit committees of companies that earn less than $250 million in annual revenue.
Audit committees have the responsibility of identifying and assessing legal, regulatory and, more recently, IT risks to the organization’s board of directors. The committees usually are made up of members of the board, plus the organization’s chief auditor/risk officer, and senior executives including the head of IT.
The report notes that the role of these committees is evolving to take on deeper responsibilities on issues like judging technology risks.
“Companies across the country must evaluate whether their audit committees are able to meet the growing and changing requirements of the committee’s roles,” John Gordon, KPMG’s Canadian managing partner for audit, said in a statement. “Bridging any gaps in skills and resources will help to ensure they are able to quickly identify both traditional and non-traditional risks threatening the organization.”
In fact, 38 per cent of Canadian respondents said it is becoming “increasingly difficult” to oversee the myriad of responsibilities that are now associated with their audit role.
Half of Canadian audit committee members surveyed believe economic and political uncertainty to be the greatest concern, followed by operational risk (46 per cent) and government regulations (40 per cent). To tackle these emerging issues, 31 per cent of Canadian companies said their board has recently reallocated or rebalanced risk responsibilities.
While audit committees rate much of the information they receive about key risks facing the company – legal/regulatory compliance, operational risk, public policy developments – as “good” or “generally good,” many, including Canadian respondents, say information about emerging technologies, the company’s growth and innovation plans, and especially cyber security needs improvement, the report says.
Audit committees also want to better understand the company’s global systemic risks and supply chain dependencies, though Canadian respondents slightly less so than their U.S. and global counterparts.