5 minute read 19 Jan 2018
Businessman with laptop

How audit chairs view cyber breaches, digital strategy and committee effectiveness


EY Americas

Multidisciplinary professional services organization

5 minute read 19 Jan 2018

Members of the audit committee leadership network discuss issues affecting them today.

In April 2018, members of the Audit Committee Leadership Network in North America (ACLN) and the European Audit Committee Leadership Network (EACLN) met in London for the 13th annual Audit Committee Leadership Summit.

During the summit, members uncovered lessons learned from cyber breach responses, digital transformation and strategy, and audit committee effectiveness.

Click here to read the full report

Integrating innovation efforts

Members and guests discussed how companies that have successfully transformed their businesses do not separate digital strategy from business strategy; they integrate their strategies instead. To pursue a more integrated approach, companies can:

  • Transform the core business first and then consider future business opportunities
  • Create an environment that gives employees the freedom to experiment while ensuring that digital innovation can be scaled
  • Be willing to cannibalize the core business
  • Develop new capabilities
  • Track the return on digital investments using new metrics and a portfolio approach
New risks and new approaches to oversight

Members and guests touched on the risks the board should track and delegation of the responsibility of certain risks.

  • The high-level strategic risks associated with digital transformation are the responsibility of the board.
  • It should also be aware of the implementation risks associated with improving the core business and developing new business models, and the control risks arising from new business processes that affect the governance and controls around operations, security, and privacy and reporting.
  • Some boards have a strategy committee that looks at digital transformation in detail, while the audit committee can be responsible for the risk framework around transformation.
  • There is also a case for boards having a dedicated technology and innovation committee.

Audit committee effectiveness 

Improving effectiveness is a perennial challenge for audit committees, so it is important to follow good practice in the areas of assessment, information and onboarding.

Assessing the audit committee and its chair

Most boards conduct periodic assessments of their performance. Evaluation of the audit committee is either part of this process or a separate self-evaluation. Data comes from self-assessment questionnaires, formal one-on-one conversations and informal discussions following meetings.

The assessment process should gather information from fellow board members, the management team and the external auditor. Honesty and openness are key.

Some audit committees get help with their evaluations from third parties, which bring an independent perspective. The chair is typically assessed as part of the overall audit committee assessment.

From the evaluation, audit committees are able to recognize and monitor issues, and identify underperforming members or chairs.

Keeping the audit committee up to date and informed

Audit committees must stay abreast of a wide range of new and changing standards, regulations and guidance.

Members discussed the importance of gathering information on important changes from different perspectives by reading official documents and speaking to key internal and external stakeholders. These stakeholders include the head of reporting, the general counsel, operational leaders, the external auditor, and regulators.

Shareholder input can also be valuable on issues such as compensation and governance.

Members highlighted how time pressures may mean that complex topics, such as blockchain and cybersecurity, are best discussed in additional “deep dive” meetings or by a separate committee altogether.

Onboarding new audit committee members

Onboarding is critical in equipping a board member with the knowledge to take on audit committee responsibilities. The process can include:

  • Meetings with key executives
  • Shadowing an existing audit committee member
  • Training provided by the external auditor
  • Training provided by professional board member associations

It is also sensible to groom a future audit committee chair well in advance of a transition. Members who do not come from a financial background can broaden the perspective of the audit committee, and the committee can improve its effectiveness by reaching out to others for help.


Audit committees are shifting their focus from preventing a cyber attack to minimizing the collateral damage. They are also taking steps to maximize their digital strategies and improve their effectiveness. 

About this article


EY Americas

Multidisciplinary professional services organization