Notes From the Boardroom: Vol. 4
Editor’s note: “Notes from the Boardroom” is a series of blogs from ISACA board directors providing transparency, context and perspective on how the ISACA board is carrying out its governance responsibilities. The nomination period for ISACA’s board of directors is open through 1 January 2025. Do you have relevant experience and a passion for serving the ISACA community or know someone who does? Consider nominating yourself or a colleague.
Having begun as an auditing organization in 1969 before expanding into additional domains, ISACA continues to represent IS/IT auditors around the globe. As a result, the work of the Audit Committee might be of particular interest to a large portion of our membership. Let’s dive into a few questions and cover some of my own experiences on ISACA’s Audit Committee.
What are the key responsibilities of an audit committee?
According to the National Association of Corporate Directors (NACD), audit committee responsibilities include the following four areas:
- Direct oversight of external auditors
- Oversight—including reviewing and discussing—of the financial statements prepared by management with the external auditors
- Ensuring that management has established an appropriate system of internal control over financial reporting
- Overseeing financial reporting risk, including the risk of errors or misstatements in the financial statements. The audit committee often has the broader responsibility of risk oversight, including risk that relates to strategy. The audit committee ensures a detailed discussion of risks that may affect the company. This includes a detailed discussion of risk policies and compliance.
- In the absence of a standalone Risk Committee, the Audit Committee also has the broader responsibility of risk oversight and assists the Board in its oversight of management’s responsibility to implement an effective global risk management framework reasonably designed to identify, assess and manage the organization’s strategic, reputational, operational, credit, investment, market and compliance risks. The Committee’s responsibilities include approval of applicable primary risk policies and review of certain associated frameworks, analyses and reporting established by management that relate to strategy.
How do audit committees ensure objectivity and independence?
To do their work without bias or inappropriate influence, audit committee members must ensure a few conditions are in place:
- Audit committee directors must be independent and financially literate.
- Audit committee directors must meet with the external and internal auditors without management present.
- Audit committee directors must set the tone by engaging, vetting and challenging management assumptions.
Who is qualified to serve on an audit committee?
A CFO of an organization or corporate controller of a public company would make a great Audit Committee member. Members should not have bankruptcy or insolvency in their history when serving on an Audit Committee. When looking at an Audit Committee member for ISACA, an ideal candidate would have acted as a principal financial officer at an organization at least double the size of ISACA. Preferable types of organizations might be service or product related, ideally in the tech space. Ideal certifications and education include MBA and/or CPA. Ideal candidates would have also served at mature organizations and have experience with global companies and scaling organizations.
Can you tell us a bit about your role as chair of ISACA’s Audit and Risk Committee?
I joined the ISACA board in 2020 and have been audit chair all 4 ½ years. I am a CPA and have over 30 years of progressive experience in finance, operations and technology, including in education. I have been CFO, CAO and president. I have been CFO in Fortune 500 companies and am currently audit chair on three public company boards.
I am most proud of the fact that the ISACA Audit Committee operates with the same rigor and applies the best practices of large global public companies, considering the requirements for nonprofit associations are generally less rigorous than the requirements for large global public companies.