Cybersecurity is top-of-mind for Audit Committees and CFOs in the New Reality

The challenges from the COVID-19 pandemic continue to permeate the healthcare industry. While the focus for healthcare organizations continues to be on vaccine rollout and pandemic mitigation, priorities among financial and accounting executives are beginning to shift.

According to KPMG's most recent survey of over 50 leading health system Chief Financial Officers (CFOs) and Audit and Compliance Committee Chairs, there’s a push-pull happening between the CFO’s forward-looking focus on risks and opportunities, and ongoing blocking and tackling audit committees must address. That is on top of the need for continued vigilance around the risks brought about from a dispersed workforce, ongoing migrations to the cloud, and accelerated digital transformation driven by emergent and varied technologies.

The question becomes, what is behind these sometimes-conflicting priorities and what does it mean for organizations required to plan for ongoing uncertainty while mitigating financial risk?

CFOs and Audit and Compliance Committee chairs share high prioritization on cybersecurity.

Boards today are doing more to monitor cyber security effectiveness, having amassed greater IT expertise on board and relevant committees in order to fill knowledge gaps. For audit and compliance committees, internal controls will always have a place within the audit; data governance and compliance with privacy laws and regulations continue to be a priority for compliance committees.

Healthcare information is extremely valuable to hackers, and IT systems are vulnerable to ransomware attacks due to the number of entry points available to attackers across a variety of disparate systems. Complicating this issue, major supply chain disruptions led CFOs and committees to pay even closer attention to the risks associated with third-party products and services, both within the context of cyber security and other strategic/operational areas.

One major trend this past year was the importance of a holistic approach to data governance -- one that encompasses the processes and protocols around integrity, protection, availability, and use of data. KPMG,’s recent report, Thriving in an AI World finds cybersecurity breaches to be the greatest potential risk of AI adoption for industry respondents, with the healthcare industry focused on privacy violations as the foremost concern. 

As a baseline, organizational leaders must be asking questions around their systems’ cyber security preparedness, and whether a plan has been documented and communicated throughout the system and to the Board. Consider: Do you pay the ransom or not, how would you handle payroll, documentation of patient care, and other access needs? Do you have the appropriate plans, resources and partners to weather such an attack? Being without access to your systems can be costly to your organization. Healthcare systems should consider whether or not to have cyber insurance and what level of coverage to carry.

Outside of cybersecurity, CFOs and Audit Committee Chairs have divergent focuses.

For CFOs, other top priorities include longer-term strategies, like cost reduction and working capital management and planning for uncertainty. For audit and compliance committee chairs, these are rivaled by internal controls and managing physician relationships -- a reflection of their lens of risk, compliance, and controls. One of the greater challenges from these differences in priorities is that, as KPMG notes in our report on the 2021 healthcare and audit agenda, “The events of last year have put significant pressure on employees, management, the audit and compliance committee and the board to balance competing priorities.”

Organizations should channel competing priorities into operational strengths.

Because CFOs and Committee Chairs focus on different strategic areas, they may identify unique gaps in preparedness. As we found in the December 2020 Pulse Survey, some of the audit and compliance committee chair’s top priorities were at the bottom of the list of CFO priorities.

Looking at examples of internal controls -- very much the wheelhouse of committee chairs -- our survey suggests these differences are because these strategic areas were deemed by CFOs to be well-managed. CFOs may also be focused on the guidance of third parties, like government regulators, and external expectations of health systems’ cyber controls. Part of this variance is the unique lens of different roles; committee chairs see smaller gaps between importance and preparedness, but CFOs see significant gaps in longer-term strategic areas, like Digital Transformation, Changing Care Delivery Models, and Reinventing Work/the Workplace -- reflecting the strategic planning often relegated to the CFO role.

Overall, these disparate views focus on opportunities -- for CFOs and audit and compliance committee chairs to communicate clearly about their differing priorities and unique gauges of preparedness in their strategic areas. By keeping open lines of dialogue, leadership can turn these differences in perception into complementary strengths, creating a stronger foundation for the organization’s future.

For more information or to arrange an interview with Marc Scher, contact Libby Langsdorf.

Additional resources

Download this article
Click here to download a PDF version of "Cybersecurity is top-of-mind for Audit Committees and CFOs in the New Reality"



Marc Scher

Marc Scher

Partner, National Audit Leader, Healthcare, KPMG US

+1 949-885-5402

Related content