While it is clear that the role of the external auditor is important and that the audit committee is charged with their oversight, it is unusual to see advice on how that oversight should be discharged.
From a recent survey by Protiviti, the information on how many organizations had to issue a cyber-security disclosure is interesting. Apparently, this generally resulted in an increase on SOX compliance hours – although the reason for a significant increase is not clear.
Sometimes I revisit my compliance roots in the world of Sarbanes-Oxley – a place much more concerned with financial reporting than corporate ethics and culture, I know. Yet lessons from one group that can help the other still abound.