The Audit and Enterprise Risk Management Committee is responsible for a range of activities related to the appointment and oversight of Internet Society’s independent auditors, the review of the independent audited financial statements, the U.S. Form 990, and the annual Conflict of Interest Disclosure Forms, and oversight of enterprise risk management.

The Internet Society Board of Trustees publishes minutes from its past Audit Committee meetings.

Audit & Enterprise Risk Management Committee Charter

As amended April 18, 2026
The Audit & Enterprise Risk Management Committee (the “Committee”) of the Board of Trustees (the “Board”) of The Internet Society (“ISOC”) has the responsibilities, duties, and authority described in this Charter.

I. Purpose

The purpose of the Committee shall be to assist the Board in fulfilling its responsibilities relating to:

  • Communication among ISOC’s independent auditors, management, and the Board (including direct communication from ISOC’s independent auditors to the Committee);
  • Oversight of ISOC and its subsidiaries, as management is responsible for ISOC’s financial reporting, internal controls and disclosure systems and for preparing ISOC’s financial statements, and the independent auditors are responsible for auditing those financial statements;
  • Oversight of ISOC’s enterprise risk management (“ERM”) framework and significant risk exposure(s), with ISOC CEO and leadership having primary responsibility for identifying and managing risk in day-to-day operations and activities;
  • Serving as the primary liaison between the Board and the CEO or CEO’s designee ensuring clear communication, alignment, and escalation of significant risks (including emerging risks, mitigation plans, and status of key risk indicators).

II. Composition

The Committee shall consist of at least three voting Trustees appointed by the Board. The Board shall designate one of the Committee members as the Chair of the Committee. When requested, the CEO or CEO’s designee will serve as a Committee liaison in an advisory capacity. All members of the Committee must be able to read and understand fundamental financial statements, including a balance sheet, income statement, cash flow statement, statement of financial position, and statement of financial activities. They should also be versed in enterprise risk management oversight.

III. Special Conflict of Interest Rules

No members of the Finance Committee may serve on the Audit & Enterprise Risk Management Committee. All members of the Committee must be “independent,” free of conflicts of interest related to audit or risk oversight. A Committee member is “independent” if (i) the member is not an employee (including the CEO or CFO) or affiliate of ISOC or its subsidiaries or affiliates, (ii) the member does not have a relationship, which, in the opinion of the Board, would interfere with the exercise of independent judgment in carrying out the responsibilities of a member of the Committee, and (iii) the member does not receive or accept, directly or indirectly, any consulting, advisory or other compensatory fee from ISOC or its subsidiaries or affiliates, except for that which is incident to serving on the Board or the Committee.

The following non-audit services may not be provided to ISOC by ISOC’s external auditors: (i) bookkeeping or other services related to the accounting records or financial statements of ISOC; (ii) financial information systems design and implementation; (iii) appraisal or valuation services, fairness opinions or contribution-in-kind reports; (iv) actuarial services; (v) internal audit outsourcing services; (vi) management functions or human resources; (vii) broker or dealer, investment adviser or investment banking services; (viii) legal services and expert services unrelated to the audit; and (ix) any other service that the Board or the Committee determines to be impermissible.

IV. Meetings

The Committee shall meet at least annually and shall hold such additional meetings as the Chair of the Committee deems necessary. The Committee may meet with ISOC’s management, independent auditors, and legal counsel as necessary to enable the Committee to perform its responsibilities and duties and to discuss any matters that the Committee or any of these persons or firms believes should be discussed. The Committee may, at its discretion, meet in executive session with or without the presence of one or both of the independent auditors or management. The Committee Chair shall report Committee activities, findings, and recommendations to the Board.

V. Responsibilities and Duties

The following shall be the principal recurring duties of the Committee in carrying out its oversight responsibility. These duties are intended as a guide, with the understanding that the Board may modify or supplement them as appropriate:

  • Audit and Financial Oversight:
    • Establish procedures for the receipt, retention, and treatment of complaints received by ISOC from third parties and, on a confidential and anonymous basis, from employees regarding accounting, internal controls, auditing, legal, or regulatory compliance matters, or any other matter that would impact the integrity or reputation of ISOC.
    • Appoint and oversee ISOC’s independent auditors and review the performance and audit fee arrangements of the independent auditors at least annually.
    • Review with management and the independent auditors ISOC’s annual financial statements and other material written communication between the independent auditors and management. Directly receive and review the independent auditors’ report, which should include a discussion of the results of the audit, any management letter, any internal control deficiencies noted, any adjustments required as a result of the audit, any material audit problems, disagreements or difficulties, and responses thereto by management. Review any disagreements among management and the external auditors in connection with the annual audit.
    • ISOC’s financial statements are prepared on a combined basis with the financial statements of Public Interest Registry, a corporation in which ISOC is the sole member. Therefore, the Committee shall rely on the independent audit of Public Interest Registry, and the review of that independent audit by the Board of Directors and/or Audit Committee of Public Interest Registry. The independent auditors of Public Interest Registry may or may not be the same as the independent auditors used by ISOC.
    • Meet with financial auditors directly.
    • Present the financial audit report to the Board for its acceptance.
    • Conduct a separate post-audit review with the external auditors and management to discuss the audit, including any difficulties encountered during the course of the audit and any restrictions on the scope of work or access to required information.
    • Oversee ISOC’s timely completion and submission of compliance audit reports to funding sources.
    • Review with ISOC’s legal counsel any legal matters that could have a significant effect on ISOC’s financial statements and ISOC’s compliance with applicable laws and regulations, as well as any inquiries received from regulatory or governmental agencies.
    • Review and approve any non-audit services performed for ISOC and its subsidiaries and affiliates by ISOC’s independent auditors.
    • Review and evaluate the quality and integrity of ISOC’s financial reporting processes and internal controls regarding finance, accounting, and legal and regulatory compliance.
    • Review the U.S. Form 990 tax return in compliance with the U.S. tax code for non-profit entities, and report to the Board.
    • Review the conflicts of interest submitted in accordance with ISOC’s Conflict of Interest Policy for Trustees and Officers (the “Policy”) and accompanying procedure, and provide reports to the Board as specified in the Policy.
  • Enterprise Risk Management Oversight:
    • Oversee ISOC’s ERM framework, ensuring it identifies, assesses, prioritizes, and monitors significant enterprise risks.
    • Receive and review periodic risk reports, dashboards, and/or heat maps from the Risk Council.
    • Monitor emerging and significant risks and ensure appropriate escalation to the Board.
    • Coordinate with other Board committees to ensure consistent oversight of risks.
    • Receive periodic updates and reports from Internet Society related to enterprise risk management.
    • Provide an annual report to the Board on its activities related to the ERM.