The fourth edition of Audit Committee Practices Report: Common Threads Across Audit Committees, from Deloitte's Center for Board Effectiveness and the Center for Audit Quality, indicates cybersecurity, enterprise risk management (ERM) as well as finance and internal audit talent are the top three priorities for audit committees, just as they were in 2024. However, the report also shows a growing concentration for audit committees in the areas of AI governance, finance transformation and more. We spoke with Krista Parsons, audit and assurance managing director and governance and audit committee program leader for Deloitte's Center for Board Effectiveness, and Vanessa Teitelbaum, senior director of the Center for Audit Quality, to go deeper into the report's results.
Directors & Boards: Taking a look at the Audit Committee Practices Report, it seems the three topics that were the greatest priority in 2024 – cybersecurity, enterprise risk management as well as finance and internal audit talent – remain the top priorities in 2025. Did the report glean any information to inform you as to why those remain the top priorities?
Krista Parsons: Starting with cybersecurity, 93% of respondents included it in their top three priorities for the audit committee over the next year. While nascent technologies, like AI, can help improve efficiencies and support growth initiatives, they also introduce the organization to new vulnerabilities. There are two big reasons cybersecurity may continue to be at the top of the list.
- Evolving threat landscape. New types of threats, as well as more sophisticated threats fueled by AI, pose significant risks to organizations. These require continuous agility and vigilance by management and oversight by the audit committee or board.
- Technological advances. As organizations adopt new technologies (e.g., AI), the attack surface may expand, requiring enhanced increased diligence.
This helps explain why 50% of respondents indicated cybersecurity skills would enhance the audit committee's effectiveness.
ERM was second on the list, with 76% of respondents including it in their top three priorities for the audit committee over the next year. As businesses navigate an increasingly turbulent marketplace and geopolitical uncertainty, our report shows audit committees remain laser-focused on their role in addressing new and emerging risks. Always going back to their ERM framework to make sure management is continuously sensing and assessing risks will likely be increasingly important for audit committees in this uncertain environment.
Finally, two key responsibilities of the audit committee include overseeing both financial reporting and the internal audit organization. Ensuring both organizations have the right talent to execute on their responsibilities is critical.
The fast-paced changes we're seeing in technology will provide both groups with new tools and potential efficiencies. While these are exciting opportunities, finance and internal audit leaders will need to consider how such developments will impact their talent models – creating new roles while displacing some traditional ones.
Vanessa Teitelbaum: A challenge for any board, and particularly audit committees with their many oversight responsibilities, is keeping pace with the evolving external environment. Cyber threats aren't static. They evolve and become more sophisticated. Companies grow and change, and risk management needs to keep pace. The same can be said for talent needs. Cybersecurity, ERM and talent needs ranking as top priorities for audit committees is likely a reflection of the challenges facing audit committees.
DB: It would seem compliance with laws and regulations as well as ESG reporting have both risen in priority for 2025? What has them on the rise?
KP: The survey was conducted in September and October 2024. At that time, we saw a focus on increased regulatory oversight, which translates to more oversight of these areas by the audit committee. There were newly proposed rules on cyber disclosures and climate, and an increased focus on enforcement.
Additionally, the Public Company Accounting Oversight Board was very active in rulemaking, most notably with its proposal relating to noncompliance with rules and regulations, a rule that would have significant impacts on the oversight responsibilities of the audit committee if adopted.
Compliance will likely remain a core oversight responsibility of the audit committee. As the regulatory landscape evolves, compliance with laws and regulations along with sustainability reporting will continue to be important for companies wishing to operate globally.
For example, recently proposed omnibus legislation from the European Commission aims to reduce sustainability reporting and due diligence requirements for entities currently within the scope of the Corporate Sustainability Reporting Directive. Despite these proposed changes, many implementation steps taken to date will likely remain relevant for future reporting under the Corporate Sustainability Reporting Directive, voluntary reporting or compliance with other regulations.
The use of emerging technologies like AI may also introduce new regulations organizations are now preparing for.
VT: Although sustainability reporting requirements have matured, there are still new developments and requirements that need audit committee attention. Companies are working to comply with European Union requirements. California is working on implementing disclosure requirements for a new state law set to begin on a phased basis in 2026. What's not required today might be required tomorrow. Audit committees need to remain aware.
DB: Finance transformation and, curiously, AI governance are both priorities on the decline. Why are they falling as far as priorities, especially AI governance, which seems to be an issue constantly challenging boards? Is it different for audit committees?
KP: While other priorities outranked these this year compared to last year, the percentage of respondents who identified AI governance as a priority actually grew year over year, jumping to 35% from 20% last year. The same was true for finance transformation, with the percentage of respondents identifying it as a priority, increasing from 33% to 52%. There could also be an overlap in these responses (i.e., AI could be enabling finance transformation activities).
The percentage of survey respondents who identified the audit committee as having primary oversight of AI governance is also up from last year (from 14% to 20%), but primary oversight still mostly resides with the full board (58%).
It's worth emphasizing, while priorities around AI and finance transformation have gained traction over the last year, they still do not supersede more pressing priorities.
AI continues to be a topic I get a lot of questions about from directors. They're still trying to learn about the risks and opportunities associated with it, as well as the role they (both the board and audit committee) play in oversight.
I do think most of the oversight of AI will fall to the board, but the audit committee should keep an eye on the AI regulatory environment and disclosures about AI (e.g., risks, opportunities, use in the organization).”
VT: The change in priority in the Audit Committee Practices Report reflects increased attention on cybersecurity, ERM and talent needs more than it indicates that finance transformation and AI governance are on the decline as priorities for audit committees. It's also important to note AI governance responsibility is frequently a full board responsibility. We saw an increase in the number of audit committees responsible for AI governance, but more than half of respondents said the responsibility currently sits with the full board.