The Center for Audit Quality (CAQ) and the Deloitte Center for Board Effectiveness have released their annual survey of audit committee practices and priorities, Audit Committee Practices Report: Common Threads Across Audit Committees (2025 Practices Report). As was the case last year, cybersecurity, enterprise risk management (ERM), and finance and internal audit talent topped the list of audit committee concerns. In terms of improving audit committee effectiveness, 21 percent of respondents thought that the most impactful step would be to increase committee member discussion and engagement during meetings, while 18 percent believed that improving the quality of meeting presentations would have the most impact. For an overview of last year’s survey results, see Cybersecurity and ERM Are Top Audit Committee Priorities. ESG, Not So Much, March 2024 Update.
The CAQ and Deloitte surveyed 237 audit committee members, 86 percent of whom served on the board of a public company. Fifty-seven percent were audit committee chairs. Seventy-two percent of respondents’ companies had a market capitalization of $2 billion or more. Directors on boards of financial services companies made up 27 percent of the respondents. The survey consisted of fourteen questions related to audit committee priorities and practices and six questions related to respondent demographics and to the companies on whose boards they served. The detailed survey results are presented in appendices to the 2025 Practices Report, including breakouts of the results for respondents on audit committees of financial services firms. Some highlights of the 2025 Practices Report are described below.
Top Audit Committee 2025 Priorities
Respondents were asked to identify the top priorities of their audit committee over the next 12 months, apart from financial reporting and internal control. The top three priorities, which are unchanged from last year, are:
Cybersecurity. Fifty percent of respondents identified cybersecurity as the top audit committee focus area this year, and 93 percent included it as one of the top three priorities. The survey found that 62 percent of audit committees have primary oversight responsibility for cybersecurity risk, while 23 percent assign responsibility to the full board. Seventy percent of non-financial services companies' audit committees have cybersecurity oversight responsibility, while, at financial services companies, 41 percent of audit committees have oversight of cybersecurity risk. Financial services companies are required to have a risk committee, and those committees often have primary cybersecurity oversight. For 71 percent of respondents, cybersecurity is on the audit committee's agenda quarterly. Many committees would like to increase their expertise in this area: Thirty-one percent of respondents pointed to cybersecurity as the skill most likely to enhance the audit committee’s effectiveness.
Enterprise risk management. The second highest priority for audit committees is ERM. Thirty-three percent of respondents thought this was their committee’s first priority, and 76 percent included it in the top three. Fifty-two percent of respondents indicated the audit committee has responsibility for ERM, followed by the full board (28 percent), and the risk committee (19 percent). Nearly half of the financial services companies in the survey assign ERM oversight to the risk committee. ERM is on the audit committee agenda quarterly for 49 percent of survey respondents. Audit committees appear to be more comfortable with their ERM expertise than with their cybersecurity knowledge. Only eight percent of respondents identified ERM as the top skill needed to enhance committee effectiveness, while 27 percent included it in their top three.
Finance and internal audit talent. Twenty-five percent of respondents said that financial and internal audit talent is the top priority for their audit committee during the next 12 months and 65 percent cited this topic as among the top three. For 92 percent of respondents, the audit committee has primary oversight of finance and internal audit talent. The topic is on the quarterly agenda for 38 percent of audit committees. Most respondents gave the work of their internal audit team high marks. For example, 89 percent thought that internal audit “has a high level of understanding about business operations,” and 82 percent thought it “is effective at assisting management in identifying new risks.” Nonetheless, 82 percent agreed or strongly agreed that there is an opportunity to extract more value from internal audit. The 2025 Practices Report references the Institute of Internal Auditors’ new Global Internal Audit Standards and suggests that “[u]nderstanding the new Standards and their implications will help audit committees ensure their company leverages the internal audit function effectively, achieving greater value from their internal audit activities.” See Deloitte Has Suggestions for Audit Committee Support of the New Internal Audit Standards, November 2024 Update.
Beyond these top three priorities, there were some changes in the ranking that survey respondents assigned to other topics. The chart below shows the top nine audit committee priorities and how their rankings in the 2025 and 2024 reports compare.

Source: Audit Committee Practices Report: Common Threads Across Audit Committees, 4th edition (February 2025)
Audit Committee Practices and Effectiveness
Survey respondents were presented with five strategies to enhance audit committee effectiveness during meetings. Sixty-nine percent thought that at least one of these strategies could improve effectiveness; conversely, 31 percent indicated that none of the suggested options would improve their meetings. The strategies, and the share of respondents that thought each strategy was the most impactful or among the top three that would enhance meeting effectiveness, are:
Improve the quality of presentations during meetings (most impactful-18%, among top three-40%).
Increase discussion and/or engagement from members during meetings (most impactful-21%, among top three-34%).
Improve the quality of pre-read materials (most impactful-14%, among top three-29%).
Improve the level of committee member advanced preparation for meetings (most impactful-10%, among top three-18%).
Improve management of the agenda during meetings (most impactful-6%, among top three-17%).
Eighty-eight percent of respondents agreed or strongly agreed that their committee had sufficient time to cover meeting agenda items, while 12 percent disagreed or strongly disagreed. The survey found that the average quarterly audit committee meeting is two hours and 28 minutes, down from two hours and 44 minutes last year.
Quality of the Independent Auditor
Respondents were given a list of factors and asked to identify the three most important considerations for assessing the quality of the company’s independent auditor. These factors, along with the percentage of respondents that identified each as the most important or among the top three, are:
Previous experience working with the auditor (most important-29%; among top three-53%).
The audit firm’s overall reputation (most important-17%; among top three-53%).
Audit quality indicators (most important-18%; among top three-53%).
Value provided beyond the audit (most important-15%; among top three-50%).
A formal evaluation process (most important-18%; among top three-42%).
Use of metrics and trends analysis (most important-1%; among top three-15%).
None of the above are top factors (3%).
Audit Committee Takeaways
The 2025 Practices Report survey results can serve as a benchmarking resource to aid audit committee members in understanding what their peers are doing and whether there are priorities and practices other audit committees are considering that they may wish to employ.
The top priorities identified in the 2025 Practices Report are priorities for most audit committees. In addition to the survey findings, the report includes suggestions for audit committees in addressing these priorities. For example, concerning cybersecurity, the report lists six “audit committee considerations” and three questions for audit committees to consider in connection with cybersecurity oversight. The report also provides audit committee considerations for ERM and talent oversight. Examples include:
Consider cyberattacks reported by other entities and ask management to assess how your company would have responded to a similar incident.
Understand management’s process for updating their risk assessment outside of their usual cycle. For example, are there triggering events that would initiate an update? This dynamic approach to ERM monitoring prepares boards and management to adapt when an issue arises.
Receive periodic updates on key talent metrics, including involuntary turnover of high performers.
Committees may find the CAQ/Deloitte suggestions useful as they consider their approach to these topics.