top of page
  • Writer's pictureDaniel Goelzer

Cybersecurity and ERM Are Top Audit Committee Priorities. ESG, Not So Much

The Center for Quality (CAQ) and the Deloitte Center for Board Effectiveness have released their third annual survey of audit committee practices and priorities, Audit Committee Practices Report: Common Threads Across Audit Committees (2024 Practices Report).  As was the case last year, cybersecurity and enterprise risk management (ERM) topped the list of audit committee concerns.  Finance and internal audit talent was third, while environmental, social, and governance (ESG) reporting, the third-highest concern last year, fell to sixth place.  In terms of ways of improving audit committee practices and effectiveness, “increased discussion and/or engagement from members during meetings” and “improved quality of pre-read materials” were the two most frequent suggestions.  Many survey respondents also thought their committee would benefit from additional cybersecurity expertise.  For a discussion of last year’s survey results, see Scope Creep is Affecting Audit Committee Composition and Focus, January 2023 Update.


Audit Committee 2024 Priorities

The CAQ and Deloitte surveyed 226 audit committee members, 74 percent of whom served on the board of a U.S. company.  Eighty-one percent of respondents’ companies had a market capitalization of $700 million or more.  Respondents were asked to identify the three most important topics, risks, or issues for their audit committee in the next 12 months (apart from financial reporting and internal control.)  The top five responses were:

  • Cybersecurity.  Sixty-nine percent of respondents indicated that cybersecurity will be one of the three highest priority areas for the audit committee in the next 12 months, up from 63 percent last year.  Thirty percent ranked cybersecurity as the committee’s number one priority.  Most companies assign cybersecurity oversight to the audit committee:  Fifty-eight percent of respondents said their board delegates cybersecurity oversight to the audit committee (up from 53 percent last year), while 25 percent said cybersecurity is a full board responsibility, and 11 percent said it is assigned to the risk committee.  However, only about a quarter (24 percent) believe their audit committee members have appropriate cybersecurity expertise, down sharply from 41  percent in the prior survey.  Cybersecurity was the skill most frequently cited as having the potential to improve audit committee effectiveness. The 2024 Practices Report observes, “Given the importance of this topic, it’s also worth considering whether directors might benefit from external advisers or educational programs.”


  • Enterprise risk management. Forty-eight percent of respondents indicated that ERM will be a top  priority in the next 12 months, up from 45 percent last year.  Forty-seven percent said that the audit committee was responsible for oversight of ERM, while 35 percent cited the full board, and 15 percent the risk committee. Financial services companies are less likely to assign ERM oversight to the audit committees; 43 percent of financial services respondents stated that the risk committee had ERM responsibility. However, in contrast to cybersecurity, audit committees seem generally to believe they have adequate ERM expertise.  Eighty-five percent reported some level of enterprise risk experience/expertise on the committee. The 2024 Practices Report advises directors to “encourage management to assess risks on a continuous basis, instead of relying on the outdated approach of conducting a risk assessment on an annual basis and setting it aside until the next year.”


  • Finance and internal audit talent.  Thirty-seven percent of respondents believed that finance and internal audit talent will be a priority for their committees in the coming year, although only 9 percent see it as the top issue.  Forty-six percent noted that their audit committee addressed the topic of talent quarterly last year, and 23 percent discussed it once.  Most respondents view the internal audit function as both effective and adding value, and 89 percent agree or strongly agree that internal audit demonstrates a high level of understanding of the company’s operations. However, almost 80 percent of respondents agreed or strongly agreed that there is opportunity for internal audit to add still more value.


  • Compliance with laws and regulations.  Thirty-six percent of respondents cited compliance with laws and regulations as one of the top three audit committee priorities in the next 12 months, and 17 percent thought it would be the top issue.  Forty-five percent of respondents indicated their company placed legal compliance oversight with the audit committee (37 percent cited the full board and 5 percent to the risk committee). The 2024 Practices Report notes that “heightened complexity of the regulatory environment may account for the increased priority assigned to this area this year.”


  • Finance transformation.  Thirty-three percent of respondents indicated that finance transformation will be one of the three top priorities for their audit committee in the next 12 months, and 15 percent  selected it as the top issue.  The implications of the rapid development of artificial intelligence are intertwined with questions about the future of the finance function, and two-thirds of respondents indicated their audit committee spent insufficient time last year discussing AI governance. The 2024 Practices Report states:  “Audit committees should understand emerging finance technologies and how they are being considered and implemented within the organization. Absent any immediate adoption of technologies such as generative AI, management should work with the board to outline governance structures and controls for new technologies.”


In the prior CAQ/Deloitte survey, audit committee members identified ESG reporting as one of their top three priorities.  This year, however, ESG reporting fell to sixth place, with only 22 percent of respondents including it among their priorities.  Indeed, 11 percent said that their audit committee spent too much time on ESG. 


Audit Committee Practices and Effectiveness


In addition to providing their views on audit committee priorities, respondents were asked about ways committees could enhance their practices and effectiveness.  Sixty-five percent indicated there was at least one strategy that might improve their committee’s effectiveness.  For those respondents who believed that there were opportunities for improvement, suggestions (and the percentage of respondents that supported them) included:


  • Increased discussion and/or engagement from members during meetings (29%).


  • Improved quality of pre-read materials (28%).


  • Improved quality of presentations during meetings (26%).


  • Improving the level of committee member advanced preparation for meetings (15%).


  • Improving management of the agenda during meetings (10%).


  • Increasing the length of existing committee meetings (10%).


  • Increasing the total number of committee meetings (5%).


Comments: The 2024 Practices Report survey results can serve as a benchmarking resource to aid audit committee members in understanding what their peers are doing and whether there are priorities and  practices other audit committees are considering that they may wish to employ. 


The high priority respondents assigned to cybersecurity oversight is not surprising, given the increasingly dangerous cyber threat environment and the publicity that surrounds the issue. Also, the SEC’s new cybersecurity disclosure requirements are likely to cause many audit committees to become enmeshed in difficult disclosure judgments around cyber breaches.  See SEC Adopts Cybersecurity Disclosure Rules, August-September 2023 Update.  Committees that believe – as many apparently do – that they lack sufficient expertise in this field might want to consider the suggestion in the 2024 Practices Report that they retain external advisers or participate in educational programs to enhance their knowledge.


Regardless of their views about the inherent importance of the topic to the company’s business, audit committees may find that ESG reporting, at least as to climate, will be a more pressing issue in the next 12 months than they currently anticipate. During the past year, there has been something of an ESG backlash, and the drop in the prioritization of the issue revealed in the CAQ/Deloitte survey is understandable.  However, the recent adoption of extensive climate-related reporting requirements by the SEC, the state of California, and the EU may force audit committees to spend time on climate disclosure reporting challenges, despite the importance of the other issues competing for committee time and attention.  See SEC Adopts Landmark Climate Change Disclosure Rules in this Update and California Outflanks the SEC on Climate Disclosure and E.U. ESG Disclosure Requirements Will Affect Many U.S. Companies, both in the October 2023 Update.

23 views0 comments

Recent Posts

See All

PCAOB Reworks the Foundations of Auditing

The Public Company Accounting Oversight Board has adopted a new auditing standard, AS 1000, General Responsibilities of the Auditor in Conducting an Audit, and related amendments to other auditing sta


bottom of page