The December 2024 Update included discussion of four papers that suggest issues on which audit committees should focus in 2025. See What Should be on the Audit Committee’s 2025 Agenda?, December 2024 Update. An additional paper is now available. In early January, the Deloitte Center for Board Effectiveness released On the Audit Committee’s Agenda: Looking Ahead to 2025 setting forth its suggestions.
Deloitte observes that serving on an audit committee in 2025 “might be daunting” and that “the number and complexity of new issues and concomitant responsibilities” audit committees face is likely to grow. With the caveat that “a complete list of such issues would be far longer than can be addressed in this publication,” Deloitte focuses on four areas:
Regulation. Audit committees should anticipate significant changes in regulatory priorities, financial reporting, and corporate governance due to the changes in Presidential and SEC administrations. While the future of the SEC’s climate change disclosure rules is uncertain, it may not be feasible for companies to delay developing controls to comply with the rules, particularly because of the need to comply with other climate disclosure regimes, such as those of the EU and California. Recent SEC enforcement has emphasized internal controls and disclosure controls, but audit committees should follow the new SEC chair’s priorities to understand where future enforcement actions may focus. The priorities of the PCAOB may also shift, and audit committees should be alert for developments, such as the future of the PCAOB’s NOCLAR proposal. Audit committees should engage with their independent auditor regarding the results of any PCAOB inspection of the company’s audit and the firm’s overall inspection results. Audit committees should also ensure that the company’s proxy statement provides adequate disclosure about auditor selection and oversight.
Technology. GenAI and cybersecurity will continue to be important audit committee challenges. Artificial intelligence impacts areas for which audit committees have responsibility, such as risks associated with AI use, especially for financial reporting and internal control purposes. Cyber-security will continue to be a top priority considering “the proliferation of breaches, the extent to which nation-state actors have become more active hackers, the greater consequences of a breach or a ransomware attack, and the regulatory environment,” including SEC disclosure requirements.
Enterprise Risk Management. Many audit committees are taking a fresh look at ERM programs to assess whether they are still effective due to the proliferation of new risks (e.g., those associated with GenAI), increased geopolitical risk, the complexity and increased inter-relationships of various risks, or simply because ERM programs may become stale or perfunctory. Audit committees might consider regularly revisiting ERM – preferably quarterly -- to be sure that management is continuously refreshing the program.
Audit Committee Effectiveness. Audit committees should consider how they can be more efficient and effective. Deloitte suggests prioritizing items on meeting agendas and using “consent” agendas to act on routine matters without discussion. Audit committees should also consider “which matters properly reside with the audit committee and, in appropriate circumstances, pushing back on responsibilities that others seek to place on the audit committee agenda.”
The report concludes with a list of questions to guide board consideration of whether to modify committee structure or the matters assigned to particular committees.
Comments