March 12, 2024

Audit Committees Prioritize Cybersecurity, Enterprise Risk Management in New Survey

Two-thirds of audit committee members see opportunities to improve effectiveness,

 according to Deloitte, Center for Audit Quality Survey

NEW YORK, March 12, 2024 —The “Audit Committee Practices Report: Common Threads Across Audit Committees,” a joint effort between Deloitte’s Center for Board Effectiveness and the Center for Audit Quality (CAQ), identified cybersecurity as the top priority in the next 12 months.

A total of 266 respondents participated in this year’s survey, most of whom are from US public companies (74%), and of which 81% have more than $700 million in market cap.

Respondents cited enterprise risk management (ERM) as the No. 2 priority, demonstrating a broader, more holistic view of risk. Meanwhile, trending topics like artificial intelligence (AI) governance and environmental, social and governance (ESG) reporting are receiving comparably less attention.

“We are seeing the role of the audit committee continue to evolve and adapt as demands on oversight responsibilities change with the business environment and investor expectations,” said Vanessa Teitelbaum, senior director, Professional Practice at CAQ. “Audit committees are zeroed in on one of their core responsibilities: overseeing enterprise risk programs at large. While their agenda continues to grow and expand, key areas like cybersecurity and ERM remain a central focus.”

In addition to cybersecurity and ERM, finance and internal audit talent (a new entry in this year’s survey), compliance with laws and regulations, and finance transformation rounded out the top five priorities. Although the majority of respondents view internal audit as an effective function — one that adds demonstrable value — nearly 80% believe there is an opportunity for internal audit to add even more value. Audit committees are also increasingly prioritizing compliance with laws and regulations, with more than one-third citing it as a top-three priority, a significant increase from last year.

Cybersecurity remains No. 1 priority for audit committees, followed by ERM

Cybersecurity topped the list of committee priorities by nearly 20 percentage points over ERM. Notably, 58% of respondents said the audit committee has primary oversight over cybersecurity, with 25% indicating the full board has oversight responsibility. Sixty-nine percent of respondents highlighted cybersecurity as a top concern in the next 12 months, with 3-in-10 ranking it No. 1.

The heightened focus on cybersecurity is likely due to greater disclosure requirements from regulatory agencies. The U.S. Securities and Exchange Commission (SEC), for example, is requiring new disclosures on cybersecurity risks and incidents, as well as management and strategy, including an explanation of oversight processes.

When considering what additional expertise would enhance the audit committee’s effectiveness, cybersecurity was highlighted as the top area (44%). This is particularly notable given that almost half (48%) of respondents said they have some level of cybersecurity expertise on the committee.

The evolving risk landscape and emerging risks have put an increased spotlight on ERM. Nearly half of respondents indicated that ERM will be a top focus area in the next 12 months. More than three quarters (85%) of respondents reported some level of ERM expertise on the audit committee, positioning it to effectively oversee management’s risk programs.

Opportunities for audit committees to increase effectiveness

With a growing agenda and evolving responsibilities, audit committee members see an opportunity for continuous learning and improvement and have perspectives on how they could enhance their effectiveness. Only one-third of respondents say the committee is effective as is, while the rest feel there is at least one strategy that could boost general effectiveness. Those respondents highlighted three key areas for improvement:

  • Increased discussion and/or engagement from members during meetings — highlighted by 29% of respondents.
  • Improved quality of pre-read materials — highlighted by 28% of respondents.
  • Improved quality of presentations during meetings — highlighted by 26% of respondents.

“The effectiveness of an audit committee can be distinguished by how it executes its responsibilities,” said Krista Parsons, Audit & Assurance managing director, Audit Committee Program leader, and Governance Services leader at Deloitte’s Center for Board Effectiveness. “Key to this is including the right topics on the agenda, obtaining information that enhances comprehension of these issues, and fostering candid and transparent discussions. These are among the actions that audit committee members can take to be prepared for the issues facing them today and in the future.”

About the survey

This edition of the “Audit Committee Practices Report,” like prior editions, is based on a survey of audit committee members. A total of 266 respondents participated in this year’s survey, most of whom are from US public companies (74%) and of which 81% have more than $700 million in market cap.

In its third year, the Audit Committee Practices Report added a charitable element to the survey, allowing the first 200 qualifying respondents to select from Braven and/or New Profit for a $100 donation. This led to a total of $20,000 in donations, allocated per respondent selections.

About the Center for Audit Quality

The Center for Audit Quality (CAQ) is a nonpartisan public policy organization serving as the voice of US public company auditors and matters related to the audits of public companies. The CAQ promotes high-quality performance by US public company auditors; convenes capital market stakeholders to advance the discussion of critical issues affecting audit quality, US public company reporting, and investor trust in the capital markets; and using independent research and analyses, champions policies and standards that bolster and support the effectiveness and responsiveness of US public company auditors and audits to dynamic market conditions.

About Deloitte’s Center for Board Effectiveness

Deloitte’s Center for Board Effectiveness helps directors deliver value to the organizations they serve through a portfolio of high-quality, innovative experiences throughout their tenure as board members. Whether an individual is aspiring to board participation or has extensive board experience, the Center’s programs enable them to contribute effectively and provide focus in the areas of governance and audit, strategy, risk, innovation, compensation and succession.

About Deloitte
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500® and more than 8,500 US-based private companies. At Deloitte, we strive to live our purpose of making an impact that matters by creating trust and confidence in a more equitable society. We leverage our unique blend of business acumen, command of technology, and strategic technology alliances to advise our clients across industries as they build their future. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Bringing more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte’s approximately 457,000 people worldwide connect for impact at



Kerry Lee Brad Jacklin
Senior Manager, Public Relations Director, Communications
Deloitte Services LP Center for Audit Quality
+1 916-298-8031 +1 202 494 9560


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see to learn more about our global network of member firms.