Download PDF

As the regulatory environment grows in complexity and organizations address new and continuing challenges, additional expectations are placed on audit committees. The scope of their responsibilities continues to expand beyond the traditional remit of financial reporting and internal controls, internal and external audit, and ethics and compliance programs.

Topics like cybersecurity, artificial intelligence (AI), and climate are now regularly showing up on many audit committee agendas, especially when it’s a matter of complying with regulatory disclosure requirements. In this report, we highlight the top five priorities—cybersecurity, enterprise risk management, finance and internal audit talent, compliance with laws and regulations, and finance transformation—that were identified by audit committee members who participated in the survey.



Beyond financial reporting and internal controls, most respondents (69%) indicated that cybersecurity will be in the top-three priority areas for the audit committee in the next 12 months,1 and 3 in 10 (30%) ranked cybersecurity as the No. 1 priority for the audit committee in that period. This is consistent with previous editions of the report, which have similarly found that cybersecurity is a top priority.

One reason could be a new U.S. Securities and Exchange Commission (SEC) regulation requiring registrants to report material cybersecurity incidents and to provide annual disclosure of cybersecurity risk management and strategy, as well as an explanation of board and management oversight processes. A recent edition of Deloitte’s Heads Up outlines the new requirements for cybersecurity disclosures.

Our survey found that 58% of audit committees have primary oversight of cybersecurity risk, and 25% responded that the full board has oversight responsibility. This is consistent with the CAQ’s 10th annual Audit Committee Transparency Barometer report, which found that 59% of S&P 500 companies indicate their audit committee is responsible for oversight of cybersecurity risk, up from 54% in 2022.

In general, oversight of cybersecurity for financial services companies was split between the audit committee (38%) and risk committee (26%). Comparatively, most non-financial organizations assign oversight of this area to the audit committee (64%) and, very rarely, to the risk committee (3%). This is likely driven by the fact that most financial services companies are required to have a risk committee.

A notable minority of respondents (24%) said their audit committee had sufficient levels of expertise. But for everyone else, the skill most frequently cited as having the potential to improve overall committee effectiveness was cybersecurity (44%). This is particularly notable given that almost half (48%) of respondents said they have some level of cybersecurity expertise on the committee. Given the importance of this topic, it’s also worth considering whether directors might benefit from external advisers or educational programs.

  • Cybersecurity continues to command focus across multiple board committees as well as the board—73% of survey respondents report discussing cybersecurity at least quarterly. Still, a certain percentage are not discussing cybersecurity as regularly; in fact, 15% discuss cybersecurity semiannually and 9% discuss it annually. Given the pervasive nature of cybersecurity risks, the role of the full board in understanding cybersecurity risk should be considered. At a minimum, the full board should determine the appropriate cadence for discussing the threat landscape and critical business risks affecting the organization.
  • New SEC requirements have increased cybersecurity disclosure requirements. Directors should strive to educate themselves on cyber-related issues and regularly engage with the CIO and/or CISO to stay informed. For some, this might also be a topic where it’s worth gathering input from an outside adviser.

Enterprise Risk Management (ERM)

Almost half (48%) of respondents indicated that ERM will be a top-three priority in the next 12 months. Interestingly, respondents were evenly split in terms of ranking ERM’s priority order—with 16% each ranking it as 1, 2, or 3. Compared to previous editions of the survey, ERM has consistently ranked among the top priorities.

Oversight of enterprise risk management—the processes used to identify, monitor, and assess risks—has been within the purview of the audit committee for many years. However, extra vigilance may be in order as the global risk landscape evolves and new types of threats emerge. Aside from general oversight, the audit committee must also assess whether the current ERM processes can handle new threats, whether those processes are efficient and effective, and whether they are supported by the proper resources.

When asked who was responsible for oversight of ERM within their organizations, 47% of respondents indicated the audit committee, 35% the board, and 15% the risk committee. Financial services companies are less likely to assign audit committees primary oversight responsibility for enterprise risk (23%) than companies in other industries (54%). Instead, 43% of financial services respondents delegated this responsibility to the risk committee. More than three-quarters (85%) of respondents report some level of enterprise risk experience/expertise on the committee. This could be an indication of a high level of confidence in their committees’ ability to oversee this area, as relatively few of those who stated a need for additional expertise prioritized ERM (20%).

  • To monitor the emergence of new risks, audit committees can adapt their models, starting by considering high-impact, low-likelihood risks alongside high-impact, high-likelihood risks. Such an approach is becoming ever more valuable given that events once deemed black swans—pandemics, large natural disasters and climate disasters, and global conflict—have become more prevalent.
  • Audit committee responsibility for ERM oversight may well have increased this year, owing to the introduction of new disclosure requirements in a variety of areas. That said, ERM oversight is not restricted to the audit committee—there is ample opportunity for the board to receive periodic updates, evaluate risk appetite, and identify new or emerging risks.
  • The audit committee has a role to play in advising management in identifying and monitoring material risks and seeing that they are brought to the attention of the full board and/or appropriate committee. Directors should encourage management to assess risks on a continuous basis, instead of relying on the outdated approach of conducting a risk assessment on an annual basis and setting it aside until the next year.

Finance and Internal Audit Talent

Finance and internal audit talent is a priority for audit committees, with 37% of respondents indicating that it is one of their top-three priorities over the next 12 months; 9% suggested it’s the top issue. Forty-six percent noted that their committee addressed the topic quarterly, whereas 23% discussed the matter once in the past 12 months.

We also asked respondents to share perspectives on their internal audit functions. Overall, the majority of respondents view internal audit as both an effective function and one that adds demonstrable value. That suggests internal audit can bring the appropriate business acumen to its activities and provide dynamic internal audit risk assessments, not only in its role as an assurance provider but also to help anticipate and advise on the risks ahead. Yet almost 80% of respondents agreed or strongly agreed that there is opportunity for internal audit to add more value. This view may be more a reflection of the talent crunch and rapidly changing business environment than of any discontent with the internal audit function itself, but it is still a point worthy of consideration.

Respondents’ concern about internal audit’s talent issues is bolstered by the fact that a large percentage of them—89%—agree or strongly agree that internal audit demonstrates a high level of understanding of the company’s operations.

  • Audit committees should cultivate and promote strong relationships with both the finance and internal audit teams.
  • In addition to overseeing succession planning for both those teams, the audit committee should consider how the teams will be affected by developing and evolving technologies (e.g., generative artificial intelligence). Management should be considering if certain skills will become redundant and whether there are opportunities to upskill talent.
  • To maintain a strong finance team and work product, the audit committee should maintain regular and robust contact with the CFO to understand the ongoing changes in talent needs and roles within finance.
  • Internal audit continues to be a critical resource for the audit committee. The function should be encouraged to adopt dynamic risk assessments to stay focused on the greatest areas of risk. In addition to providing assurance, consider whether internal audit could add further value by advising on and anticipating risks ahead.

Compliance with Laws and Regulations

More than one-third (36%) of respondents cited compliance with laws and regulations as one of the top-three priorities for audit committees in the next 12 months; a significant increase from last year. Seventeen percent suggested it’s the top issue. The heightened complexity of the regulatory environment may account for the increased priority assigned to this area this year. Forty-five percent of respondents indicated their company allocated oversight of compliance to the audit committee, 37% to the board, and 5% to the risk committee.

  • As new compliance risks emerge, it’s critical for management to update the risk assessment processes and risk methodologies.
  • Open lines of communication with the board and audit and risk committees are essential and take on added meaning depending on the degree of regulation of a given industry. Heavily regulated industries, such as aviation and food services, invariably face greater compliance issues.
  • Audit committees should understand the laws and regulations the organization is subject to, management’s efforts to comply, and the risk that noncompliance poses. This can help them better assess which risks have the greatest potential for legal, financial, operational, or reputational damage.
  • In 2023, the PCAOB proposed “Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations,” or NOCLAR. This proposal has generated significant discussion among auditors, attorneys, and other stakeholders as the proposal would expand the auditor’s obligation to identify and communicate an entity’s noncompliance with laws and regulations. Audit committees should stay informed about this proposed rule and its impact as the PCAOB considers next steps.

Finance Transformation

Thirty-three percent of respondents indicated that finance transformation is in the top-three priorities for their audit committee in the next 12 months, and almost half of those respondents (15%) selected this as the top issue. The matter of finance transformation is complex given that it can be affected by a number of external forces including market shocks, industry consolidation and convergence, technology acceleration, and new regulatory requirements. These factors, along with the talent issues discussed earlier, make the audit committee’s role in overseeing finance transformation challenging.

Additionally, the rapid rise of generative AI is raising important questions about when and how to invest in appropriate technologies that may have an impact on the finance organization and the speed of transformation. It’s rather striking in that regard that 66% of respondents indicated their audit committee has spent insufficient time in the past 12 months discussing AI governance. Beyond that, the regulatory frameworks for AI are still in the works while some companies explore various use cases for AI—from financial planning to financial close and financial risk sensing.

  • Audit committees should understand emerging finance technologies and how they are being considered and implemented within the organization. Absent any immediate adoption of technologies such as generative AI, management should work with the board to outline governance structures and controls for new technologies.
  • Finance transformation may require new skills and expertise in the finance organization and therefore is naturally linked to the talent issues previously discussed.
  • Audit committees have an important role to play in a company’s successful finance transformation by supporting the finance team and helping to understand the resources needed—both human and technological.

Audit Committee Practices and Effectiveness

Beyond understanding what priorities audit committees will focus on over the next year, we asked a number of questions about audit committee practices and effectiveness. Eighty-nine percent of respondents feel there is adequate meeting time for addressing all items on the audit committee agenda. Yet most respondents (65%) also indicated there was at least one strategy that might improve the committee’s effectiveness. Of those believing there were opportunities for improvement, three areas emerged.

Increased discussion and/or engagement from members during meetings—29% of respondents identified this as an area for improvement

  • Audit committee members are accountable for reading all materials in advance of meetings so they come to meetings informed and prepared to participate in discussions.
  • In addition to reading the materials, committee members should stay informed on emerging risks, regulatory shifts, and industry events, understanding how they may have an impact on the organization. This level of engagement throughout the year, not just in advance of meetings, is important as organizations navigate increasingly complex reporting requirements and rapidly evolving changes in the external environment on multiple fronts. This will allow for more robust discussions during meetings.
  • Open dialogue and candid discussions are critical for audit committees to operate effectively. It is important for committee members, management, and auditors to feel comfortable posing questions and openly expressing their views.
  • Audit committee members should focus on constructive challenge with questions to management and auditors such as: Where were the hard calls? What were the gray areas? What keeps you up at night?
  • Committee members should follow up if they don’t get satisfactory answers.

Improved quality of pre-read materials—28% of respondents identified this as an area for improvement

  • Pre-reads should be comprehensive, but not exhaustive, with respect to operational details.
  • The audit committee chair should consider assigning a single point of contact to coordinate pre-read materials and address committee members’ questions as they review pre-read materials.
  • Meeting materials should be aligned to priority areas, with executive summaries for each section highlighting critical issues and discussion points, key metrics, and decisions needed.
  • The materials should clearly identify the nature of the information being presented (e.g., informational, decision needed) and what actions are expected of the committee.
  • The materials should contain not only information on past performance but also insight on future issues of importance.
  • Publishing pre-read materials on a portal is a leading practice, and all materials should be provided to the committee with sufficient time to review prior to the meeting.

Improved quality of presentations during meetings—26% of respondents identified this as an area for improvement

  • Limiting the number of slides or pages presented during meetings can help the committee focus on key messages and takeaways while also allowing adequate time for questions and discussion.
  • To promote dialogue, presenters should assume that everyone has read the pre-read materials (i.e., the discussion begins where pre-reads end) and should be discouraged from presenting and reviewing each slide during the meeting.
  • Presenters should generally limit presentations to one-third of the allotted time, leaving two-thirds of the time for discussion and questions.
  • Management and others presenting financial information should highlight key changes from the prior period, as well as balances involving judgment, to focus the discussion on areas that warrant the audit committee’s attention. They should also identify areas involving close calls or more subjectivity.

Additional Observations

Only 14% of respondents said that ESG reporting was overseen by the audit committee. Forty percent indicated that the nominating and governance committee had oversight of ESG reporting, while 30% said the board did. The bulk of respondents said the audit committee devoted adequate time (69%) to this topic over the past year. Interestingly, a notable minority felt that ESG reporting was an area where the committee spent too little (17%) or too much (11%) time.

Of note, last year’s survey identified ESG disclosure and reporting as among the top-three audit committee priorities, with 39% indicating it as such—behind cybersecurity (63%) and ERM (45%). This year, only 22% of respondents included ESG reporting in their top-three priorities for the next 12 months, dropping it to sixth on the list, behind cybersecurity, ERM, finance and internal audit, compliance with laws and regulations, and finance transformation. ESG reporting was the only item where any material proportion of respondents (11%) said the committee spent too much time (the next highest, at 3%, was compliance with laws and regulations).

This drop may be attributed to several factors, but considering the number of new and proposed climate rules, audit committees should keep an eye on this area. For example, two California laws, effective in late 2023, established the first industry-agnostic U.S. regulations that require the corporate reporting of greenhouse gas emissions and climate risks, among other things. For its part, the SEC issued proposed rules in March 2022 that would impose significant new disclosure requirements for public companies in both registration statements and annual reports; however, those proposals generated intense opposition and have yet to be adopted. Finally, in the summer of 2023, the European Commission adopted the European Sustainability Reporting Standards that will provide supplementary guidance for companies and increase the breadth of nonfinancial information they report. All these developments seem to have prompted a need to reassess ESG strategies and measurement processes, matters that this year appear to be more in the hands of the board than the audit committee. Last year, 34% of respondents indicated ESG disclosure and reporting was under the audit committee’s oversight versus just 14% this year.

Communications were front and center when it came to audit quality. Eighty-one percent of respondents cited communications as a top factor affecting audit quality, most of whom ranked it as the top factor (50%). Industry experience was cited as second-most critical for audit quality, with 59% of respondents naming it. When the audit committee fosters an environment of trust and transparency, complex issues are easier to discuss and potential disputes or matters of interpretation are resolved.

Respondents do not expect to have high turnover on their audit committees this year. About 16% of respondents expect their audit committee chair to rotate. More (32%) anticipate rotating one or more members. These numbers increased considerably from the prior-year. While the nominating and governance committees may hold formal responsibility for board succession practices, the audit committee chair should provide input into the process, considering the skills and expertise needed on the audit committee to effectively carry out its responsibilities.

Audit committees are well aware of the need for the right kind of expertise to execute their oversight responsibilities. When asked what additional expertise would enhance the audit committee’s effectiveness in the next 12 months, almost one-quarter of respondents indicated they have the expertise they need. Of those suggesting they needed additional expertise, cybersecurity and technology ranked the highest (44% and 40%, respectively), with ERM (20%) and climate risk (19%) rounding out the top four areas. As the audit committee’s role further expands, it is essential for boards to monitor the committee members’ skill sets so that they have appropriate expertise to effectively carry out their oversight responsibilities.

Download the full report PDF for detailed survey results, survey demographics and methodology, and more!

Download PDF

Related Resources

The latest news and
resources from the CAQ.

Stay Connected.

Stay connected to the CAQ