Our Purpose
Our People
Our Committees and Task Forces
CAQ Careers
Events
Press Room
Subscribe
Audit Quality
Independence
ESG
Anti-Fraud
Talent
Corporate Reporting Trends
Audit in Action
Expert Insight from CAQ and Partners
 
The Age of Generative AI: How Audit Committees Can Respond
Auditors
Explore resources for auditors to help them navigate our ever-changing financial ecosystem.
Audit Committees
Explore resources on the latest developments affecting audit committees.
Investors
Explore resources on developments in the audit profession affecting our capital markets.
Policymakers
Explore resources that help policymakers navigate the ever-changing financial ecosystem.
Academics
Explore resources and research for the classroom.
 
 
Download PDF
Key Findings


Top 3 priorities of the Audit Committee



Key Insight: Oversight of AI 


Audit committee practices and effectiveness


Quality of the independent auditor


Conclusion



  Past reports



We’re excited to publish the fourth edition of the Audit Committee Practices Report, a joint effort between Deloitte’s Center for Board Effectiveness (Deloitte) and the Center for Audit Quality (CAQ). Our goal is to provide directors— especially audit committee members—and governance professionals with insights into relevant priorities, challenges, and opportunities. In addition, the data that informs this report is reflective of leading practices to promote audit committee effectiveness.
A total of 237 respondents participated in this year’s survey, primarily on boards of US (89%) public (86%) companies with more than $2 billion in market cap (72%). Directors on boards of financial services companies made up 27% of the respondents. All demographics data can be found in the appendix.
We developed this survey four years ago to understand audit committee priorities and challenges and to obtain information on questions audit committees and governance professionals regularly ask us. Each year, we repeat some questions to understand how audit committees are evolving and identify emerging trends. We also include new questions that reflect the current environment in which audit committees are operating. New this year, we asked about participation of non-audit committee members in audit committee meetings and how audit committee members assess the quality of the independent auditor.
Outside of financial reporting and internal controls, the top three priorities of the audit committee over the next year are consistent with last year:
  • Cybersecurity
  • Enterprise risk management (ERM)
  • Finance and internal audit talent
Beyond these, there were slight changes in the remaining priorities compared to last year, as seen in the following chart.
Ranking
2025 Priorities
Change
2024 Priorities
1
Cybersecurity
Cybersecurity
2
Enterprise Risk Management
Enterprise Risk Management
3
Finance and internal audit talent
Finance and internal audit talent
4
Compliance with laws and regulations
+1
Finance Transformation
5
Finance Transformation
-1
Compliance with laws and regulations
6
ESG reporting
+1
AI governance
7
AI governance
-1
ESG reporting
8
Third-party risk
Third-party risk
9
Data privacy
Data privacy
Respondents were asked to identify the top three priority areas (beyond financial reporting and internal controls) for the audit committee in the next 12 months. The survey was open during the following periods for the current and prior years: September 16–October 11, 2024, and September 28–November 12, 2023, respectively.
Rank is determined by dividing (1) the total selections for each priority by (2) the total unique respondents indicating their audit committee had primary jurisdiction over the area. In effect, this gives less weight to cases where a respondent’s audit committee does not have primary jurisdiction of an area they selected as a top three priority. Previous analyses did not use the relative ranking methodology, so the order of items displayed for 2024 do not match what is published in the 3rd edition report.
We also found that a majority of respondents are interested in enhancing the effectiveness of audit committee meetings. When presented with various strategies to achieve this, the two most prominent areas identified were the quality of presentations during meetings and the level of discussion and/or engagement from members. These and other observations on committee effectiveness are further explored in the report.
We are confident that you, your fellow committee members, and those who work with audit committees can use this survey to benchmark your committee against others and help set priorities for the months ahead. Read on to explore the key themes and review the appendix to see responses to all questions, including a breakdown by respondents from financial services and non-financial services companies.
 
Krista Parsons
Audit & Assurance Managing Director, Audit Committee Program Leader, Center for Board Effectiveness
Deloitte & Touche LLP
 
Vanessa Teitelbaum
Senior Director, Professional Practice
Center for Audit Quality


Key findings


Top three priorities of the audit committee




Cybersecurity


Beyond financial reporting and internal controls, respondents identified cybersecurity as one of their top three areas of focus, with 50% ranking it as the number one area of focus for the audit committee over the next 12 months. This is consistent with results since we started publishing this report in 2022.
According to our survey, 62% of audit committees have primary oversight of cybersecurity risk, while 23% responded that their full board has oversight. This is consistent with the Center for Audit Quality’s 11th annual Audit Committee Transparency Barometer report, which found that 64% of S&P 500 companies delegate oversight of cybersecurity risk to the audit committee.
As we’ve seen in previous years, the breakdown varies among financial services and non-financial services companies, with nearly three-fourths of non-financial services companies (70%) delegating cybersecurity oversight to the audit committee. The percentage of financial services company respondents reporting that the audit committee has oversight for cybersecurity risk decreased to 41%, with 24% citing the risk committee as having primary oversight. This is not surprising given that most large financial services companies are required to have a risk committee.



How frequently is cybersecurity on the audit committee agenda? For 71% of our respondents, the answer is quarterly, with 17% reporting it is on their agenda semiannually. Just 5% discuss cybersecurity annually, and another 7% responded it’s on the agenda “as needed.”
Considering that cybersecurity is the top area of focus for audit committees over the next year, do they feel they have the appropriate skills on the committee to oversee it? Nearly a third (31%) of respondents pointed to cybersecurity as the skill most likely to enhance the audit committee’s effectiveness. In fact, half of respondents (50%) ranked cybersecurity in their top three skills most likely to enhance audit committee effectiveness in the next 12 months.



  • Receive regular updates on current cybersecurity threats, trends, and regulatory requirements, as well as cybersecurity risks, incidents, and mitigation strategies.
  • Review and assess the company’s cybersecurity policies, frameworks, and incident response plans on a periodic basis.
  • Oversee regular cybersecurity risk assessments to identify vulnerabilities and threats.
  • Assess the resilience of the company’s cybersecurity program and understand how the company would recover from an attack.
  • Consider cyberattacks reported by other entities and ask management to assess how your company would have responded to a similar incident.
  • Be prepared to comply with SEC cybersecurity disclosure requirements, which includes having a good understanding of the framework used by the company to determine materiality for purposes of reporting
Questions for audit committees to consider asking:
  1. How are new technologies affecting the threat landscape?
  2. How are new employees trained to mitigate the risk associated with phishing and other attacks?
  3. How have third parties been considered as it relates to cybersecurity?
Enterprise risk management
Consistent with our 2024 report, the clear second priority for audit committees—beyond financial reporting and internal controls— is ERM. Effective ERM is crucial for achieving organizational objectives, safeguarding the company’s reputation and stakeholder relationships, and supporting long-term success.
When asked who is responsible for oversight of ERM within their companies, our survey respondents indicated: the audit committee (52%), the full board (28%), and the risk committee (19%). Financial services companies are less likely to assign audit committees primary oversight responsibility for ERM (21%) than companies in other industries (63%). Instead, nearly half (48%) of financial services respondents delegated this responsibility to the risk committee with 8% of non-financial services companies using a risk committee for ERM oversight.



ERM is on the audit committee agenda quarterly, according to nearly half (49%) of survey respondents. Another 20% of respondents discuss ERM semiannually, and 23% discuss it annually.
When asked to rank the skills needed to enhance audit committee effectiveness over the next 12 months, 8% of respondents identified ERM as the top priority, and 27% included it in their top three.



  • Remain aware of emerging risks and ask management how they are being considered in the ERM program. To help with their oversight role, directors should request tools from management to help them understand how management is assessing risk. These tools could include the results of periodic risk assessments, key risk indicators (KRIs) that help measure key business risks and monitor how the company is doing against each risk appetite definition, and a list of emerging risks that management is monitoring.
  • Understand management’s process for updating their risk assessment outside of their usual cycle. For example, are there triggering events that would initiate an update? This dynamic approach to ERM monitoring prepares boards and management to adapt when an issue arises.
  • Consider whether your directors’ backgrounds are sufficiently diverse to offer varied perspectives, enhance risk identification, and improve the board’s oversight and support of management.


Finance and internal audit talent


Oversight of finance and internal audit talent is the primary responsibility of the audit committee for 92% of our survey respondents. The topic is on the agenda quarterly for 38% of audit committees, semiannually for 18%, annually for 23%, and as needed for 21%.
Talent is a high priority for audit committee members, perhaps in part given the fast-paced changes in technology, including generative artificial intelligence (AI). While such technology provides exciting opportunities, finance and internal audit functions will likely continue to need highly skilled individuals to implement and utilize the technology. The use of AI may also automate routine tasks for enhanced productivity, creating new roles while displacing some traditional ones. The audit committee should understand how management is addressing evolving talent needs within their teams.





Survey respondents indicated that they continue to value the work of internal audit stating the following:
Internal audit... (n=218)
Agree or strongly agree
has a high level of understanding about business operations
89%
plans are promptly updated in response to emergent risks
86%
is effective at assisting management in identifying new risks
82%
professionals (other than the chief audit executive/internal audit director) bring needed insights to stakeholders
77%
Despite the strong views on internal audit, 82% agree or strongly agree that there is an opportunity to extract more value from internal audit. To maximize the value from internal audit, audit committees should consider enhancing collaboration and communication with internal audit teams, ensuring they are fully integrated into the risk management and strategic planning processes. Additionally, they could focus on aligning internal audit activities more closely with strategic objectives and emerging risks to maximize their impact.
In January 2024, The Institute of Internal Auditors (The IIA) released the new Global Internal Audit Standards (Standards) to elevate the quality and effectiveness of a company’s internal audit function and its activities. The new Standards aim to elevate internal audit practices globally, enhance the credibility and relevance of internal audit functions, and support internal audit activities in providing greater value to companies through improved governance, risk management, and control processes. Understanding the new Standards and their implications will help audit committees ensure their company leverages the internal audit function effectively, achieving greater value from their internal audit activities.
  • Cultivate strong relationships with both the finance and internal audit leaders.
  • Focus on succession planning for key finance and internal team members. By understanding the depth of the pipeline for key positions, potential successors to the chief financial officer, chief accounting officer, and chief audit executive can be assessed.
  • Understand the bench strength and leadership style of the finance and internal audit teams.
  • Receive periodic updates on key talent metrics, including involuntary turnover of high performers.
  • Consider the sufficiency of resource allocation to finance and internal audit functions such that appropriate investments can be made in long-term system and process improvements to support the company and high-quality corporate reporting.
  • Audit committees should understand how technology advancements may affect talent and confirm that management has plans in place to manage the risk this imposes.
  • Be aware of the IIA’s new Standards and consider how they can be leveraged to achieve greater value from internal audit. Learn more about how the Standards can have an impact on the audit committee in Deloitte’s On the Audit Committee’s Agenda: Governing a relevant, effective, and valued internal audit function.



Key Insight: Oversight of AI
While not among the top three areas of focus for the next 12 months, there has been an increase in the percentage of respondents (20%) who identified the audit committee as having primary oversight of artificial intelligence governance, up slightly from 14% in our 2024 report. For most respondents, such oversight is the responsibility of the full board (58%) with 10% allocating oversight to the risk committee. Notably, in last year's survey, 17% of respondents replied "Don't know" when asked which committee had primary oversight. This year, a smaller percentage of respondents (6%) said "Don't know"," suggesting that as AI becomes a bigger focus, boards are increasingly clarifying and defining their oversight responsibilities around it.


Audit committee practices and effectiveness
When interacting with audit committees, we frequently hear that the way they perform their duties is crucial to their effectiveness. This encompasses how they set agendas, the quality of information they receive, and their engagement with key stakeholders and each other. For this reason, a key section of the survey focused on audit committee effectiveness.
Survey respondents were presented with various strategies to enhance the effectiveness of audit committee meetings. Approximately one-third of respondents (31%) indicated that none of the suggested options would improve meeting effectiveness, implying that their meetings are already operating effectively. Conversely, 69% of respondents felt that at least one of the proposed options could enhance meeting effectiveness. This reflects a slight increase from last year, when 65% of respondents identified at least one option for improvement.



Forty percent indicated that the committee’s effectiveness would be enhanced by improving the quality of presentations during meetings. This was third (26%) in 2024, suggesting audit committee members are less satisfied with the presentations they are receiving this year. A few tactics to consider for enhancing the quality of presentations include:
  • Advise presenters to begin their presentation where the pre-reads end;
  • Encourage presenters to limit the number of slides presented during meetings;
  • Discourage presenters from flipping slides; and
  • Encourage management to highlight key changes from the prior period, significant judgments, and close calls when presenting financial information.
The next two opportunities to enhance effectiveness are increasing discussion and/or engagement from members during meetings (34%) and improving the quality of pre-read materials (29%).
These three opportunities are inter-connected. In addition to these recommendations, presenters should consider including executive summaries for each report. Further, the audit committee should encourage presenters to allocate the majority of their allotted time to discussion rather than prepared remarks (e.g., one-third of the time for prepared remarks and two-thirds for discussion).
Establishing effective processes for agenda setting, information management, and meeting conduct is critical, as audit committees are challenged to cover everything on their agenda. While most respondents (88%) agree or strongly agree there is sufficient time to cover agenda items, 12% disagree or strongly disagree. The average amount of time allocated to quarterly audit committee meetings is two hours and 28 minutes, which is down slightly from two hours and 44 minutes in 2024. For committees that find it challenging to get through their agenda in the allotted time, they may consider extending the meeting or implementing strategies to improve time efficiency.
Other than the noted concern regarding the ability to cover all agenda items, respondents are overwhelmingly satisfied that their expertise is leveraged effectively, meetings are an efficient use of their time, audit committee members ask challenging questions, and the audit committee effectively addresses disagreements between management and the external auditor.



Another topic often raised by audit committees relates to the participation of non-committee members in audit committee meetings. New this year, we asked if there are established practices to allow non-committee member participation. Overall, 82% responded that non-committee members are allowed to attend audit committee meetings, while 8% indicated that non-committee members are not allowed to attend the meetings. Additionally, 10% said there is no established practice around this, suggesting an opportunity to formalize a clear practice around who can attend meetings.



In companies where non-committee members are permitted to attend audit committee meetings, there is a relatively equal split in how they participate with 49% being observers and 46% being active participants. When non-committee members actively participate, the audit committee chair will need to manage the discussions to ensure meetings are effective and efficient.



Regarding the availability of audit committee meeting materials to non-committee members, 81% of respondents make them available to all board members, while 10% do not. Additionally, 9% either lack an established practice or are unaware of it, again suggesting an opportunity to clarify the practice around sharing committee materials.


Quality of the independent auditor


One of the audit committee’s core responsibilities is oversight of the independent auditor. A variety of factors may go into an audit committee‘s assessment of audit quality. When asked to identify which three factors are most important when making this assessment, four areas rise to the top (n=222):
Considerations
%
Previous experience working with the auditor
53%
The audit firm's overall reputation
53%
Audit quality indicators
53%
Value provided beyond the audit
50%
Lower on the list are a formal evaluation process (42%) and use of metrics and trend analyses (15%). 
When considering how to assess audit quality, audit committees should focus on understanding the key metrics that drive it. They should actively engage with their audit engagement partners to discuss various factors that could affect the quality of the company’s audit, including engagement staffing, audit milestones, and the risk assessment that informs the audit strategy. Additionally, audit committees should provide information on how they oversee their independent auditor in their annual proxy statement disclosure. See examples and leading practices in the CAQ and Ideagen’s 2024 Audit Committee Transparency Barometer.


Conclusion
The fourth edition of the Audit Committee Practices Report underscores the evolving priorities and challenges faced by audit committees, with cybersecurity, ERM, and finance and internal audit talent remaining at the forefront. This year‘s survey again highlights the importance of effective meeting management and provides additional insights on the participation of non-committee members in meetings and the critical role of the independent auditor. 
By leveraging the insights and data presented in this report, directors and governance professionals can benchmark their practices, address emerging risks, and enhance the overall effectiveness of their audit committees. We hope this report serves as a valuable resource in navigating the complexities of audit committee responsibilities and fostering robust governance practices.
Download the full report PDF including methodology and a detailed appendix of all survey questions and responses.
Download PDF
Download Past Reports
2024
2023
2022
Related Resources
The latest news and
resources from the CAQ.
Stay Connected.
Stay connected to the CAQ
Questions?
555 13th Street NW, Ste 425 E
Washington, DC 20004
202-609-8120
info@thecaq.org
TwitterFacebookYoutubeLinkedin
MembershipAnti-Fraud CollaborationYour Privacy RightsPrivacy PolicyTerms and Conditions
Copyright © 2025 Center For Audit Quality. All rights reserved.