Cybersecurity and Enterprise Risk Management: New Report Highlights Top Priorities for Audit Committee Members

As the regulatory environment grows in complexity and organizations address new and continuing challenges, additional expectations are placed on audit committees.

Beyond the traditional remit of overseeing financial reporting and internal controls, internal and external audit, and ethics and compliance programs, many audit committees now must consider cybersecurity, artificial intelligence, climate risk, and more as part of their agendas.

The 2024 Audit Committee Practices Report, a collaboration between Deloitte’s Center for Board Effectiveness and the Center for Audit Quality (CAQ), offers insight into the changing role of the audit committee, including committee priorities, challenges, opportunities, and practices. Below are key insights from the report. 

Cybersecurity and Enterprise Risk Management Are Top Priorities Again

The Audit Committee Practices Report: Common Threads Across Audit Committees highlights the top five priorities impacting audit committees and the unique role that they play in our evolving financial reporting landscape.

A total of 266 US-based respondents participated in this year’s survey, most of whom are from public companies (74%), 81 percent of which have more than $700 million in market cap. Additionally, 61 percent of all respondents are audit committee chairs and 39 percent are committee members. Eighty-nine percent of all respondents also work for public companies with 28 percent in the financial services industry and 72 percent in the nonfinancial services industry.

Aside from financial reporting and internal control over financial reporting, the top five priority areas that are top of mind for audit committee chairs and members are cybersecurity, enterprise risk management (ERM), finance and internal audit talent, compliance with laws and regulations, and finance transformation. Cybersecurity and ERM topped the list of priorities for a second year in a row. 

Impact on Audit Quality

All members of the financial reporting ecosystem, including the audit committee, have a distinct role to play in strengthening audit quality.

The survey found that communications were front and center for respondents, with 81 percent of respondents citing communications as a top factor affecting audit quality. Industry experience was cited as the second-most critical for audit quality, with 59 percent of respondents naming it. Quality of the audit firm (53%) and technical knowledge (45%) rounded out the top four items that can impact the overall audit quality.

In an April 25 webinar about the report, a collaboration between the CAQ and NACD, Karen Golz underscored the importance of strong, frank, and open communication between the auditor, management, and the audit committee. Golz is a board member at Analog Devices, Aspen Technology, iRobot Corp., and Osteon Holdings/Exactech. Such communication leads to fewer last-minute surprises and is the “first ingredient” of audit quality.

When the audit committee fosters an environment of trust and transparency, complex issues are easier to discuss and potential disputes or matters of interpretation can be resolved. 

The Value of Internal Audit

The survey supports what we already know: internal audit continues to be a critical resource for the audit committee and the function should adopt a dynamic risk assessment. Additionally, audit committees should find ways to cultivate and promote strong relationships with both the finance and internal audit teams as well-trained, experienced internal auditors add tremendous value to the company.

The survey found positive results related to perceptions of internal audit, including the following:

• 89 percent of respondents agreed or strongly agreed that internal audit has a high level of understanding about business operations.
• 86 percent agreed or strongly agreed that internal audit is effective at assisting management in identifying new risks.
• 76 percent agreed or strongly agreed that internal audit professionals bring needed insights to stakeholders.
• 87 percent agreed or strongly agreed that internal audit plans are promptly updated in response to emergent risks.

During the webinar, Golz highlighted that there are few groups within the organization that have as much unfettered access across the company as internal audit, providing a unique opportunity to support the audit committee.

In addition to these positive findings, one other finding stood out: 79 percent of respondents agreed or strongly agreed with the statement that “At my company, there is an opportunity to extract more value from internal audit.”

Krista Parsons commented that perhaps the value is simply not being communicated to the audit committee. Parsons is managing director of Audit & Assurance Governance Services and Audit Committee Program leader with the Center for Board Effectiveness at Deloitte & Touche LLP. Parsons pointed to another consideration, which is that the internal audit’s mandate should be revisited and perhaps there is value to be extracted by reconsidering the scope of work. 

Managing Audit Committee Meetings

In addition to exploring what priorities audit committees will focus on over the next year, the survey asked a number of questions about audit committee practices and effectiveness. Eighty-nine percent of respondents felt that there is adequate meeting time to address all items on the audit committee agenda. Yet most respondents (65%) also indicated that there is at least one strategy that might improve the committee’s effectiveness.

Furthermore, there was a divide regarding the inclusion of earnings release discussions as part of meetings, with 51 percent of respondents wanting to include it in the regular quarterly meeting and 49 percent believing that it should be discussed in a separate meeting.

Lastly, the report identified the following opportunities for audit committee meeting improvement:

• Increase discussion or engagement from members during meetings (29%).
• Improve the quality of pre-read materials (28%). 
• Improve the quality of presentations during meetings (26%). 

These findings are positive, as they demonstrate a desire to improve and enhance audit committee practices and effectiveness. Golz shared that she provides the pre-read materials as far in advance as possible and sets the committee’s agenda a full year ahead. Golz highlighted that these practices of planning well in advance do not restrict teams from addressing emerging issues but do allow committee members to focus and bring all of their thoughts to the table after having time to reflect. Golz also advocated for the chair repeatedly asking for feedback, both informally and formally, so that meetings can constantly improve.

Another tip Tony Anderson provided during the webinar related to the importance of open discussions, finding ways to bring in different perspectives and ensuring that all committee members participate in the conversation, as well as of establishing a maximum number of hours to convene per meeting (he tops his meetings at 3 hours). Anderson is a board member at AAR Corp., Exelon Corp., and Marsh & McLennan Cos.; he is also the former vice chair and Midwest area managing partner at Ernst & Young. In addition, Parsons emphasized the importance of quality pre-read materials, with executive summaries that align with the main topics of the meetings.

The role of the audit committee has changed significantly since the passage of the Sarbanes-Oxley Act of 2002, with many audit committees now overseeing a variety of emerging risks and experiencing an ever-increasing workload.  Audit committees are managing through this new paradigm, and they should continue to seek out resources while learning from peers.

CAQ is a NACD partner, providing directors with critical and timely information, and perspectives. CAQ is a financial supporter of the NACD.

Vanessa Teitelbaum, CPA, is senior director, Professional Practice at the Center for Audit Quality. She joined the CAQ in 2016 and advocates for stakeholders in the audits of public companies.