In an era when the business landscape is characterized by rapid changes and rising uncertainties, the need for robust governance oversight has never been more critical. As organizations strive to navigate an increasingly complex business environment, the role of the board in overseeing enterprise risk management, financial reporting, and compliance becomes paramount. This publication discusses the evolving priorities and responsibilities of audit committees (ACs) in 2025, emphasizing risk governance, technology integration, and investor expectations.
Enhanced Risk Governance and Enterprise Risk Management Integration
Today’s ACs are watching an evolving risk landscape impacted by significant geopolitical factors, continuing supply chain disruptions, global inflation, and the emergence of technology that for many companies may prove highly disruptive to their businesses. According to the BDO 2024 Board Survey of approximately 250 sitting directors, 31% identified enterprise risk management (ERM) as the governance process requiring the most significant time and effort over the next 12 months. Today’s dynamic risk environment, coupled with regulatory (e.g., SEC) and stakeholder expectations, requires corporate risk assessments to cover the entire enterprise, not just financial reporting. A recent Audit Committee Practices Report found that 47% of respondents assigned ERM oversight to the AC, 15% to a risk committee, and 35% to the full board. ERM is expected to be an integrated, holistic process that considers all manner of risks to the organization (e.g., strategic, regulatory, operational, and reputational). Regardless of the express responsibilities within the board and committee charters, all board members are expected to exercise skepticism and be risk aware.
Governance Structure and Composition
The combined structure and composition of the board plays a crucial role in risk governance. AC members have a significant responsibility in reviewing and overseeing risk factors as part of their mandate to oversee the financial reporting function, and their directive often extends to oversight of the ERM process as well. This requires well-informed directors who understand not simply financial accounting but have relevant experience and deep industry knowledge about the company’s specific risk factors and the experience to make judgments about how well management is identifying, prioritizing, and managing risks. For example, consider whether an AC that also has responsibility for cyber risk oversight, but is composed solely of financial experts with no current understanding of the cyber risk landscape or of how emerging technology affects the protection of data, is adequately equipped to ask informed questions of management about risk detection and mitigation strategies.
Leading Practices for Board/Committee Oversight
The board should be responsible for setting and clearly articulating risk appetites and tolerance thresholds and ensuring management is operating within those boundaries. There are several steps directors should take to advise management on risk and strategic priorities. These include:
- Establishing incentives to provide accurate reporting on risks to the organization
- Remaining forward thinking and open minded as the business environment rapidly changes
- Prioritizing ongoing education, including inviting experts into the boardroom (e.g., economists, cyber specialists, technologists, and others)
- Taking a hands-on approach by engaging with stakeholders, leveraging technology, and performing site visits
The AC’s oversight of ERM goes beyond oversight of management’s processes to stress testing those results to help ensure priorities are aligned, mitigation efforts are sound, and the company can be resilient against new challenges. The AC should not only review the formal ERM processes performed by management but receive further reporting and updates at an established cadence throughout the year to enhance recurrent risk conversations. The Audit Committee Practices Report indicated 49% of boards discussed ERM monthly, as opposed to the 28% and 20% who add it to the agenda semiannually and annually, respectively. Effective risk conversations have several key characteristics that include considering the company holistically, incorporating the organization’s strategy and planning processes, and collaborating with professionals throughout the organization. Additionally, these conversations may benefit from this list of questions every board should ask about risk management.
Risk Mitigation and Preparedness
Much like our own immune systems, organizations are much better prepared to respond to risks if they are generally healthy. If the fundamentals of a business are strong and if potential shocks to the system have been considered and prepared for in advance, the business will be much better positioned to survive. However, in today's fast-paced business environment, the speed at which risks can materialize has a significant impact on risk management, often requiring response within minutes rather than overnight. Boards should consider whether management is prepared to identify rapidly materializing risks and react swiftly to disruptions. Resilience programs such as business continuity, IT disaster recovery, and cyber incident response programs should be adequately resourced and include formal documented processes and responsibilities, scenario planning, and crisis simulations that are updated regularly.
Governance Oversight Priorities
BDO’s 2024 Board Survey identified the activities directors expect to spend the most time on next year (charts: "Specific Governance Activities to Oversee Execution of Corporate Objectives and Goals" and "Specific Governance Activities to Strengthen Both Management and the Board").
Conclusion
Effective risk management and resilience through ERM integration are essential for navigating the complexities of the modern business environment. By adopting leading practices, aligning with strategy, and prioritizing forward-thinking approaches, ACs can enhance their oversight capabilities and help ensure the long-term success of their organizations.
Emerging Technology and Cybersecurity
The expanded use of technology is transforming business operations, reducing costs, and enhancing human capabilities. The challenge organizations face is balancing innovation with risk management, focusing on efficiency, productivity, cybersecurity, data governance, and human capital impacts.
Governance Structure and Composition
The 2024 BDO Board Survey shows the priority emerging technology and cybersecurity have in boardrooms today. Directors identified "advancing the use of emerging technology" as the second most important strategic priority and "lagging implementation of emerging technologies" as one of the most significant risks. Cybersecurity was also in the top five strategic priorities and significant risks. Additionally, 50% of directors plan to increase investments in emerging technologies, and 41% intend to boost cybersecurity investment over the next 12 months. While some organizations may create additional board committees for technology and/or cybersecurity, many consider the AC the appropriate committee to oversee these areas, given its familiarity with the need for strong implementation and internal control environments designed to protect the integrity of information being used and generated by the company.
As boards formalize their oversight response to evolving technology, they should consider committee capacity and expertise. According to the recent Audit Committee Practices Report, 58% of ACs have cyber responsibility, followed by 25% retaining oversight at the full board level. Seventy-three percent of directors report discussing the topic quarterly, followed by 15% semiannually. Similar to the evolution of sustainability oversight, technology is integrated throughout the corporate environment (e.g., human capital systems, operations, supply chain management, third-party risk, and financial reporting). Collaborative oversight will be essential and may require assignment to one or more board committees depending on the significance and pervasiveness of the risks.
There is an ongoing debate about whether to bring subject matter experts onto the board or to cultivate director “generalists” supported with focused continuing education, with no definitive best practice emerging. For example, while the SEC dropped its proposed requirement to disclose whether cybersecurity expertise existed within the board, the board may determine that having a cyber expert among them may still be warranted. However, we caution about deferring responsibility for significant risks to a single board member. There is also growing support for all directors to be “technology and cyber literate,” much like they should be financially knowledgeable, with many boards encouraging directors to achieve and maintain certifications in these and other significant risk areas.
In response to the SEC’s cybersecurity disclosures, directors report obtaining external assessments and creating internal processes as the top two areas for improvement in their oversight of cybersecurity. This includes understanding what cyber incidents may be considered material to the business and how prepared the organization is to respond in a timely and effective manner to a cyber incident when it occurs. See also Questions Directors Should be Asking in Their Oversight of Cyber Risk.
What is certain is that directors should continue to educate themselves in emerging and dynamic areas, including AI/generative AI and cybersecurity, to continue to inform appropriate dialogues with management and auditors. Subject matter specialists may be invited to board and committee meetings to provide education that bolsters collective board knowledge and addresses identified director skill and knowledge gaps, as well as to serve as trusted advisors. While these sessions are often requested by the board or AC chair, many boards encourage attendance by all directors and certain members of management.
Oversight of Generative AI
Board oversight of generative AI should be considered as part of the broader ERM mandate. From recognizing strategic benefits to mitigating associated risks, the board can embrace AI by establishing a safe environment and a culture of trust that accelerates innovation while promoting long-term success. The board of directors further plays a pivotal role in guiding the responsible and ethical use and strategic deployment of generative AI. The board may consider establishing a cross-functional AI team that includes the CIO, CISO, general counsel, and operations, providing regular reporting to the board or oversight committee.
From an AC perspective, many finance teams are identifying efficient AI use cases to help analyze financial information, detect trends, and identify anomalies in large data sets. By the same token, auditors are incorporating AI into their auditing methodologies and tools to drive efficient and effective audits and address audit risk.
Regulators from government to industry are also keenly focused on the role that emerging technologies play in shaping business opportunities and risks to consumers and stakeholders. We encourage the AC to remain attentive to developing rules and regulations that may impact how their business chooses to integrate and use technology and the impact those choices may have on their stakeholders.
Questions directors should be asking in their oversight of generative AI
- What are the company’s policies around the ethical use of technology? How are those policies monitored, and how often are they reviewed and revised?
- What is the process for identifying effective use of generative AI? Is the organization monitoring industry and competitor uses? Do these uses align with strategic objectives and business goals?
- What is the process for adopting innovative technologies from identification to selection, implementation, education to monitoring and compliance? Who is responsible and accountable?
- What monitoring and compliance controls exist? How are instances of noncompliance reported and remedied?
- What are the risks associated with generative AI use, and what controls are in place to mitigate these risks?
- What controls does the company have around the reliability, accuracy, and consistency of its data?
- How does the organization monitor (and who is responsible for) the regulatory environment to ensure compliance?
- How is the company mitigating third-party risk?
- How are we remaining current with respect to developing laws and regulations related to the use of AI?
AI Oversight in Financial Reporting and Use by the External Auditor
With disclosure demand increasing, it is anticipated that stakeholders will expect similar information around technology governance and oversight to what they are receiving about cybersecurity. Directors should not only confirm the company has processes around technology risk management, strategy, and governance that are operating effectively, but also that the governance oversight is established, documented, reviewed, and revised frequently.
A recent report, The Rise of Generative AI in SEC Filings, states that almost two-thirds of Fortune 500 companies mention AI in their annual report on Form 10-K, 11% specifically reference generative AI, and more than half have a risk factor citing AI. ACs should ensure consistent and balanced messaging on emerging technologies, considering the materiality to their business when making public disclosures, while also anticipating stakeholder demand for details on process and governance oversight.
Underlying the financial statements, ACs should evaluate the impact of technology, including generative AI use in the financial reporting function. Three increasingly interdependent elements — technological efficiency, regulatory compliance, and talent — impact both corporate finance teams and audit engagement teams. Data governance challenges can increase the risk for potential reporting issues, errors, or unreliable insights.
The PCAOB has started “limited outreach” to understand audit firm and public company perspectives on the integration of generative AI in audits and financial reporting. Findings suggest that the integration is falling behind operational and customer-facing areas for many companies, which was further supported by BDO’s recent Board Survey results. Similarly, while some audit firms have started to incorporate generative AI into their audits, it remains primarily for administration and research as firms proceed cautiously in their testing and vetting of innovative technologies.
Meanwhile, stakeholder demand for adoption is high. BDO’s inaugural Audit Innovation Survey revealed that senior finance leaders say tech-savvy auditors increase trust and influence auditor selection, while acknowledging continuing challenges in audits as technology is implemented. More than two-thirds (69%) of respondents say established data governance and internal data management are a barrier to a smooth audit experience. ACs should continue to engage in discussion with external auditors, as well as internal auditors, around their use of technology, the associated benefits, and risks.
The CAQ recently released a resource providing an overview of the technology and regulatory environment along with audit considerations for companies deploying generative AI. They also included sample use cases that may be useful for the AC in the evaluation and oversight of their own company’s generative AI deployment.
Investor Expectations of Audit Committee Effectiveness
The AC’s effectiveness is vital for robust corporate governance and investor confidence. While ACs are often assigned expanding responsibilities, they must not fall behind on the traditional mandate of their role. It is important to clearly define and regularly review the AC's responsibilities and associated charter to ensure compliance with requirements, along with assessing the capacity and experience around expanded oversight responsibilities.
Questions ACs should be asking about fulfilling investor expectations
- Is the AC fulfilling its requirements per applicable rules and regulations?
- How does the AC determine effectiveness and independence of the external auditor?
- Is our ERM process fit for purpose with respect to identifying and prioritizing emerging areas of risk?
- Does the AC inquire about "close calls" - e.g., areas of focus by the external auditor that were considered but didn't rise to the level of a CAM?
- If applicable, is management's remediation of deficiencies being done timely and effectively?
- How is the AC leveraging internal audit (IA) for value creation and risk mitigation?
- How often does IA revise their audit plan and update the AC on any deficiencies found?
- What are the qualifications and experience of the IA team?
- How is the AC ensuring collaborative input into the company’s disclosures?
- What disclosure controls are in place, and how does the AC monitor effectiveness?
- To what depth does the AC review, challenge, and approve items ancillary to the earnings release?
- Do any/all directors sit in on earnings calls?
- How does the AC ensure consistency around the company’s internal and external messaging?
- How are AC members staying current with rules, regulations, and environmental trends?
- What are the AC’s responsibilities beyond the core requirements, and does the AC have the capacity and experience to execute on them?
- Does the company’s finance function need additional support? How and when was a gap analysis performed?
Oversight of Internal Audit
Leveraging IA effectively can provide significant insights into the company's operations and risk management processes, including emerging and high-priority areas such as AI, cybersecurity, and controls around non-financial data (e.g., sustainability metrics). The Institute of Internal Auditors has issued new Global Internal Audit Standards, effective January 9, 2025. These standards are designed to guide the professional practice of internal auditing and serve as a basis for evaluating the quality of the IA function by those in oversight roles (e.g., ACs). While not mandatory, the standards offer 15 guiding principles and essential conditions (i.e., activities of the board and senior management) that enable effective internal auditing. ACs can help their IA function deliver indispensable value in several ways, such as:
- Aligning expectations with the IA mandate
- Setting clear IA authority, roles, responsibilities, and scope of services
- Building an open and trusting relationship
- Understanding the risk assessment process
- Equipping IA with adequate resources and tools
- Promoting the IA function
- Assessing the performance of the Chief Auditing Executive (CAE) and IA function
- Requiring the maintenance of a current IA charter for approval
Best practices for the oversight of IA include regular reports to the AC to ensure continued alignment on audit strategy and goals, along with timely resolution of identified deficiencies before they become material issues. The PCAOB has also taken interest and added a mid-term project to consider updates to Auditing Standard 2605, Consideration of the Internal Audit Function. See the BDO Internal Audit Webinar Series and upcoming BDO in the Boardroom Podcast for discussions around emerging topics and best practices within the IA function.
Oversight of Financial Reporting
The AC plays a vital role in overseeing financial reporting quality and controls. Recent studies from Ideagen Audit Analytics and the Center for Audit Quality indicate that the number of financial restatements filed by SEC-reporting companies is at or near historic lows, likely the result of continued diligence around emerging risks and robust internal control environments. The AC should remain vigilant in these areas and sensitive to the impact macroeconomic and geopolitical factors will have on their companies, including but not limited to: political elections and potential changes in legislation, geopolitical and economic indicators (e.g., inflation, interest rate changes, supply chain disruption, changes in tariff policies, war impacts) along with human capital matters associated with cultivating and retaining a skilled finance workforce.
Regulatory Landscape
The regulatory landscape is continually evolving, with robust SEC and PCAOB rulemaking agendas, enforcement actions, inspection findings, and litigation continuing to make headlines. The AC must stay informed about these changes and ensure compliance with new regulations, consider priority regulatory areas, and monitor the impact of legislation, as well as an upcoming transfer of executive power in the U.S.
The PCAOB has prioritized transparent communication and continues to issue Investor Bulletins, Audit Focus, and Spotlight publications that ACs are encouraged to monitor. Recent examples include the PCAOB’s reporting on its inspection activities, which covers observations and inspection activities from the past year as well as inspection priorities for the upcoming year, and can inform ACs in their oversight of the financial reporting and audit processes. The SEC also releases examination priorities and makes public recent comment letters issued to registrants.
Fraud Risk
Fraud risk evaluation and oversight are critical components of the AC's responsibilities, and the current environment constitutes a heightened risk for organizations, including digitally enabled fraud. The PCAOB recently paused its significant proposed Noncompliance with Laws and Regulations (NOCLAR) auditing standard, but ACs should continue to stay informed and involved in this and other rule and standard setting. See the 2024 BDO Board Survey and the PCAOB’s recent Spotlight for discussion around solidifying a culture of compliance.
Board’s Actions to Prevent and Detect Fraud
Disclosure
Recent SEC enforcement has focused on the adequacy of company disclosure controls under Exchange Act Rule 13a-15 and emphasized the need for comprehensive disclosure controls. The Division of Corporation Finance also continues its Disclosure Review Program. ACs should be aware of cited trends — e.g., misleading non-GAAP measures and ransomware attack disclosures — to ensure their company’s own alignment with regulatory expectations.
Companies may consider maintaining a well-structured disclosure committee, which includes diverse management representation from various departments such as accounting, finance, IT, cyber, sales, and general counsel. ACs should monitor the disclosure committee's recommendations to ensure transparency and regulatory compliance. Additionally, the AC should discuss disclosure of material judgments to understand exclusions and evaluate the necessity of included information.
Disclosure alignment should be a priority in AC discussions, ensuring company-wide collaboration and consistency across sources that broadly include (but are not limited to) financial statements, MD&A, earnings releases, proxy statements, company websites, sustainability reporting, and marketing materials. ACs should frequently scrutinize noted comment letter areas and emerging risks, as applicable, such as:
- China-related matters
- Non-GAAP measures
- Critical accounting estimates
- MD&A
- Revenue recognition
- Financial statement presentation
- Market disruptions
- Cybersecurity
- Supplier finance programs
- Inflation
- Other related rules (e.g., pay for performance)
The AC should inquire about the rigor for how disclosures outside the financial statements (such as those related to earnings releases and sustainability reports) are verified for accuracy and consistency, including reviewing presentation slides and management's commentary, while overseeing internal controls around non-financial metrics.
The SEC recently disbanded its Climate and ESG Task Force, stating that the priorities were determined to be well integrated into overall company strategy and risk management. Additionally, the SEC’s new climate rules remain stayed, and the issuance of anticipated new human capital rules is in question given the pending U.S. election transition. However, ACs should not lose focus, as jurisdictions globally and locally are moving forward with significant reporting requirements that may impact a broad group of U.S. companies and will require significant action by management and oversight by the AC. ACs should discuss the emerging ESG disclosure landscape and the company controls in place to monitor compliance as well as stakeholder sentiment, remaining attuned to verifiable data that reflect actual practices and do not mislead investors.
Finance Function Talent Management
The experience, effectiveness, interactions, and reporting of professionals in the accounting and finance functions serve as an important control in the oversight of financial reporting that the AC receives. In an environment where the war for talent continues, ACs should ensure they are evaluating resources and supporting the needs of the finance function in their companies.
Oversight of the External Auditor
Audit quality stems from the AC’s ability to exercise professional skepticism, including challenging assessments and estimates made by auditors and management. It is considered a best practice for ACs to build a strong professional relationship with their external auditors, which includes frequent, transparent communications about the audit, including:
- Auditor independence
- Scope, status, and conduct of the audit
- Audit team and the audit firm, including engagement team members’ experience, supervision, and review
- Firm structure and potential impact on audit quality
- Recent inspection results at the engagement level and at the firm level
- Firm’s system of quality control
See the PCAOB’s recent Audit Focus: Audit Committee Communications for reminders and common deficiencies in this area.
SEC Chief Accountant Paul Munter released a statement on the recent increase in deficiency rates found in audit inspections and the importance of the role of the AC in ensuring high-quality audits.
The PCAOB has been active in its rulemaking intended to support the AC’s responsibility in oversight of the auditing function and selection and retention of auditors. This includes the recently adopted standards regarding the audit firm’s system of quality control, required firm reporting, and firm and engagement metrics, which at the time of publication are still awaiting SEC approval. Directors should remain knowledgeable about auditing standards and how those standards may impact the AC’s and management’s engagement with the auditors. Similarly, they should carefully consider proposed standard setting regarding the scope and procedures of financial statement audits, such as the PCAOB’s (NOCLAR) rules. A recent roundtable briefing paper may further impact how the auditor engages with the company, along with the types of controls and additional information that may become a required component of public company audits in the future.
In September 2024, the PCAOB issued a spotlight focused on recent inspection deficiency findings with respect to auditor independence requirements and highlighted considerations for the AC particularly around its responsibility for the pre-approval of audit firm services, including but not limited to:
- ACs are required to consider, in advance, whether any services provided by the audit firm may impair the audit firm’s independence.
- ACs should consider whether the public company’s policies and procedures require that all audit and non-audit services are brought before the AC for pre-approval.
- ACs should consider whether their auditor has implemented processes to identify prohibited relationships.
- If the AC pre-approves services using pre-approval policies and procedures, the AC should consider whether the pre-approval policies and procedures are sufficiently detailed as to the particular services to be provided so that the AC can make a well-reasoned assessment of the impact of the service on the auditor’s independence.
- Independence is a shared responsibility between the entity under audit, its AC, and its auditor. It is important for the company to have policies and procedures to proactively alert auditors to proposed or pending merger and acquisition activity that could have an impact on auditor independence.
BDO is poised to release an audit committee pre-approval practice aid in early 2025, to be posted within the practice aid section of the BDO Center for Corporate Governance.
As the regulatory environment continues to advance at a quick pace, ACs are being encouraged by regulators, auditors, and other stakeholders to be more engaged in the rulemaking and standard-setting process, as well as to remain active in the community establishing and discussing best practices. The PCAOB continues to be especially active in their board outreach and annually publishes high-level observations and key takeaways from their conversations with AC chairs.
Conclusion
The AC’s effectiveness is crucial for maintaining investor confidence and ensuring robust corporate governance. By fulfilling its mandate, adapting to evolving risks, overseeing the external and internal audit functions, evaluating significant risks (including potential fraud and emerging risks), and staying informed about regulatory changes, the AC can significantly contribute to the company's success and the delivery of high audit quality to the markets.
Directors and Boards committed to adapting and strengthening oversight to meet today’s business challenges head-on will create more resilient, sustainable, and successful organizations throughout 2025 and beyond.