Looking Ahead to 2025

Serving on an audit committee in 2025 might be daunting even if the committee could be assured that it would not have to take on any added responsibilities in the new year. After all, even the most basic perennial responsibilities of audit committees, such as overseeing the audit of the financial statements and compliance with financial reporting requirements, are far from routine. However, no such assurance is likely to be forthcoming. In fact, as audit committees contemplate the onset of a new year, the number and complexity of new issues and concomitant responsibilities seem likely to grow.

Moreover, 2025 may be a particularly busy year. With the change in administration, we could see significant changes in regulatory priorities, financial reporting, and corporate governance. Additionally, the increasing use of generative artificial intelligence (GenAI), ongoing cybersecurity threats, and a renewed focus on enterprise risk management at a time of geopolitical uncertainty will likely keep audit committees busy. And, to the extent that companies face unanticipated risks and challenges, it seems almost inevitable that audit committees will be viewed as the default “home” for such developments.

Given this background, audit committees would be well advised to consider a wide variety of continuing and emerging issues that they may need to deal with in 2025, bearing in mind that a complete list of such issues would be far longer than can be addressed in this publication.

Regulation

A complicating factor—uncertainty

The shift in administration will almost certainly bring changes in regulatory priorities. While we won’t know specifics until the presumptive nominee to become the new Securities and Exchange Commission (SEC) chair, Paul Atkins, is confirmed and lays out the Commission’s agenda, we can speculate about what may happen.

Given statements President-elect Trump has already made about his regulatory priorities, it seems clear they are likely to differ from the Biden administration, aiming to reduce what it perceives as burdensome regulations on businesses. There is still uncertainty as to which specific rules may be changed. Additionally, the SEC’s new chair will likely have his own areas of regulatory focus that companies will need to consider going forward.

Regardless of the changes introduced by the new administration, the SEC and the Public Accounting Oversight Board (PCAOB) will still be responsible for overseeing the capital markets and the audits of public companies. Audit committees should continue to focus on their responsibilities, while also watching for regulatory developments that could affect their activities.

The SEC

While SEC rulemaking activities appeared to diminish toward the end of 2024, several significant rules were adopted earlier in the year that will require audit committee involvement in 2025 and beyond, including rules regarding climate-related disclosures and the use of projections in disclosures. The process of overseeing compliance with new rules has been complicated by the change in administration and increased judicial challenges to SEC rulemaking.

For example, the climate-related disclosures referred to above led to litigation that resulted in those rules being put on hold. This edition of Deloitte’s Heads Up includes more information on this. Given the pending litigation and statements made by President-elect Trump about his regulatory priorities, it is far from clear whether or when the rules will take effect.

However, companies may not be in a position to put off developing and implementing the controls needed to comply with the rules, even if they believe that the rules may never take effect or may differ from the rules originally adopted. Additionally, companies need to consider other climate-related rules they may need to comply with, including the EU Corporate Sustainability Directive and the California state senate bill SB-219.

In addition, the SEC has more rulemaking on its current published agenda, including consideration of disclosure requirements pertaining to human capital management, payments by resource extraction companies, and board diversity. While some of these and other rulemaking initiatives will not directly affect financial reporting or internal controls, the mere fact that they involve disclosure suggests that some audit committee oversight may be required. The audit committee should keep an eye on the SEC’s rulemaking agenda, as it is likely to evolve once the new chair is confirmed.

Finally, SEC enforcement activity has been significant throughout the year, with a particular emphasis on internal controls and disclosure controls, areas for which audit committees have significant, direct responsibility. Notably, the SEC Enforcement Division has imposed cease-and-desist orders and civil monetary penalties for internal and disclosure control failures, even in cases where no disclosure deficiency was found. It will be important to audit committees to stay apprised of the new SEC chair’s priorities to understand where enforcement actions may be focused in the coming months and years ahead.

The PCAOB

The PCAOB, created as part of the Sarbanes-Oxley Act, has launched an initiative to modernize audit standards. Similar to the SEC, we expect that the priorities of the PCAOB may shift under the Trump administration once the new SEC chair is confirmed because of the SEC’s role in overseeing the PCAOB.

One of the PCAOB’s most significant initiatives over the past year was the proposed new auditing standard called “Non-Compliance with Laws and Regulations,” often referred to as “NOCLAR.” In November 2024, the PCAOB moved this standard from 2024 to 2025 on its published agenda and issued staff guidance outlining the existing responsibilities of auditors to detect, evaluate, and communicate about illegal acts. In a public statement, the PCAOB indicated it will continue engaging with stakeholders, including the SEC, as it determines potential next steps for NOCLAR. Audit committees should continue to watch for developments in this area as they maintain oversight of compliance matters.

Audit committees should also proactively engage with their independent auditors regarding their specific inspection results, as applicable, as well as the overall inspection results of the firm, as communicated in PCAOB reports. The PCAOB periodically publishes overviews of findings that highlight deficiencies such as noncompliance with PCAOB standards and rules; insufficient testing of estimates, data, and reporting used to support audit conclusions; and other quality control criticisms. Criticisms of these inspections range from their reliance upon non-standard criteria, to the manner in which inspection reports are disseminated to and accessible by the public, to concerns that the inspection process has led some audit firms to manage inspection risk at the expense of audit quality. Audit committees should also make sure disclosures about auditor selection and oversight in the annual proxy statement provide adequate information to investors and other stakeholders.

While the PCAOB may experience shifts in its regulatory approach under a new administration, maintaining audit quality will remain critical, and audit committees will continue to play an important role.

Technology

No discussion of audit committee activities in 2025 would be complete without a discussion of technology, from the impact of GenAI to the continuing threat of cybersecurity incidents, and beyond.

Artificial intelligence (AI) and GenAI

AI and GenAI seem to be the “bright, shiny objects” of the day, raising a broad array of questions for boards broadly, as well as audit committees. While still evolving, both AI and GenAI have already influenced many areas for which audit committees have responsibility, such as risks associated with their use and their functionality and reliability for financial reporting and internal control purposes. Additionally, internal audit and finance organizations are using or exploring the use of AI to create efficiencies within their organizations, which are, in turn, affecting talent.

Given the newness of some of these topics, oversight at the board level hasn’t been fully defined in all organizations, with many still trying to decide if the full board or a specific committee should have primary oversight of it. Regardless of where oversight falls, the audit committee will still likely play a role when considering its use in the internal audit and finance organizations.

These and other aspects of GenAI oversight will need to be considered in an uncertain regulatory environment and at the same time that audit committees are continuing to learn about the capabilities and risks associated with GenAI—somewhat like building a plane while flying it.

Cybersecurity

Cybersecurity has been a key topic on audit committee and board agendas for several years, and it remains a top priority. There are several reasons for this, including the proliferation of breaches, the extent to which nation-state actors have become more active hackers, the greater consequences of a breach or a ransomware attack, and the regulatory environment—specifically, the timing and extent of disclosure mandated by SEC rules adopted in 2023.

Oversight responsibility for cybersecurity typically resides with the audit committee, presumably as a component of the audit committee’s role vis-à-vis risk. Although some companies have created board-level committees to oversee technology, their number is small—only 17% of the S&P 5001 —and it is not clear how many of those committees actually oversee cybersecurity risk as opposed to overseeing the implementation and use of technology generally.

Regardless of where oversight for cybersecurity risk falls, boards and audit committees should continue to focus on this risk, especially considering the current geopolitical environment. Directors should understand the threat landscape, as well as the policies, procedures, and technologies management has in place to prevent, detect, and respond to cybersecurity threats.

Enterprise risk management

Similar to cybersecurity, enterprise risk management, or ERM, has been “around” for quite a while, and we see a majority of audit committees having responsibility for overseeing it. However, experience suggests that many audit committees are taking a fresh look at their companies’ ERM programs to assess that they remain effective. The impetus for the fresh look may be the proliferation of new risks (such as those associated with GenAI), increased risks of various types (such as geopolitical risk), the complexity and increased interrelationships of various risks, or perhaps just the realization that long-standing ERM programs may become stale or perfunctory if not refreshed from time to time.

Whatever the reason, audit committees are more frequently considering the following questions, among others, in evaluating their ERM programs:

• While ERM oversight is clearly in the audit committee’s wheelhouse, can other committees (or the full board) play greater roles in the program? For example, some companies have followed a “distributed risk” model, in which each board committee is assigned responsibility for oversight of certain risk areas. In some cases, the assignment is formal to the point of being specifically mentioned in the committee charters.
• Is the ERM program working? Have there been instances in which unanticipated risks arose or were significantly greater in magnitude than anticipated?
• Where do emerging risks reside, and what is the process for considering them? For example, is the list of key risks reviewed frequently enough?
• Are there any existing or new tools (such as GenAI) that can improve the ERM process and help identify risks that may be coming down the road?

In addition, an audit committee might consider revisiting the ERM program on a regular, periodic basis to satisfy itself that management is continuously refreshing the program. And, given the pace of change and the proliferation in and growth of risks, a quarterly review, rather than an annual one, may be prudent.

Audit committee effectiveness

Given the number and importance of their responsibilities, audit committees would be well advised to consider how they could be more efficient and effective. Tools such as prioritizing critical items on meeting agendas, the use of “consent” agendas (in which routine matters can be acted upon by consent with little or no discussion), and other time optimization techniques are a good start. Other initiatives could include more careful consideration as to which matters properly reside with the audit committee and, in appropriate circumstances, pushing back on responsibilities that others seek to place on the audit committee agenda.

Interestingly, while audit committees spend significant amounts of time addressing the use and risks of technology (including GenAI), there is little evidence that they or the boards of which they are a part have employed technology to help make them more effective. This is one area in which GenAI may provide some help.

Additionally, the need for ever-greater effectiveness and efficiency is likely to place more responsibility on the committee chair, who will need to take the lead on the approaches outlined above and to build a consensus on innovations such as the use of technology to enhance committee effectiveness.

The topics discussed in this edition of On the Audit Committee’s Agenda represent a small portion of the audit committee’s responsibilities, but they illustrate that none of those responsibilities can be dismissed or minimized, despite the seemingly constant addition of new issues and priorities. Those new matters also suggest that audit committees need to be vigilant about their composition and leadership through succession planning and robust self-assessment to ensure they have effective and efficient representation at the table to address the committee’s critical tasks.