At the end of each year, many accounting and consulting firms present their views on the issues on which audit committees should focus during the coming 12 months.  Below are four of these papers.

• EY Center for Board Matters, What audit committees should prioritize in 2025.

• KPMG Board Leadership Center, On the 2025 audit committee agenda.

• Protiviti, Setting the 2025 Audit Committee Agenda.

• PwC Governance Insights Center, Approaching the 2024 year-end financial reporting season.

For last year’s audit committee agenda suggestions, see What Should be on the Audit Committee’s 2024 Agenda?, January 2024 Update.

These papers approach how audit committees should set their agendas at different levels of generality, and each firm has a unique perspective on how audit committees should direct their time and attention.  However, there are many common themes. Some frequently mentioned 2025 audit committee agenda topics, along with examples of suggestions, include:

Cybersecurity trends and related governance. (EY, KPMG, Protivit)

• Protiviti: “Audit committees should receive regular updates from those responsible for managing what has become many organizations’ perennial top risk – cybersecurity. * * *  Typically, effective governance would entail setting expectations of the internal audit function to provide independent assurance regarding the effectiveness of the people, processes and technology that have been put into place to manage cybersecurity risks.” 

Company use of generative artificial intelligence.  (EY, KPMG, Protiviti)

• EY: “Audit committees should assess whether training, governance and operational strategies are evolving to address the complexities of AI — including considerations around responsible use of AI and robust data protection. Given the dynamic cybersecurity landscape, audit committees should stay attuned to evolving oversight practices, disclosures, reporting structures and metrics and understand implications of how the company is staying in compliance with requirements.”

• Protiviti: “There are numerous data privacy and security-related concerns to navigate with AI usage, and regulatory scrutiny will catch up eventually.  The committee must act to understand the organization’s investments and adoption levels while considering the effectiveness of corresponding risk management activities to ensure responsible AIU deployment. “

Climate reporting and other sustainability disclosures. (EY, KPMG, Protiviti)

• EY: “US companies with operations in the EU should continue to consider their obligations under the EU Corporate Sustainability Reporting Directive (CSRD) and EU Corporate Due Diligence Directive (CS3D).  * * *  [A]udit committees should understand how management teams are planning to comply, including whether adequate processes, controls and technologies are in place to provide quality reporting.”

• KPMG: “Given these near-term demands and growing consensus around common, comparable reporting standards— likely in accordance with the standards of the International Sustainability Standards Board, which incorporate the Task Force on Climate-related Financial Disclosures standards and Greenhouse Gas (GHG) Protocol -– audit committees should closely monitor the state of management’s preparations for new climate reporting frameworks/standards.”

Internal audit areas of focus. (EY, KPMG, Protiviti, PWC)

• KPMG: “At a time when audit committees are wrestling with heavy agendas and issues like GenAI, ESG, supply chain disruptions, cybersecurity, data governance, and global compliance [is] putting risk management to the test, internal audit should be a valuable resource of the audit committee and a crucial voice on risk and control matters.”

• PWC: “In January 2024, the IIA issued new Global Internal Audit Standards, which will become effective on January 9, 2025. The Standards aim to help internal auditors define and fulfill their mandate and provide a framework of principles, requirements,  considerations and examples for the professional practice of internal auditing globally. * * *   The audit committee plays a critical role in overseeing the internal audit function and supporting its effectiveness. Understanding the new standards is critical for the audit committee in enhancing its oversight of the internal audit function and to be able to more effectively leverage it.”

Compliance and corporate integrity.  (EY, KPMG, PWC)

• EY: “[T]he U.S. Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs (ECCP) guidance in September 2024. The ECCP can serve as a guide in evaluating whether the company’s compliance programs are effective and would hold up under the DOJ’s scrutiny.  * * * Accordingly, boards and audit committees should understand the implications of these updates, including revisiting the organization’s compliance program to verify whether it is designed and functioning effectively.”

• PWC: “Audit committees have a critical oversight role in ensuring the integrity of financial reporting and adherence to regulatory standards. With the increasing complexity and scope of regulations, audit committees must confirm that their organizations have robust compliance frameworks in place to understand its requirements, mitigate risks, and avoid potential legal and financial repercussions.”

Tax law changes.  (EY, KPMG, PWC)

• KPMG: “Boards and audit committees should prompt deeper conversations with management about how their companies are preparing for a range of possibilities, including by asking management about the type of scenario planning being done; understanding the variable that may be more ‘forecastable’ and looking at impacts on cash flow; and considering how best to monitor state, federal, and global regulatory developments.”

• PWC: “The audit committee will want to confirm management has processes to monitor tax developments (both internationally and domestically) and are prepared to account for the impacts of changes appropriately. The audit committee will also want to understand how management is addressing the benefits and risks of significant tax developments going forward.”

Audit committee composition and effectiveness.  (KPMG, Protiviti, PWC)

• KPMG: “The continued expansion of the audit committee’s oversight responsibilities beyond its core oversight responsibilities (financial reporting and related internal controls, and internal and external auditors) has heightened concerns about the committee’s bandwidth and composition and skill sets.  Assess whether the committee has the time and the right composition and skill sets to oversee the major risks on its plate.”

• Protiviti: “It is crucial that management – and internal audit – provide high-quality and concise information with the right context, rather than disparate data points, to the audit committee. The role of an effective audit committee demands an enterprise wide, big-picture view rather than reporting from multiple parties and silos to identify potential blind spots.  The audit committee should request collaboration from board-facing members of management and internal audit to ensure that the reporting the committee receives is succinct, strategically relevant and actionable.”

Fraud risk exposure. (Protiviti, PWC)

• Protiviti: “Perhaps now more than ever, the time has come for a robust and refreshed view of fraud possibilities within the organization’s virtual and physical walls.  Moreover, turning the lens beyond employees to actively consider scenarios that include contractors, vendors or customers may reveal surprising results.”

• PWC: “Since the audit committee is charged with oversight of management’s fraud prevention program, it may want to add focus to this area given the continuing volatile and evolving business environment.  Confirming an understanding of the robustness of management’s anti-fraud programs, including its fraud risk assessment process, and how management is using technology to evaluate, measure and mitigate fraud risks should be a keen focus area. The audit committee will also want to understand how management has updated internal controls to address risks associated with suppliers and other third parties.”

FASB’s requirement to disaggregate certain income statement expenses. (EY, PWC)

• EY: “Audit committees should inquire with management teams whether existing systems can capture the data required and/or whether additional processes and controls are necessary to implement this new guidance.”

New PCAOB standards.  (EY, KPMG)

• KPMG: “Audit committees should probe the audit firm on its quality control systems that are intended to drive sustainable, improved audit quality­ including the firm's implementation and use of new technologies such as Al. * * *    Discussions should also include the status of the firm's preparations for the PCAOB's new quality control standard, QC 1000, A Firm's System of Quality Control, which the SEC approved in September 2024.”

Audit Committee Takeaways

A high-level review of these papers could be helpful to an audit committee as a check that it is not overlooking topics that should be on its agenda.  Also, the papers include suggested questions that the audit committee could pursue with management or the auditor to better understand suggested topics.  Those questions provide a good starting point for discussion.