Top Risks for Audit Committees To Consider in 2025

Crystal Jareske, Richard Kloch, Jr.
4/4/2025

What are the top risks audit committees might face in 2025? Our team covers four emerging risks and how committees can start preparing now.


With market shifts and instability still a major consideration for 2025, audit committees have a lot to think about when setting priorities – including how to address emerging risks. The recent Crowe webinar “Financial Services Audit Committee Overview” included some of the top emerging risks in 2025 and shared how audit committees can prepare to address those risks.

Seek protections against specific cybersecurity risks


Escalating cybersecurity threats in three key areas have placed immense pressure on organizations of all kinds to bolster their defenses and refocus their cybersecurity efforts.

Threat area: Cloud computing has become a prime target for malicious actors, especially as more sensitive data migrates to the cloud. Threats like data breaches, service disruptions in security, and unauthorized access can lead to compromised systems and intellectual property theft – which in turn can lead to reputational damage, regulatory penalties, and even financial losses. Check Point’s “2024 Cloud Security Report” shows that 61% of organizations experienced cloud security incidents in the 12 months covered by the report, with 21% resulting in data breaches. Only 4% are capable of effectively mitigating these risks quickly, emphasizing the need for enhanced risk management strategies.

Protections that can help mitigate threats:

  • Create a cloud governance framework to outline cloud strategy policies and procedures.
  • When selecting a cloud service provider, perform adequate due diligence, including an evaluation of security controls and compliance.
  • Define contractual agreements with the cloud service provider, including provisions for data security, confidentiality, and incident response.

Threat area: Third-party relationships can also pose significant cyber risks. Weak security controls within vendors’ ecosystems can provide entry points for cyber criminals, leading to devastating consequences such as data breaches, financial losses, and reputational damage.

Protections that can help mitigate threats:

  • Perform a comprehensive risk assessment across all third-party relationships.
  • Create a sound due diligence process for onboarding vendors.
  • Develop a business continuity plan so that work can continue in the event of a vendor data breach or outage.

Threat area: Ransomware attacks have emerged as a persistent and evolving threat, holding organizations’ critical data and systems hostage for ransom. In 2024, the average cost of a data breach was $4.88 million, an increase of 10% over the previous year, reflecting the substantial financial burden of incident response, remediation, legal fees, and potential business losses.

Protections that can help mitigate threats:

  • Implement proactive measures, including:
    • Robust security awareness programs
    • Updated antivirus and antimalware software
    • Rigorous patch management

Temper AI data and security risks with a governance framework

Navigating the AI landscape requires a delicate balance between innovation and risk management.

As AI systems become more sophisticated and ubiquitous, regulatory scrutiny is expected to intensify around AI ethics, data privacy, and security compliance. Because these systems rely heavily on vast troves of data, organizations must implement stringent measures to protect sensitive information from unauthorized access or misuse. This includes safeguarding against data poisoning attacks, where malicious actors inject corrupted data into training sets, and adversarial attacks, which exploit vulnerabilities in AI models to manipulate their outputs.

To help manage these concerns and mitigate risks, organizations need to prioritize robust AI governance frameworks that establish clear policies and procedures for the development, deployment, and oversight of AI initiatives while aligning with business objectives, ethical standards, and legal requirements.

In creating these frameworks, organizations should consider the following:

  • Has internal audit looked at the IT infrastructure to determine its capacity to support AI initiatives without compromising system performance or scalability, including assessments of hardware, software, and network capabilities?
  • Has AI security been assessed, including controls specific to those AI systems and protections against data poisoning, adversarial attacks, and unauthorized access to the AI models and data sets?
  • From a compliance perspective, is the organization seeing new and emerging AI laws and regulations? Has it assessed mechanisms for maintaining compliance, including data protection practices?
  • How has internal audit looked at the models involved, including ongoing monitoring?
  • Has the organization assessed deployment speed? How is the governance framework balancing the need for rapid AI development or deployment with thorough risk management and quality assurance practices, ensuring expedited projects do not bypass critical controls?

Focus on consumer compliance risks

Ensuring compliance with fair lending laws and maintaining accurate credit reporting have emerged as top priorities for financial institutions. Regulatory agencies have intensified their scrutiny, with more than a dozen redlining enforcement actions against banks and credit unions of all sizes since the U.S. Department of Justice’s Combating Redlining Initiative launched in 2021. Fair lending remains a high-stakes area, as deficiencies in formal programs, testing, monitoring, data analysis, and risk assessments can quickly draw regulatory ire and consumer backlash.

Beyond fair lending, the accuracy of data furnished to credit reporting agencies is also under the microscope. A steady stream of consumer complaints and class-action lawsuits has underscored the potential for inaccurate credit reporting to unfairly affect consumers’ access to credit and loan terms. Even inadvertent errors can have far-reaching consequences, making it imperative for institutions to implement robust controls and oversight of credit reporting processes.

In response to these heightened areas of focus from regulatory bodies, internal audit should focus on the following:

  • A comprehensive review of all aspects of the institution’s fair lending program, including but not limited to governance, testing, monitoring, data analysis, and – if models are used for pricing and underwriting – model validation
  • A comprehensive review of all aspects of the reporting to the credit reporting agencies, including but not limited to data accuracy, direct and indirect disputes, and the process of reporting during loss mitigation and bankruptcy

Navigate increasing credit and market risk volatility with proactive planning and robust monitoring

Regulators have been highlighting increasing credit risks over the past few years, including in the fall 2024 “Semiannual Risk Perspective” from the Office of the Comptroller of the Currency. Interest rate volatility has become the new normal, with rapid fluctuations in borrowing costs wreaking havoc on net interest margins and asset valuations.

Pockets of the economy experiencing softening (especially those dependent on general consumers) have presented some challenges to commercial and industrial borrowers, especially those that are highly leveraged. Prudent interest rate risk management is crucial, as banks grapple with repricing mismatches and the threat of eroding profitability. Rigorous stress testing and dynamic hedging strategies are essential to weathering this turbulent landscape.

The following are topics for audit committees to discuss with their internal audit team regarding credit and market risks:

  • Has the enterprisewide internal audit risk assessment been updated to adequately reflect the changing interest rate and credit environment?
  • When was the last asset liability management internal audit performed, and did it include a focus on model validation, scenario analysis, stress testing, and model assumptions?
  • When was the last liquidity risk management internal audit performed, and was there adequate coverage of stress-testing scenarios and line-of-credit testing?
  • What impact does the market have on the current loan portfolio, and are current portfolio management practices adequate?
  • Does the organization have any trading activities, including derivatives, and if so, have those activities been considered in the internal audit plan?

As financial institutions navigate an increasingly volatile risk landscape, proactive planning and robust monitoring have become imperative. Audit committees in particular play a pivotal role in fostering a culture of risk awareness and confirming that risk mitigation strategies align with the organization’s strategic priorities. Emerging threats like cybersecurity breaches, AI governance challenges, and market fluctuations can swiftly disrupt operations, erode profitability, and compromise reputations. To fortify risk resilience, organizations must align their risk strategies with overarching strategic objectives, enabling them to anticipate and mitigate potential disruptions effectively.
