Audit committees are constantly facing new challenges. Technology continues to move fast and rules keep shifting. The responsibilities of the audit committee evolve from year-to-year, as shown by the CAQ and Deloitte’s annual Audit Committee Practices Report. Over the past few years, the report has highlighted how priorities such as cybersecurity, enterprise risk management (ERM) and talent in finance and internal audit have consistently risen to the top of audit committee agendas, even as other areas like compliance and AI governance evolve year over year.
This evolving landscape underscores why audit committees need to prioritize developing and executing robust action plans. Using the resources from EY’s Center for Board Matters, 2026 audit committee priorities: navigating complexity and change; PwC’s Governance Insights Center, Approaching the 2025 year-end financial reporting season, Your guide to year-end reporting developments, and BDO’s Corporate Governance Center’s Audit Committee Priorities for 2026, here are 10 priorities that can help set the tone for audit committees. They also help keep your organization ready for what comes next, creating a framework for sound oversight, smart decision-making and strong stakeholder confidence.
1. Map Risks to Scenarios
Treat this like a “what if” plan. List big risks like market swings, trade shifts, cyber risk and AI shocks. Run scenario analyses for each—think about what happens if a critical supplier goes under, if a major cyber event occurs or if new regulations disrupt business models. Agree on the triggers, decision rights and escalation paths.
2. Update Cyber Incident Response and AI Governance
Cyber and AI risk are not just for IT now. Threats cut across every function, and boards are increasingly held accountable. Keep plans up to date and keep controls strong by holding periodic tabletop exercises and testing the speed and effectiveness of escalation procedures. Track clear measures, like how fast teams spot and contain an issue, system recovery time and incident disclosure protocols.
3. Be Aware of Leading SEC Comment Letter Themes
Stay close to what the SEC flags in filings. Common themes include non-GAAP use, MD&A clarity, segment reporting and revenue recognition. Ask if management has a plan to address these points, and keep notes clear and plain so external reviewers—and regulators—can follow your logic. Periodic reviews of recent SEC comment letters can further help prevent surprises.
4. Be Aware of the Top Internal Control Issues in Adverse ICFR Management Assessments
Strong controls help stop errors and fraud. Focus on spots where organizations often slip in ICFR (Internal Control over Financial Reporting). This can include accounting personnel resources, segregation of duties, information technology, inadequate disclosure controls and non-routine transactions. More time here can save real time later, by preventing restatements or regulatory fines, and by reinforcing a culture of compliance.
5. Assess Pillar Two/Global Minimum Tax Impacts
Global tax rules keep changing, and Pillar Two is a key piece of that. The new global minimum tax regime introduces complex calculations and disclosure requirements that span jurisdictions. Check if your team can meet new needs for math, notes and controls, including effective data collection and reporting on a consolidated basis. It helps to be ready early, not rush when rules shift and deadlines hit. Consider cross-functional coordination with tax, finance and IT to manage compliance and identify areas for process improvements.
6. Challenge Impairment and Going Concern Judgments
Rates and cash strain can make these calls hard—especially when economic volatility spikes. Push on key calls tied to asset write-downs and going concern assessments and ask if assumptions stand up to stress tests and scenario analysis. Review refinancing plans and covenant sensitivities. Regularly revisiting these judgments during the year is key, as circumstances can change fast.
7. Refresh Fraud Risk Assessment and Investigations Protocol
Fraud risks change fast, and bad actors keep learning new tricks, often exploiting new tech or lapses during an organizational change. Update the fraud risk view, and test that the hotline works, ensuring channels are accessible and confidential. Use data tests, analytics and trend monitoring to spot red flags, such as unusual transactions or rapid employee turnover. Confirm the auditor’s use of data analytics and how the audit committee will get insight.
8. Clarify AI in the Audit and Finance Functions
AI now sits in many finance and audit tasks, from invoice processing to forecasting. Understand where the external auditor uses technology and AI. Ask where it is used and why. What problem is it solving and what is the human fallback? Ask what it can and cannot do, and what controls sit around it to guard against errors or misuse. Review policies for model validation, output monitoring and data privacy.
9. Tighten Cyber Reporting to the Board
Cyber events now sit at board level, due to their potential for broad business impact and regulatory attention. Define what makes an event “material,” and align on how to flag and communicate it internally and externally. Build dashboards that are clear and tied to goals for firm strength, showing incident trends, threat types and comparative benchmarks. Clear reports provide a strong view and sound action, ensuring the board is not caught off guard and can respond with authority.
10. Revisit AC Charter, Skills and Education Plan
The world shifts, so the audit committee should check its fitness. Review the charter, and ensure technology fluency (AI, data governance), transaction oversight (M&A comeback), and disclosure expertise are covered. Small steps here can pay off fast, ensuring the committee has the expertise to oversee a changing risk landscape.
For more resources for audit committee members, explore the Center for Audit Quality’s Audit Committee Resource Center.
