Audit committee priorities in the year ahead

Talking points

• In 2026, audit committee responsibilities may be shaped by an increasingly dynamic environment.
• Evolving risks, new technologies, and regulatory changes are key considerations.
• This blog shares leading practices to help audit committees prioritize for the year ahead and enhance their effectiveness.

Board responsibilities continue to evolve at a rapid pace that shows little signs of slowing. Amid ongoing geopolitical and economic uncertainty, many boards are balancing digital transformation with the need for growth and resilience. While not all of this falls on the audit committee, the committee’s role is expanding as expectations around oversight continue to broaden.

So what should be on the audit committee’s agenda in the year ahead? While priorities will vary by company, we’ve identified several focus areas audit committee members may want to keep front and center. This edition of The Pulse explores those topics—providing insights and leading practices for upcoming meetings.

Enterprise risk management (ERM)

ERM remains a priority for audit committees given the dynamic and complex environment most companies are operating in these days.

The role of the audit committee often includes overseeing management’s identification and evaluation of both established and emerging risks—from geopolitical shifts to advancing technologies—while ensuring the company’s risk appetite aligns with its strategy. This means confirming that risk tolerance aligns with growth, innovation, and transformation, especially as business models evolve. Some practical ERM recommendations for audit committees include:

• Integrate risk oversight across functions: Encourage consistent risk management practices enterprise-wide, and use dashboards and timely reporting to flag issues quickly.
• Stress-test risk scenarios: Ask management to run scenario analyses on extreme—but possible—events, such as cyberattacks, supply chain disruptions, or sudden regulatory shifts.
• Monitor risk culture: Evaluate whether risk awareness is woven throughout the organization, from tone at the top to employee engagement in day-to-day risk management.
  

Regulatory environment

Given the pace of regulatory change, audit committees should stay current on SEC, PCAOB, and other requirements affecting disclosures, reporting, and internal controls. A global patchwork—especially around sustainability reporting, data privacy, and artificial intelligence (AI)—adds complexity. Early engagement with auditors and legal counsel, paired with ongoing oversight, helps the organization anticipate changes, maintain readiness, and keep disclosures aligned with executive messaging. Specific actions the audit committee can take include:

• Review and rationalize disclosures: Ask management to evaluate whether disclosures are clear, decision-useful, and consistent across filings and investor communications.
• Stay current on the evolving regulatory environment: Request regular briefings from management and the external auditor on potential US and global regulatory developments, including implications for reporting, disclosures, and internal controls.
  

Cyber risk and resilience

Cyber risk remains a core audit committee focus as threat actors, regulatory expectations, and technology adoption (including cloud and AI) accelerate. Audit committees can play an important role in overseeing cyber preparedness and resilience—ensuring cyber risk is treated as an enterprise risk with clear ownership, measurable controls, and incident response processes that support timely, consistent disclosures. Practical actions for audit committee oversight in relation to cyber risk include:

• Clarify ownership and metrics: Confirm chief information security officer (CISO) accountability and reporting lines, board-level reporting, and a small set of metrics that tie investments to risk reduction.
• Test incident response and disclosure readiness: Perform regular cross-functional tabletop exercises and validate escalation, decision rights, and disclosure alignment.
• Focus on key risk drivers: Encourage management to focus on identity and access management, patching, third-party access, backups and recovery, and ransomware resilience.

Fraud and compliance risks

Fraud and compliance risks are evolving rapidly, so solely relying on static controls may not be enough. Audit committees should urge management to regularly update fraud risk assessments as business models and technology change. They should also consider how AI-driven fraud and cyber threats can bypass traditional defenses. Staying ahead means being proactive and adaptable. These steps can help audit committees keep pace:

• Strengthen whistleblower resources: Test the effectiveness and confidentiality of reporting channels to encourage employees to speak up.
• Evaluate compliance program agility: Confirm that compliance policies and internal controls are robust and flexible enough to keep pace with shifting regulations and business needs.
• Oversee third-party due diligence: Understand and monitor fraud and compliance risks with vendors and other third parties, not just internal sources.
  

Third-party and supply chain risk

Third-party risk—especially from supply chain partners—should remain a priority for audit committees. Oversight should address critical vendor exposures, monitoring for cyber and regulatory compliance, and tracking risks across global supply chains—especially in light of tariffs and geopolitical pressures. Audit committees can also:

• Review business continuity plans: Confirm contingency planning covers both operational and reputational risks from third-party disruptions.
• Insist on ongoing monitoring and incident response: Expect strong oversight, testing, and clear incident escalation with key third parties.
• Reinforce responsible sourcing: Monitor vendor standards, codes of conduct, and compliance with evolving transparency requirements.
  

Internal audit modernization

Internal audit continues to evolve as risks and technologies—such as AI, blockchain, and cloud computing—reshape the control environment, placing new demands on audit committees. Audit committees can champion modernization (e.g., advanced analytics, automation, agile methods) while ensuring internal audit maintains its independence, objectivity, and coverage of both emerging and traditional risks. Audit committees can also:

• Request real-time insights: Ask for dynamic reports and dashboards for timely risk intelligence.
• Support upskilling and talent diversity: Encourage investment in digital, analytical, and industry capabilities.
• Align with ERM strategy: Encourage coordination of audit plans with the broader ERM framework.

With so much on the audit committee’s plate, preparation is key. Make sure you’re ready to engage on each topic—and define what “good” looks like for your organization. That may also mean taking a fresh look at your committee’s composition and whether you have the right mix of skills and perspectives around the table to provide effective oversight.

What role can Deloitte play?

Deloitte’s Audit Committee Program is focused on advising audit committees on their role and responsibilities, recent trends, and hot topics. From education sessions to workshops, we provide a suite of offerings to advise audit committees as they navigate their ever-increasing oversight responsibilities. Reach out to me with questions and subscribe to our Audit Committee Brief to receive monthly updates.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.