At the beginning of each year, many accounting and consulting firms present their views on the issues that should be on audit committee agendas during the next 12 months.  For 2026, those papers include:

• BDO, Audit Committee Priorities for 2026.

• EY Center for Board Matters, 2026 audit committee priorities: navigating complexity and change.

• KPMG Board Leadership Center, On the 2026 audit committee agenda.

• Protiviti, Setting the 2026 Audit Committee Agenda.

• PwC Governance Insights Center, Approaching the 2025 year-end financial reporting season.

For last year’s audit committee agenda suggestions, see What Should Be on the Audit Committee’s 2025 Agenda?, December 2024 Update; What Should Be on the Audit Committee’s 2025 Agenda? – Part II, January 2025 Update; and What Should Be on the Audit Committee’s 2025 Agenda? – Part III, February 2025 Update.

Frequent Agenda Suggestions

These papers examine audit committee agenda setting at varying levels of generality, and each firm has a unique perspective on how committees should allocate their time and attention. However, there are many common themes. Eight of the most frequent 2026 audit committee agenda topics, along with examples of firm suggestions on each, are described below:

1.     Audit Committee Effectiveness and Skills (KPMG, Protiviti, PwC)

• KPMG:  “The continued expansion of the audit committee’s oversight responsibilities (financial reporting and related internal controls, and internal and external auditors) has heightened concerns about the committee's bandwidth, composition, and skill sets. Assess whether the committee has the time and the right composition and skills to oversee the major risks on its plate. Such an assessment is sometimes done in connection with an overall assessment of issues assigned to each standing board committee.”

• PwC:  “For audit committees, assessments are an opportunity to confirm whether oversight is keeping pace with the business; quality of pre-reads and dashboards; clarity of risk ownership across committees; sufficiency of time on critical estimates, disclosures, and ICFR; and the depth of dialogue with the external auditor.”

2.     Oversight of AI, Cybersecurity, Data Privacy, and Data Governance (BDO, EY, KPMG Protiviti, KPMG)

• BDO:  “As generative artificial intelligence reshapes how the communication of financial data is analyzed, boards must reassess how disclosures are interpreted by both humans and machines, including both supervised and unsupervised models. This dual audience will reshape how communication is crafted. Generative AI tools increasingly perform sentiment analysis, keyword tracking, anomaly detection, and ESG risk mapping - functions that influence investor perception and regulatory scrutiny. Boards are urged to enhance their collective digital literacy and adopt oversight frameworks that address generative AI’s dual role in innovation and risk exposure. Boards should evaluate if and how company reporting is optimized for AI-driven analysis and aligned with emerging regulatory standards and stakeholder expectations.”

• PwC:  “AI introduces new technical risks - such as model manipulation and prompt injection—when connected to sensitive data or tools. These risks are now appearing in control environments (e.g. automated log analysis, identity analytics, narrative drafting), which means model design, monitoring, and fallback procedures matter for financial reporting, not just for IT.   * * *   From an oversight standpoint, an audit committee with cybersecurity oversight responsibility should treat AI as both an accelerant of cyber risk and an enabler of better defense—and confirm its oversight keeps pace. AI.”

3.     Geopolitical Uncertainty (BDO, EY, KPMG)

• BDO:  “We are navigating a complex environment shaped by evolving regulation, evolving tariff regimes, and dynamic geopolitical tensions. With the U.S. government re-opening in mid-November 2025, ACs are strongly encouraged to monitor regulatory activities of the SEC, PCAOB, and the activities of broader governmental agencies in both the U.S. and globally that will impact corporate decision-making. They should also evaluate whether their companies’ finance functions are prepared for potential regulatory changes and actively engage management in scenario planning to anticipate and address possible impacts.”

• EY: “For example, geopolitical conflicts - such as wars and sanctions - can disrupt oil and gas supply chains, resulting in price volatility and energy shortages. These disruptions drive up energy costs, creating affordability issues for both households and businesses. Additionally, as AI adoption accelerates, the rising cost of energy makes data center operations and AI model training more expensive, potentially slowing innovation and broader implementation. Given the pace of change and the existential threats to companies, boards and audit committees are rethinking and questioning legacy approaches in organizations, such as risk management frameworks that approach risk in a linear way.”

4.     Internal Control Effectiveness and Deficiencies (EY, KPMG, Protiviti)

• EY:  “Audit committees should query whether any of the * * * frequently cited control weaknesses described in the [2025 Ideagen] report could be present in the company’s control environment. Monitoring these and other financial-reporting-related trends may assist audit committees in focusing on the top accounting issues and maintaining high-quality financial reporting.” (The report referenced in this passage is Ideagen Audit Analytics, SOX 404 disclosures: A twenty-year review (August 2025).)

• Protiviti:  “AI has driven layoffs and workforce transformations, which can have a profound impact on the effective operation of established internal controls. The risk is that, in planning AI initiatives, those controls may be an afterthought. This issue goes beyond managing the risks directly associated with AI and maintaining a “human in the loop.” While AI may automate certain processes and even strengthen some controls, it can introduce new risks or weaken existing controls - such as segregation of duties - particularly during workforce reductions and organizational changes. Audit committees should ensure that the chief financial officer (CFO), chief audit executive (CAE), chief information officer (CIO), and others are advocating for sustaining the control structure throughout AI planning and implementation.”

5.     Internal Audit’s Focus on New and Emerging Risks (EY, KPMG, Protiviti)

• KPMG:  “Given the evolving geopolitical, macroeconomic, and risk landscape, reassess whether the internal audit plan is risk-based and flexible enough to adjust to changing business and risk conditions. The audit committee should work with the chief audit executive and chief risk officer to help identify the risks, including industry-specific and mission-critical risks, that pose the greatest threat to the company's reputation, strategy, and operations, and help ensure that internal audit is focused on these key risks they're related controls.”

• Protiviti:  “The accelerating integration of AI into assurance activities places new demands on internal audit. Success will depend on the function's capacity to combine advanced technology with professional skepticism, ethical judgment, and business acumen. Through active oversight and partnership, audit committees can help ensure internal audit remains a trusted, independent advisor that strengthens governance, enhances transparency, and upholds confidence in the company's integrity.”

6.     Risk Oversight (BDO, EY, PwC)

• BDO:  “The oversight of enterprise risk management (ERM) is not confined to financial reporting. ACs can strengthen governance by regularly evaluating committee composition, structure, and effectiveness needs while clarifying roles, refining ERM frameworks, and fostering collaboration across committees. With rising threats from cybersecurity to fraud, boards need sharper focus on risk tolerance, crisis readiness, and management’s effectiveness in identifying and mitigating emerging risks.”

• PwC:  “And while companies may be keenly focused on risks associated with matters that are front and center in today’s business environment, such as those associated with AI/GenAI, cybersecurity, the geopolitical landscape, and regulatory changes, other risks may be lurking around the corner. These include risks associated with talent, like skills gaps in control functions; third-party concentration and outsourcer resilience; IT and ERP implementations; M&A transactions; and crisis response and disclosure readiness, to name a few. These risks rarely appear as a single headline item and can cascade quickly into financial reporting, controls, and disclosure challenges. It is essential for the audit committee to proactively monitor management’s understanding of the evolving risk landscape and how prepared the company is for risks around the corner.”

7.     Regulatory Change (BDO, KPMG, Protiviti)

• BDO:  “Chairman Atkins has stated that the SEC will prioritize a proposal related to quarterly reporting requirements and that he anticipates the proposal will give companies the option to report semi-annually or quarterly, letting the market dictate reporting. * * * Proponents of semiannual reporting argue that reduced reporting frequency lowers compliance costs and also enables executives to focus on long-term strategy, curbing short-term volatility. However, critics warn of diminished transparency, weakened investor confidence, and higher capital costs. ACs should engage in this evolving dialogue to understand impacts to their stakeholders, their company, and participate in comment periods to help shape emerging guidance in this area.”

• Protiviti:  “Regulatory change ranks among the top five enterprise risks globally, along with geopolitical volatility - making clear board alignment on risk appetite and tolerance a governance imperative. In many organizations, the audit committee oversees management's processes for risk identification and assessment, including scenario planning and horizon scanning, and mitigation. In the U.S., an easing of certain federal enforcement priorities -- combined with a patchwork of evolving state-level rules over sustainability, data privacy and cyber security, as well as CSRD implications for global reporters - demands clarity on how much regulatory risk the company is prepared to accept. Board-level oversight of management's alignment of risk appetite with strategy and disclosures is now a critical stakeholder expectation.”

8.     Talent Management (EY, KPMG, Protiviti)

• EY:  “As AI reshapes the workplace, boards will want to better understand how organizations are strengthening their talent foundations and evolving culture to support both talent health and effective technology use.”

• Protiviti:  “Beyond assessing internal skills and capabilities, management must consider the strategic utilization and mix of third parties - including consulting firms, contractors, and offshore resources - to supplement subject matter expertise and address spikes in demand. By focusing on these areas with senior leadership, the audit committee can help ensure organizational resilience and effective governance in a rapidly changing landscape.”

CAQ’s 2026 Audit Committee Action Plan

The Center for Audit Quality (CAQ) has created an audit committee action plan for 2026, based on the BDO, EY, and PwC agenda papers. The CAQ distilled those three papers into a ten-point plan:

1. Map 2026 risks to scenarios (economic, tariff/trade, cyber/AI, supply chain) and agree on triggers, decision rights, and escalation paths. 

2. Update cyber incident response and AI governance (policy, model risk controls, change management, monitoring); set AC reporting metrics (e.g., time to detect, model drift indicators). 

3. Be aware of leading SEC comment letter themes and focus on non-GAAP measures, MD&A clarity, segment reporting, and revenue recognition; ensure management has remediation plans and disclosure controls aligned with these trends.

4. Be aware of the top internal control issues in adverse ICFR management assessments and focus on accounting personnel resources, segregation of duties, information technology, inadequate disclosure controls, and non-routine transactions.

5. Assess Pillar Two/global minimum tax impacts (measurement, disclosures, controls) and confirm readiness in tax and consolidation processes. 

6. Challenge impairment and going concern judgments amid interest rate and liquidity dynamics; review refinancing plans and covenant sensitivities. 

7. Refresh fraud risk assessment and investigations protocol, including data driven detection and hotline triage; confirm auditor’s use of data analytics and how AC will get insight. 

8. Clarify AI in the audit and finance functions: understand where the external auditor uses tech/AI, the benefits/limits, and how management’s AI controls interface with audit procedures. 

9. Tighten cyber reporting to the board -define thresholds for “material incident,” board ready dashboards, and linkage to enterprise resilience KPIs. 

10.    Revisit AC charter, skills, and education plan - ensure technology fluency (AI, data governance), transaction oversight (M&A comeback), and disclosure expertise are covered. 

Audit Committee Takeaways

A high-level review of these papers could be helpful to an audit committee as it considers the issues it will need to address in 2026 and as a check to ensure it is not overlooking topics that should be on its agenda. Each paper also includes suggested questions for the audit committee to pursue with management or the auditor to better understand the topics. The questions provide a good starting point for discussion.