Beyond Compliance: Five Questions Effective Audit Committees Ask

There are instances where audit committee oversight appears procedurally robust but delivers limited substantive challenge. Agendas are followed. Reports are presented. The Chief Audit Executive (CAE) briefs the committee. Directors nod. Minutes are approved. Yet gaps can still emerge between what is reported and what risks ultimately receive meaningful scrutiny.

The survey findings suggest these concerns are not merely theoretical. PwC’s 2025 Annual Corporate Directors Survey (678 US public company directors) found that 55% of directors surveyed say at least one fellow board member should be replaced, a six-point jump from the prior year and the first time a majority has said so.

PwC and The Conference Board’s Board Effectiveness: A Survey of the C-Suite (May 2026) surveyed 524 executives between September and November 2025. Only 41% of executives surveyed rate their boards as excellent or good, an all-time high, yet the majority see room for improvement.

BDO’s “Audit Committee Priorities for 2026” (December 22, 2025), citing the BDO 2025 Board Survey, adds a further dimension: only 41% of directors surveyed believe their boards are highly effective at establishing risk tolerance and appetite, including fraud risk. The Center for Audit Quality (CAQ) and Deloitte’s supplemental report, Voices from the Audit Committee, drawing on interviews with 27 corporate directors, found a consistent disconnect between information received and the ability to use it for meaningful oversight.

Against this backdrop, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), with PwC as principal author, released Corporate Governance: Guiding Principles for Board Oversight on March 31, 2026 (hereafter, the COSO 2026 Publication). The publication offers 12 guiding principles spanning governance structure, board composition and effectiveness, purpose and values, culture, conduct, and tone at the top, strategy, technology and data, executive leadership, and risk management and internal control.

Effective oversight is less about reporting volume and more about inquiry quality. The best audit committees probe coverage gaps, challenge recurring issues, and seek evidence on emerging risks rather than reviewing completed work.

The Gap Between Oversight and Insight

Audit committee effectiveness is not primarily structural. Many organizations have the right composition, charter, and cadence. The gap is between information received and insight gained.

Audit committee members typically receive reports formatted for compliance, not decision-making. Findings are listed, rated, and tracked. What is often missing is the narrative connecting individual findings to systemic risk, an assessment of whether remediation is complete, and the forward-looking view of risks not yet surfaced.

The CAQ and Deloitte’s Voices from the Audit Committee report identifies practices that distinguish high-functioning committees: investing in pre-read quality, prioritizing active engagement over routine updates, and streamlining meeting mechanics for substantive oversight, including cybersecurity and AI.

The NACD (National Association of Corporate Directors) 2026 Governance Outlook Report found that more than 60% of directors cite strategy execution as the top oversight improvement area for 2026.

Five Questions That Separate Effective Audit Committees from Compliant Ones

Although many findings draw on perception-oriented surveys rather than direct governance measures, their consistency across multiple independent studies points to recurring patterns worth examining carefully. These five questions consistently elevate audit committee dialogue.

 1. What is internal audit not covering, and why?

Most audit committee conversations focus on what was audited. Fewer ask what was excluded and what risks remain without independent assurance. Internal audit functions make deliberate trade-offs under resource and capacity pressure, and committees that do not regularly probe coverage gaps may approve audit plans without fully understanding the risk implications. The COSO 2026 Publication’s Principle 12 on Risk Management and Internal Control notes that boards often consider how management monitoring, internal audit, external audit, and other assurance activities fit together to provide a coherent view of effectiveness, including whether assurance providers have appropriate independence, authority, resources, and access to the board, and may ask for reporting that links assurance insights to strategy, performance, and culture rather than focusing only on individual findings.

2. Are repeated findings a sign that something deeper is wrong?

Recurring audit findings are among the most underexamined signals in governance. When the same control weakness reappears, it rarely reflects a documentation problem. It may signal an accountability gap, a cultural blind spot, or a control never properly designed. Effective audit committees look beyond management’s assurance and ask what changed structurally, who is accountable, and how the committee will know if it recurs.

COSO’s guidance further notes that directors may also explore whether significant findings suggest changes in the entity’s risk profile that should inform periodic strategy discussions. Principle 6  on Culture, Conduct, and Tone at the Top is equally instructive: a culture that tolerates excessive pressure, ignores dissent, or conceals problems can magnify risk. Recurring control failures are rarely just technical — they are often the surface expression of a deeper cultural problem that no remediation plan has yet addressed.

3. Is our AI governance actually working, or do we just have a policy?

The NACD 2026 Governance Outlook Report found that 76% of directors say AI will factor into their 2026 growth strategy, yet most organizations report only slight or moderate success in realizing operational or financial benefits from these investments. The Conference Board’s AI Risk Disclosures in the S&P 500 reported a significant AI-related risk disclosures in 2025 compared with 2023.

PwC and The Conference Board’s Board Effectiveness: A Survey of the C-Suite (May 2026) found that 99% of executives believe boards should use AI in oversight. Yet PwC’s 2025 Annual Corporate Directors Survey found that only 35% of directors say their boards are doing so. The question is not whether a policy exists, but whether someone can demonstrate, with evidence, that it is working.

Principle 8 of the COSO 2026 publication on Technology and Data is equally direct for audit committees: the board oversees technology and data practices, including AI, to confirm they are managed in line with the entity’s strategy and risk appetite and used to enhance performance and resilience. This means probing whether initiatives are realistic, whether risk-taking is calibrated, and whether controls over generative AI in financial reporting are designed and operating as intended. Read More on: Why AI Errors Are a Governance Problem, Not a Technology Problem.

4. How confident are we in the quality of information we are receiving?

PwC’s 2025 Annual Corporate Directors Survey found that 78% of directors surveyed report board assessments do not capture a full picture of performance, and nearly three-quarters say their boards skip individual director reviews altogether. If the board’s own assessment processes are not sufficiently robust, audit committees cannot assume the information they receive tells the full story. Principle 2 of the COSO 2026 Publication, on Board Accountability, calls for boards to oversee governance and controls to promote accountability and maintain stakeholder confidence through complete, accurate, and timely disclosures. That standard applies to information flowing up to the board as much as information flowing out.

5. Are we having the right conversations in the right format?

PwC’s governance trends analysis identifies board self-assessment quality as a growing area of investor scrutiny, and audit committees using external facilitators are significantly more likely to say their processes are effective. The CAQ and Deloitte’s Voices from the Audit Committee report recommends prioritizing active engagement over routine updates and streamlining meeting mechanics to free time for substantive discussion. PwC and The Conference Board’s Board Effectiveness: A Survey of the C-Suite (May 2026) found that 90% of executives see room to improve the board’s assessment process, with 56% citing succession planning as the top priority. The NACD 2026 Governance Outlook Report reinforces this: more than 60% of boards are increasing strategy discussion time in meetings, and CEO succession planning ranks as the most important board practice needing improvement in 2026.

What CAEs Can Do Differently

The audit committee is a shared responsibility. Directors set the tone and CAEs shape the conversation through what they bring.

Three practices consistently raise the level of audit committee dialogue. First, lead with risk, not activity. Reporting that opens with completed audit lists answers what was done; reporting that opens with the committee’s most significant emerging exposure answers what matters. Principle 7 of the COSO 2026 publication, on Strategy, Objectives, and Performance, reflects this: the board oversees execution by monitoring performance against agreed objectives and measures and confirming incentives align with the entity’s purpose, mission, values, risk appetite, and long-term value creation. The Institute of Internal Auditors’ (IIA) 2024 Global Internal Audit Standards reinforce it: Standard 9.2 requires CAEs to develop an internal audit strategy aligned with organizational objectives, while Standard 9.4 requires the audit plan to be based on a documented assessment of strategies, objectives, and risks.

Second, be explicit about what you cannot see. Committees want to know where independent assurance is absent and what that means for exposure. The COSO 2026 Publication’s Principle 12 on Risk Management and Internal Control speaks to this directly: it calls for boards to consider whether assurance providers have appropriate independence, authority, resources, and access to the board, and to encourage coordination across assurance activities, such as a Three Lines Model or equivalent, to reduce gaps rather than simply report on findings.

Third, use in-camera sessions as a governance infrastructure, not formality. The most effective committees use them to hear what was not said in the formal meeting and discuss the control environment candidly. Principle 10 of the COSO 2026 publication, on Executive Leadership and Succession, is specific: for roles expected to provide a more independent perspective, such as the chief audit executive, the audit committee may lead the selection process and approve the appointment or hiring decision to reinforce independence and objectivity. That independence is most valuable when it is used.

The Resourcing Question Is a Governance Question

The risk landscape in 2026 is more complex, with cybersecurity, AI governance, third-party risk, sustainability reporting, and geopolitical exposure converging as active board-level concerns. The BDO 2025 Board Survey found that only 41% of directors surveyed believe their boards are highly effective at establishing risk tolerance and appetite, including fraud risk. In the May 2026 C-suite survey, only 41% of executives surveyed rate board effectiveness as excellent or good. The NACD 2026 Governance Outlook Report sharpens this: only one-third of directors surveyed are strongly confident in their board’s collective skill set, and 14% are concerned their boards lack the capabilities needed for the year ahead.

Effective committees treat resourcing as a risk decision, asking whether the audit plan matches capacity and whether internal audit has the skills to provide credible assurance over emerging risks before the budget is approved. PwC and The Conference Board’s May 2026 Board Effectiveness: A Survey of the C-Suite provides additional insight: 62% of executives who interact with the audit committee see room to improve its effectiveness. Their top asks are challenging management assumptions and estimates more rigorously (29%), challenging the results of risk assessments more rigorously (27%), and strengthening oversight beyond financial reporting, including cybersecurity, emerging technology, and geopolitical risk (23%). These are precisely the areas a well-resourced internal audit function can address.

Conclusion

Many audit committees have made meaningful progress in recent years, and the gradual improvement in board effectiveness scores reflects genuine effort. The COSO 2026 Publication concludes that governance is strengthened when board responsibilities connect and reinforce one another, supporting coherent decision-making and sustained oversight. The data from PwC, BDO, CAQ, Deloitte, and NACD suggest that many audit committees continue to evolve their oversight practices in response to increasingly complex governance expectations.

Committees that navigate 2026 well will move from procedural oversight to genuine inquiry: asking what is not covered, probing findings for cultural causes, challenging AI governance with evidence, and treating resourcing as a governance decision.