February 6, 2026
Your 2026 Audit Committee Agenda: ICFR During AI Transformations
For busy audit committee members, there are almost too many great annual publications with suggestions for your annual audit committee agenda. Luckily, Dan Goelzer’s latest Audit Committee and Auditor Oversight Update shares summaries and key takeaways, along with this 2026 audit committee action plan from the Center for Audit Quality (CAQ) that distills them into 10 succinct points.
Map 2026 risks to scenarios (economic, tariff/trade, cyber/AI, supply chain) and agree on triggers, decision rights, and escalation paths.
Update cyber incident response and AI governance (policy, model risk controls, change management, monitoring); set AC reporting metrics (e.g., time to detect, model drift indicators).
Be aware of leading SEC comment letter themes and focus on non-GAAP measures, MD\&A clarity, segment reporting, and revenue recognition; ensure management has remediation plans and disclosure controls aligned with these trends.
Be aware of the top internal control issues in adverse ICFR management assessments and focus on accounting personnel resources, segregation of duties, information technology, inadequate disclosure controls, and non-routine transactions.
Assess Pillar Two/global minimum tax impacts (measurement, disclosures, controls) and confirm readiness in tax and consolidation processes.
Challenge impairment and going concern judgments amid interest rate and liquidity dynamics; review refinancing plans and covenant sensitivities.
Refresh fraud risk assessment and investigations protocol, including data‑driven detection and hotline triage; confirm auditor’s use of data analytics and how AC will get insight.
Clarify AI in the audit and finance functions: understand where the external auditor uses tech/AI, the benefits/limits, and how management’s AI controls interface with audit procedures.
Tighten cyber reporting to the board—define thresholds for “material incident,” board‑ready dashboards, and linkage to enterprise resilience KPIs.
Revisit AC charter, skills, and education plan—ensure technology fluency (AI, data governance), transaction oversight (M\&A comeback), and disclosure expertise are covered.
Succinct, yes, but easier said than done, so Dan’s update adds some color to key topics. For example, EY summarizes (pg. 16) the top 5 ICFR issues from an August 2025 Ideagen report (available for download) that provides a 20-year analysis of SOX 404 disclosures. As noted above, the top internal control issues are staffing-related (accounting personnel resources (73-79%) and segregation of duties (60-65%)). That’s from 2024, and Protiviti says that this may only have gotten worse due to AI-related workforce transformations:
AI has driven layoffs and workforce transformations, which can have a profound impact on the effective operation of established internal controls. The risk is that, in planning AI initiatives, those controls may be an afterthought. This issue goes beyond managing the risks directly associated with AI and maintaining a “human in the loop.” While AI may automate certain processes and even strengthen some controls, it can introduce new risks or weaken existing controls – such as segregation of duties – particularly during workforce reductions and organizational changes. Audit committees should ensure that the chief financial officer (CFO), chief audit executive (CAE), chief information officer (CIO), and others are advocating for sustaining the control structure throughout AI planning and implementation.
Needless to say, management teams should be focused on maintaining (or improving!) the company’s control structure during AI implementation and be ready to answer questions from their audit committees.
– Meredith Ervine
Blog Preferences: Subscribe, unsubscribe, or change the frequency of email notifications for this blog.
UPDATE EMAIL PREFERENCESTry Out The Full Member Experience: Not a member of TheCorporateCounsel.net? Start a free trial to explore the benefits of membership.
START MY FREE TRIAL