Corporate Governance & Audit Committees: Board Recommendations

Introduction: Why Audit Committees Are the Backbone of Board Governance

Boards today face a genuinely different operating environment than they did a decade ago. Financial fraud still costs organizations an estimated 5% of annual revenue according to the ACFE's 2024 Report to the Nations. Ransomware complaints rose another 9% in 2024. Regulatory requirements keep expanding. And yet the audit committee — a three-to-five person subcommittee meeting eight times a year — is expected to hold accountability for all of it.

Those same committees, however, were built for a narrower world. Their charters reflect financial oversight priorities written years before ransomware was a board-level word. Composition still skews heavily toward finance. And the reporting they receive typically tells them what happened — not what to decide.

This article covers:

  • What well-structured audit committees actually own
  • Who should sit on them — and what's missing from most rosters
  • How cybersecurity oversight is reshaping their mandate
  • What boards can do now to close the gap between governance on paper and governance that holds when an incident hits the board's lap

TL;DR

  • Audit committees own six core responsibility areas — every one of which has expanded in scope over the past decade
  • Independence means more than no compensation ties; it requires the willingness to actually challenge management
  • 62% of audit committees now hold primary cybersecurity oversight responsibility, but only 24% feel they have sufficient expertise to do it
  • Effective cyber oversight requires trend-based reporting and defined escalation thresholds — not just familiarity with the topic
  • Annual self-evaluations and updated charters are the fastest path to closing governance gaps

The Core Responsibilities of a Board Audit Committee

Audit committees are not passive reviewers. They hold direct accountability for specific governance functions that are distinct from the full board's strategic role — and that scope has grown considerably.

Under NYSE Rule 303A.07 and SEC Rule 10A-3, well-structured audit committees own six core responsibility areas:

  1. Independent auditor oversight: selecting, compensating, evaluating, and if necessary replacing the external auditor
  2. Financial statement integrity: reviewing annual and quarterly statements with management and the auditor, including MD&A disclosures
  3. Internal controls and disclosure practices: overseeing the internal audit function and assessing control effectiveness
  4. Whistleblower and complaints process: maintaining procedures for confidential, anonymous employee submissions on accounting and audit matters
  5. Risk oversight: discussing policies on risk assessment and major financial risk exposures
  6. Legal and regulatory compliance: overseeing adherence to applicable legal and regulatory requirements

[Infographic: Six core audit committee responsibility areas]

The CAQ/Deloitte 2024 Audit Committee Practices Report found committees are now also formally engaged on cybersecurity, enterprise risk management, and AI governance — none of which appeared prominently on audit committee agendas ten years ago. The sections below cover each of the foundational responsibility areas in more detail.

Oversight of Financial Reporting and Internal Controls

Audit committees must scrutinize financial statements with documented skepticism, not simply accept management's representations. That means examining accounting policy choices, management estimates (which PCAOB standards flag as susceptible to cognitive bias), material judgments, and related-party transactions.

KPMG's 2023 material weakness study found 7% of SEC-registered public companies disclosed material weaknesses — a rate that has held between 6% and 8% for five years. That persistent baseline is precisely why active internal control oversight matters.

The internal audit function gives the committee direct visibility into control execution. Audit committees typically oversee internal audit appointments, reporting lines, and annual work plans — and treat internal audit findings as a primary input for assessing whether controls are working, not just whether they exist.

Managing the External Auditor Relationship

The audit committee — not the CFO — owns the external auditor relationship. This is a legal requirement under SEC Rule 10A-3: the committee selects, compensates, evaluates, and can replace the auditor, and pre-approves all audit and non-audit services to preserve independence.

Active management of this relationship includes:

  • Reviewing the audit plan scope before fieldwork begins
  • Tracking audit quality indicators such as PCAOB inspection results and partner responsiveness (the PCAOB reported a 46% Part I.A deficiency rate across inspected issuers in 2023, dropping to 39% in 2024 — important context when evaluating auditor quality)
  • Holding private sessions with auditors separate from management at least annually
  • Resolving any disagreements between management and the auditor on financial reporting matters

Who Should Sit on an Audit Committee: Composition and Independence

Baseline Requirements

NYSE and Nasdaq rules require a minimum of three members, all independent and financially literate, with at least one qualifying as a financial expert. Having a finance title doesn't automatically qualify someone.

The SEC's definition under Regulation S-K Item 407 is more specific than it sounds. A qualifying financial expert must demonstrate:

  • Understanding of GAAP and how it applies to financial statements
  • Experience assessing accounting principles applied to estimates and accruals
  • Familiarity with preparing or auditing comparable financial statements
  • Understanding of internal controls over financial reporting

Independence means freedom from compensatory, business, or family relationships with the company that could compromise judgment. Critically, boards should assess independence annually — not just at initial appointment — since relationships evolve over time.

The Case for Skill Diversity Beyond Finance

Financial literacy is the minimum requirement, not the full picture. The CAQ/Deloitte 2024 report found that 44% of respondents identified cybersecurity as the most-needed skill to enhance audit committee effectiveness, and 40% cited broader technology expertise. Heidrick & Struggles' 2024 Board Monitor similarly noted that U.S. boards are selectively adding specialized expertise to address cybersecurity, AI, climate, and geopolitical risks.

An audit committee overseeing cyber risk, sustainability reporting, and AI governance without members who understand those domains is governing blind.

The Independence-Tenure Tension

Long tenure creates a real governance risk. Committee members who have served alongside management for many years may find it harder to challenge them — whether because of familiarity, social dynamics, or unconscious deference. The UK's governance model formally presumes directors are no longer independent after nine years of service. U.S. practice doesn't use a fixed cutoff, but the underlying concern is legitimate.

Boards should evaluate annually whether tenure has reduced the committee's willingness to push back on management's representations — particularly on newer topics like cyber and technology risk, where management holds a substantial informational advantage.


Technology and Cybersecurity Oversight: The Audit Committee's Expanding Mandate

The Formal Designation Is Now the Norm

Cybersecurity oversight at the board level is no longer a discretionary governance choice. The SEC's 2023 cybersecurity disclosure rules require public companies to disclose their board oversight structures for cyber risk. Among Fortune 100 companies, EY's 2024 analysis found 81% designated the audit committee as the primary oversight body. CAQ/Deloitte's 2025 survey reported 62% of audit committees held primary cyber oversight responsibility across a broader respondent population.

The designation is common. The preparation is not.

The Expertise Gap

Only 24% of audit committee respondents in CAQ/Deloitte's 2024 survey felt their committee had sufficient cybersecurity expertise — even though 58% held primary oversight responsibility. That gap is where governance breaks down in practice. Committees receive management's self-reported cyber posture, lack the background to challenge specific claims, and often end up approving dashboards they can't fully interpret.

Effective cyber oversight doesn't require committee members to become technical experts. But it does require them to ask better questions and recognize when answers are incomplete.

What Effective Cyber Oversight Actually Looks Like

Boards that handle this well tend to share a few common characteristics:

  • Trend-based reporting — receiving dashboards that show risk direction over time (improving, stable, worsening), not raw incident counts or tool utilization metrics
  • Defined escalation thresholds — knowing in advance which events trigger board notification, who can authorize containment actions, and what the materiality definition looks like in business terms
  • Pre-approved incident decision rights — roles and authorities established before an incident, not negotiated during one
  • Independent assurance — EY's 2024 Fortune 100 analysis found 87% of companies disclosed use of an external independent cybersecurity advisor, up from 43% the prior year

[Infographic: Four pillars of effective board-level cybersecurity oversight]

The audit committee questions that separate good oversight from compliance theater:

  • What are the top three to five cyber risks, stated as business impact?
  • Which risks are being accepted, and what's the appetite threshold?
  • Who owns each top risk, and what triggers escalation to the board?

The Role of a Board-Level Technology Advisor

Boards should evaluate whether their audit committee has members with hands-on technology governance experience. That means someone who can translate technical risk into business terms, identify gaps in management's reporting, and establish escalation protocols that hold under real incident conditions — not just on paper.

That role is distinct from what a company's internal CISO delivers. A CISO runs the security program and reports through management. An independent board advisor provides oversight that isn't filtered through the same chain of command, adding challenge and independent framing without undercutting the CISO's operational role.

Tyson Martin works with boards and audit committees to close this gap — establishing clear decision rights, stable trend-based reporting, and escalation thresholds that hold when an incident actually hits. The output is governance you can inspect — not a dashboard that stays green until it suddenly doesn't.


What Good Board-Level Oversight Looks Like in Practice

Signal vs. Noise in Reporting

The most common failure in board cyber reporting is volume without direction. A list of 47 open findings tells a committee nothing useful. A one-page dashboard showing the top five enterprise risks, movement since last quarter, and what decision the board needs to make — that's what governance-ready reporting looks like.

Effective audit committees insist on:

  • Consistent format — same structure every quarter so trends are visible across periods
  • Plain-English summaries — what changed, what it means, what management is doing about it
  • Explicit decision requests — not just status updates, but clear asks for board approval or direction

Defined Decision Rights and Escalation

Good oversight requires knowing in advance which categories of risk the committee will decide on and which it will delegate — with explicit triggers for escalation. Escalation thresholds that only exist in policy documents collapse during actual incidents when teams are negotiating authority under time pressure.

Thresholds that hold under real conditions share a few characteristics:

  • Tied to observable business metrics — hours of downtime, affected account counts, revenue impact estimates
  • Assigned to named decision owners, not job titles that shift during transitions
  • Tested through tabletop exercises, not just documented in policy binders
  • Backed by validated communication paths confirmed before an incident occurs

Meeting Rhythm and Workplan

S&P 500 audit committees met an average of 8.1 times in the 2024 proxy year according to Spencer Stuart's 2024 U.S. Board Index. High-performing committees structure that time:

  • Pre-reading materials distributed 48 hours before meetings — one page per topic, designed to answer what changed, what matters most, and what decisions are needed
  • Quarterly deep dives on one governance topic at a time (cyber posture, internal control effectiveness, auditor performance)
  • At least one annual session dedicated to governance effectiveness review, separate from time-pressured financial sign-offs
  • Monthly pulse updates between formal meetings — brief, one-page summaries of what shifted and what requires attention

[Infographic: Audit committee annual meeting rhythm and workplan timeline]

Practical Board Recommendations for Strengthening Your Audit Committee

Three actions that move committees from compliance posture to genuine oversight:

1. Conduct an annual self-evaluation that goes beyond box-checking. Assess whether the committee has the right skills for current risks, whether members feel equipped to challenge management, and whether the committee's actual mandate matches what's written in its charter. Document findings and address shortfalls with a concrete improvement plan — not just noted and archived.

2. Update the charter to reflect the committee's real mandate. Many audit committees operate with charters written years before cybersecurity, AI governance, and sustainability reporting entered their scope. A charter that doesn't reflect current responsibilities creates governance gaps and potential liability exposure. Review it annually, not just at formation, and explicitly address technology risk and cyber oversight if those responsibilities sit with the committee.

3. Close the technology expertise gap deliberately. Evaluate whether the committee has meaningful technology governance experience — not just awareness that cyber is important, but the ability to challenge management's risk representations and interpret trend-based reporting. For organizations in regulated industries, navigating digital transformation, or facing M&A, this gap is worth closing directly. Engaging a board advisor or director candidate with technology governance experience is the most straightforward way to build that capacity without dismantling existing financial expertise.


Frequently Asked Questions

What is the primary role of an audit committee in corporate governance?

An audit committee is a board subcommittee responsible for overseeing financial reporting integrity, internal controls, external audit relationships, and risk management. It serves as an independent check on management's financial representations, distinct from the full board's strategic oversight role.

How is cybersecurity oversight handled at the board and audit committee level?

Audit committees are increasingly formally designated as the primary cybersecurity oversight body — 62% held that designation in CAQ/Deloitte's 2025 survey. Effective oversight involves receiving trend-based reporting, setting escalation thresholds, and ensuring members have enough technology fluency to challenge — not just receive — management's risk representations.

What qualifications should audit committee members have?

The baseline requirements are independence, financial literacy, and at least one member qualifying as a financial expert under SEC definitions. Given the committee's expanded remit, today's stronger committees also include members with technology governance, legal, or ESG backgrounds to match the oversight responsibilities they actually carry.

How often should an audit committee meet?

S&P 500 audit committees met an average of 8.1 times in the 2024 proxy year per Spencer Stuart's data. The practical structure includes quarterly financial reviews, sessions for auditor approval and internal controls assessment, and at least one annual governance effectiveness review.

What is the difference between an audit committee and a risk committee?

Many organizations fold risk oversight into the audit committee — often called the "risk and audit committee." Larger organizations may separate them. In either structure, the audit committee retains responsibility for ensuring risk management processes are sound and that significant exposures reach the board.

How should a board evaluate whether its audit committee is performing effectively?

Annual self-evaluations should assess whether the committee has the right skills for current risks, whether its charter matches its actual mandate, and whether members feel genuinely equipped to challenge management. Findings should produce a documented improvement plan with named owners and timelines — one that gets executed, not just filed.