Audit committees expand into risk

- KPMG and Deloitte said in 2025 that audit committees were carrying heavier risk agendas, with cyber, AI, compliance and control oversight moving higher.
- KPMG’s 2025 audit committee survey said 88% cited a more complex business and risk environment, including cybersecurity, AI, supply chains and workforce challenges.
- NACD’s current committee resources place audit oversight alongside risk, and compensation oversight alongside talent, culture and human-capital priorities.

Recent governance guidance from KPMG, Deloitte and the National Association of Corporate Directors shows audit committees taking on broader risk work while compensation committees spend more time on talent and human-capital oversight. The shift is showing up in committee agendas, charter language and director guidance rather than in a single rule change. In practice, that is moving AI, cyber, export-control, data and workforce questions closer to the board’s standing committees. Recruiters and nominating committees are responding by looking for directors who can fill those seats with specific oversight experience.

### Why are audit committees being pulled beyond financial reporting?

KPMG’s 2025 Audit Committee Survey said most audit committees “continue to shoulder heavy risk agendas,” with growing concern about the complexity of the business and risk environment and about oversight gaps around cybersecurity, data privacy and AI. The survey said 88% of respondents cited increased complexity in the business and risk environment among the macro trends likely to affect their agenda, and listed cybersecurity, AI, supply chains and workforce challenges among the examples. (kpmg.com)

Deloitte’s 2025 Audit Committee Practices Report said audit committee priorities are evolving, and its audit committee guidance now frames the committee’s remit around financial reporting, risk, ethics and compliance, internal audit and related oversight. Deloitte’s 2026 board governance trends report separately said boards are recalibrating their approach to risk oversight in a more uncertain environment. (kpmg.com)

### Does that mean every company now has an “audit and risk” committee?

NACD’s committee materials show both models in use. Its audit committee resources now sit alongside separate risk-committee guidance, and its audit committee blueprint and charter tools are presented as ways to reassess committee effectiveness and oversight scope. That does not mean every board has merged the functions, but it does show that risk oversight is now a routine committee design question. (deloitte.com)

KPMG said some audit committees are reassessing oversight responsibilities as risk agendas expand. That language matters because it suggests boards are deciding whether to keep more risk work inside audit, move some of it to another committee, or reserve it for the full board.

### Why is the compensation committee moving toward talent and retention?

NACD’s compensation committee guidance says the committee’s role now covers executive pay, incentive structures and human-capital management, and says directors are using the committee to align talent, incentives and long-term value. (nacdonline.org)

NACD’s talent, culture and HR materials also put retention, leadership development, succession planning and workforce capabilities squarely inside board oversight. (kpmg.com)

KPMG’s 2025 compensation committee agenda said directors were facing a business environment marked by uncertainty and disruption affecting companies and employees. That framing has pushed compensation discussions beyond annual pay-setting toward questions about management depth, succession, capability building and whether incentives support retention and control discipline. (nacdonline.org)

### Where do AI, cyber and export-compliance questions land now?

KPMG’s audit committee materials place cybersecurity, AI, data privacy, compliance and internal controls on the committee’s agenda, making those issues less likely to be treated as occasional strategy topics. Deloitte’s audit committee guidance similarly ties oversight to risk, ethics and compliance, which gives boards a standing venue for questions about technology controls and regulatory exposure. (kpmg.com)

That matters for companies exposed to restricted technologies or global supply chains because export controls, third-party oversight and documentation integrity often arrive at the board as control and compliance questions. It also matters for AI adoption because vendor concentration, model risk and data governance now fit naturally inside existing committee structures rather than ad hoc board conversations. (kpmg.com)

### What does this change in director recruiting?

Deloitte’s 2026 governance trends report said boards need ongoing director education and regular reassessment of board composition as oversight demands change. NACD’s 2025 Governance Outlook likewise highlighted AI adoption, risk oversight and reputational risk as active governance priorities. Those priorities tend to favor candidates who can point to committee-ready experience in controls, cyber, compliance, talent or enterprise risk, rather than broad operating credentials alone. (assets.kpmg.com)

The next evidence to watch is public: committee charters, proxy statements and board-matrix disclosures in upcoming filings will show whether companies rename committees, rewrite mandates or add directors with risk, AI, cyber or human-capital oversight backgrounds. (nacdonline.org) (deloitte.com)
