The Audit Committee Brief

Audit Committees are no longer defined by compliance alone.

They’re now at the forefront of navigating risk, culture and strategic complexity. While fair, balanced and understandable financial reporting remains essential, it’s only part of a much broader remit.  
 
Drawing on findings from Grant Thornton’s Corporate Governance Review - covering six years of reporting data set against regulatory and market developments - this brief report explores how the role of the Audit Committee Chair is being redefined in practice. 

On this page:

• A 30-second snapshot of the findings  
• Committee composition: is there space for more challenging voices? 
• Culture assurance: how is culture measured for its impact on risk and decision-making?  
• Emerging risks: should committees push for more balanced risk reporting?
• Provision 29: boards must own the effectiveness conclusion  
• Audit quality: is quality embedded in culture, or just applied as a risk layer? 
• Three priorities to focus on for the next 12 months  

Today’s Audit Committee is the board’s de facto nerve centre for risk. Oversight now stretches across cyber, data, AI, compliance and macro-economic uncertainty, often in areas where broader board capability is still developing. As our Corporate Governance Review data shows, this expansion is outpacing the evolution of committee design, raising critical questions around scope, skills and succession. The audit agenda is now broader and more complex than at any point in the past. This creates a tension: Audit Committee Chairs are accountable for risks they do not manage; they’re expected to probe and anticipate without crossing into management’s territory. Their role requires sharper prioritisation and greater judgement.  

The data evidences this shift. While 56% of FTSE 350 companies recognise the opportunities presented by AI, many have yet to fully address the associated risks or ensure their board has the necessary expertise. Audit Committees are absorbing a growing share of oversight responsibility, often without a corresponding redesign of governance frameworks.

• While most Audit Committees meet requirements, 15% fall short of full compliance through composition or capability shortages.
• Cyber and AI risks continue to accelerate as organisations expand AI-driven processes, yet board-level capability remains limited: only 7% have dedicated cyber or data expertise.
• Most companies keep the board Chair off the audit committee. A small number of outliers - mainly in healthcare, financial services and real estate - represent smaller-cap firms.

For companies without the expected level of independence or capability, this can weaken challenge - particularly where industry-specific judgements are changing and the definition of ‘market practice’ is evolving. Reporting has not kept pace, remaining standardised at a point when regulators are calling for more company-specific, decision-useful disclosure.

Culture assurance: how is culture measured for its impact on risk and decision-making?

Internal audit maturity continues to strengthen, with the proportion of firms lacking a dedicated function shrinking noticeably over the last five years. There is a clear market preference for robust in‑house models - 78% of FTSE 350 market - supported where needed, by co‑sourced or outsourced arrangements. Growing confidence in internal audit independence, particularly around cultural assurance, reflects rising expectations from regulators and stakeholders, reinforcing the function’s role in strategic governance. 

Culture is moving from narrative to a core governance priority. The 2024 Code revisions reinforce alignment with purpose, values and strategy. Audit Committee Chairs are leading this shift through increasingly prominent disclosures.

• While CEO commentary on culture remains inconsistent (55% of the market discussed culture in 2025), quality of disclosure has increased consistently since 2020.
• Satisfactory disclosures in personal commentary by Audit Committee Chairs have risen markedly to 90% in 2025, from 72% in 2020.
• 63% of FTSE 350 companies use a basket of three or more metrics to measure culture - most commonly employee surveys, speak-up and whistleblowing data, health and safety indicators, and diversity data.

Confidence in internal audit’s role in measuring and assessing culture is growing, with 68% of functions now considered to have an appropriate mandate and approach. Progress has been steady, but a continued maturity journey is needed to fully meet regulatory expectations for independent, evidence-based assurance over culture, behaviours and tone from the top.

Emerging risks: should committees push for more balanced risk reporting?

The Audit Committee’s horizon-scanning responsibility has grown considerably. Since the 2018 Code introduced emerging risk disclosure, almost every FTSE 350 company now describes how emerging risks are assessed. But breadth of adoption hasn’t always translated into depth of insight.

In 2025, only 36% of companies set out mitigations for the emerging risks they identify. That raises a legitimate question: does this reflect a considered view that risks are too nascent to mitigate, or simply that firms don’t see mitigation as a reporting obligation?

The five emerging risks most consistently cited across the six-year horizon are macroeconomic conditions, regulation and compliance, AI, climate change, and operational resilience. Their consistency prompts a challenge of its own: are companies genuinely reassessing their risk landscape each year, or reproducing the same list? The Code is clear that principal risks should be reviewed afresh annually.

There is also a subtler issue: how upside risks and opportunities are handled. Only a small minority of companies report on the upside potential of their principal risks - even where topics like AI, regulatory change and macro shifts carry genuine opportunity alongside threat. This sits in stark contrast to the positive narrative in most CEO and Chair statements. Audit Committees are well-placed to close that gap.

• 96% of FTSE 350 companies now describe how they assess emerging risks, but only 36% set out mitigations - a gap that merits closer scrutiny from Audit Committee Chairs.
• Few companies disclose upside risks alongside principal risks. Committees should actively ask what governance is in place to ensure upside risks are maximised - setting risk appetite to enable innovation and appropriate risk-taking.
• The disconnect between front-end optimism (CEO/Chair statements) and back-end risk disclosure is striking. Audit Committees are well-placed to close that gap.

Audit quality: is quality embedded in culture, or just applied as a risk layer?

Transparency around external audit quality and independence has continued to improve. Disclosure quality is rated satisfactory or above by 99% of companies in 2025, up from 95% in 2020. Auditor rotation patterns remain broadly healthy, with changes typically occurring every seven to nine years. These are encouraging signals - but they shouldn’t distract from more fundamental questions about where audit quality is heading.

The most significant development shaping audit quality in the coming period is AI. Audit firms are increasingly deploying AI tools to accelerate data analysis, transaction testing and risk identification - and executive teams are doing the same in how they manage and present information. Audit Committees should be actively asking their external auditors how AI is being used, how they satisfy themselves it enhances rather than erodes quality, and whether its use introduces any new risks to auditor independence. These are live questions now.

Audit quality is also shaped by culture, not just capability. The firms best placed to deliver consistently high-quality audits are those where quality is embedded throughout their practice as a professional standard, not a risk management response applied selectively to complex engagements.