The PCAOB just released its annual Conversations With Audit Committee Chairs report, and for the first time in the report’s history, AI shows up as its own named technology risk — not buried under cybersecurity, not tucked into a footnote. Over 250 audit committee chairs at public companies were surveyed, 82% representing companies audited by the Big Six global network firms. This is the boardroom view of AI risk from the largest public companies in the world, and it’s shifting from curiosity to accountability.
Why This Report Matters
Under Sarbanes-Oxley Section 10A(m), the audit committee is directly and legally responsible for overseeing the external auditor — not management, not the CFO. They hire the auditor, set the compensation, and oversee the work. The PCAOB runs this survey annually to surface what’s rising to the top of audit committee agendas. For the past several years, cybersecurity dominated the technology risk conversation. This year, AI graduates into its own category.
Think of it like a flight crew’s pre-departure checklist. For years, the checklist covered engines, fuel, and weather. Now there’s a new instrument on the panel — and the pilots aren’t just observing it. They’re asking: what does this measure, what happens if it fails mid-flight, and did anyone test it before takeoff? That’s exactly where audit committees are with AI right now.
Three Distinct AI Concerns From the Boardroom
1. Client-Side AI and Financial Reporting Controls
Audit committee chairs are asking their auditors to explain how AI used inside the company affects the reliability of financial statements. If a company is using AI to generate journal entries, automate estimates, or build forecasting models — who designed the model? What controls exist? Has it been stress-tested against edge cases? These questions are now expected to be part of the external auditor’s process, and in many cases, auditors are still developing the methodology to answer them.
2. AI-Assisted Fraud
Chairs specifically named “staff preparedness to detect fraud that might be facilitated through AI” as an explicit concern. Deepfake audio impersonating a CFO to authorize a wire transfer. Synthetic transactions that pass automated testing. AI-generated phishing emails indistinguishable from internal communications. These aren’t theoretical. And the traditional fraud detection toolkit — journal entry testing, management override inquiries, segregation of duties — was not built with AI-assisted manipulation in mind. AI-generated anomalies may not leave the same fingerprints as human manipulation.
3. The Fee Question — Still Unresolved
Several chairs asked directly: if your firm is using AI to complete audit work faster, should our fees go down? It’s a reasonable question with no clean answer yet. Some firms are positioning AI as a quality enhancer — same cost, better audit. Others are still figuring out the pricing model. Either way, this will be a recurring item on audit committee agendas, and accounting professionals at every level should be ready to engage with it.
The CAMs Angle
90% of audit committee chairs said their auditor discussed Critical Audit Matters (CAMs) with them, with valuations being the most common example. As AI begins influencing valuation models and complex estimates, those CAM discussions are going to require the auditor to explain not just what judgment was applied, but whether and how an AI tool informed that judgment — and what oversight existed. The intersection of AI and subjective audit judgment is about to get significantly more complex.
What This Means for CPAs
The controls question is now board-level. When audit committees ask their Big Six auditors how AI inside the company affects financial reporting, that conversation flows down through every engagement — advisory teams, controllers, and clients. CPAs need to speak to AI governance with the same fluency they bring to IT general controls. If a client is deploying AI in their financial close process, even in a limited way, the due diligence questions are the same ones you’d ask about any system that touches the financials: Who owns it? What testing was done? What documentation exists?
AI-assisted fraud is an evolving risk area, not a solved one. Audit committee chairs are naming it at the top of the governance chain, which means auditors and advisors need to track how the profession’s methodology is responding. Flag it as an open question in risk assessments.
Key Takeaways
- The PCAOB’s 2025 audit committee report formally elevates AI as a standalone technology risk — the first year it’s been treated this way.
- Chairs are asking about client-side AI — how AI inside the company affects controls — not just how auditors are using it on their end.
- AI-assisted fraud is a named concern at the highest level of corporate oversight. Traditional detection tools may not be sufficient.
- The fee question around AI adoption by audit firms is unresolved and will be recurring.
- As CAMs discussions grow more complex, the intersection of AI and audit judgment will require clearer methodology and documentation.
Source: PCAOB Spotlight — 2025 Conversations With Audit Committee Chairs, April 2026.

