Audit Committee Insights | October 2025

Q4 has commenced which means Halloween and spooky season are upon us. The ghosts, goblins, and witches may scare us, but we’re not scared away by the quick pace of regulatory developments and resources released by stakeholders, and you shouldn’t be either. We’re tracking everything audit committees need to know. Read on to learn about what’s new.​​​​

We welcome input; please let us know what you think. Subscribe here so that you never miss an update from the CAQ.

In This Issue:

• CAQ Releases an Updated External Auditor Assessment Tool
• Hot Topics: Questions You Should Ask in the Q3 Audit Committee Meeting
• Establishing a Technology Committee: Find Out What’s Right for Your Company
• SEC Chair Atkins Supports a Shift to Semi-Annual from Quarterly Financial Reporting
• CAQ’s Audit Committee Council Spotlight: Theo Bunting, Jr., Audit Committee Chair Unum Group
• ICYMI: CAQ Public Policy Technical Alert (PPTA), September 2025
• Ready for a New Year’s Resolution…Start Now and Lock In!

CAQ Releases an Updated External Auditor Assessment Tool

The CAQ released an updated External Auditor Assessment Tool, which includes a four-part framework with several focus areas in each part, paired with sample discussion questions for audit committees to consider when evaluating the external auditor. Audit committees are responsible for evaluating the external auditor, at least annually, and making a recommendation to the board on whether to retain them. The CAQ’s tool helps audit committees conduct this evaluation to support their recommendation to the board. The framework focuses on the following key areas:

1. Quality of services and sufficiency of resources provided by the external auditor – the engagement team
   • Engagement team competence, resources, and responsiveness
   • Engagement team hours and workload
   • Audit plan and risks
   • ​​​​Audit participants
   • Engagement team succession
   • ​​​​​Complex accounting and auditing matters, including consultations
   • Scope and cost considerations
2. Quality of services and sufficiency of resources provided by the external auditor – the audit firm
   • Audit quality report
   • Governance and leadership
   • Resources
   • Engagement performance
   • Monitoring and remediation
3. Communication and interaction with the external auditor
   • Openness of communications
   • Nature of communications
   • Communication of concerns
4. Auditor independence, objectivity, and professional skepticism
   • Independence compliance
   • Disagreements with management
   • Promotion of professional skepticism
   • Internal audit reliance
   • Non-audit services

Read the full CAQ resource and dive into the sample questions here. Want to learn more? Register for the November 20, 2025 webcast and join us for a discussion from both sides of the aisle – audit committee members and the auditor – about how to effectively perform this assessment.

Hot Topics: Questions You Should Ask in the Q3 Audit Committee Meeting

Speaking of interactions with the external auditor…are you ready for the Q3 audit committee meeting? PwC listed 8 hot topics the audit committee should consider when preparing for this quarter’s meeting. The resource is packed full of sample questions the audit committee should ask during the meeting, including some for the external auditor. Here are just a few of PwC’s sample questions to consider for each hot topic:

1. Accounting for US tax reform
   • What provisions of the new legislation will have the most impact on the company’s business operations, cash taxes and/or effective tax rate?
   • What is management’s process for monitoring and modeling the new tax legislation and related interpretations, and their potential impacts on the company?
2. Sustainability reporting
   • How is management preparing for overlapping national and international sustainability standards, and are there clear roadmaps for implementation and compliance?
   • How is sustainability-related risk being incorporated into enterprise risk management and financial disclosures?
3. Risk management in a volatile, uncertain, complex, and ambiguous world
   • How does management confirm it is prepared to respond to a sudden, high-impact event (e.g., cyber breach, climate disruption, regulatory investigation)?
   • How does the internal audit plan incorporate high-velocity and emerging risk areas (e.g., AI, third-party resilience)?
4. Cybersecurity and data privacy oversight
   • What is management’s process for managing risks associated with third-party vendors, cloud providers, and the use of AI and emerging technologies?
   • What investments have been prioritized to strengthen the company’s cybersecurity defenses?
5. Regulatory compliance oversight in a rapidly evolving environment
   • What is the audit committee’s process to confirm it understands the company’s most significant compliance risks and how they are evolving?
   • From the external auditor’s perspective, are there any industry-specific trends or regulatory enforcement areas that the company should be monitoring?
6. External auditor oversight
   • What is management’s assessment of the mix of skills and experience of the external audit team and their commitment to audit quality?
   • What is the external auditor’s process for confirming the continuity and knowledge transfer within the team, particularly if staffing changes occur mid-audit?
7. Crisis management and business continuity planning
   • How does the crisis response structure align with the company’s organizational risk appetite and insurance coverage?
   • How would a significant disruption (e.g., cyberattack or operational outage) affect the external auditor’s approach?
8. Updating your understanding of processes and controls
   • What is internal audit’s process for identifying recurring control deficiencies or areas where processes are overly manual or fragmented?
   • What areas do the external auditor encourage management or the audit committee to focus greater attention on before year-end?

These topics are consistent with EY’s suggested topics for the Q3 audit committee agenda. EY also notes that audit committees should consider discussing the evolving AI regulatory landscape, including implications of the GENIUS act on the business. We covered the GENIUS act in last month’s newsletter – in case you missed it, click here for the details.

Establishing a Technology Committee: Find Out What’s Right for Your Company

Should boards establish a separate technology committee? We hear this question a lot these days. EY reports that 13% of S&P 500 companies have a separate technology committee. EY notes that most S&P 500 companies have expanded the purview of existing committees, usually the audit committee, to include specific aspects of technology oversight. While the audit committee typically handles technology oversight because of its broader role in overseeing risk management, the audit committee already has a heavy workload and adding technology oversight could risk overloading the committee.

There are other ways for the board to allocate the responsibility of technology oversight. EY explores potential options in their recent publication, How boards can enhance technology oversight to unlock potential.

Whether shifting technology oversight from the audit committee to a separate technology committee is right for your company depends on many factors. EY suggests boards consider the following discussion questions to evaluate which committee structure is best for the company:

1. Level-setting on the company’s technology maturity
   • What is the current level of technology fluency in the boardroom?
   • Where is the company currently in terms of its technology maturity across the enterprise?
   • What is the quality of the company’s leadership team related to technology?
   • Are technology executives strategically and business oriented?
2. Determining the role of technology in advancing company strategy
   • What role does technology play in the company’s strategy and enterprise risk management? Is it a mission-critical matter? Is it a strategic enabler or differentiator?
   • How does the current approach to technology oversight enable the board to serve as strategic partner to management in technology transformation and investment?
   • Does the company’s investment in technology require more board oversight? Or is current spending insufficient for competitive growth, potentially needing more board leadership?
3. Securing the expertise needed for effective oversight
   • What expertise does the board have to oversee the company’s technology strategy and risks? To execute the responsibilities of a stand-alone technology committee?
   • Who are the technology experts on the board, and do they facilitate full board competence and discussion? How do they contribute to broader business discussions?
   • What is the bandwidth of existing committees? What resources and expertise do they need to meet evolving technology oversight needs?
4. Optimizing and communicating board oversight
   • How do committee responsibilities related to technology potentially overlap? How is committee work coordinated?
   • How do the charters define each committee’s technology-related responsibilities? How are those responsibilities reflected in the calendar and agendas?
   • What other external disclosures could clarify the board’s approach to technology oversight for investors and other stakeholders?
   • How is the board regularly evaluating the effectiveness of its technology oversight and committee structure?

SEC Chair Atkins Supports a Shift to Semi-Annual from Quarterly Financial Reporting

Here’s another potential shift to be aware of, this time in the regulatory space. SEC Chair Paul Atkins published an opinion piece with the Financial Times indicating his support for allowing the market and investor needs to dictate companies’ optimal reporting frequency, as opposed to the SEC.

He noted that “the government should provide the minimum effective dose of regulation needed to protect investors while allowing businesses to flourish. And for that reason, I am fast-tracking President Trump’s proposal to equip companies with the option to report on a semi-annual basis, rather than locking them into the current quarterly reporting regime.”

Déjà vu all over again? The SEC broached the topic in 2018 in a Request for Comment on Earnings Releases and Quarterly Reports in response to a tweet from President Trump calling for the SEC to study a shift from quarterly to semi-annual reporting. The SEC received 87 responses to that request for comment, with the majority of respondents opposed to a shift from quarterly to semi-annual reporting.

What does this mean for audit committees? It’s a developing area to watch and to discuss with management. What are investor expectations? If the 10-Q reporting requirements were to change, would the company continue to report earnings quarterly? Would controls change? Would your auditor’s involvement change? As we like to say, more to come.

CAQ’s Audit Committee Council Spotlight: Theo Bunting, Jr., Audit Committee Chair Unum Group

​​​​​​This month we spoke to CAQ’s Audit Committee Council member Theo Bunting, Jr. about his career and journey to the audit committee.

How did you get started in accounting? What was your first and last job?

My interest in accounting first started in high school through a few accounting classes I took which piqued my interest. The concepts came very naturally to me, but I chose not to major in accounting in college. I was initially an engineering major then switched to economics. Even though I earned my degree in economics, I still had enough accounting credits to sit for the CPA exam and was offered an entry level position at Arthur Andersen in Oklahoma City.

My last full-time “day” job was as Group President, Utility Operations at Entergy Corporation until my retirement in 2017. It had little to do with accounting, but my background prepared me for the role. My last accounting-related full-time “day” job was as Chief Accounting Officer at Entergy Corporation.

What was the first corporate board that you joined? How did you get on that board?

Unum Group was the first Fortune 500 corporate board I served on. A search firm, Russell Reynolds Associates, emailed me about the position and I thought it was spam, so I deleted the email. Luckily, they were persistent and sent me a follow-up. I googled them once I received the follow-up and that’s when I realized this was a legitimate opportunity and reached back out to them. The rest is history.

What do you enjoy most about serving on the audit committee? How is it different from other board committees?

Being on the audit committee feels like a natural fit for me and my skill set – I’m still a CPA and I’m very comfortable serving on the audit committee as a result. I enjoy the breadth of responsibilities and the importance of the committee itself. The audit committee is critical to the proper functioning of capital markets, especially since the implementation of the Sarbanes Oxley Act. I’ve appreciated how dynamic the nature of the committee is and the evolution of the subject matter over time. It challenges committee members to keep current and continue learning about what’s going on in the markets and in accounting.

What else do you do outside of board service?

I am a fitness enthusiast and spend a lot of time exercising. I spend a lot of time outdoors maintaining the acreage surrounding my country home.

I recently took a trip to Greece that I really enjoyed, and it has given me more motivation to travel and see the world. In the future, I’d like to travel more.

What trends or risks do you think audit committees will need to focus on in the next few years?

Everyone talks about AI, cyber, and compliance, which are important. I think corporate culture and human behavior will also need to be focuses for audit committees. I believe a weak corporate culture increases many risks.

Corporate culture and human behavior go hand in hand. I recently spoke to a Chief Audit Executive about this and have focused more on gaining an understanding of human behavior and how those behaviors play into day-to-day business decisions. As a society, it seems we’ve lost the ability to agree to disagree, but continue to discuss an issue in order to reach alignment. Two to three years ago, understanding the impact of human behavior on the business wasn’t thought about as much. I think it will be in the future.

In addition to his role as audit committee chair of Unum Group, Theo serves on the Regulatory Compliance Committee. He joined the CAQ’s Audit Committee Council in December of 2020.

Theo will be a panelist on an upcoming webcast on October 30, 2025, hosted by the Anti-Fraud Collaboration (AFC) in partnership with the CAQ, that will explore the pervasiveness and impact of fraud at U.S. public companies. Register here to hear his thoughts.

ICYMI: CAQ Public Policy Technical Alert (PPTA), September 2025

Each month, the PPTA highlights and examines the regulatory, standard-setting, legislative, and broader financial reporting developments impacting the public company audit profession. The CAQ’s September 2025 Alert included these featured articles.

New PCAOB Audit Focus Provides Auditors of Broker-Dealers With Insights on Exemption Report Reviews
The PCAOB released a staff publication, Broker-Dealer Audit Focus: Review Engagements Regarding Exemption Reports. This edition of Broker-Dealer Audit Focus highlights key reminders for auditors from Attestation Standard No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers, provides the staff’s perspectives on common deficiencies observed in auditors’ work, and shares good practices that PCAOB staff has observed. Broker-Dealer Audit Focus is a new series of PCAOB publications that aims to provide easy-to-digest information to auditors of registered broker-dealers.

AICPA Adds Chapter on Auditing Crypto Lending and Borrowing to Digital Assets Practice Aid
The AICPA added a new chapter to its Digital Assets Practice Aid that gives practitioners practical guidance for auditing lending and borrowing transactions of digital assets. The update reflects the rapid growth of crypto markets and the need for auditors to address the risks that come with them. The chapter walks through two common scenarios:

• When a borrower of a crypto intangible asset is not required to post collateral; and
• When a borrower is required to post collateral.

Ready for a New Year’s Resolution? Start Now and Lock In!​​​​

How many times have you set a new year’s resolution with good intentions but have fallen off by March? July? September? Never? If it’s never, well, you’re better than most. But if you’ve fallen off this year, you’re not alone and you might think about joining Gen Z in the TikTok trend coined as the Great Lock In of 2025. (WAIT—don’t let the origination of this trend on TikTok turn you away—the trend has spread like wildfire with companies like the New York Times, Associated Press, Business Insider, and more covering it.)

Forbes shares that like many of us, a few content creators on TikTok entered 2025 with great expectations for all they might achieve, only to end the summer feeling somewhat adrift. In response, Gen Z declared the need to “lock in”, a term the generation uses to mean entering into a state of intense focus to achieve a specific goal, the last two-three months of the year to finish 2025 strong. As part of the Great Lock In, everyone is free to identify their own list of goals they’d like to achieve, but with a shared intensity to accomplish them all by December 31, 2025.

So, whether it’s revamping your new year’s resolution or creating new goals for the last 2 months, will you join Gen Z and lock in this Q4? (Or maybe you’re spooked by the idea – we get that too 😊)

Questions and comments about Audit Committee Insights can be addressed to Vanessa Teitelbaum, Senior Director, Professional Practice (vteitelbaum@thecaq.org).

This newsletter is intended as general information and should not be relied upon as being definitive or all-inclusive. The CAQ encourages readers to refer to applicable rules, standards, guidance, and other resources in their entirety. All entities should carefully evaluate which requirements apply to their respective organizations.