Audit Committee Expectations: What Auditors Should Know

What ISA 260 actually requires (and what it doesn’t)

ISA 260 (Revised) sets out six categories of matters the auditor must communicate to those charged with governance. The standard is principle-based, not prescriptive, which means it tells you what to communicate but gives you judgment on how, when, and in what form.

The required communications under ISA 260.14 through ISA 260.17 are: the auditor’s responsibilities under the ISAs, the planned scope and timing of the audit, significant findings from the audit (including the auditor’s views on significant qualitative aspects of the entity’s accounting practices, significant difficulties encountered, written representations requested, and other matters arising from the audit that are relevant to governance oversight), and the auditor’s independence.

For listed entities, ISA 260.17 adds a requirement to communicate a statement confirming compliance with relevant ethical requirements regarding independence. Under the EU Audit Regulation (Regulation 537/2014), this extends to PIE audits across Europe.

What ISA 260 does not require is equally important. No specific format is required. Oral communication is acceptable for most matters under ISA 260.19, though significant findings should be in writing under ISA 260.A41, so a separate letter isn’t mandated either. It doesn’t prescribe length. And it doesn’t tell you what the audit committee needs to hear beyond the enumerated matters. That gap is where the relationship either works or doesn’t.

ISA 260.9 establishes the objective: the auditor should communicate clearly with those charged with governance about their responsibilities, the planned scope and timing, significant findings, and should obtain from them information relevant to the audit. That last clause (obtaining information) is the two-way communication obligation that most teams underweight.

What audit committees are asking for in 2026

The CAQ’s January 2026 audit committee action plan, built from the BDO, EY, and PwC audit committee agenda papers, identifies eight priority topics for 2026 audit committees. Not all of them fall on the external auditor, but several directly affect what the audit committee expects to hear during audit communications.

The first is AI governance. Audit committees want to understand where the external auditor uses technology and AI in the audit, what its limitations are, and how it interfaces with management’s own AI-related controls. EY’s 2026 board matters publication notes that 62% of public company boards now set aside dedicated agenda time for AI discussions, up from 28% in 2023 (NACD 2025 survey). If you’re using data analytics tools on the engagement, the audit committee expects you to explain what they do, what they cover, and what they don’t.

The second is the quality of management’s estimates and judgments. BDO’s 2026 audit committee priorities paper cited the PCAOB’s audit focus on accounting estimates, noting that only 50% of directors rated their board’s challenging of management’s judgments as effective (BDO Board Survey 2025). Audit committees are looking for the external auditor to be more specific about which estimates are most sensitive and where management’s assumptions sit within the range of reasonable outcomes. A sentence in your ISA 260 letter that says “we evaluated management’s estimates and found them reasonable” communicates nothing useful. A paragraph that says “management’s going concern cash flow projection assumes 8% revenue growth; the prior year achieved 4%; we tested downside scenarios at 2% and 0% and the conclusion held, but the margin is narrower than last year” gives the committee something to act on.

Cyber risk oversight is the next area. Deloitte’s 2026 audit committee priorities publication positions cyber risk as a permanent fixture on the committee agenda. Audit committees want to know whether the external auditor identified any IT control weaknesses that could affect financial reporting, even if those weaknesses don’t rise to the level of a “significant deficiency” under ISA 265. Communicating what you didn’t find (if relevant) can be as useful as communicating what you did.

PwC’s guidance for audit committees emphasises the importance of informal one-on-one meetings between the audit committee chair and the lead audit partner between formal meetings (ISA 260.A49 notes that timely communication throughout the audit contributes to effective dialogue). For mid-tier firms, this means the engagement partner should proactively schedule these conversations rather than waiting for the committee to request them.

The two-way communication obligation most teams ignore

ISA 260.20 requires the auditor to evaluate whether the two-way communication between the auditor and those charged with governance has been adequate for the purpose of the audit. If it hasn’t, the auditor must evaluate the effect on the assessment of risks of material misstatement and the ability to obtain sufficient appropriate audit evidence, and take appropriate action.

In practice, this means you can’t just send a letter and check the box. ISA 260 contemplates a dialogue. The auditor communicates the planned scope. The audit committee provides information about known fraud risks, related party transactions, or areas where they want the auditor to focus. That information feeds back into risk assessment under ISA 315.

Where this falls apart at mid-tier firms is when the “audit committee” is a single non-executive director, a supervisory board that meets twice a year, or (in smaller entities under ISA 260.A8) the owner-manager who is also the finance director. ISA 260 acknowledges this. ISA 260.13 states that when all of those charged with governance are involved in managing the entity, the auditor should consider whether communication with them in their management capacity adequately informs them in their governance capacity.

The practical fix is simple. At the planning stage, ask the audit committee (or equivalent) two questions: “What are you most concerned about in this year’s financial statements?” and “Is there anything you’d like us to look at specifically beyond our standard scope?” Document the answers. If the answers change your risk assessment or your planned procedures, document that link. If they don’t, document why not. This turns a one-directional compliance exercise into the two-way communication ISA 260 was designed to produce.

ISA 265: when and how to communicate internal control deficiencies

ISA 265.9 requires the auditor to communicate significant deficiencies in internal control identified during the audit to those charged with governance in writing on a timely basis. The standard defines a significant deficiency as one that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged with governance (ISA 265.A5 through A7 provide indicators).

The judgment call is where the work is. A duplicate payment in accounts payable is a deficiency. Whether it’s “significant” depends on the potential magnitude (how large was it, could it recur, is the process that missed it used across many transaction types) and whether compensating controls exist. ISA 265.A6 lists factors to consider, including whether the deficiency relates to fraud risk, whether it has been identified in prior periods without remediation, and whether it affects amounts or disclosures likely to be material.

What ISA 265 does not require is communication of every deficiency. ISA 265.10 covers communication of “other deficiencies” to management (not governance), and even then, only those of sufficient importance to merit management’s attention. If you’ve been including minor IT access control observations in your governance letter because “it’s better to be thorough,” you may actually be diluting the committee’s attention from the deficiencies that matter.

The timing requirement matters. If you deliver your ISA 265 letter alongside the final audit report, the committee receives your deficiency observations at the same moment they’re approving the financial statements. They can’t act before approval. ISA 265.A13 says the communication should be timely enough for remedial action. Raise significant deficiencies when you find them during fieldwork.

Worked example: an ISA 260 communication for a Dutch mid-market client

Client scenario: Hendriksen Techniek B.V., a Dutch precision manufacturing company with €62M revenue, a supervisory board of four members (one of whom chairs the audit committee), and an IFRS reporting obligation. The company completed a small acquisition in the current year (€8M enterprise value) and has a material provision for an environmental remediation liability (€2.4M).

Step 1: Open with what changed in the audit approach and why

Instead of restating the same “responsibilities of the auditor” paragraph from last year, open the communication with the two matters that drove changes to this year’s audit scope. The acquisition introduced €3.1M in goodwill requiring an impairment assessment under IAS 36, and the remediation provision was remeasured using updated environmental consultant estimates.

Step 2: Report significant findings with specificity, not just conclusions

For the goodwill impairment assessment: state the discount rate management used (9.2%), the range you consider reasonable (8.5% to 10.5%), and the headroom at the selected rate (€1.8M). Note that at the upper end of the reasonable range, headroom drops to €0.4M. This gives the audit committee a concrete sense of how sensitive the conclusion is, without requiring them to read your IAS 36 workpaper.

Step 3: Communicate the ISA 265 deficiency in context

During testing of the acquisition’s integration, you identified that the acquired entity’s purchase order approval workflow was not aligned with Hendriksen’s approval matrix for the first four months post-acquisition. Six purchase orders totalling €47,000 were processed without the required secondary approval. The total is immaterial to the financial statements, but the deficiency is significant because the control gap existed for four months and affected a newly acquired subsidiary where fraud risk is elevated (ISA 240.A31).

Step 4: Close with the two-way communication prompt

End the letter with two specific questions for the audit committee, not a generic “please contact us.” Ask: “Has management communicated any additional concerns about the remediation provision estimate since our last meeting?” and “Are there any changes to the company’s risk appetite following the acquisition that you’d like reflected in next year’s audit scope?”

Your checklist for audit committee communications

1. Schedule an informal call between the engagement partner and the audit committee chair before you draft the ISA 260 communication. Use it to ask what the committee wants to hear about, and document the conversation.
2. Review last year’s ISA 260 letter. If you can swap the client name and reuse it, the letter isn’t specific enough. Every communication should reference at least two engagement-specific matters.
3. For every accounting estimate discussed in the communication, include the range of reasonable outcomes, management’s selected point within that range, and the sensitivity of the conclusion. ISA 260.16(a) is not satisfied by “we found management’s estimates reasonable.”
4. Deliver ISA 265 deficiency communications when you identify the deficiency during fieldwork, not at year-end. Timely delivery under ISA 265.A13 gives the committee time to request remediation before the financial statements are approved.
5. End every ISA 260 communication with at least one specific question for the audit committee. This satisfies the two-way communication objective under ISA 260.9 and produces audit evidence you can document.

Common mistakes in audit committee communication

• Using a template ISA 260 letter with no engagement-specific content. The FRC’s audit quality reviews have repeatedly flagged communications that are generic rather than tailored to the specific engagement. A letter that could apply to any client provides no governance value and doesn’t satisfy the spirit of ISA 260.16.
• Delivering the ISA 265 significant deficiency letter at the same time as the final audit report. ISA 265.A13 states the communication should be timely enough for those charged with governance to take remedial action. If you deliver it alongside the approved financial statements, the timing defeats the purpose.

Related content

Frequently asked questions

Further reading and source references

• ISA 260 (Revised), Communication with Those Charged with Governance: paragraphs 14–20 on required communications and two-way dialogue.
• ISA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management: paragraphs 9–10 on significant and other deficiencies.
• CAQ January 2026 Audit Committee Action Plan: eight priority topics for 2026 audit committees.
• BDO 2026 Audit Committee Priorities: management estimate challenge effectiveness data.
• EY 2026 Board Matters: AI governance and board agenda time allocation.
• PwC 2026 Audit Committee Guidance: informal communication best practices.
• Deloitte 2026 Audit Committee Priorities: cyber risk as a permanent agenda fixture.
• EU Audit Regulation (Regulation 537/2014): extended independence communication requirements for PIE audits.