As your company prepares for the FY2026 Sarbanes-Oxley (SOX) compliance cycle, now is the ideal time for Internal Audit teams to identify opportunities to improve efficiency, strengthen control precision, and enhance audit readiness.
This article, the third of a focused series, guides you through next steps so you can approach SOX compliance in 2026 with clarity and confidence.
Engage External Auditors Early
Meet with external auditors to discuss audit strategy changes, reliance expectations and prior‑year challenges. During the meeting, timelines, testing approaches and feedback regarding prior year’s testing should also be discussed and resolved. This is also a good time to discuss emerging focus areas, determine what is in-scope or should be de-scoped based on materiality, emerging risk areas and changes within the key SOX control process areas. Also, it’s a great idea to document notes during these meetings and what is agreed upon because these will be beneficial to both parties during the year.
Communicate Changes and Remediation Efforts
As internal auditors are made aware of SOX process area changes and remediation efforts from issues identified last year, conveying these changes and statuses are beneficial to have a successful SOX testing year. Examples of topics that should be communicated to external auditors early during the planning stage are:
- New systems or upgrades
- Process redesigns or automation
- New control owners or organizational changes
- Status of remediation efforts and updated timeline for resolution
Align on Evidence and Testing Standards
During the planning stage, it can be valuable for internal auditors and external auditors to pre‑agree on acceptable evidence types and documentation standards. This would also include Information Technology General Controls (ITCGs), key reports, interfaces and SOC report coverage. This is also a good time to coordinate walkthrough timing and participants, which should include external auditors.
Establish Clear Issue Escalation and Messaging
External auditors and internal auditors alike should be made aware of issues or potential issues as they arise. Defining the escalation thresholds and communication timing during planning will help alleviate the risk of miscommunication or delayed communication of any exceptions or issues. This includes messaging to management and the Audit Committee as well.
Bottom Line
Public company internal auditors who lead early, transparent, and risk‑focused alignment with external auditors can reduce rework, protect reliance and create a smoother SOX cycle.
Explore the rest of the series for more actionable insights:
- Strengthen SOX Compliance: FY2025 SOX Close Out and Lessons Learned
- Strengthen SOX Compliance: FY2026 SOX Scope and Risk Assessment
- Strengthen SOX Compliance: Balancing a Risk-Based SOX Program with External Auditor Needs
- Strengthen SOX Compliance: SOX IT General Controls and System-Dependent Controls
- Strengthen SOX Compliance: Third-Party Service Providers and SOC Reports
- Strengthen SOX Compliance: Implementing Continuous Auditing
- Strengthen SOX Compliance: Assessing the Risk Materiality of AI Enablement
- Strengthen SOX Compliance: How Internal Audit Supports Effective SOX Remediation
If you have questions about refining your SOX approach or want to discuss how to strengthen your internal processes, reach out to the Schneider Downs team at [email protected].
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
Explore our full Risk Advisory Service offerings or contact the team at [email protected].
