As your company prepares for the FY2026 Sarbanes-Oxley (SOX) compliance cycle, now is the ideal time for Internal Audit teams to identify opportunities to improve efficiency, strengthen control precision, and enhance audit readiness.
This article, the second of a focused series, guides you through next steps so you can approach SOX compliance in 2026 with clarity and confidence.
SOX Risk Assessment Considerations
In preparation for FY2026 SOX, Internal Audit teams should perform a risk assessment to validate and update SOX scoping, as necessary. This assessment should consider:
Changes in Significant Accounts, Entities, or Locations
Internal Audit teams should review any organizational restructurings, acquisitions, or business unit realignments that have occurred in the year, as these may introduce previously unassessed risks or alter the scope of existing controls.
Updates to Materiality Thresholds
Materiality thresholds should be revisited on an annual basis, as company changes and operations could directly influence which accounts and processes qualify as “material” under SOX.
New or Modified Revenue Streams and Transaction Types
The launch of new products and services or entry into new markets can introduce additional control requirements, which may require additional in-scope processes, systems, and controls.
M&A Activity and Post-Integration Status
M&A activity and the status of post-integration efforts can create significant control gaps or redundancies; capturing these early through integration reviews and mapping exercises ensures effective risk mitigation and avoids audit surprises.
System Implementations, Upgrades, or Configuration Changes
These types of changes, ranging from ERP transitions to system implementations, require a reassessment of automated and manual controls, with particular attention to access management, change management, and data integrity.
Bottom Line
Taken together, these factors enable a targeted, risk-based approach that keeps your SOX program responsive and robust. Remember that the overall objective is to ensure that SOX coverage remains appropriately focused on areas of highest ICFR risk while avoiding unnecessary over-scoping.
Explore the rest of the series for more actionable insights:
- Strengthen SOX Compliance: FY2025 SOX Close Out and Lessons Learned
- Strengthen SOX Compliance: External Auditor Alignment
- Strengthen SOX Compliance: Balancing a Risk-Based SOX Program with External Auditor Needs
- Strengthen SOX Compliance: SOX IT General Controls and System-Dependent Controls
If you have questions about refining your SOX approach or want to discuss how to strengthen your internal processes, reach out to the Schneider Downs team.