Key Themes from Q1 2026 External Auditor Feedback Share Roundtables
The Internal Audit Collective hosted quarterly roundtables for members to share insights and challenges regarding their external auditors (Big Four firms). This article summarizes key themes from the Q1 2026 sessions, highlighting common focus areas, methodology changes, and emerging issues perceived by internal audit and SOX teams. The goal is to foster better communication and collaboration between internal and external audit functions.
Insights from External Auditor Feedback Roundtables
The Internal Audit Collective facilitates quarterly roundtables where internal audit and SOX teams can anonymously share their experiences and perceptions regarding their external auditors, specifically the Big Four firms (PwC, KPMG, EY, and Deloitte). These sessions aim to identify common themes, new focus areas, and potential pain points, fostering a spirit of improvement and better collaboration between internal and external audit functions. The Q1 2026 roundtables revealed several recurring topics, offering valuable insights for audit professionals.
PwC and KPMG: Emerging Focus Areas and Methodological Shifts
For PwC, key themes included an increased scrutiny on management controls related to process-enabling technologies, with less focus on the technologies themselves if the underlying process remains human-in-the-loop. Teams also noted more detailed and granular questions, potentially driven by PwC's use of technology and AI, and a hesitancy around full-population testing due to concerns about uncovering minor issues that may not be control deficiencies. Inconsistencies in guidance for key report testing frequency and baselining were also highlighted. KPMG's feedback sessions revealed a heightened focus on tracking relevant data elements (RDEs), requiring labor-intensive mapping and testing. A perceived methodology change regarding deficiencies and look-back procedures means that even a late-year control failure might necessitate a full-year review. KPMG also showed an increased focus on third- and Nth-party controls, often requiring more SOC 1 reports from sub-providers, and a strict stance on IT risks and testing, making full-population testing challenging for internal teams.
EY and Deloitte: Documentation, Scope, and Sampling Changes
EY's roundtables indicated an increased focus on the control implications of bots and automation, particularly for SOX-critical application integrations. A significant theme was the demand for more "inspectable evidence," especially for IPE documentation, with some teams reporting conflicting messages on documentation standards. Several teams observed late-cycle scope changes, impacting audit coverage. Regarding meeting recordings, there was conflicting information, with some teams hearing that recordings are now permitted, while others still face strict prohibitions. Deloitte's sessions highlighted new guidance reportedly requiring statistical sampling for control testing, leading to last-minute adjustments for some teams. An increased focus on IPEs and SOC1 reports meant Deloitte questioned reliance on these, pushing for more internal procedures or deeper looks at entity-level controls. Deloitte also showed greater scrutiny on "park and post" controls, particularly how transactions can be changed after being parked. Conversely, Deloitte reportedly allows walkthroughs to be recorded, which teams found helpful in reducing follow-up questions.
Opportunities for Proactive Improvement
The overarching message from these roundtables is that challenges with external auditors should be viewed as opportunities for internal audit and SOX teams to proactively improve their communication, collaboration, and methodologies. By understanding the evolving focus areas and methodological changes of external auditors, internal teams can anticipate hurdles, enhance their processes, and ultimately strengthen their relationships and the value of their work. This proactive approach not only improves external audit reliance but also elevates the overall effectiveness of internal audit and SOX functions.
Read more