6 Actionable Ideas to Help You Strengthen Your SOX Risk Assessment in 2026

Your SOX top-down risk assessment is foundational, helping you make sure your SOX program focuses on the risks that really matter.
It drives better scoping, stronger control design, and better alignment with External Audit.
But let’s face it: SOX risk assessments are often rinse-and-repeat. We don’t always take the time to understand where and how we can do better.
That’s exactly why Internal Audit Collective members convened an April 2026 roundtable (led by the wonderful Amanda Yervasi) to focus on sharing ideas for improving SOX risk assessments.
As roundtable participants shared, the standard model for conducting SOX top-down risk assessments is still dominant in many organizations. That approach typically includes:
- Setting planning materiality as a percentage of revenue or pre-tax income, with a haircut
- Analyzing disaggregated accounts (e.g., revenue streams) and breaking them down into processes
- Overlaying both qualitative and quantitative factors
- Relying heavily on prior-year scoping
- Refreshing annually or semi-annually
While this approach is stable and defensible, everyone seemed to agree: In today’s volatile risk landscape, SOX risk assessments could use a more dynamic and adaptive approach.
So how are leading SOX teams changing the game? Below are six top takeaways from the roundtable.
1. More SOX Teams Are Relying on Forecast-Driven Materiality
Instead of relying on prior-year actuals, several teams are using forecasting and planning numbers (e.g., EBITDA, pre-tax income [IBIT], revenue forecasts) to calculate materiality.
This type of forward-looking approach can be especially useful when a company’s business model is changing, products or services have been discontinued, or revenue is volatile. The goal is to make sure materiality reflects the likely impact of those scenarios rather than last year’s results. For example, as one SOX leader pointed out, if revenue drops by $100M, materiality shrinks, and accounts that were out of scope could come into scope.
2. Qualitative Factors Are Increasingly Driving Scoping Decisions
Nowadays, materiality thresholds aren’t necessarily the primary lever impacting scope. Instead, roundtable participants shared several examples of SOX team and External Audit scoping decisions being driven by qualitative rather than quantitative factors.
- Teams may scope out larger areas based on qualitative arguments around historical stability, low business impact, or process isolation. For example, citing a low likelihood of material impact, SOX leaders were able to scope out small revenue streams or fixed asset categories (e.g., capital, computers) that otherwise met quantitative thresholds.
- Teams may scope in smaller areas due to business relevance (e.g., sensitive or business-critical areas), prior issues (e.g., material weaknesses, significant deficiencies), or risk signals in key areas (e.g., AI, fraud, cybersecurity).
3. Technology, Culture, and Strategy Risk Are Coming Into Focus
Indeed, roundtable participants noted that SOX risk assessments are starting to consider qualitative factors around emerging and/or less familiar risk areas such as:
- AI usage and governance — Leading SOX teams are working toward entity-level controls. Roundtable participants agreed that such controls are likely necessary.
- Cybersecurity exposures
- Data integrity
- Management integrity (i.e., were misstatements or errors intentional/fraudulent or simply mistakes?)
- Strategic alignment
- Reputational risk
4. Assertion-Level Risk Assessment Can Have a Big Impact
One SOX leader generously shared his team’s leading-practice approach to analyzing disaggregated accounts during materiality calculations. The exercise can help SOX teams strengthen their rationale for descoping areas or reducing controls. In brief:
- Map financial statement assertions to disaggregated accounts.
- Link to specific risks. As the SOX leader put it, “What’s really at risk? Where is the risk of material misstatement present? Is it just presentation and disclosure? Is it completeness? Is it valuation allocation? As we go through that, it helps us beef up our argument to say, here's how we analyze this account. Here's what management's view is of the risk of material misstatement.”
- Link to controls. How is the risk mitigated (e.g., entity-level control, transaction-level control)?
- Rationalize controls. List controls down the left-hand side of the page and risks across the top. Where they intersect, mark the controls as either preventive or detective. Then, assess where controls are redundant, out of balance, or missing.
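The matrix step above can be made mechanical. As an added illustration (not something shared at the roundtable or taken from any participant's program), the Python script below lays out controls down the left and assertions across the top, marks each intersection P (preventive) or D (detective), and then flags the three conditions the SOX leader describes: assertions with no control (missing), assertions mitigated by only one control type (out of balance), and controls whose every cell is already provided by another control (redundant). The control IDs, descriptions, and coverage are hypothetical sample data constructed for the example.

```python
"""Risk/control matrix check for one disaggregated account (added example).

Controls down the left, financial statement assertions across the top, each
intersection marked 'P' (preventive) or 'D' (detective). The functions below
flag missing coverage, out-of-balance coverage, and redundant controls.
"""
from typing import Dict, List, Set

# Assertions across the top of the matrix.
ASSERTIONS = ("existence", "completeness", "valuation", "cutoff", "presentation")

# Constructed sample data: control IDs, descriptions and coverage are
# hypothetical and do not come from any real SOX program.
MATRIX: Dict[str, Dict[str, str]] = {
    "REV-01 three-way match before invoice release": {"existence": "P", "valuation": "P"},
    "REV-02 monthly revenue-to-cash reconciliation": {"existence": "D", "completeness": "D"},
    "REV-03 ERP duplicate-invoice block": {"existence": "P"},
    "REV-04 disclosure checklist review": {"presentation": "D"},
}


def validate(matrix: Dict[str, Dict[str, str]]) -> None:
    """Reject cells that name an unknown assertion or a type other than P/D."""
    for control, cells in matrix.items():
        for risk, ctype in cells.items():
            if risk not in ASSERTIONS:
                raise ValueError(f"{control}: unknown assertion {risk!r}")
            if ctype not in ("P", "D"):
                raise ValueError(f"{control}: type must be 'P' or 'D', got {ctype!r}")


def coverage_by_risk(matrix: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """For each assertion, the set of control types ('P'/'D') that address it."""
    validate(matrix)
    coverage: Dict[str, Set[str]] = {risk: set() for risk in ASSERTIONS}
    for cells in matrix.values():
        for risk, ctype in cells.items():
            coverage[risk].add(ctype)
    return coverage


def missing_risks(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Assertions with no control at all."""
    coverage = coverage_by_risk(matrix)
    return [risk for risk in ASSERTIONS if not coverage[risk]]


def out_of_balance_risks(matrix: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Assertions covered only preventively or only detectively."""
    coverage = coverage_by_risk(matrix)
    return {risk: next(iter(types)) for risk, types in coverage.items() if len(types) == 1}


def redundant_controls(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Controls whose every (assertion, type) cell another control also provides.

    Such a control adds no unique coverage and is a candidate for reduction;
    a control with even one unique cell is kept. A control mapped to no
    assertion at all is vacuously redundant.
    """
    redundant = []
    for name, cells in matrix.items():
        others = [c for other, c in matrix.items() if other != name]
        if all(any(o.get(risk) == ctype for o in others) for risk, ctype in cells.items()):
            redundant.append(name)
    return redundant


def render(matrix: Dict[str, Dict[str, str]]) -> str:
    """Plain-text version of the matrix, controls down the left, '-' for no control."""
    width = max(len(name) for name in matrix)
    header = " " * width + "  " + "  ".join(a[:6].ljust(6) for a in ASSERTIONS)
    rows = [header]
    for name, cells in matrix.items():
        rows.append(name.ljust(width) + "  " + "  ".join(cells.get(a, "-").ljust(6) for a in ASSERTIONS))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(MATRIX))
    print("missing:       ", missing_risks(MATRIX))
    print("out of balance:", out_of_balance_risks(MATRIX))
    print("redundant:     ", redundant_controls(MATRIX))
```

On the sample data the script reports cutoff as missing, completeness, valuation and presentation as covered by only one control type, and REV-03 as redundant because REV-01 already provides a preventive control over existence. The output is the starting point for the argument, not the conclusion: a "redundant" control may still be kept for operational reasons, and an out-of-balance assertion may be acceptable where the single control is strong.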
5. Proactive Pushing Can Improve External Audit Alignment
The status quo for most SOX teams is to let External Audit lead the way on scoping decisions. And while practices obviously vary across engagement teams, many External Auditors don’t share their metrics, materiality calculations, and key controls with SOX teams.
That’s why some SOX leaders are being more proactive, leading and challenging External Audit’s scoping decisions and pushing for greater transparency. They are…
Pushing External Auditors to Align on Key Controls
“It’s super important to get your auditors on board and push them to give you a little bit more, because if they have something key and you have it non-key, it’s not gonna work,” said one SOX leader of her Big Four auditor. She explained, “While they don’t really share their full look, per se, they will look at our key controls and say where they’re different. So they’ll say, ‘this is key,’ ‘that’s not key’.”
But she continued, “It’s better to always have more controls than them — versus less — because if they find something, we’re trying to play catch-up.”
Asking for External Audit’s Feedback on SOX Materiality Calculations
One SOX leader, who characterizes his External Auditor’s approach as “semi-transparent,” reported that his SOX team and External Auditor have stayed pretty closely aligned on materiality calculations over the past several years. While External Audit won’t share their documents, they will sit in a conference room with the SOX team, look at their calculations, and provide feedback.
He observed, “Having a very strong working relationship with your audit team — especially at that manager-director-partner level — that's when you get things done, that's when you can make movement on de-scoping things, deficiency evaluations, all those types of things.”
Challenging External Auditors on Scoping Decisions
One SOX leader pushed back when External Audit wanted to scope out a material revenue stream, requesting their rationale. The External Auditor ultimately explained the qualitative factors informing the decision: the stream had different controls, no prior issues, and made up only 1% of total revenue, so they were comfortable that descoping it wouldn’t affect the company from a SOX perspective. The explanation helped the SOX leader understand the decision and align the team’s materiality calculations.
Another SOX leader — working in a young company in a developing industry — regularly stands up for her company’s uniqueness. “We’re trying to shift the mindset of our External Auditors that, just because that’s the way you do it for everyone else, it doesn’t mean that’s the way we’re going to do it here.”
And as another leader put it, “Sometimes the [External] Auditors will look for you to make decisions, and they’ll follow you.”
More Frequent Communications, Helping Both Parties Be More Proactive
One SOX leader holds monthly touchpoints with External Audit while also communicating in real time regarding the SOX team’s scope changes and risk assessment updates. This approach enables the External Auditor to proactively adjust its own planning.
She explained, “When we do the refresh, they're aware of it, and we share with them what changes and indicators we’re seeing. I think they’re also following some of those trend lines when they do our quarterly evaluations, because sometimes they'll ask me about something before I let them know we're making a change.”
6. Tone at the Top Matters for SOX Stakeholder Engagement
This takeaway isn’t surprising. But I still think it’s worth noting.
Depending on the organization, leadership engagement around SOX can be wildly different.
- One SOX leader reported that the audit committee doesn’t want to hear or talk about SOX unless there’s a problem, and that even the CFO and CAO want only summary-level reporting (i.e., year-over-year change analysis). The attitude is, “Just get it done.”
- Several SOX leaders reported that boards and executive leadership are primarily interested in noteworthy “wins” (e.g., scoping reductions), key issues or changes, and justifications for increasing SOX work or External Audit fees.
- Another SOX leader, however, has deep conversations with her board about the SOX program’s potential impact to the organization and individual stakeholders. They’re tuned in on how risks are emerging and changing, asking probing questions about how the SOX program is adapting.
In all scenarios, these tireless SOX teams are undoubtedly delivering value. But as one roundtable participant called out, tone at the top is critical for driving engagement. “If you don’t have your CFO and CEO saying that SOX is important, people aren’t going to prioritize it.”
THE LAST WORD: Take Your SOX Risk Assessment to the Next Level
If this article resonated with you, there are plenty of ways you can join the conversation.
- Join a SOX-focused roundtable discussion. This group meets quarterly; we also hold one-offs on specific topics, like our May 27, 2026, AMA on UAR (user access review) and SOD (segregation of duties) considerations.
- Sign up for SOX Accelerator. This course equips SOX leaders — or soon-to-be SOX leaders — with the expert strategies and peer support to help them uplevel their programs. The course alternates expert-led presentations with peer roundtable discussions, providing a great balance of technical instruction and real-world insights. The next program starts May 13, 2026.
- Post your SOX question in the Internal Audit Collective. We have a dedicated discussion space where collective members share their challenges, questions, templates, and samples.
I’ve said it before, and I’ll say it again: Leaning into SOX is a proven path to building stronger stakeholder relationships, improving your team’s reputation, and gaining trusted-advisor status in your organization. What are you waiting for?


