How SOX Is Changing in 2026

SOX teams feel it daily. The work, scope, scrutiny, and skills are changing. 

Today’s SOX status quo IS change, whether you’re talking about stakeholder expectations, regulatory standards, emerging and evolving risks, or technology, including AI’s world-shaking impacts.

That’s why it made perfect sense as the first topic for the Internal Audit Collective’s four-part Women in Leadership series. In our May 14, 2026, webinar, four high-powered SOX leaders, including moderator Alyssa Clarcq and panelists Stephanie Sydow, Meghana Jagdish, and Kendy Thompson, shared their insights on how SOX is changing and what their teams are doing to navigate.

1. SOX Teams Are “Bringing Along” External Audit on Their AI Journeys

This was one of the strongest recurring themes we heard. 

SOX teams are proactively talking with External Audit about AI use in both SOX and the overall business. 

They’re not necessarily seeking formal approval. But they are validating that documentation and evidence expectations align with External Audit standards. 

Explained Meghana, “We don’t ask the External Auditor to sign off on all the use cases. We're evolving the governance. We want to make sure the requirements we’re setting out are aligned with their standards before we get into testing, whether it be independent or reliance testing.” 

Our panelists called out several reasons:

• AI governance standards are still taking shape. At this time, COSO’s Achieving Effective Internal Control Over Generative AI is the only formal guidance. Big Four firms have not yet issued formal guidance on the topic, and PCAOB expectations are evolving. 
• Organizations’ AI governance lags far behind implementation. In particular, panelists cited concerns around evidence retention, access management, data privacy/security, monitoring, and non-deterministic outputs. 
• Misalignment could undermine External Audit confidence and reliance. Until formal guidance is available, your External Auditor is your best resource for understanding requirements around documentation, evidence, testing, human-in-the-loop, and other areas.

Said Kendy, “They have to opine on the sufficiency of the work we are doing as management in our SOX environment. So if we’re not testing in a way that gives them confidence that we are comfortable with our controls, I suspect they’ll have questions and challenges.”

Despite the ambiguity, these SOX teams are moving forward, implementing AI in SOX and establishing preliminary frameworks for understanding how SOX-relevant business controls are leveraging AI.

Implementing AI in SOX

Current SOX use cases largely focus on using AI in an assistive capacity (e.g., meeting summaries, walkthrough notes, newsletters, meeting decks, code analysis, sample selection, reporting automation, populating SOC 1 templates, first-draft test procedures and documentation, accelerating QA reviews). 

There were few examples of truly autonomous AI applications. Teams are weighing the risks and proceeding with caution. For example, Stephanie’s team is looking at potential opportunities for control automation where (1) a high number of manual transactions follow a repeatable process and (2) they can pinpoint applicable system configurations. 

• They green-lit an automated control around purchase order (PO) approvals. After putting a PO release strategy in the system and ensuring it aligned with corporate policy and levels of authority, they evaluated, “How comfortable are we that SAP is going to process those purchase orders against that strategy every single time?” Once they got comfortable, they shifted to the automated control.
• They’re still working toward an automated control for credit memo approvals. Said Stephanie, “Unlike the PO release strategy which is more straightforward, there’s some cleanup that we need to do within the credit memo workflow rules in SAP to make sure we’re comfortable with how things are being routed before we can test this as an automated control.”

Assessing SOX-Relevant Business Controls

SOX teams are establishing initial frameworks for inventorying and assessing AI use in controls. 

As Meghana put it, this primarily involves “using that risk mindset to ask the right questions, partner with legal, compliance, and IT, develop the right framework, and bring your External Auditor along on the journey.” 

To that end, our panelists’ SOX teams are:

• Asking targeted questions about AI use/reliance (e.g., IUCs, inspectable evidence, reproducibility, human-in-the-loop) during walkthroughs
• Sending control owners quarterly questionnaires inquiring about current/planned AI use
• For use cases relating to key controls, holding specific discussions with control owners about human-in-the-loop procedures
• Developing requirements documents around human-in-the-loop baseline standards
• Getting aligned with External Audit on all-of-the-above

As Kendy summarized, “We’re all kind of learning it together. They’re implementing tools; we're implementing tools. So it’s going to be important to stay in lockstep and have those conversations as our journeys proceed.”

2. SOX Teams’ Scope Is Expanding 

We keep coming back to this. 

SOX teams are increasingly expected to deliver value beyond traditional compliance. 

An impressive two-thirds of the SOX leaders polled during the webinar reported being asked to add value in operational, process, and technology audits. Another 17% pointed to ERM or connected risk initiatives, and 3% to “other.” Only 13% said they’re still 100% focused on SOX.

Our panelists’ SOX teams are no exception: 

• Kendy’s team is “moving away from being ‘just a PMO function’ to being a trusted advisor for our business areas” and “strengthening the bridge between business processes and IT.”
• Stephanie’s team “blurs the line between a second second and third line” via SOX and audit work. They evaluate controls and processes as well as assess, recommend, and advise on potential process improvements. For example, they’re currently “identifying approaches for common testing,” given they have multiple ERPs and can likely gain efficiencies for both IA and the business. They’re also putting themselves out there as a business partner, holding annual planning meetings and ad hoc discussions to identify opportunities to help. Said Stephanie, “We can be the eyes and the ears for other leaders in the company,” following up on issues they’re concerned about.
• Meghana’s team has formally split into two to enable its expanded focus:
  
  • The “readiness” team works with the business on initiatives that would come into scope in this fiscal year or the upcoming one. As the organization implements new systems and technologies, makes acquisitions, and plans other initiatives, they’re able to proactively identify and drive needed control changes. Explained Meghana, “This allows us to be a partner with the business and work with them on all the external audit requirements coming down the pipeline.” 
  • The “run-the-business” team, of which Meghana is a part, focuses on the “the day-to-day activities to keep the company compliant” and “moving the needle on maturing the program” (e.g., controls rationalization, automation, AI usage/governance).

In other words, SOX teams are increasingly being called to provide the business with advice before controls fail — rather than merely test controls and detect issues post-implementation. 

This expanding mandate requires teams to reduce their SOX execution burden (e.g., by automating repetitive tasks) to free up advisory capacity. Speaking of which…

3. SOX Programs Are Modernizing to Better Align Risk Coverage

Integration of SOX Transformation With Overall Business Transformation

Kendy framed it perfectly: “Like many companies, we’re going on a technology transformation journey — so what better time to explore opportunities for SOX?” To that end, they’re partnering with a Big Four firm (not their External Auditor) to support their modernization journey. 

Controls Rationalization That Improves Alignment 

Kendy’s team, working alongside its Big Four partner, is focused on “right-sizing the control framework, starting with control rationalization.” She explained, “We have a significant opportunity to bring down the level of effort and burden on the business by making sure we’re focused on the risks that matter most.” 

Kendy looks forward to arming her company Controller with the ability to tell the Audit Committee, “We’ve reduced the number of key controls, but we’ve actually expanded our risk coverage.”

Leveraging Technology to Improve Efficiency and Reduce Level of Effort

This isn’t new news to anyone. But the common themes are worth reiterating. 

For example, these SOX leaders described:

• Optimizing their GRC systems to make reporting more efficient and “real-time,” and less burdensome to SOX team members and control owners. 
• Identifying opportunities to shift from manual testing to automated controls testing.
• Experimenting with AI and automation tools to reduce manual testing while increasing coverage across broader populations.

4. SOX Leadership, Skills, and Team Development Are Evolving

How SOX team leadership and development are changing could be an entire article. For today, I’ll just share some of our panelists’ best pieces of advice: 

• “Soft skills” coaching is increasingly crucial. The younger generation of auditors are often very comfortable using technology to communicate — and less adept at face-to-face conversations. They need encouragement, practice, meaningful opportunities, and ongoing reinforcement of how important in-person communication is for conducting walkthroughs, understanding processes, and building relationships. “The conversations are where you add the most value. And when your stakeholders see you having that curious mindset, asking the right questions, and partnering with them, sponsorship becomes that much easier,” said Meghana.
• SOX teams should hire for "curiosity mindsets.” For example, Meghana’s team’s interview process now assesses whether applicants are able to think about emerging risks holistically, bringing curiosity and healthy skepticism. 
• Today’s control owners need continuous education. “We need to find the right balance between defending ‘this is why we need to do it’ and teaching them how the environment is changing — that there’s a lot more scrutiny in XYZ areas,” said Stephanie. To that end, her team continually educates control owners, including holding annual SOX kickoffs with reminders about control owners’ responsibilities and sharing relevant updates on changes in control requirements.
• Connected risk has become essential. The attitude used to be “that’s an IT issue” or “that’s Internal Audit’s problem.” But as Kendy stressed, “There is so much interconnectivity between business process and IT that we’re getting tactical and intentional on how we’re integrating those areas and making sure they know the impact one has on the other.” 

THE LAST WORD: What’s Your Next SOX Adventure?

Is your SOX team keeping up with the changes? In what areas do you need help or guidance? 

Choose your own adventure:

• I want a deep dive. All four of these amazing SOX leaders are graduates of the Internal Audit Collective’s SOX Accelerator program. The 16-CPE class — highly recommended by participants — combines expert how-to guidance and real-world peer discussions on leading a contemporary SOX program. The next program starts September 2, 2026, so register today. 
• I want more guidance about implementing AI in SOX. Volume II of our Gen AI Playbook is coming out in early June! With ready-to-implement AI prompts and detailed guidance — including implementation Dos and Don’ts, current perspectives on External Audit reliance, SOX personas to enable democratization of SOX across the business, and more, this eBook delivers a vision for how AI can help us reimagine the entire SOX process for the modern age. 
• I want to join THIS conversation. The Internal Audit Collective’s four-part Women in Leadership roundtable series will run through the summer, with a range of incredible Internal Audit and SOX leaders presenting on current topics. While we’re proud to feature women leaders in many of our classes, roundtables, and webinars, we started this series with the firm conviction that it’s always a fantastic idea to pass women the mic. Keep an eye out for the next session!
• I want something else. Is there a SOX-related discussion you want to be part of — or better yet, lead? Let me and Priscilla know! Most of the Internal Audit Collective’s events spin out of conversations exactly like this one. Why not start the next great SOX conversation? 

‍