In the Spirit of Improvement: Key Themes From Our Q2 2026 External Auditor Feedback Share Roundtables

Every year, External Auditors introduce new requests, priorities, and expectations. Some create new efficiencies; others create new challenges. Wouldn’t it be awesome if Internal Audit and SOX teams with the same External Auditor could compare notes, anticipate what’s coming, and share solutions?
I can tell you: It IS awesome, because that’s exactly what happens during the Internal Audit Collective’s ongoing External Auditor Feedback Share roundtables. We dedicate one quarterly roundtable to each Big Four auditor (EY, KPMG, Deloitte, PwC), enabling Collective members to share insights on new focus areas, guidance, pain points, leading practices, and success stories. Everyone is welcome, staff to CAE, no matter who your auditor is.
Below are key themes from our Q2 2026 share sessions. Because these groups are true “circles of trust,” all feedback and descriptions have been anonymized and generalized. (Note: Throughout, the standalone term “teams” refers to Internal Audit and SOX teams.)
Before proceeding, one massive caveat: This information represents individual teams’ perceptions, we don’t have context, and we aren’t suggesting that any practices are right or wrong. We share this information solely in a spirit of improvement, with the goal of helping External and Internal Audit teams communicate better, anticipate likely hurdles, and work together more effectively.
Overarching Themes Across the Big Four
1. AI and Automation Are Reshaping Audit Expectations and Increasing Documentation Requirements
Unsurprisingly, every Big Four auditor is perceived as placing increased emphasis on governance, human oversight, AI-enabled control requirements, and evidence/documentation.
- Several teams noted expanded documentation requests. For example, one team noted Deloitte’s increased scrutiny on Technology-Assisted Analysis (TAA) requirements, looking at how organizations govern and validate externally sourced information used in business processes and controls. While these areas were previously addressed through a SOC report or other standard documentation, Deloitte sought evidence similar to that required for key reports.
- One team shared that EY had asked them to consider:
- Separating AI controls into two areas, given different risks and testing approaches:
- Design-time controls, focusing on how the AI solution (in their case, a Gemini Gem prompt) is initially built and configured. These controls are tested once and then governed through change management.
- Run-time controls, focusing on the execution of the AI-enabled process. These controls require the control performer or reviewer to demonstrate that appropriate human in the loop (HITL) review and oversight occurred every time the control is performed.
- A new consideration: “human ON the loop,” which applies to companies using automated AI tools (in this case, a UiPath bot in scope for ITGCs) to independently validate AI outputs. This extra layer of oversight gives greater assurance over AI’s results and can reduce the level of effort for manual verification.
- Separating AI controls into two areas, given different risks and testing approaches:
- Several teams reported that KPMG seemed receptive to relying on AI-enabled controls, as long as traditional audit documentation (e.g., clear workpapers, evidence, documented parameters for AI-assisted testing) stays in place.
- Teams discussed PwC’s updated guidance around key report inventories, testing cadence, and governance, with multiple teams observing an increased focus on key reports governance and standardization.
- One team with EY as their External Auditor is currently working with them on a risk assessment to look at each material process individually and agree on the manual review that would be sufficient to give EY comfort.
2. Access Reviews, SOD, and Related ITGCs Are Getting More Scrutiny
Every Big Four Auditor was perceived as focusing on access reviews in ways they haven’t in the past.
- Especially at higher access levels (i.e., admins and other privileged users), they want to understand exactly what these users can and can’t do, sometimes doing deep dives into activity logs. They’re also looking for ITGCs across applications and tools where these users have direct access and change privileges.
- EY was seen by several teams as significantly increasing its focus on SOD and privileged access controls. EY appeared to be performing deeper reviews of code migration processes, code repositories, and the tools used to deploy changes, thereby bringing systems into scope that weren’t previously included. EY was also perceived as placing greater emphasis on non-human accounts, including password management and privileged access.
- Several teams observed that Deloitte was asking many more questions about access than in prior years. As one team shared, “Before, they asked zero questions… we would get a [vendor share count report] and would use that information and calculations and get zero questions. Now they’re asking, ’When you get this report, do you reconcile it?’ ’How do you know who has access to it?’ ’What format is it coming in?’ ’Do you have supporting documentation?’”
- Another team perceived that Deloitte started looking at SOD at a “more macro level… across the board, whereas we used to be able to nail it down on a control-by-control basis. So we would point to the controls in the design and say we assessed SOD within each control individually at the design level, but they wanted to see that macro assessment.”
Additional PwC Feedback Themes
Roundtable timing: 6.9.2026
1. Increasing Consensus on Three-Year Baselining of Key Reports
- In the Q1 2026 PwC feedback share, teams had shared that baselining/benchmarking protocols for key reports seemed to vary widely, possibly based on PwC partners’ varying preferences.
- Several teams now report being asked to baseline key reports on a three-year cycle.
2. Process Narratives Are Now Required
- One team reported that PwC’s new AI-enabled walkthrough tool requires process narratives. So whereas in the past, some processes were only shown in flowcharts, they now need to draft process narratives.
3. More Detailed Questions and Testing = AI?
In another theme also heard in the Q1 2026 PwC feedback share:
- One team perceived PwC as asking more detailed questions, often “out of left field,” that they suspected could be originating with an AI tool. While they emphasized that this was purely conjecture, the questions seemed to lack context and information that the team had provided to PwC.
- Another team plans to ask if PwC’s AI-enabled walkthrough tool is helping them draft their pre-walkthrough questions, because “some have been a little surprising.”
4. Walkthrough Recordings Are Sometimes Permitted (IF You Push)
- Several teams reported that they are not generally permitted to record calls when PwC team members are speaking. Some teams who’ve pushed the issue, however, say that PwC is now being less restrictive on walkthrough recordings. For example:
- One PwC team permits recordings if they are purged when walkthroughs are complete.
- Another PwC team allows Internal Audit to keep walkthrough recordings for a specified amount of time, provided a PwC Senior Manager (or someone more senior) is on the call being recorded. However, per their agreement, PwC can also opt out of a recorded call.
- A roundtable participant who is a PwC alumni shared that the firm’s guidance has shifted over the years.
- In recent years, it was strongly discouraged, but up to PwC partner preference.
- Interestingly, however, his organization now has PwC as an auditor — and that PwC team only allows recordings when they themselves are recording and retaining it. In that case, PwC reportedly cannot share the recording with the Internal Audit team.
5. Pragmatic, Risk-Based Audit Philosophy
- Many teams felt that PwC tailors its approach to focus on the right risks. For example:
- “We try to have the discussion around the actual risk we’re trying to address, rather than just adding another control because that’s what we’ve always done.”
- “PwC has generally been willing to focus on the areas that matter most from a risk perspective, rather than applying the same level of effort everywhere."
- “They’re generally willing to tailor the approach if you can demonstrate why the risk is low."
Additional KPMG Feedback Themes
Roundtable timing: 6.16.2026
1. Updated Sampling Methodology
Teams discussed KPMG’s updated sampling methodology, which introduces more granular sampling frequencies and (in some cases) reduces required sample sizes.
- One team noted that the revised guidance reduced sample sizes from 25 to 15 for many low-risk, ad hoc controls.
- Several teams reported aligning their sampling methodology with KPMG’s guidance to simplify coordination, avoid unnecessary testing, and facilitate reliance on External Audit procedures.
2. Highly Collaborative Audit Approach
Multiple teams described their relationships with their KPMG teams as very collaborative relative to other External Auditors they’d worked with. For example:
- “It was definitely night and day. We did find the KPMG team to be a lot more collaborative."
- “It’s a much more collaborative planning relationship… they’re not gonna tell you what to do, but they’re not gonna hide options from you.”
- “It has been very collaborative… KPMG does a really nice job of leading you to where you need to be without specifically telling you what you need to do."
3. Fee Increases Continue, Despite Reliance and AI Investments
- Some teams shared frustrations about fees. Multiple teams shared that while their audit committees or management had put pressure on KPMG to reduce fees — and KPMG was stating high reliance on Internal Audit’s processes, and touting efficiencies from its own use of AI — fees were still generally increasing.
- Teams said that KPMG’s responses have focused on two areas: (1) KPMG’s teams are still in the investment and learning phases with their AI tools, and (2) current efficiencies haven’t yet offset implementation costs, so financial benefits haven’t yet flowed through to audit clients.
4. The Jury’s Still Out on Control Sync
- Continuing another theme from the Q1 2026 KPMG feedback share, one team expressed frustration with KPMG’s new Control Sync technology, perceiving that it increased the burden on control owners.
- The tool requires detailed process-level information, reportedly requiring up to an hour to complete per process. The team felt the requests duplicated information already covered in the walkthroughs, effectively shifting documentation responsibilities from KPMG to control owners.
Additional EY Feedback Themes
Roundtable timing: 6.12.2026
1. Increased Focus on Inspectable Evidence for EAC Controls
In a theme noted in EY’s Q1 2026 feedback share, teams perceived that EY has more frequently stressed the need for “inspectable evidence” for their estimate at completion (EAC) controls:
- One team said that their EY team had mentioned that while they’d cleared a recent PCAOB inspection, “It was sometimes difficult to prove how they were comfortable based on the level of documentation we had, so they’re coming back after the inspection and asking for more.” EY has provided checklists, required risk register review, and requested more detailed notes.
- Another team stated, “We’re hearing the same thing… Folks are saying, ‘I can’t go hire 20 people just to take notes in these meetings’.”
2. Increasing Control Requirements for Meetings — But You CAN Record
- Several teams shared that EY’s increasing control requirements around their participation in meetings have led to internal pushback. For example:
- One team explained that her EY team now wants not only documentation of the meeting, but also evidence of follow-up, leading to management pushback.
- Other teams said that EY is increasing management review controls for any meetings in which EY is included. One reported that management is increasingly questioning why EY should be in the meetings.
- One team said they no longer invite EY to their meetings. They participate in EY’s meetings (e.g., walkthroughs) when invited.
- Teams validated, however, that EY’s policy has now reportedly been formally updated to allow Internal Audit to record meetings in which EY is participating.
3. Tightening Control Requirements
Several teams observed that EY also appears to be tightening their control requirements around acquisition controls for SOX and other areas.
- One team found that customizing EY’s standardized acquisition controls required significant effort, ultimately recommending that management adopt EY’s standard control language. They added, “It does feel like, in some of those instances, EY is coming in and saying, ‘You must do it exactly our way for us to be able to sign off’.”
- Another team said, “We had about 20 [controls], and we were trying to combine and consolidate it down. And we got a lot of pushback from management that it’s very particular working with EY on these acquisitions for material transactions. And because it’s a CAM, they did not have any appetite in trying to even go down the avenue. They wanted to keep them as they were, just because it was easier to work with the EY team.”
- Yet another team said, “I think it’s more than just SOX. It’s also for the financial audit. They tend to give us a lot of requirements, and you’re like, ’Hey guys, it’s not as risky as you think it is. I get that it’s a CAM, but here’s why it’s not as risky.’ But they still have to go through their checklist, and you have to meet each and every point of that checklist or you’re not in compliance.”
4. New Walkthrough Requirements
- Several teams observed that their EY teams had taken over running walkthroughs. Two teams reported that EY had been clear with them that they are required to lead the walkthroughs.
- Multiple teams shared that EY’s SLAs now require that they are provided with evidence at least 10 business days in advance of walkthroughs.
- Other teams said that EY is requiring Internal Audit to pre-review the uploaded documentation for completeness two weeks in advance.
Additional Deloitte Feedback Themes
Roundtable timing: 6.4.2026
1. Deeper Focus on SOC 1 Reports
In a continuing theme from the Q1 2026 Deloitte feedback share, several teams are still seeing an increased focus on SOC reports and IPEs. For example:
- Multiple teams perceived that Deloitte was deepening its focus on subservice providers’ SOC reports. But as one observed, “Where does it stop? Because then, if that subservice is using information, do they need to look even further? How far do you go?”
- One team — referring to reports from Towers Watson, CompuShare, and similar vendors — said that Deloitte now digs further into reports they’d never questioned in the past. For instance, they’re asking more specific questions about SOC report coverage, including whether and how SOC reports cover key reports.
2. Slow Controls Feedback
- Multiple teams shared frustrations about the time it takes for Deloitte to provide feedback on controls, perceiving that it takes several months for Deloitte’s feedback to proceed through all of the firm’s internal review levels.
- One team shared that they’d experienced a situation in which their Deloitte team had given good feedback — but then, months later, Deloitte’s national office raised questions that required Internal Audit to scramble right before their filing deadline.
3. Big Focus on ITACs
Several teams perceived that Deloitte’s methodology puts a significant focus on ITACs.
- For example, one team said that Deloitte was testing the resolution of individual ITACs, believing that ITAC monitoring review controls were not sufficiently precise.
- As another team put it, “We were drowning in ITAC testing this year.”
4. Fees Aren’t Decreasing Despite Reliance and AI — But Teams Are Hopeful
Teams stated that, in their experience, increased reliance and AI use was not leading to fee reductions. But they shared several examples of why they’re cautiously hopeful reductions are possible:
- One team said that Deloitte — though not reducing fees at this time — proposed a tiered approach to classifying controls: Tier A gets traditional robust testing, and Tier B gets increased use of analytics and reduced testing. Internal Audit tests controls as always, possibly at reduced sample sizes and rates, and the combination would allow them to do less in those areas. Deloitte reportedly indicated that if the organization implemented these changes, the reduced audit effort could result in a fee reduction year over year.
- Another team had attended a Deloitte University session demonstrating how the firm’s risk assessment methodology can offer organizations able to distinguish low-, moderate-, and high-risk areas the potential to reduce audit scope/fees. They also perceived that their new Deloitte partner was revisiting the scope of testing for some areas.
THE LAST WORD: Bring Your “A Game” to Improve Your External Audit Relationship
External Audit relationships are always evolving. But bringing your A Game will absolutely make a difference in how your audit runs. That’s why the Internal Audit Collective’s SOX courses are designed to help you do exactly that.
- To update and strengthen your knowledge of modern risk assessments, control design and testing, deficiency evaluation, GRC technology optimization, sign up for SOX BASE CAMP. This 16-CPE, 4-week course — FREE for all Internal Audit Collective members! — covers the fundamentals of SOX compliance while maintaining a strong focus on the evolving needs of modern SOX teams. The next program starts August 3, 2026, so register today.
- To develop your SOX leadership chops by improving your External Audit relationship, control design, testing skills, technology and analytics use, and more, sign up for SOX ACCELERATOR. This 16-CPE class focuses on helping SOX practitioners uplevel their SOX programs, careers, and relationships, combining expert how-to guidance and real-world peer discussions on leading a contemporary SOX program. The next program starts September 2, 2026, so register today.
Finally, if you aren’t yet attending our member-led Big Four Feedback Share roundtables, why not change that in Q3? Sessions will be scheduled soon, so keep an eye out for the announcements.

Recent Articles
Want to be updated as new blog posts are released? Subscribe to our newsletter.
Join 1K+ readers of The Enabling Positive Change Newsletter for tips, strategies, and resources to improve your approach to Internal Audit and SOX compliance.

