In the Spirit of Improvement: Key Themes From Our Q1 2026 External Auditor Feedback Share Roundtables

Every year, External Auditors bring new requests, insights, and focus areas. Some of them help us achieve efficiencies and better target Internal Audit and SOX efforts. Some, however, show up as unexpected challenges and new pain points.
Wouldn’t it be awesome if Internal Audit and SOX teams who share the same External Auditor could compare notes, helping them anticipate potential issues and share ideas for solutions?
I can tell you: It IS awesome, because that’s exactly what happens during the Internal Audit Collective’s ongoing External Auditor Feedback Share roundtables.
We dedicate one quarterly roundtable to each Big Four auditor (EY, KPMG, Deloitte, PwC), enabling Collective members to share their insights on new focus areas, guidance, pain points, leading practices, and success stories. Everyone is welcome, staff to CAE, no matter who your auditor is.
In case you’re not yet attending these roundtables, below are four key themes that arose from each of our Q1 2026 share sessions. Because these groups are true “circles of trust” — what happens at the roundtable, stays at the roundtable — all feedback is anonymous and all descriptions have been generalized. (Note: Throughout, the standalone term “teams” refers to Internal Audit and SOX teams.)
While focus areas run the gamut, noteworthy threads include an increased focus on third- and Nth-party controls, including IPEs; management review controls around process-enabling technologies; and tracking of key data elements. Teams also shared insights around new firm guidance or methodology changes and concerns about the impact of full-population testing.
Before we proceed, one massive caveat: This information represents individual teams’ perceptions, we don’t have context, and we aren’t suggesting that any practices are right or wrong. We share this information solely in a spirit of improvement, with the goal of helping External Auditors, Internal Auditors, and SOX teams communicate better, anticipate potential hurdles, and work together more effectively.
PwC Feedback Themes
Roundtable timing: 3.24.26
1. Focus on Management Controls Around Process-Enabling Technologies
- Teams perceived that PwC is often fine with how their organizations are internally implementing process changes to use enabling technologies, provided they can document how management review controls continue ensuring completeness and accuracy.
- PwC seems to be placing more scrutiny on management’s controls than the technologies themselves. If the use of enabling technology doesn’t change what’s being performed (only how it’s performed), it may be of less concern given the consistent human-in-the-loop.
2. Increasingly Detailed Questions/Rigor
- Teams perceived PwC asking more detailed questions, going deeper and getting more granular in certain substantive areas. Because questions tended to focus on substantive areas (not controls) and often arose late, teams theorized they may result from PwC’s increased use of technology and AI.
- Some teams noted that design-related questions tend to arise when new PwC team members join — and that in many cases, they’re directly asking management questions that ideally they should ask Internal Audit.
3. Hesitancy About Full-Population Testing
- Some teams expressed hesitancy about full-population sampling, given that it inevitably uncovers more failures. The worry is that External Auditors may seize on small issues that aren’t control deficiencies (as teams report PwC doing in some cases), becoming a clean-up exercise that doesn’t yield value.
- In other cases, however, PwC has taken a wider view, asking teams to assess full-population testing results in terms of how they impact the bigger picture of deficiency aggregation.
4. Varying Guidance on Key Report Testing Frequency and Baselining
- Teams reported that PwC’s key report testing guidance does not specify frequency, so frequency varies based on PwC partners’ individual preferences. As a result, expectations vary widely (e.g., three years, five years, no testing if teams can verify no changes). Some teams report having to frequently re-baseline key reports.
- Teams have also seen inconsistencies in benchmarking protocols. Some PwC partners say that baselining years must be the first year of benchmarking, while others allow the next year to be the first year of benchmarking.
KPMG Feedback Themes
Roundtable timing: 3.10.26
1. New Requests on Tracking Relevant Data Elements
- KPMG appeared to increase its focus and requests around identifying, tracking, and understanding the potential impacts of relevant data elements (RDEs) — specific, high-risk data points in reports that are used to verify controls’ accuracy, completeness, and validity.
- KPMG, stressing the potential domino effect impacts of ineffective RDEs, required some teams to undertake labor-intensive RDE mapping, walkthroughs, testing, and alignment.
- Teams expect all External Auditors’ RDE focus to grow — and become more challenging — as organizations introduce more automation, AI, and agents.
2. Methodology Change Around Deficiencies and Look-Back Procedures
- Teams perceived that KPMG’s methodology seems to have changed regarding deficiencies and look-back procedures.
- For example, in prior years, a team with a September operating effectiveness deficiency who’d had an effective test of design in April may have been permitted to ring-fence the ineffective period following the effective period.
- Now, KPMG may say that the ineffective September control requires lookback procedures for the entire year.
3. Increased Focus on Auditing Third- and Nth-Party Controls
- In an ongoing theme from prior quarters’ roundtables, teams noted a substantial increase in KPMG’s focus on third- and Nth-party providers. KPMG is sometimes requiring teams to obtain significantly more SOC 1 reports from sub-providers.
- In some cases, if SOC report timing is off, teams have been required to conduct more operational testing (e.g., pulling samples from third parties). Bridge letters have not sufficed.
4. Hesitancy About Full-Population Testing
- Teams perceived that KPMG does not allow for any deviation on its IT risks and testing, making full-population testing potentially problematic (e.g., in a case where a team found very few failures with a very low error threshold, KPMG still required additional procedures).
- Teams also reported feeling pressure from their audit committee to do more full-population testing because External Auditors have touted their 100% testing capabilities. Such expectations don’t always consider Internal Audit’s comparative resource limitations.
EY Feedback Themes
Roundtable timing: 3.26.26
1. Increased Focus on Use of Bots and Automation
- Teams reported that EY appears to be homing in on how bots and automations may create potential control weaknesses. In particular, teams perceived a focus on application integrations that are key for SOX.
- Teams have responded by enhancing their risk assessments and placing a greater focus on controls during bot/automation implementation.
2. Focus on IPE Documentation and Other “Inspectable Evidence”
- Teams perceived that EY has more frequently stressed the need for “inspectable evidence” across management review controls, e.g.:
  - Some teams reported needing to better align their estimate at completion (EAC) process and policies with EY’s documentation requirements.
  - One team indicated that EY has said they shouldn’t provide meeting invites as documentation, because EY teams reportedly can’t include them in their workpapers.
- In some cases, teams report that EY has identified control deficiencies in inspectable evidence, especially relative to IPE documentation.
- However, teams also report hearing conflicting messaging about IPE documentation standards. Some teams perceive that EY appears to have relaxed their standards (e.g., requiring less documentation unless files exceed Excel’s maximum record count), while other teams say EY continues to focus on record count.
3. Scope Changes
- While scope changes are common in any External Audit, some teams observed that EY made several scope changes late in the annual audit cycle.
- In some cases, the high number of scope changes caused EY to de-scope audits on payroll and revenue systems for the year.
4. Differing Messages on Meeting Recordings
- Previously, recording of meetings (e.g., walkthroughs) where EY is in attendance hasn’t been allowed, but some teams have heard that EY updated its firm guidance to permit the practice (though the policy will restrict what EY is permitted to say on recorded calls).
- Other teams, however, are still hearing strict prohibitions against recording walkthroughs when EY is present.
Deloitte Feedback Themes
Roundtable timing: 3.9.26
1. New Guidance Requiring Statistical Sampling
- Deloitte reportedly told several teams that new firm guidance now requires any sampling used in the performance of a control to be statistical sampling (versus judgmental sample selection).
- In some cases, compliance required last-minute heavy lifting for teams in the quarter prior to year end to avoid deficiencies (e.g., selecting/testing new samples, creating memos).
2. Increased Focus on IPEs and SOC1 Reports
- Several teams reported that Deloitte questioned reliance on SOC1 reports, requiring additional procedures. In these cases, Deloitte has pushed (1) management to do more around IPEs and/or (2) teams to look more deeply at internal or entity-level controls to mitigate management override.
- In some cases, teams were required to conduct walkthroughs and scope in testing for key service providers (e.g., financial services, software) to verify how management gains comfort over SOC1 reports’ complementary user entity controls (CUECs).
3. Increased Focus on “Park and Post” Controls
- Teams perceived that Deloitte placed greater focus on controls supported by “park and post” workflows during walkthroughs and validation procedures. (“Park” references when a transaction is saved as a draft, and “post” when it’s finalized and recorded.)
- In particular, teams noted that Deloitte seems newly focused on testing if/how transactions can be changed after they’ve been “parked.”
4. Permission Granted to Record Walkthroughs
- Deloitte guidance reportedly allows teams to record walkthroughs, with teams reporting that recordings may have helped them significantly reduce the number of questions year over year.
- In some cases, Deloitte itself was also recording walkthroughs. However, teams reported hearing that the practice requires Deloitte to obtain special internal approval.
THE LAST WORD: Challenges Are Also Opportunities to Improve
Just as any good Internal Audit and SOX team is always trying to improve its methodologies and approaches, any External Auditor is only doing the same. We’re all on a quest to be better.
That’s why it’s generally the better path to treat our External Audit-related challenges and pain points as targeted opportunities for proactively improving how we communicate, collaborate, and do our work.
After all, that’s the path not only to improving our External Audit relationships and reliance, but also to enhancing the value and relevance of our Internal Audit and SOX work.
Need some help accelerating on the path to proactive improvement? The Internal Audit Collective’s 16-CPE SOX Accelerator course offers a comprehensive blueprint for building and managing a modern SOX program, including a newly added module on improving External Audit reliance (led by Dave Lorence). The next program starts on May 13, 2026. Register today.


