May 19, 2026 · Section 404 Deep Dive
The PCAOB QC 1000 enforcement window opens December 15. ITGC deficiencies are still the top finding category. Cybersecurity controls are formally inside ICFR scope. Here's what your audit committee needs to know now.
Your weekly briefing on SOX enforcement, internal controls, and what it means for your compliance program. All enforcement data sourced from SEC.gov, PCAOB.org, and verified legal databases. Nothing in this issue constitutes legal advice.
What changed: Prior to March 2026, SOX cases were handled by generalist enforcement attorneys juggling securities fraud, disclosure violations, and dozens of other matter types. Now there's a team whose entire job is internal controls and certification accuracy. That specialization historically correlates with higher case volume within 12–18 months of launch.
Archer-Daniels-Midland's $40M settlement with the SEC involved, in part, failures in intersegment transaction accounting controls — a Section 404 story. It put multi-segment registrants on notice: intercompany controls are no longer a rounding error in the enforcement calculus.
Bottom Line
The SEC SOX Group is now operational. PCAOB enforcement is maintained despite budget cuts. Companies with gaps in their Section 404 documentation have a narrowing window to self-correct before scrutiny increases. Q3 2026 is the window.
The PCAOB absorbed a 9.4% budget reduction in 2026 — but enforcement staffing was explicitly protected. Inspection findings are taking longer to finalize in some cases, but the enforcement pipeline has not slowed.
2024 inspection cycle results (published early 2025): Overall engagement deficiency rates dropped from 46% (2023) to 39% (2024) for large accelerated filers. That's the first meaningful improvement in three years. The PCAOB called it encouraging. They also called 39% unacceptably high.
The top three deficiency categories have barely moved in six years:
Section 404 is the most operationally demanding part of SOX compliance. Section 404(a) requires management to assess ICFR effectiveness. Section 404(b) requires external auditor attestation (for accelerated and large accelerated filers). Two new standards are reshaping both.
What it is: The PCAOB's QC 1000 is a comprehensive new quality control standard for registered audit firms. It replaces a patchwork of legacy QC standards and requires firms to implement a functioning Quality Management System (QMS) — with documented risk assessment, monitoring, and remediation processes — by December 15, 2026.
If your external auditor hasn't implemented QC 1000 by December 15, 2026, they're exposed to PCAOB disciplinary proceedings that could include suspension of registration. A suspended firm cannot issue ICFR attestation opinions. That's your Section 404(b) opinion.
What to ask your auditor — now:
Audit committees should include QC 1000 readiness as a standing agenda item through Q3 2026.
What it is: PCAOB AS 2901 is a modernized materiality standard, effective for fiscal years ending on or after December 15, 2026. It formally codifies how auditors must determine and document materiality thresholds in ICFR audits.
The key change: Auditors must now document the basis for both quantitative and qualitative materiality thresholds at the engagement level — not just at the financial statement level. The standard of "materiality from the perspective of a reasonable investor" is the operative benchmark.
If your ICFR scope has historically been set by a purely quantitative materiality number, expect that conversation to get more nuanced.
These five patterns appear in PCAOB inspection findings with near-clockwork regularity. If your program has gaps in any of these areas, you're walking into the same territory inspectors are already targeting.
Three structural changes to the ICFR landscape are in effect now. Most internal audit and compliance teams are behind on all three.
Controls you now need in your ICFR inventory:
Note: A SOC 2 Type II from your SaaS ERP vendor does not substitute for ICFR documentation. You must document and test your own complementary controls.
AI tools are being used inside finance functions at a majority of larger companies — for journal entry drafting, contract review, variance analysis, account reconciliations. The PCAOB hasn't issued formal AI guidance yet, but 2025–2026 inspection findings have begun citing inadequate controls over AI-assisted processes as a contributing factor in review control deficiencies.
Current best practice (KPMG, EY guidance, 2025–2026):
• Maintain a formal inventory of all AI tools used in financial reporting processes
• Establish human review controls over any AI-generated output feeding financial statements
• Apply change management controls to AI model updates — including vendor-side model version updates
• Ensure data inputs to AI tools are subject to the same access and integrity controls as your underlying financial data
The framework doesn't exist yet in formal standards. That's not a reason to wait.
The industry-wide shift from traditional sample-based testing (25–60 transactions per control) toward continuous monitoring architectures is accelerating. ERP platforms (SAP S/4HANA, Oracle Fusion, Workday) now natively export control operation logs. GRC platforms (AuditBoard, Workiva, ServiceNow GRC) support automated population pulls.
What this means in practice: For key automated controls, management should document and retain control operation logs for the full fiscal year — not just for the testing window. Auditors are increasingly requesting full population data rather than samples for automated controls. If your evidence retention processes were designed for sampling, they're likely insufficient for a continuous monitoring approach.
ITGC failures propagate upward. If access management or change management controls are unreliable, every automated control that depends on them is questionable. Four ITGC failure patterns show up repeatedly in fast-scaling technology and fintech companies:
A company in 2026 might have SAP as the ERP, Workday for HR/payroll, Snowflake as the data warehouse, and Salesforce as the revenue sub-ledger source — each with separate user provisioning processes. The classic failure: terminated employee access is removed from the primary ERP within 24 hours, but persists in downstream SaaS applications for weeks.
Fix: Implement centralized Identity Governance and Administration (IGA) that automates de-provisioning across all in-scope systems on HR termination trigger. This is now a baseline expectation for large accelerated filers.
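One way to evidence this control, and to detect the failure described above before an inspector does, is a reconciliation of the HR termination feed against the active-account export of every in-scope system. The script below is an added example, not the briefing's own material or any vendor's tooling; the system names follow the stack named above, while the employee ids, dates, account statuses and the 24-hour removal window are constructed for the example.

```python
"""Cross-system de-provisioning reconciliation.

Added example, not from the briefing. It compares an HR termination feed
against active-account exports from each in-scope system and flags accounts
still active after the removal window. System names follow the briefing's
example stack; employee ids, dates and the 24-hour window are constructed.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed HR termination feed: employee id -> termination date.
HR_TERMINATIONS: Dict[str, date] = {
    "E1001": date(2026, 3, 2),
    "E1002": date(2026, 3, 15),
    "E1003": date(2026, 4, 1),
    "E1004": date(2026, 4, 29),   # terminated yesterday: still inside the window
}

# Constructed account exports as pulled on EVIDENCE_DATE: system -> {employee id: status}.
# An employee absent from an export is treated as already removed.
ACCOUNT_EXPORTS: Dict[str, Dict[str, str]] = {
    "sap_erp":    {"E1001": "disabled", "E1002": "disabled", "E1003": "disabled", "E2000": "active"},
    "workday":    {"E1001": "active", "E1002": "disabled", "E1003": "active", "E1004": "active", "E2000": "active"},
    "snowflake":  {"E1001": "active", "E1003": "disabled", "E2000": "active"},
    "salesforce": {"E1002": "active", "E2000": "active"},
}

EVIDENCE_DATE = date(2026, 4, 30)          # date the exports were pulled (constructed)
REMOVAL_WINDOW = timedelta(days=1)         # assumed 24-hour de-provisioning requirement


def find_orphaned_access(terminations: Dict[str, date],
                         exports: Dict[str, Dict[str, str]],
                         evidence_date: date = EVIDENCE_DATE,
                         window: timedelta = REMOVAL_WINDOW) -> List[Tuple[str, str, int]]:
    """Return (system, employee_id, days_past_deadline) for every terminated
    employee whose account is still active after the removal window.
    Sorted so the report is stable from run to run."""
    exceptions = []
    for system, accounts in exports.items():
        for emp, term_date in terminations.items():
            if accounts.get(emp) != "active":
                continue                      # absent or disabled counts as removed
            deadline = term_date + window
            if evidence_date > deadline:
                exceptions.append((system, emp, (evidence_date - deadline).days))
    return sorted(exceptions)


def summarize_by_system(exceptions: List[Tuple[str, str, int]]) -> Dict[str, int]:
    """Exception count per system: shows which downstream apps lack the HR trigger."""
    return dict(Counter(system for system, _, _ in exceptions))


if __name__ == "__main__":
    found = find_orphaned_access(HR_TERMINATIONS, ACCOUNT_EXPORTS)
    for system, emp, days in found:
        print(f"{system:<10} {emp} still active {days} days past de-provisioning deadline")
    print("exceptions per system:", summarize_by_system(found))
```

Run against real exports, the per-system summary is the useful output: a system with a non-zero count is one the HR termination trigger does not reach, which is exactly the gap a centralized IGA integration is meant to close. The same reconciliation, re-run monthly and retained, doubles as operating-effectiveness evidence for the control.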
Many companies deploy changes to financial applications weekly or daily via CI/CD pipelines. Their documented change management controls describe a legacy change advisory board process that no longer matches operational reality. The documented control is functionally fictitious.
Fix: Update your controls documentation to reflect the actual deployment pipeline. Embed controls in the pipeline itself — automated approval gates, required peer review, segregation between developers and deployment keys — rather than documenting a manual process that isn't happening.
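Once the controls live in the pipeline, the deployment records themselves become the test population. The script below is an added example, not from the briefing or any GRC product: it evaluates each deployment record of a financial application against four pipeline-embedded controls (independent peer approval, deployer identity distinct from the author, automated gates passed, a linked change record). The control ids CM-1 to CM-4, the record fields and the sample deployments are constructed for the example.

```python
"""Operating-effectiveness test of pipeline-embedded change controls.

Added example, not from the briefing. The control ids, field names and
deployment records below are constructed; a real run would read the same
fields from the CI/CD system's deployment history.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed control labels for the report (not from any standard).
CONTROLS = {
    "CM-1": "at least one approval from a reviewer other than the author",
    "CM-2": "deployment identity (key owner) differs from the change author",
    "CM-3": "automated pipeline gates (tests, scans) passed before deploy",
    "CM-4": "deployment linked to an approved change record",
}


@dataclass(frozen=True)
class Deployment:
    change_id: str
    author: str
    approvers: Tuple[str, ...]
    deployed_by: str            # identity bound to the deployment key
    gates_passed: bool
    change_record: Optional[str]


# Constructed deployment history for one financial application.
DEPLOYMENTS: List[Deployment] = [
    Deployment("CHG-1001", "dev.ana", ("dev.ben",), "ci-deployer", True, "FIN-4411"),
    Deployment("CHG-1002", "dev.ben", ("dev.ben",), "ci-deployer", True, "FIN-4412"),  # self-approved
    Deployment("CHG-1003", "dev.ana", ("dev.ben",), "dev.ana", True, "FIN-4413"),      # author used own key
    Deployment("CHG-1004", "dev.cho", ("dev.ana",), "ci-deployer", False, "FIN-4414"), # gates bypassed
    Deployment("CHG-1005", "dev.cho", ("dev.cho",), "ci-deployer", True, None),        # no record, self-approved
]


def evaluate_deployment(dep: Deployment) -> List[str]:
    """Return the ids of the controls this deployment failed (empty list = clean)."""
    failed = []
    if not any(a != dep.author for a in dep.approvers):
        failed.append("CM-1")
    if dep.deployed_by == dep.author:
        failed.append("CM-2")
    if not dep.gates_passed:
        failed.append("CM-3")
    if not dep.change_record:
        failed.append("CM-4")
    return failed


def exceptions_report(deployments: List[Deployment]) -> Dict[str, List[str]]:
    """Full-population result: change id -> failed control ids, exceptions only."""
    report = {}
    for dep in deployments:
        failed = evaluate_deployment(dep)
        if failed:
            report[dep.change_id] = failed
    return report


def effectiveness_rate(deployments: List[Deployment]) -> float:
    """Share of deployments that passed every control."""
    clean = sum(1 for d in deployments if not evaluate_deployment(d))
    return clean / len(deployments) if deployments else 1.0


if __name__ == "__main__":
    for change_id, failed in exceptions_report(DEPLOYMENTS).items():
        for cid in failed:
            print(f"{change_id}: {cid} failed ({CONTROLS[cid]})")
    print(f"deployments passing all controls: {effectiveness_rate(DEPLOYMENTS):.0%}")
```

CM-2 is the "segregation between developers and deployment keys" point from the fix above, expressed as a test: when the identity that holds the deployment key is also the author of the change, the separation exists on paper only. Because the evaluation runs over every deployment rather than a sample, the same script produces the evidence the documented control describes.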
Automated batch processes (end-of-day feeds, intercompany eliminations, currency translations) run without human intervention. Companies document that "batch job failures trigger an alert email to the IT operations team." But they cannot evidence that those alerts were reviewed and responded to throughout the year. The control exists in the document. It doesn't exist in practice.
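The gap described here is an evidence gap, and it is the same gap the continuous-monitoring point above makes for automated controls generally: the population has to cover the whole year, and every exception in it has to show a response. The script below is an added example, not from the briefing; it joins three constructed evidence sources (a scheduler log, an alert-mailbox export, a ticketing export of acknowledgements), classifies each failed run, and reports the months of the fiscal year for which no run records were retained. Job names, run ids, user ids, the log format, the 4-hour response requirement and the fiscal-year bounds are all assumptions made for the example.

```python
"""Full-population evidence check for a batch-job failure alert control.

Added example, not from the briefing. The scheduler log format, alert and
acknowledgement exports, job names, run ids, response requirement and
fiscal year below are constructed for the example.
"""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List

# Constructed scheduler log: one line per batch run (format invented here).
RUN_LOG = """\
2026-01-05T02:00:11 job=ic_elimination run=7781 status=SUCCESS
2026-01-06T02:00:09 job=ic_elimination run=7782 status=FAILED rc=12
2026-01-06T02:00:14 job=fx_translation run=7783 status=FAILED rc=3
2026-01-07T02:00:10 job=ic_elimination run=7784 status=SUCCESS
2026-02-02T02:00:12 job=fx_translation run=7801 status=FAILED rc=3
"""

# Constructed alert-mailbox export: run id -> time the failure alert was sent.
ALERTS_SENT = {"7782": "2026-01-06T02:01:00", "7783": "2026-01-06T02:01:05"}

# Constructed ticketing export: run id -> (acknowledged_at, owner).
ACKS = {"7782": ("2026-01-06T03:30:00", "ops.lee"),
        "7783": ("2026-01-07T09:00:00", "ops.kim")}

RESPONSE_SLA = timedelta(hours=4)                 # assumed response-time requirement
FY_START, FY_END = date(2026, 1, 1), date(2026, 12, 31)   # assumed fiscal year
LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) run=(?P<run>\d+) status=(?P<status>\S+)")


def parse_runs(log: str) -> List[dict]:
    """Parse every run line into a dict; lines that do not match are skipped."""
    runs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        runs.append(rec)
    return runs


def evaluate_failures(runs: List[dict], alerts_sent: Dict[str, str],
                      acks: Dict[str, tuple], sla: timedelta = RESPONSE_SLA) -> Dict[str, str]:
    """Classify each FAILED run: ok, late_ack, no_ack, or no_alert.
    Anything other than ok is an exception the control owner must explain."""
    results = {}
    for r in runs:
        if r["status"] != "FAILED":
            continue
        sent, ack = alerts_sent.get(r["run"]), acks.get(r["run"])
        if sent is None:
            results[r["run"]] = "no_alert"
        elif ack is None:
            results[r["run"]] = "no_ack"
        else:
            elapsed = datetime.fromisoformat(ack[0]) - datetime.fromisoformat(sent)
            results[r["run"]] = "ok" if elapsed <= sla else "late_ack"
    return results


def months_without_evidence(runs: List[dict], fy_start: date = FY_START,
                            fy_end: date = FY_END) -> List[str]:
    """Months of the fiscal year with no retained run records at all: the
    retention gap a full-population request from the auditor would expose."""
    seen = {(r["ts"].year, r["ts"].month) for r in runs}
    missing, (y, m) = [], (fy_start.year, fy_start.month)
    while (y, m) <= (fy_end.year, fy_end.month):
        if (y, m) not in seen:
            missing.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return missing


def effectiveness(results: Dict[str, str]) -> float:
    """Share of failures that were alerted and acknowledged within the SLA."""
    return sum(1 for v in results.values() if v == "ok") / len(results) if results else 1.0


if __name__ == "__main__":
    runs = parse_runs(RUN_LOG)
    outcome = evaluate_failures(runs, ALERTS_SENT, ACKS)
    for run_id, verdict in sorted(outcome.items()):
        print(f"run {run_id}: {verdict}")
    print(f"timely response rate: {effectiveness(outcome):.0%}")
    print("months with no retained evidence:", months_without_evidence(runs))
```

Run on the constructed data, one failure was handled within the window, one was acknowledged a day late, and one never generated an alert at all; the retention check also shows that only two months of the year are evidenced. Both findings are the kind an inspector reaches when the control exists in the document but the year's logs were never kept.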
Cloud vendors push automatic version upgrades and feature rollouts outside your change management process. Most companies have no controls to assess whether vendor-initiated changes affect ICFR-relevant functionality. This is an emerging inspection focus.
Fix: Subscribe to vendor release notes. Document a risk assessment for each significant vendor release. Re-test automated controls when relevant system functionality changes.
Pick the three SaaS platforms most critical to your financial reporting (likely your ERP, FP&A tool, and revenue/billing system). For each:
| Date | Who | What |
|---|---|---|
| June 3, 2026 | Smaller fintech filers | Reg S-P smaller entity relief expires — 27-day window to remediate data protection gaps that intersect with ICFR scope |
| ~Aug 10, 2026 | Large accelerated filers | Q2 10-Q filing deadline (~40 days after June 30 period end). Section 302 certifications required. |
| ~Aug 14, 2026 | Non-accelerated filers | Q2 10-Q filing deadline (~45 days after June 30 period end). |
| Dec 15, 2026 | All accelerated filer audit firms | PCAOB QC 1000 enforcement window opens. Firms without compliant QMS face registration consequences. |
| Nov 30, 2027 | Registered PCAOB firms | Form QC annual quality report first filing (for year ending December 15, 2026). |