Following is my latest article in The CFO’s Edge series on “Preparing for 2026 SOX: A CFO’s End to End Playbook for Controls, Disclosure, and Assurance”. This is part of an ongoing series that includes pre-recorded webinars and articles. I’ll have content for all sizes of public and private companies. Let me know your ideas.
Over the course of my career with PwC, Deloitte, and now SingerLewak, I’ve focused not only on delivering strong project outcomes for CFOs, but also on sharing meaningful value through in-person CFO gatherings, benchmarks, webinars & articles. These events have featured speakers from Nasdaq, Donnelley, law firms, venture capitalists, and CFOs.
I’ve had the privilege of supporting hundreds of CFOs with best practices and internal controls, and I’m excited to share insights from that experience.
I’d love to tailor future content to your preferences—whether that’s longer live webinars for CPE credit, in-person networking events, recorded short-form webinars, or articles. Just let me know what works best for you.
Eric Weis
Eric is a Partner leading SingerLewak’s Internal Audit, SOX, & Risk Services practice. He has more than 25 years’ risk consulting experience including advising CFOs on risk & controls, designing SOX controls for many global corporations and startups, internal audit leadership & co-sourcing, internal control design & best practices, IPO readiness, external audit, enterprise risk management, regulatory audits, contract compliance, IT governance & best practices, ERP controls, and corporate governance. Eric has served in various leadership roles for the Big-4 and internal audit including national technology industry leadership & regional leadership for internal audit services.
Preparing for 2026 SOX: A CFO’s End-to-End Playbook for Controls, Disclosure, and Assurance
Executive Summary (What to get done by Q4-2026, and why it changed)
CFOs heading into the 2026 reporting cycle face a convergence of pressures that extend well beyond “classic” ICFR: (1) the external audit environment is shifting under PCAOB modernization (including the postponement of the new QC 1000 quality-control regime to Dec 15, 2026), alongside stepped-up 2025 inspection priorities that emphasize technology use (including AI), crypto, and firm culture; (2) SEC cybersecurity rules are now “operational” and clarified—tightening 8-K decisioning and documentation; and (3) new accounting disclosures (segments, income taxes, and—if applicable—crypto assets) require fresh data pipelines and control design. Meanwhile, sustainability disclosure drivers remain live even amid federal uncertainty: California’s SB 253/SB 261 deadlines land in 2026, ISSB S1/S2 adoption is accelerating globally, and the EU’s CSRD calendar shifted but still draws many U.S. multinationals into limited assurance and double-materiality readiness. All of this sits alongside the NIST CSF 2.0 pivot to governance, which reinforces that cyber is enterprise risk—an expectation audit committees are already internalizing.
What’s at stake for SOX? In 2026, your SOX scope and testing cadence will need to cover: (a) control implications of new FASB disclosures (ASU 2023-07 segments; ASU 2023-09 tax; ASU 2023-08 crypto) that begin hitting annual and interim filings in 2025–2026; (b) faster, better-documented 8-K materiality judgments for cyber incidents; (c) sustainability data and processes where state, EU, or global-baseline rules require public reporting and (in some cases) assurance; and (d) auditor expectations sharpened by PCAOB inspections and a refreshed quality-control standard going live during your 2026 year-end audit cycle.
1) The SOX Core: What “Good” Looks Like for 2026
Re-center SOX on risk, speed, and evidence. By 2026, the burden isn’t just having controls—it’s evidencing timely, risk-based execution that stands up to more probing inspection of technology-enabled procedures and management review controls. PCAOB’s 2025 inspection plan prioritizes engagements with higher going-concern risk, M&A complexity, IT-sector control challenges, crypto exposure, and the use of technology (including GenAI)—all of which will influence how your auditor scopes, tests, and evaluates deficiencies in 2026. Build this lens into your SOX scoping memos now.
Entity-level and ITGCs must evolve with the business. Expect inspectors (and your auditor) to challenge whether 2025–2026 business changes (shared service centers, cloud migrations, vendor shifts, new AI uses) were reflected in updated risk assessments, ITGCs (access, change, computer ops), and the design of key automated and interface controls. PCAOB staff flagged multi-location scoping, aggressive materiality, and over-reliance on tools as recurring execution pitfalls—CFO teams should pre-empt them with evidence-rich planning files and refreshed management review controls (MRCs) that show precision, thresholds, and follow-up.
Audit committee expectations are rising. Survey work from the CAQ/Deloitte shows audit committees continue to elevate cybersecurity, ERM, and finance/internal-audit talent—so CFO briefings should link SOX coverage to those top risks, not just to “financial statement assertions.”
2) External Audit Landscape: What Will Feel Different in Your 2026 Audit
QC 1000 is postponed a year—but the bar is higher. PCAOB postponed the effective date of QC 1000, A Firm’s System of Quality Control, to Dec 15, 2026. The text didn’t change; firms can early adopt portions. Practically, you should still anticipate auditor process changes (e.g., engagement acceptance, independence, EQCR rigor). This can affect timing and PBC lists in late 2026—build buffer into your close calendar.
NOCLAR expansion stalled (for now). The controversial proposal to expand auditors’ responsibility for noncompliance with laws and regulations (NOCLAR) has been on hold, with next actions listed for 2025 and beyond. While not a 2026 rule, the debate has already nudged focus on illegal-acts procedures—expect more probing questions and audit-committee dialogue on compliance programs.
Inspection priorities will shape auditor behavior. PCAOB’s 2025 priorities emphasize high-risk sectors, technology use, crypto, critical audit matters, and firm culture—themes likely to persist into 2026. Audit committees received suggested question lists; align your materials to those prompts to reduce friction.
3) SEC Cybersecurity Rules: Embed Them Into ICFR + DCP
The rule is settled; the practice is maturing. The SEC’s 2023 cyber rule requires an Item 1.05 Form 8-K within four business days after the registrant determines that an incident is material (the clock starts at the materiality determination, not at discovery, but the determination itself must be made without unreasonable delay); CorpFin’s May 2024 statement clarified that Item 1.05 is for material incidents only, and that voluntary or non-material disclosures should use Item 8.01 to avoid confusing investors. Build a documented decision tree, escalation SLAs, and a contemporaneous memo process (counsel-led).
C&DIs clarify ransomware and insurance. June 2024 guidance confirmed that ransomware events can be material even if paid and “resolved,” and insurance coverage doesn’t obviate materiality if there are meaningful operational/brand/long-term effects—codify these factors in your materiality framework and incident tabletop exercises.
SOX impact: These are disclosure controls & procedures (DCP) topics, but they cascade into ICFR via ITGCs (identity, logging) and management review controls that assess incident impact on estimates, cut-off, and contingencies.
4) Accounting Disclosure Changes That Reshape SOX in 2026
Segments—ASU 2023-07. Public entities must disclose significant segment expenses regularly provided to the CODM, effective for fiscal years beginning after Dec 15, 2023 (calendar-2024 annual reports) and for interim periods within fiscal years beginning after Dec 15, 2024 (calendar 2025), applied retrospectively. This requires re-mapping CODM packages to external reporting, plus new controls over segmentation, allocations, and MRC precision.
Income taxes—ASU 2023-09. PBEs must expand rate reconciliation categories and disclose cash taxes paid by jurisdiction for annual periods beginning after Dec 15, 2024 (i.e., 2025 calendar years). Many tax departments will need new sub-ledgers and reconciliations; CFOs should schedule a dry-run in 2025 to avoid a 2026 scramble.
Crypto assets—ASU 2023-08. If you hold in-scope crypto, measurement switches to fair value through earnings (effective annual periods beginning after Dec 15, 2024). Controls must address market data, principal-market selection, price hierarchy, and presentation.
5) Sustainability & Climate: What Will Actually Matter in 2026
Federal SEC climate rule—status check. The SEC adopted climate-related disclosure rules in March 2024 but voluntarily stayed them pending litigation, and in March 2025 voted to withdraw its defense in the consolidated Eighth Circuit case. As of mid-2025, the Court placed the case in abeyance and later ordered the SEC to either renew its defense or pursue rulemaking changes, creating prolonged uncertainty. Translate that into a “monitor but don’t pause readiness” stance.
California is not waiting: SB 261 (risk) and SB 253 (GHG).
- SB 261 requires a biennial public climate-related financial risk report for companies with $500M+ revenue “doing business” in CA; first reports due Jan 1, 2026. CARB’s draft checklist (Sept 2025) aligns minimums with TCFD/IFRS S2, allows qualitative scenario discussion, and will open a public docket Dec 1, 2025 for report links. Build governance, risk mapping, and disclosure-control flows now.
- SB 253 requires annual Scope 1 & 2 emission disclosures starting 2026 (covering FY 2025 data) and Scope 3 beginning 2027 (within 180 days of S1/S2). CARB workshops in Aug 2025 signaled a June 30, 2026 deadline for S1/S2 and a phased-assurance path (limited, then reasonable). Controls must be SOX-like: data lineage, approvals, evidence, and auditor-readiness.
ISSB S1/S2 global baseline is moving. IFRS S1/S2 are effective for periods beginning on or after Jan 1, 2024, and multiple jurisdictions are adopting or aligning (e.g., Australia, Brazil, Japan, Singapore, Canada). U.S. parents with global listings, debt, or operations may feel “indirect” assurance and timing impacts—coordinate data models and governance across regions.
EU CSRD: delays, but U.S. groups still in scope later. The EU’s 2025 “Omnibus/Stop-the-clock” steps postpone some waves and raise scoping thresholds; non-EU groups with €150M+ EU turnover are now expected to start reporting around FY 2028, not 2026. EFRAG also exposed simplified ESRS in mid-2025. If you have significant EU activity, use 2026 for double-materiality pilots and data-quality remediation.
COSO ICSR is your blueprint for controls over non-financials. COSO’s 2023 ICSR guidance maps the 2013 COSO framework to sustainability reporting processes—use it to bring finance-grade discipline (risk assessment, control design, monitoring) to CA climate reports and any global baseline reporting.
6) Cyber Governance & NIST CSF 2.0: Why It Matters to SOX
NIST CSF 2.0 makes “Govern” a core function. The February 2024 update expands scope to all organizations, elevates governance (roles, accountability, supply chain) and strengthens alignment with enterprise risk. Practically, that means your SOX/DCP narratives should reference a cyber governance process that’s timely, documented, and integrated with escalation and 8-K materiality, especially for third-party incidents.
Audit committees are already there. Cyber is consistently a top priority in CAQ/Deloitte surveys, and the SEC’s rule has accelerated board expectations for speed, rigor, and consistency between what you disclose and the program you operate. Make sure your finance, CISO, legal, and IR teams run a joint “dry run” by Q1-2026.
7) A Quarter-by-Quarter 2026 CFO Readiness Plan
Q4-2025 → Q1-2026: Design and scoping
- Refresh the 2026 SOX risk assessment for new disclosure rules (segments/tax/crypto), cyber 8-K process, California climate reporting, and any ISSB/CSRD overlap for foreign subs. Tie each to controls and evidence you’ll need by mid-year.
- Operationalize SEC cyber decisioning (workflow, clock-start triggers, counsel memos, board notification, Item 1.05 vs 8.01 playbook).
- SB 261: finalize governance, select framework (TCFD or IFRS S2), and prepare a web-published risk report meeting CARB checklist; stage your Dec 1, 2025–Jul 1, 2026 docket posting plan.
Q2-2026: Build & test
- SB 253: deliver Scope 1 & 2 with June 30, 2026 target (for FY 2025 data). Lock the GHG methods and evidence trail; if using third-party platforms, test user access, change controls, and audit logs like you would for SOX apps.
- Segment & tax disclosures: run “pre-close” test packs and retrospective segment disclosures, and validate your tax cash-paid roll-ups by jurisdiction; document management reviews with clearly defined precision/thresholds.
- Rehearse 8-K cyber incident decisions with tabletop scenarios involving ransomware and insured losses; confirm documentation meets C&DI expectations.
Q3-2026: Operate & monitor
- Perform SOX interim testing, including controls over sustainability data if subject to CA assurance. Confirm contingency plans with your external auditor as firms implement process changes ahead of the QC 1000 effective date.
- Audit committee: deliver an aligned update across SOX, cyber, and ESG—mirroring PCAOB’s suggested oversight questions and the CAQ/Deloitte priority set.
Q4-2026: Close & attest
- Validate that year-end ICFR evaluations incorporate judgmental areas intensified by 2025–2026 volatility (impairment, inventory valuation, tax estimates) and that any disclosed incidents or control weaknesses are consistent with 10-K risk-factor and MD&A language. PCAOB inspections will examine these linkages.
8) Controls You’ll Likely Need (and Auditors Will Expect to See)
1) Cyber incident materiality control: a documented, repeatable, counsel-reviewed process with criteria, inputs (operational, financial, reputational), timestamps, and decisions archived; separate branches for Item 1.05 vs 8.01.
2) Segment disclosure MRCs: evidence that the CODM package aligns to external segment metrics and that significant expenses are complete and accurate across periods (retrospective consistency).
3) Tax disclosure data pipeline: jurisdictional cash-tax data with reconciliations, policy memos for thresholds (≥5%), and governance over late-posted payments/refunds.
4) Crypto FV controls (if in scope): principal-market assessment, price source governance, price-testing tolerances, and presentation reconciliations separate from other intangibles.
5) GHG data lineage (SB 253): inventory boundary definition, emission factor governance, management review of anomalies, change logs, and archive retention to support phased assurance.
6) Sustainability risk report (SB 261): framework selection disclosures, scope boundaries, qualitative scenario discussion (if used), and clear statements of what is and isn’t covered in this cycle.
7) NIST CSF 2.0 governance overlay: role definitions, cyber risk register, and supply-chain risk management aligned to enterprise risk and reporting cadence.
9) Managing Auditor Friction in 2026
Start the “PBC Day 0” conversation early. Explain to your audit team how you’ve integrated cyber 8-K decisioning, segment/tax changes, and CA climate pipelines into controls and monitoring. Reference PCAOB 2025 priorities and your MRC precision levels; this will signal readiness on the issues they’re under the most pressure to inspect.
Anticipate engagement-quality and independence questions. Even though QC 1000 becomes effective in Dec 2026, many firms are “early-operationalizing” aspects. Expect deeper queries on specialists, technology tools, and shared service centers—prepare your documentation accordingly.
10) CFO One-Pager for the Audit Committee
- Cyber: The SEC clarified that Item 1.05 is for material incidents only; we’ve implemented an attorney-led materiality protocol and can support rapid 8-K decisions.
- Segments & Taxes: We’re adopting ASU 2023-07 and ASU 2023-09—control enhancements are live; dry run complete; retrospective segment data validated.
- Sustainability: We will publish an SB 261 risk report by Jan 1, 2026 and deliver SB 253 Scope 1–2 by June 30, 2026; assurance-readiness controls are in place.
- Audit Outlook: PCAOB inspections emphasize tech, crypto, and culture; our SOX plan addresses these themes; we expect adjustments as firms transition to QC 1000.
11) KPIs and “Early Warning” Dashboards to Run in 2026
- Close Timeliness + Late Adjustments (by segment) to catch data breaks introduced by new disclosures.
- Cyber incident timer (detection → materiality decision → draft 8-K) with variance flags vs. the 4-business-day rule.
- Jurisdictional cash-tax completeness vs. treasury ledgers and payment hubs to feed ASU 2023-09 disclosures.
- GHG data completeness (emissions sources covered vs. boundary) and assurance findings aging.
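An added example (not from the article, and not SingerLewak’s tooling): a small Python implementation of the cyber incident timer KPI above, the same clock that sits behind the Item 1.05 materiality control in section 8 and the Q1-2026 decisioning workflow in section 7. It counts the four-business-day window the way Form 8-K deadlines are counted (the determination day itself is day zero; weekends and any supplied holidays are skipped) and emits a variance flag per incident. The ten-business-day internal SLA for reaching a materiality determination, the three incident records, the `as_of` date and the holiday date are all constructed for illustration; the SEC rule sets no numeric deadline for the determination itself, only that it be made without unreasonable delay, so the SLA is a company-chosen threshold.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Item 1.05 clock: the 8-K is due within four business days after the day on which
# management determines the incident is material.
FILING_WINDOW_BUSINESS_DAYS = 4
# Assumed internal SLA (not a regulatory number): business days from detection within
# which the materiality determination should be reached.
DECISION_SLA_BUSINESS_DAYS = 10


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Date n business days after `start`; the start day itself is not counted
    (a Monday determination is due Friday). Weekends and any supplied holidays are
    skipped; no holiday calendar is built in, the caller supplies one."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


def business_days_between(start: date, end: date, holidays=frozenset()) -> int:
    """Business days elapsed after `start` up to and including `end`."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            count += 1
    return count


def item_105_deadline(decided_on: str, holidays=()) -> str:
    """Filing deadline (ISO date) for a materiality determination made on `decided_on`."""
    hol = frozenset(date.fromisoformat(h) for h in holidays)
    return add_business_days(date.fromisoformat(decided_on),
                             FILING_WINDOW_BUSINESS_DAYS, hol).isoformat()


@dataclass(frozen=True)
class IncidentClock:
    incident_id: str
    detected: datetime
    materiality_decided: Optional[datetime] = None  # None: no determination yet
    draft_8k_ready: Optional[datetime] = None       # None: draft not yet circulated


def clock_status(inc: IncidentClock, as_of: datetime, holidays=frozenset()) -> dict:
    """One dashboard row: time to decision, filing deadline, and a variance flag."""
    row = {"incident_id": inc.incident_id, "hours_to_decision": None,
           "deadline": None, "flag": None}
    if inc.materiality_decided is None:
        waited = business_days_between(inc.detected.date(), as_of.date(), holidays)
        row["flag"] = ("DECISION_OVERDUE" if waited > DECISION_SLA_BUSINESS_DAYS
                       else "DECISION_PENDING")
        return row
    row["hours_to_decision"] = round(
        (inc.materiality_decided - inc.detected).total_seconds() / 3600, 1)
    deadline = add_business_days(inc.materiality_decided.date(),
                                 FILING_WINDOW_BUSINESS_DAYS, holidays)
    row["deadline"] = deadline.isoformat()
    if inc.draft_8k_ready is not None:
        row["flag"] = "DRAFT_ON_TIME" if inc.draft_8k_ready.date() <= deadline else "DRAFT_LATE"
    elif as_of.date() > deadline:
        row["flag"] = "FILING_OVERDUE"
    elif business_days_between(as_of.date(), deadline, holidays) <= 1:
        row["flag"] = "AT_RISK"
    else:
        row["flag"] = "ON_TRACK"
    return row


# Constructed sample data for illustration (not real incidents or a real holiday calendar).
SAMPLE_HOLIDAYS = frozenset({date(2026, 3, 9)})
SAMPLE_INCIDENTS = [
    IncidentClock("INC-1", datetime(2026, 3, 2, 9, 0),
                  datetime(2026, 3, 4, 16, 0), datetime(2026, 3, 6, 11, 0)),
    IncidentClock("INC-2", datetime(2026, 3, 3, 8, 0), datetime(2026, 3, 6, 17, 30)),
    IncidentClock("INC-3", datetime(2026, 2, 10, 22, 15)),
]


def run_dashboard(as_of: datetime = datetime(2026, 3, 12, 9, 0),
                  incidents=SAMPLE_INCIDENTS, holidays=SAMPLE_HOLIDAYS) -> dict:
    """Rows keyed by incident id, ready for a dashboard or an audit-evidence export."""
    return {r["incident_id"]: r for r in (clock_status(i, as_of, holidays) for i in incidents)}


if __name__ == "__main__":
    for row in run_dashboard().values():
        print(row)
```

With the sample data, INC-1 lands as DRAFT_ON_TIME (decided Wednesday March 4, due Wednesday March 11 once the constructed March 9 holiday is skipped), INC-2 is AT_RISK with one business day left before its March 13 deadline, and INC-3 is DECISION_OVERDUE because no determination has been recorded 21 business days after detection. Feeding the rows into the dashboard, and archiving them with the counsel memos, gives the auditor the timestamped evidence the Item 1.05 control in section 8 calls for.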
12) Training & Change Management
- Train control owners on materiality documentation for cyber (include counsel) and on retrospective disclosure mechanics for segments.
- Up-skill tax teams on rate-rec categories, jurisdictional cash-tax roll-ups, and narrative requirements.
- Cross-train sustainability/data teams on COSO ICSR and SOX-style evidence expectations ahead of limited assurance.
13) Ten Common 2026 Pitfalls (and How to Avoid Them)
1) Confusing 1.05 vs 8.01 filings → Adopt a written decision matrix; rehearse it.
2) Segment disclosure mis-alignment between CODM reports and external numbers → Reconcile and evidence CODM package mapping.
3) Under-estimating cash-tax data complexity → Stand up a jurisdictional data model early; perform a live Q3-2025 dry-run.
4) GHG scope creep / poor evidence → Freeze boundary definitions; lock methods; retain change logs and approvals.
5) Assuming SEC climate is “dead” → Maintain readiness; monitor litigation and potential re-proposal.
6) Not linking NIST CSF 2.0 to DCP/ICFR → Add a governance section to your SOX narrative with roles, cadence, and supply-chain risk.
7) Minimal AI governance in finance → Document AI use cases, data controls, and override supervision—PCAOB is watching technology use.
8) Crypto holdings without FV controls → Implement pricing governance and fair-value hierarchies; separate presentation.
9) Late engagement with auditors on QC changes → Agree on PBCs and timing, expecting more rigorous EQCR and independence checks.
10) Ignoring global baseline pressure → If you operate in adopting jurisdictions, align with ISSB and watch EU ESRS simplification.
14) Board & Committee Briefing Template (Slides you can lift)
- Slide 1—2026 SOX risk map: ICFR + DCP + ESG assurance, anchored to PCAOB priorities and disclosure changes
- Slide 2—Cyber 8-K readiness: Decision tree, timer metrics, and counsel-reviewed memos; status vs. tabletop outcomes.
- Slide 3—Segments & Taxes: Retrospective segment disclosures; rate-rec category governance; cash-tax data model status.
- Slide 4—Sustainability path: SB 261 publication plan; SB 253 S1/S2 timeline/assurance; global baseline/CSRD watch.
- Slide 5—Audit outlook: QC 1000 timing and what it means for our year-end audit; how we align to inspection themes.
15) The CFO’s Bottom Line for 2026
- Controls: Treat cyber materiality, segment expense identification, cash-tax disaggregation, and GHG data as SOX-caliber processes.
- Disclosure cadence: Shorten time-to-evidence across SEC 8-Ks, segments/tax notes, and CA climate reports; document judgments.
- Assurance readiness: Even where federal climate rules are uncertain, state and global regimes (CA/ISSB/EU) continue to build assurance expectations; put COSO ICSR to work.
- Audit dynamics: Expect a tougher, tech-aware audit and plan for QC 1000 era expectations during your 2026 year-end.
Appendix A — Reference Timelines You Can Share Internally
- ASU 2023-07 (Segments): annual periods for fiscal years beginning after 12/15/2023; interim periods within fiscal years beginning after 12/15/2024; retrospective application.
- ASU 2023-09 (Income Taxes): PBEs, annual periods beginning after 12/15/2024.
- ASU 2023-08 (Crypto): fiscal years beginning after 12/15/2024, including interim periods within those years.
- SEC Cyber Rule: Item 1.05 for material incidents; use 8.01 for voluntary/non-material.
- SB 261: First risk report due Jan 1, 2026; CARB docket opens Dec 1, 2025.
- SB 253: S1/S2 due June 30, 2026 (covering FY 2025); S3 begins 2027 (within 180 days); phased assurance.
- ISSB S1/S2: Effective for reporting on or after 1/1/2024; adoption expanding across jurisdictions.
- EU CSRD: Omnibus/Stop-the-clock delays later waves; non-EU groups expected by FY 2028; ESRS simplification in process.
- PCAOB QC 1000: Effective Dec 15, 2026.
- NIST CSF 2.0: Released Feb 26, 2024; new Govern function; emphasis on supply chain.
Sources (selected highlights)
PCAOB: QC 1000 postponement; 2025 inspection priorities.
SEC Cyber: Director Gerding’s statement; C&DIs update.
FASB: ASU 2023-07 (segments), ASU 2023-09 (tax), ASU 2023-08 (crypto).
California CARB/SB 253/SB 261: deadlines, draft checklist, workshop updates.
ISSB & EU CSRD: jurisdictional adoption momentum; EU Omnibus/Stop-the-clock and ESRS simplification.
COSO ICSR (2023) and NIST CSF 2.0 (2024).
Conclusion
SOX compliance is not just a regulatory hurdle—it’s a strategic advantage. By starting early and building a scalable, risk-based framework, CFOs can ensure their companies are IPO-ready and equipped for long-term success in the public markets. With the right tools, governance, and mindset, organizations can transform SOX from a compliance burden into a value-driving initiative.