SOX Under Two Watchdogs: What the SEC's New Enforcement Group and Revised PCAOB Standards Mean for Internal Controls
CovaCtrl
Regulatory pressure on SOX compliance is increasing from two directions at once. In March 2026, the SEC established a dedicated enforcement unit focused specifically on SOX violations, while the PCAOB simultaneously amended its core integrated audit standards. Together, these two developments redefine what sufficient evidence of a well-designed and operating control looks like — and who will be checking.
What Is the SEC's New SOX Enforcement Group?
The SEC's Division of Enforcement established a dedicated SOX Group in March 2026 to investigate and litigate violations of auditing and professional standards. The unit emerged partly in response to reductions in PCAOB enforcement capacity. Where the PCAOB previously held primary responsibility for investigating audit misconduct, the SEC is now filling that gap directly.
For public companies, this is a meaningful shift. Enforcement attention is no longer directed at audit firms alone. Internal control failures that produce material misstatements or contribute to audit deficiencies now sit within a more active enforcement lens.
Why Were the PCAOB Audit Standards Amended?
Alongside this new enforcement unit, the PCAOB amended two foundational standards: AS 2201 (the integrated ICFR audit standard) and AS 2101 (audit planning). Both changes take effect for audits beginning on or after December 15, 2026.
The amendments formalise a stricter top-down, risk-based approach to internal control over financial reporting. External auditors must now begin at the financial statement level, assess entity-level controls first, and work downward through significant accounts and relevant assertions. The effect is that auditors will be more selective — and more demanding — in the evidence and documentation they accept.
How Do These Two Developments Interact?
Taken separately, either development would be notable. Together, they create a compounding effect.
Organisations that have relied on light-touch documentation or inconsistently performed controls will find both pressures converging at once.
What Does This Mean for Internal Control Owners?
The practical implication is that control documentation needs to close the gap between what is designed and what is actually performed. The amended PCAOB standards ask external auditors to follow a risk-based path from the top down. Auditors will be evaluating whether entity-level controls genuinely reduce the risk of material misstatement — not just whether they exist on paper.
Control owners should expect more focused walkthroughs, tighter evidence requests and greater scrutiny of whether IT general controls and access controls genuinely support the financial reporting environment. Controls that have been documented but inconsistently executed are the most exposed.
Why Continuous Evidence Becomes More Relevant
Annual or periodic control testing was always a limited approach. Under amended standards and increased enforcement scrutiny, its limitations become more visible. Controls need to demonstrate consistent performance throughout the year, not just at audit time.
Organisations that rely on point-in-time testing face a structural problem: there is no evidence of what happened between the test and the audit. The more demanding the evidentiary bar, the more this gap matters.
How Is CovaCtrl Different?
CovaCtrl supports teams in building continuous, documented evidence of control performance rather than reconstructing it under time pressure. Controls are monitored as work happens, producing structured evidence that maps directly to the risks they are designed to address.
This is directly relevant to the amended standards: evidence produced consistently throughout the year is more credible than evidence assembled to satisfy a walkthrough at year-end.
Why This Matters Now
December 2026 is closer than it appears. Organisations entering their next fiscal year under the amended PCAOB standards will need to demonstrate a functioning top-down ICFR programme from the first audit interaction — preparation cannot start in Q4.
The SEC's SOX Group adds a secondary layer: enforcement is not only a theoretical risk for auditors but a live consideration for public companies with material control weaknesses.
Two watchdogs, one deadline. The organisations best positioned are those that start strengthening their evidence trail now.

