PCAOB Update · Featured · June 4, 2026 · 8 min read · By Vikash Kumar

PCAOB 2026 Inspection Priorities: What Every IT Auditor Must Prepare For

Key takeaway: The PCAOB's 2026 inspection cycle is focusing on three areas where IT auditors are most frequently deficient — logical access control testing, change management evidence, and evaluation of automated controls in cloud ERP environments.

Background

Every year, the PCAOB signals inspection priorities through its annual report and supplemental communications. For 2026, the Board has been explicit: ITGC deficiencies remain the leading contributor to engagement-level audit failures, and the shift to cloud-hosted ERPs has introduced new testing complexities that many auditors have not fully adapted to.

Priority 1: Logical Access Reviews in Cloud ERPs

Traditional ITGC testing assumed that access was managed at the application layer by on-premise administrators. In SAP BTP, Oracle Cloud, and Workday environments, access is often managed at multiple layers — the platform layer, the application layer, and the integration layer — each of which represents an independent control population.

Inspectors are finding that auditors are testing only one layer and relying on that to cover the others. This is no longer acceptable under AS 2201 guidance issued in Q1 2026.

⚠️ High-risk finding: Auditors who rely solely on application-level access exports from cloud ERPs without obtaining platform-layer access logs are at high risk of a finding in the 2026 inspection cycle.

Priority 2: Change Management — Evidence Quality

The PCAOB is specifically calling out change tickets that are approved after deployment, approvals from individuals who also made the change (segregation of duties failures in the change process itself), and emergency change populations that are not properly evaluated post-implementation.
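An added example (not from the original post or from any PCAOB material): a sketch of testing a full change population for the three evidence problems named above. The ticket field names and sample records are constructed, and accepting retroactive approval for emergency changes as long as a post-implementation review exists is an assumption.

```python
from datetime import datetime

# Constructed sample of a change-ticket export. Field names are assumptions,
# not the schema of any particular ITSM tool.
TICKETS = [
    {"id": "CHG-1001", "type": "normal", "implementer": "asmith", "approver": "bjones",
     "approved_at": "2026-03-02T09:00", "deployed_at": "2026-03-03T22:00", "pir_at": None},
    {"id": "CHG-1002", "type": "normal", "implementer": "asmith", "approver": "bjones",
     "approved_at": "2026-03-06T10:15", "deployed_at": "2026-03-05T23:30", "pir_at": None},
    {"id": "CHG-1003", "type": "normal", "implementer": "cwu", "approver": "CWu ",
     "approved_at": "2026-03-08T08:00", "deployed_at": "2026-03-09T21:00", "pir_at": None},
    {"id": "CHG-1004", "type": "emergency", "implementer": "dlee", "approver": "bjones",
     "approved_at": "2026-03-11T03:10", "deployed_at": "2026-03-11T02:40", "pir_at": None},
    {"id": "CHG-1005", "type": "emergency", "implementer": "dlee", "approver": "bjones",
     "approved_at": "2026-03-12T06:00", "deployed_at": "2026-03-12T01:00", "pir_at": "2026-03-14T15:00"},
    {"id": "CHG-1006", "type": "normal", "implementer": "cwu", "approver": None,
     "approved_at": None, "deployed_at": "2026-03-15T20:00", "pir_at": None},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def _user(value):
    return (value or "").strip().lower()  # normalize so "CWu " matches "cwu"

def exceptions(ticket):
    """Return the evidence-quality exceptions for one change ticket."""
    found = []
    approved, deployed, pir = (_ts(ticket[k]) for k in ("approved_at", "deployed_at", "pir_at"))
    emergency = ticket["type"] == "emergency"
    if approved is None or not _user(ticket["approver"]):
        found.append("NO_APPROVAL")
    else:
        if _user(ticket["approver"]) == _user(ticket["implementer"]):
            found.append("SELF_APPROVAL")  # segregation of duties failure
        if deployed and approved > deployed and not emergency:
            found.append("APPROVED_AFTER_DEPLOY")
    if emergency and (pir is None or (deployed and pir < deployed)):
        found.append("NO_POST_IMPLEMENTATION_REVIEW")
    return found

def review_population(tickets):
    return {t["id"]: e for t in tickets if (e := exceptions(t))}

if __name__ == "__main__":
    for ticket_id, issues in review_population(TICKETS).items():
        print(ticket_id, ", ".join(issues))
```

Running the check over the whole population rather than a sample keeps emergency changes from dropping out of scope because they are rare.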

Priority 3: AI-Generated Workpapers

PCAOB Release 2026-002 (Staff Guidance on Auditor Use of AI Tools) makes clear that using an LLM to generate workpaper text does not reduce the auditor's professional responsibility. Inspectors will evaluate whether the auditor exercised appropriate professional judgment in reviewing AI outputs.

What User Entities Should Do Now

Even if you are not a registered audit firm, your auditor's inspection findings affect you. If your external auditor receives a PCAOB deficiency finding related to your engagement, they may expand testing scope in the following year — increasing your audit fees and evidence burden.

NextGen GRC Tip: Use the GrcAI Audit Prep mode to stress-test your controls against PCAOB AS 2201 before fieldwork begins. The AI plays the role of a PCAOB inspector and surfaces the exact challenges you will face.