What Ryan Reynolds Taught a Room Full of Auditors About Standing Out

Last week, the Roz team headed to Las Vegas for AICPA ENGAGE 2026, one of the largest gatherings of accounting and finance professionals in the country. As a first-time exhibitor, it was a milestone moment for us. We came in curious, left energized, and have a lot to share.

Meeting the practitioners we built Roz for.

The best part of any conference is the conversations you didn't plan. We got to meet auditors, risk advisory professionals, and firm leaders face-to-face - the exact people Roz is built for. And what struck us most was how consistent the themes were across every conversation: evidence collection that devours hours, control testing that doesn't scale, and the relentless pressure to grow the practice without adding headcount.

Hearing those pain points directly, not from a survey or a sales call, but from someone standing at your booth who's lived it for 20 years, is something you can't manufacture. It sharpens your thinking in ways that no amount of desk research can.

We also had great conversations with vendors, tool providers, and peers across the ecosystem. The compliance and audit space is evolving faster than most industries give it credit for, and the energy at ENGAGE reflected that.

A special thank you to our advisor Crispen Maung, Senior VP of Compliance at Five9, for making the trip out to Vegas to join us at ENGAGE.

Cha-cha-changes to the SOC Criteria.

Another big takeaway from ENGAGE: SOC appears to be heading for a meaningful refresh, likely to be published in 2027.

The details are still developing, but a few items stood out. We heard that explicit ties to COSO will be going away. CC5.0 will be removed entirely, which seemed to be very welcome news in the room. CC3 and CC9 will be combined. And new criteria and points of focus are expected to address emerging risks, including AI.

From what was shared, AI is being evaluated in two phases:

Phase 1: Determining where AI matters

  • When AI is relevant to a SOC 1 or SOC 2 engagement

  • How AI affects Control Objective (SOC 1), Service Commitments/System Requirements (SOC 2), and Management’s Description

  • AI-specific risks, including governance and oversight

  • Engagement team competencies, including when specialists may be needed

Phase 2: Determining how to audit it

  • Expanded guidance on subservice organizations and Trust Service Criteria

  • How to test AI-enabled controls

The systems being audited have changed. The risks have changed. The way companies use vendors, automation, and AI has changed. The SOC Criteria needs to catch up with the new way of working. But if these updates help SOC become more impactful, more consistent, and more focused on quality, then good. It is time.

AI wasn't a side topic. It was the topic.

One of the clearest themes across ENGAGE was how quickly AI is moving from theory to real audit workflow strategy. A high proportion of sessions touched on AI in some form, especially the practical question firms are asking now: do we buy a tool, build internally, or take a hybrid approach?

Roz presented on this during a spotlight session, and before the presentation even started, the room reflected exactly what we're seeing in the market. When attendees were asked where their teams stood, 27% said they plan to buy a platform, 27% said hybrid, 26% said they are still deciding, and only 18% said they are building internally.

In other words, firms have not picked a lane yet.

Our honest view: every firm needs to make that decision carefully. But if you do not have the expertise to build something stable, highly available, maintainable, and secure, especially when processing sensitive client data, you should buy a purpose-built platform.

The practitioner sessions were the real thing.

Beyond the main stage, some of the most valuable time was spent in sessions with working practitioners who weren't shy about sharing what they're actually seeing in the field.

"SOC Experts Unplugged" was a standout, featuring Shelby Nelson, CISSP, CISA, CDPSE, Advanced SOC, CyberSOC, Jeff Cook, Patrick Morin, Jenny Trotta, CPA, CISA, CITP, and Steven Ursillo Jr - a panel of experienced auditors and peer reviewers who went deep on the issues keeping firms up at night.

A few things that stuck with us:

  • Inquiry alone is never enough. In section four testing, you have to go beyond asking - you have to verify. This came up repeatedly, and it's a quality issue that's showing up in peer reviews.

  • GRC tools are becoming systems of internal control. The newer platforms aren't just document repositories anymore. They're gathering data, correlating evidence, and embedding AI. That's exciting, and it means they need to be audited with the same scrutiny as any other system component.

  • Report quality is a shared responsibility. Enhanced oversight is expanding, peer reviewers are being reviewed, and the bar is rising across the board. The firms that treat quality as a differentiator are going to pull ahead.

The "Trust Me, I'm an Auditor" session on SOC 2 privacy was equally substantive, covering controller versus processor scoping, how to handle criteria that genuinely aren't applicable, and the real difference between privacy and security. Practitioners in the room were clearly wrestling with these questions in live engagements, and the discussion reflected that.

A disaster recovery tabletop exercise that was actually fun.

Sarah Hampton (co-founder of Roz) also had the chance to participate in a disaster recovery tabletop exercise (Incident Response in Action: A Ransomware Game Show Experience) led by David Lam, and it ended up being one of the more memorable parts of the week.

Tabletop exercises are important, but let's be honest: they are not always known for being fun. This one was different. David brought energy, creativity, and yes, a disco jacket, to a Family Feud style ransomware and disaster recovery scenario that sparked real discussion around the importance of data backups, logging, incident response, communication, and the hard decisions teams have to make under pressure.

Sarah's team won the exercise, which made it even better, but the real value was the conversation. We got to meet new friends, competitors (lol), and practitioners who are all thinking deeply about how organizations prepare for security incidents.

Huge credit to David and the Miller Kaplan team. They are doing some amazing work, had great swag, and we were honored to be part of something so fun, practical, and unique.

What we're taking back.

Mischief in business.

One of the most talked-about moments of the conference was a fireside chat featuring Ryan Reynolds and Richard Galanti, the longtime CFO of Costco who spent 42 years with the company.

Ryan talked about something that's become central to how he builds businesses: mischief. The idea that the most memorable things you can do, whether it's how you launch a product, tell a story, or show up in a room, are rarely the obvious ones. He pointed to Aviation Gin and Mint Mobile as examples of brands that won by zigging where everyone else zagged. For a room full of finance and audit professionals, it was a genuinely unexpected and refreshing perspective.

We took it to heart. Literally.

We brought the mischief to our booth.

We showed up to ENGAGE with a stack of fake newsletters, printed to look like a real publication, with the headline declaring auditors to be the worst profession in pickleball. 

Yes, we handed them out to auditors. Yes, people loved it.

We also distributed funny magnets across the conference that caught a lot of attention and sparked a lot of conversations. The goal was simple: stand out in a sea of booths and give people something to remember and talk about. Based on the feedback we heard, it worked.

Ryan Reynolds was right. A little mischief goes a long way.

Every conversation at ENGAGE reinforced why we built Roz the way we did, to give audit and advisory teams a way to accelerate the work without cutting corners on quality. We heard you, and we're building accordingly.

If you were at ENGAGE and stopped by our booth, thank you. And if we missed each other, we'd love to connect (and send you a pickleball set).

Keep up with Roz at getroz.com

AI built for Auditors

© 2026 Roz. All rights reserved.