⚠️ ADVISORY: AuditAI Suite findings are advisory only. No output constitutes an audit opinion, conclusion, or attestation under PCAOB AS 2201 or ISA 315. All findings require professional review by a qualified auditor before use in any compliance or financial reporting context.

AuditAI Suite v4.0 ENTERPRISE
Enterprise Preview - SOX 404  -  ITGC  -  AI Governance

Continuous SOX control testing powered by autonomous AI auditors

Replace quarterly manual cycles with 10 specialized agents that test every control, every day - surfacing exceptions with evidence your board can act on.

SOX 404 Ready - Zero Data Exfiltration - HIPAA Compatible - Real-Time Detection - IIA Standards
Agents: SOD Auditor - JE Forensics - Logical Access - Config Drift - Master Data
12,847 Records Tested - 23 Exceptions - 94.2% Coverage - 4.8s Avg Audit Time - 3 Critical Items
Audit Findings - Live Session: 23 exceptions, 3 critical

Finding ID | Exception Description | Severity | Agent | Evidence
SOD-001 | AP Invoice Create + AP Payment Approve conflict - 3 users, $4.2M exposure | Critical | SOD Auditor | Logged
JE-047 | Manual JE outside business hours - $2.4M, fiscal year-end, no approver | High | JE Forensics | Logged
ACC-012 | Privileged access review overdue - 18 admin accounts, 94 days past SLA | High | Logical Access | Logged
CFG-003 | Production config change without CAB approval - security baseline deviation | Medium | Config Drift | Logged
MD-018 | Vendor master change without dual authorization - 4 records affected | Medium | Master Data | Logged
Aligned to the compliance standards your auditors trust
SOX 404 PCAOB COSO COBIT IIA Standards HIPAA NIST CSF ISO 27001
The Problem

Internal audit is stuck
in a manual era

Legacy audit cycles weren't built for modern enterprise risk. The result is delayed detection, incomplete coverage, and findings that arrive too late to matter.

Manual Testing - Weeks Per Cycle
Auditors spend 60-70% of their time collecting data and writing workpapers by hand. Testing happens once a quarter - not continuously.
Sampling - Not Full Population
Most audits test 25-60 samples from thousands of transactions. SOD conflicts, fraud, and control failures hide in the 95% or more of the population that is never examined.
Delayed Detection - Too Late to Act
By the time findings surface, the quarter has closed. Management can't remediate in time. Regulators and external auditors find what internal audit missed.
73% - of control failures go undetected by sampling. Traditional audit methodology misses the majority of exceptions hiding in large transaction populations.
6-8 weeks - manual SOX audit cycle length
3% - average population coverage via sampling
The Breakthrough

Not automation.
Autonomous audit agents.

Automation executes scripts on a schedule. Autonomous agents reason, adapt, and act - testing every control in your population and drafting findings without human prompting.

Legacy Audit Today | AuditAI Suite
Quarterly manual testing cycles | Continuous, real-time testing
3-5% sampling coverage | 100% population coverage
Manual workpaper preparation | AI-drafted workpapers in your format
Retrospective exception detection | Proactive detection as events occur
Single-threaded human analysis | 10 agents running in parallel
10 Specialized Audit Agents - Always On
SOD Auditor - Access Conflicts
JE Forensics - Journal Entries
Logical Access - Auth Controls
Config Drift - Change Mgmt
Master Data - Data Integrity
Financial Risk - Risk Analysis
Transactions - AP / AR / GL
Interfaces - System Flows
Vendor Risk - Third Party
AI Governance - Agent Oversight
Proof

See it working -
live output from real audit runs

Every screen below is from the actual platform. What you see is exactly what your audit team gets.

SOX 404 AUDIT ENGINE - EXCEPTION DETECTION
12,847 records processed - agents scanning
23 Total Exceptions - 3 Critical - 10 Agents Active - 4.8s Avg Runtime

SOD-001 - Critical
SOD Conflict - User jsmith@corp.com holds AP_INVOICE_CREATE + AP_PAYMENT_APPROVE simultaneously. 3 users affected. Transaction exposure: $4.2M in Q4.
Agent: SOD Auditor v4.1 - Detected: 2026-02-20 14:32:07 UTC - Evidence: Role matrix rows 147, 203, 891

JE-047 - High
Manual Journal Entry - $2,412,000 posted by mwilson@corp.com at 23:47 UTC on 2025-12-31 (fiscal year-end close). No secondary approver. Narrative: "YE Adjustment."
Agent: JE Forensics v3.2 - Detected: 2026-02-20 14:32:09 UTC - Evidence: GL record JE-2025-98741

ACC-012 - Medium
Privileged Access Review Overdue - 18 system administrator accounts not reviewed in 94 days. Policy requires 90-day review cycle. Risk: unauthorized privilege escalation.
Agent: Logical Access v2.8 - Detected: 2026-02-20 14:32:11 UTC - Evidence: Access review log AR-2025-Q3
AI-DRAFTED FINDINGS - IIA STRUCTURE (IIA Standards Compliant - Ready for sign-off)

Finding F-001 - Segregation of Duties Failure - Critical
Condition: Three users hold both AP Invoice Creation and AP Payment Approval roles, enabling unauthorized transaction processing without independent review.
Criteria: SOX Section 404 ITGC requirement; COSO Principle 10; Company Policy AP-CTRL-004 requiring role separation for payment processing.
Cause: Role assignments were not updated following Q3 system migration. Access recertification was deferred and not completed within the required 90-day window.
Effect: Material risk of unauthorized payments up to $4.2M per quarter. Potential for undetected fraud without compensating detective controls.
Recommendation: Immediately revoke conflicting access for all three users. Implement quarterly automated SOD certification. Redesign role structure to enforce separation at the system level.

Finding F-002 - Unsupported Year-End Journal Entry - High
Condition: A $2.4M manual journal entry was posted at 23:47 UTC on fiscal year-end without secondary approval or adequate supporting documentation.
Criteria: Journal entry policy JE-CTRL-002 requires dual authorization for entries exceeding $100K. PCAOB AS 2201 financial reporting controls require a complete audit trail.
Cause: Year-end close pressure resulted in bypassing the standard authorization workflow. Exception approvals were not documented or retained.
Effect: Risk of financial misstatement. Entry cannot be fully substantiated for external audit purposes without additional supporting evidence.
Recommendation: Obtain management explanation and supporting documentation. Implement system-enforced dual authorization for high-value entries. Review all Q4 JEs above the $100K threshold.
GENERATED WORKPAPER - IIA / BIG 4 TEMPLATE FORMAT
WP-2026-SOX-001 - Ready for Sign-off
AUDIT WORKPAPER - SOX 404 ITGC TESTING
Engagement: Acme Corporation  |  Period: Q4 FY2025  |  Lead: J. Smith, CPA  |  WP Ref: WP-2026-SOX-001  |  Date: 2026-02-20
OBJECTIVE
To test the design and operating effectiveness of IT General Controls (ITGCs) supporting financial reporting processes for the period October 1 - December 31, 2025, in accordance with SOX Section 404 and PCAOB AS 2201.
SCOPE
Population: 12,847 transactions across AP, GL, and access control domains. Coverage: 100% population via automated agent framework. Systems in scope: SAP S/4HANA, Okta, GL Sub-ledger.
PROCEDURES PERFORMED
1. SOD conflict analysis - tested all user-role combinations against the conflict matrix (1,240 combinations).
2. Journal entry forensics - analyzed all 8,441 manual JEs for policy compliance.
3. Privileged access review - assessed 247 accounts against the 90-day review SLA.
4. Configuration change testing - reviewed 34 production changes against CAB approval records.
EXCEPTIONS NOTED
3 Critical - 8 High - 12 Medium - See Findings F-001 through F-023.
CONCLUSION
Based on procedures performed, IT General Controls are operating with exceptions. Critical findings require immediate remediation prior to reliance for financial reporting purposes. Recommend escalation to Audit Committee.
SYSTEM ARCHITECTURE

Four-Phase Enterprise Integration Roadmap

Mapped to the underlying ACAP continuous assurance architecture, which bridges the Python backend and the SaaS frontend.

1. Cryptographic Data Vault

Every audit event is captured with continuous SHA-256 hash verification and an immutable chain of custody. Powered by background Watcher guards.
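The hash-chained log described above, as an added example that is not AuditAI's own code: each entry's SHA-256 commits to the previous entry's hash plus a canonical encoding of the event, so editing any earlier event breaks every later link. The event fields, the GENESIS constant and the sample findings are constructed for illustration; the product's real schema is not shown on the page.

```python
"""Hash-chained audit event log: append-only and tamper-evident.

Added example (not AuditAI's own code). Field names and the GENESIS value
are illustrative assumptions; the sample events are constructed.
"""
import hashlib
import json
from typing import Any

GENESIS = "0" * 64  # hypothetical: previous-hash value used for the first entry


def canonical(obj: Any) -> bytes:
    # Sorted keys and fixed separators so the same event always hashes identically
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor; altering an earlier entry breaks every later link
    return hashlib.sha256(prev_hash.encode("ascii") + canonical(event)).hexdigest()


def append(chain: list, event: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev, "event": event,
             "hash": entry_hash(prev, event)}
    chain.append(entry)
    return entry


def verify(chain: list) -> tuple:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False, i
        if entry_hash(entry["prev_hash"], entry["event"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, -1


def build_sample_chain() -> list:
    # Constructed sample events, shaped loosely after the findings shown on the page
    chain: list = []
    append(chain, {"agent": "SOD Auditor", "finding": "SOD-001", "severity": "Critical",
                   "detected": "2026-02-20T14:32:07Z"})
    append(chain, {"agent": "JE Forensics", "finding": "JE-047", "severity": "High",
                   "detected": "2026-02-20T14:32:09Z"})
    append(chain, {"agent": "Logical Access", "finding": "ACC-012", "severity": "Medium",
                   "detected": "2026-02-20T14:32:11Z"})
    return chain


def tamper_demo() -> tuple:
    # Downgrade an earlier finding after the fact: verification flags seq 0
    chain = build_sample_chain()
    chain[0]["event"]["severity"] = "Low"
    return verify(chain)


def recompute_demo() -> tuple:
    # Even if the tampered entry's own hash is recomputed, the next entry's prev_hash
    # no longer matches, so the break surfaces at seq 1
    chain = build_sample_chain()
    chain[0]["event"]["severity"] = "Low"
    chain[0]["hash"] = entry_hash(chain[0]["prev_hash"], chain[0]["event"])
    return verify(chain)


if __name__ == "__main__":
    print(verify(build_sample_chain()))  # (True, -1)
    print(tamper_demo())                 # (False, 0)
    print(recompute_demo())              # (False, 1)
```

One caveat a practitioner will raise: a chain stored next to the data it protects is only tamper-evident against someone who cannot rewrite the whole chain. Whoever controls the store can recompute every hash from the altered entry onward, so the current head hash has to be anchored somewhere they cannot edit (signed with a key the storage admin lacks, published to an external append-only log, or handed to the external auditor at each checkpoint).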

2. Zero-Trust Connectors & JWT

Strict Role-Based Access Control (RBAC) and OAuth2/JWT framework securing APIs for external auditors and dynamic Azure AD integration connectors.

3. Async PostgreSQL RLS

Total multi-tenancy enforced at the database layer via Row-Level Security (RLS) constraints, leveraging `asyncpg` for non-blocking enterprise throughput.

4. Autonomous AI Command Center

High-fidelity graphical UI that executes parameterized Control Evaluations, Exception Workflows, and SOD Matrices live against the Postgres backend.

Platform Capabilities

Four domains.
Ten autonomous agents.

Every agent is purpose-built for its domain - trained on control frameworks, risk patterns, and exception signatures specific to that area.

Access Controls
Tests user access, role assignments, and privilege levels against defined SOD requirements - 100% population coverage, no sampling.
SOD Auditor - Segregation of Duties
Logical Access - Privileged Accounts
Identity Audit - Access Certification
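What a full-population SOD test looks like in code, as an added example rather than the SOD Auditor's own implementation: every user's role set is expanded into role pairs and each pair is checked against a conflict matrix, then exposure is sized from the transactions the conflicted users approved. The conflict matrix, the policy identifiers other than AP-CTRL-004 and JE-CTRL-002 (which appear on the page), the user assignments and the payment figures are all constructed sample data.

```python
"""Segregation-of-duties conflict test over the full user-role population.

Added example (not AuditAI's own code). Role names, the conflict matrix,
the AP-CTRL-007 policy id, the assignments and the payment amounts are
constructed; the product's real matrix and ERP export format are not shown.
"""
from collections import defaultdict
from itertools import combinations

# Constructed conflict matrix: role pairs one person must not hold together.
# Stored as frozensets so (A, B) and (B, A) are the same conflict.
CONFLICT_MATRIX = {
    frozenset({"AP_INVOICE_CREATE", "AP_PAYMENT_APPROVE"}): "AP-CTRL-004",
    frozenset({"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_APPROVE"}): "AP-CTRL-007",  # hypothetical id
    frozenset({"JE_POST", "JE_APPROVE"}): "JE-CTRL-002",
}

# Constructed user-role assignments, one row per assignment as an access export would have.
ASSIGNMENTS = [
    ("jsmith", "AP_INVOICE_CREATE"), ("jsmith", "AP_PAYMENT_APPROVE"),
    ("mwilson", "JE_POST"), ("mwilson", "JE_APPROVE"),
    ("tlee", "AP_INVOICE_CREATE"),
    ("rkhan", "VENDOR_MASTER_MAINTAIN"), ("rkhan", "AP_PAYMENT_APPROVE"),
    ("rkhan", "AP_INVOICE_CREATE"),
]

# Constructed payments approved by each user, used to size the exposure of a conflict.
PAYMENTS_APPROVED = {"jsmith": [1_200_000.0, 850_000.0], "rkhan": [300_000.0]}


def roles_by_user(assignments):
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    return roles


def find_conflicts(assignments, matrix):
    """Every user, every pair of their roles, checked against the matrix: no sampling."""
    findings = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for a, b in combinations(sorted(roles), 2):
            pair = frozenset({a, b})
            if pair in matrix:
                findings.append({"user": user, "roles": tuple(sorted(pair)),
                                 "policy": matrix[pair]})
    return findings


def exposure(findings, approved):
    """Dollar value approved by users holding a conflict, grouped by the policy violated."""
    total = defaultdict(float)
    seen = set()
    for f in findings:
        key = (f["user"], f["policy"])
        if key in seen:          # count each user once per policy
            continue
        seen.add(key)
        total[f["policy"]] += sum(approved.get(f["user"], []))
    return dict(total)


if __name__ == "__main__":
    hits = find_conflicts(ASSIGNMENTS, CONFLICT_MATRIX)
    for h in hits:
        print(h)
    print(exposure(hits, PAYMENTS_APPROVED))
```

Two things this role-level pass does not catch, and a real test must: conflicts reached through composite or derived roles (expand the role hierarchy to atomic permissions before pairing), and conflicts hidden behind shared or service accounts where the "user" is not a person.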
Change Management
Monitors system configuration changes against authorized change records, detects unauthorized modifications in real time.
Config Drift - Configuration Changes
Interface Integrity - System Interfaces
Master Data Guard - Reference Data
Transaction Monitoring
Tests every journal entry, payment, and GL posting against policy thresholds and approval requirements - full population, no exceptions missed.
JE Forensics - Journal Entries
Financial Risk - Risk Indicators
Transaction Testing - AP / AR / GL
Fraud Analytics
Applies behavioral analytics, Benford's Law, and outlier detection to surface anomalies that sampling-based audits routinely miss.
Anomaly Detection - Behavioral Patterns
Vendor Risk - Third Party
AI Governance - Agent Oversight
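The Benford's Law first-digit test named above, worked through as an added example (not the Anomaly Detection agent's code): observed leading-digit frequencies are compared with log10(1 + 1/d) and the mean absolute deviation is graded against Nigrini's published first-digit conformity bands. Both populations are constructed: one generated by a multiplicative process that conforms, one clustered just under a hypothetical $10,000 approval limit that does not.

```python
"""Benford's Law first-digit test over a population of transaction amounts.

Added example (not AuditAI's own code). The conformity bands are Nigrini's
first-digit MAD thresholds; both sample populations are constructed.
"""
import math
import random
from typing import Optional

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount: float) -> Optional[int]:
    a = abs(amount)
    if a == 0:
        return None            # zero has no leading digit; excluded from the test
    while a >= 10:
        a /= 10
    while a < 1:
        a *= 10
    return int(a)


def first_digit_distribution(amounts) -> tuple:
    counts = {d: 0 for d in range(1, 10)}
    n = 0
    for x in amounts:
        d = first_digit(x)
        if d is not None:
            counts[d] += 1
            n += 1
    return {d: (c / n if n else 0.0) for d, c in counts.items()}, n


def mad(observed: dict) -> float:
    """Mean absolute deviation between observed and Benford proportions."""
    return sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9


def conformity(m: float) -> str:
    # Nigrini first-digit bands
    if m < 0.006:
        return "close conformity"
    if m < 0.012:
        return "acceptable conformity"
    if m < 0.015:
        return "marginally acceptable"
    return "nonconformity"


def benford_like_population(n: int = 20_000, seed: int = 7) -> list:
    # Constructed: log-uniform amounts across several decades, which follow Benford's Law
    rng = random.Random(seed)
    return [10 ** rng.uniform(2, 6) for _ in range(n)]


def suspicious_population(n: int = 20_000, seed: int = 7) -> list:
    # Constructed: amounts clustered just under a hypothetical $10,000 approval limit
    rng = random.Random(seed)
    return [rng.uniform(9_000, 9_999) for _ in range(n)]


def assess(amounts) -> dict:
    dist, n = first_digit_distribution(amounts)
    m = mad(dist)
    return {"n": n, "mad": round(m, 4), "conformity": conformity(m), "distribution": dist}


if __name__ == "__main__":
    for name, pop in (("benford-like", benford_like_population()),
                      ("under-limit cluster", suspicious_population())):
        r = assess(pop)
        print(name, r["n"], r["mad"], r["conformity"])
```

Nonconformity is a lead, not a finding: assigned amounts such as fixed fees, payroll or round-number thresholds fail Benford legitimately, so the digit-9 spike here only earns a closer look at who approved those entries and against which limit.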
Industry Use Case

AI credit decision governance for a regulated bank

A single end-to-end scenario: onboarding an agentic lending model, validating controls, preserving evidence, and producing executive attestation under SOX, COSO, and model risk governance mandates.

Architecture Workflow Diagram
Lifecycle path from model onboarding to board-ready reporting and continuous assurance.
Step 1
System Onboarding
Register AI lending process, risk context, owners, and baseline controls.
Step 2
Risk + Compliance Evaluation
Run autonomous control and exception testing across policy and framework rules.
Step 3
Evidence + Traceability
Capture immutable artifacts, lineage, hashes, and model decision records.
Step 4
Audit Reporting
Produce board and regulator-ready findings, KPI dashboards, and remediation status.
Step 5
Governance Oversight
Continuously monitor drift, rerun UAT hardening cycles, and sustain control health.
Workflow Stage | Portal Pages | Operational Role In The Use Case
Program Entry + Context | index.html, help.html | Defines audit objective, stakeholder journey, and operating model before evidence collection.
Model + Control Onboarding | app.html, settings.html | Registers AI process inputs, configures runtime and audit parameters, and launches domain agents.
Domain-Specific Testing | itgc-controls.html, itac-testing.html | Executes ITGC and ITAC validation aligned to enterprise control ownership and segregation rules.
Evidence Preservation | vault.html | Stores audit artifacts and integrity metadata for reproducibility and external auditor challenge.
Policy + Risk Governance | governance.html | Maintains policy inventory, framework mapping, alerting, and risk register decisions.
Attestation + Reporting | reports.html | Generates executive summary, findings, compliance status, and board-ready report packages.
Quality Assurance + Hardening | uat.html | Runs readiness gates and controlled patch workflows to keep autonomous audit behavior reliable.
Industry value proposition: organizations implement this platform to replace fragmented, manual AI assurance with one traceable governance operating system. It lowers governance risk through continuous control testing, improves auditability with evidence lineage and immutable trails, and supports responsible scaling of agentic AI through policy-to-execution monitoring.
Security & Compliance

Enterprise security
is the architecture, not a feature

Built from day one for the most regulated industries. Your financial data and PHI never leave your environment.

Zero Data Exfiltration
All audit processing runs client-side in your browser. No financial data, ERP exports, or audit evidence is ever transmitted to external servers. Architecture guarantee - not policy.
Architecture Guarantee
HIPAA Compatible
Designed for US healthcare providers. PHI boundary controls, access audit logging, and a zero-transmission architecture support the HIPAA Security Rule's access control and audit control safeguards.
Healthcare Ready
Private Deployment
Enterprise plan supports on-premise or private cloud deployment. Full control over infrastructure, data residency, access policies, and audit log retention periods.
Enterprise Plan
Immutable Audit Trails
Every agent decision is timestamped and logged in an immutable decision trail. Full reproducibility for external auditor review, regulatory inquiries, and PCAOB inspection.
PCAOB Aligned
BYOK Architecture
AI features use your own Claude API key. No shared credentials, no data pooling, no model training on your audit data. Your key, your isolation, your control. Note that whatever the agents place in a prompt is sent to the Claude API under your account and handled under your agreement with the model provider, so scope prompt contents accordingly where the zero-exfiltration posture matters.
Bring Your Own Key
Framework Compliance
Built to COSO 2013, COBIT 2019, IIA Standards 2024, and PCAOB AS 2201. Control mappings verified against Big 4 ITGC methodologies.
Standards Verified
Compliant with
SOX 404
PCAOB AS 2201
COSO 2013
COBIT 2019
IIA Standards
HIPAA
NIST CSF
ISO 27001
Enterprise Access Program
Request Enterprise Access
We custom-build integrations, workpaper templates, and control frameworks specific to your ERP, your audit methodology, and your compliance requirements.
Custom workpaper templates in your exact format
ERP connectors - SAP, Oracle, Workday, NetSuite
RACM mapping to your existing control framework
Private cloud or on-premise deployment option
Full team onboarding and training included
Dedicated support and configuration assistance
Confidential - We respond within 1 business day