npm package discovery and stats viewer.

prova-sox-audit

v0.1.0

Published

CLI that runs PCAOB AS 2201 walkthroughs (TOD → Sample Selection → TOE → Exception Analysis) over a SOX controls config and emits workpaper-quality evidence. Deterministic, local, auditable — built for Controllers + Internal Audit Directors at PE portfoli

Downloads

25

Readme

@prova/sox-audit-cli

Deterministic PCAOB AS 2201 walkthrough engine that runs Test-of-Design → Sample Selection → Test-of-Operating-Effectiveness → Exception Analysis over a SOX controls config and prints workpaper-quality evidence. Local, auditable, Apache-2.0 — built for Controllers + Internal Audit Directors at PE portfolio companies and sub-$500M public microcaps preparing for 404(b) integrated audit scrutiny.

License: Apache 2.0

Why this exists

SOX 404(b) integrated audits lean on two public standards:

  • PCAOB AS 2201 — "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements." Paragraphs 39 (design effectiveness) and 44–50 (operating effectiveness) are the load-bearing ones.
  • AICPA AU-C 530 — "Audit Sampling." Paragraph .A12 drives the tolerable-deviation-rate math; .A8 drives the small-population 100%-testing exception.

External audit firms (Big 4, second-tier, specialist SOX firms) rely on those standards to scope their test procedures. PCAOB inspection findings (2024) flagged 31% of Big-4 SOX audits as having at least one significant deficiency in the auditor's own testing — meaning even the firms running the tests are getting caught for under-sampling, rubber-stamped reviews, and missing exception documentation.

Internal audit teams at PE portcos and sub-$500M public microcaps typically have 2–5 people producing quarterly evidence for 30–80 in-scope controls. At this scope, manually authoring workpaper-quality walkthroughs for every control — with correctly-sized samples, complete evidence inventories, and defensible conclusions — is the bottleneck. AuditBoard and Workiva Wdesk solve this but price for 2,000+ employee orgs with dedicated compliance engineering teams.

@prova/sox-audit-cli is the free, open-source starting point: feed it a structured controls config, get back a PCAOB-shaped workpaper in under a second. Deterministic. Local. Hash-only audit log. Apache-2.0.

The upstream paid product (prova.grindworks.ai) adds agentic evidence collection across NetSuite / Workday / Okta / GitHub / Stripe, continuous control testing (not quarterly), signed artifact chain, admin console, and external audit firm export wizards. This CLI is how you start today.

Install

# Ephemeral run, always latest v0.1
npx -y https://prova.grindworks.ai/prova-sox-audit-0.1.0.tgz --demo

# Global install from tarball
npm install -g https://prova.grindworks.ai/prova-sox-audit-0.1.0.tgz
prova-audit --demo

# Shortly (once the registry name is claimed):
npm install -g @prova/sox-audit-cli

Node 20+ required. Pure JavaScript, zero runtime dependencies. Tarball ~33 KB.

Quick start

# Run the bundled 10-control demo (no config needed)
prova-audit --demo

# Run against your own config
prova-audit ./my-q1-controls.json

# JSON output for external audit firm ingestion
prova-audit ./my-q1-controls.json --format=json > workpaper.json

# Markdown for Notion / Confluence / internal-audit repo
prova-audit ./my-q1-controls.json --format=md > workpaper.md

# Printable HTML (save, open, print-to-PDF in browser)
prova-audit ./my-q1-controls.json --format=html > workpaper.html

# Enumerate the 6 built-in PCAOB templates
prova-audit --list-templates

Exit codes:

  • 0 — all controls effective, possibly with documented observations
  • 1 — at least one control ineffective or not-tested (CI can gate on this)
  • 2 — invocation error (bad flag, missing config, malformed JSON)

Built-in templates

Six PCAOB AS 2201-aligned control templates ship with v0.1:

| ID | Category | Risk | Name | Assertion |
|---|---|---|---|---|
| itgc.access_provisioning | ITGC | high | User Access Provisioning | authorization |
| itgc.access_termination | ITGC | high | User Access Termination | completeness |
| itgc.privileged_access_review | ITGC | high | Privileged Access Periodic Review | authorization |
| itgc.change_management | ITGC | high | Change Management — Production Deployments | authorization |
| bp.revenue_recognition_cutoff | BP | high | Revenue Recognition — Period-End Cutoff | cutoff |
| bp.journal_entry_approval | BP | medium | Manual Journal Entry Review & Approval | authorization |

Each template encodes (a) a formal PCAOB / SOC 1 / ASC 606 reference, (b) the expected evidence inventory the external audit firm will request, and (c) the explicit test-step sequence for that walkthrough. See src/templates.ts — read the code before trusting the output.

PCAOB AS 2201 walkthrough protocol

Every control runs the same 5-phase sequence:

  1. Test of Design (TOD) — PCAOB AS 2201.39. Does the documented control description actually address the risk? Are the required process elements (approver separate from requestor, pre-provisioning SoD check, documented SLA, etc.) present?

  2. Sample Selection — AICPA AU-C 530 attribute sampling. Sample size scales with risk level:

    SAMPLE_SIZE_BY_RISK = { high: 25, medium: 15, low: 10 }

    These are floors drawn from the AICPA Audit Guide "Audit Sampling" Table A.2 (5% risk of over-reliance, 0% expected deviation rate). External audit firms routinely request higher counts for high-risk controls; some use 40. Override via sample_size on the control entry.

  3. Test of Operating Effectiveness (TOE) — PCAOB AS 2201.44–50. Each sampled item carries a pass / fail / not_tested result. Tester documents reason for failures in the notes field.

  4. Exception Analysis — PCAOB AS 2201.68. Each failure derives a severity (high for ITGC access-termination, privileged-access-review, and revenue-cutoff failures; otherwise inherits the control risk level), a root-cause hint, and a remediation hint.

  5. Overall Conclusion — PCAOB AS 2201.62. Control is:

    • effective — all sampled items passed, projected deviation within tolerable rate.
    • effective_with_observations — some deviations, but projected rate ≤ tolerable (see below).
    • ineffective — projected rate > tolerable. Escalate to external audit firm and remediate.
    • not_tested — coverage gap (actual sample < required) or no pass/fail results recorded.

Tolerable deviation rates per AICPA AU-C 530.A12:

TOLERABLE_RATE = { high: 5%, medium: 8%, low: 10% }
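The five phases above reduce to a small amount of arithmetic, and it is worth being able to check that arithmetic independently of the tool. The following is an added example, not code from @prova/sox-audit-cli: it reimplements the documented rules (risk-based sample floors, `sample_size` override, tolerable rates, the four conclusions, exception severity, and the exit code) over constructed control entries in the README's config shape. Two points are assumptions, labelled in the code: the projected deviation rate is taken as the plain sample deviation rate, and a population smaller than the floor is read as requiring 100% testing (AU-C 530.A8).

```javascript
// Added example, not code from @prova/sox-audit-cli: a from-scratch reimplementation
// of the conclusion rules the README describes, so a reviewer can check the
// arithmetic by hand. Constants are the README's; the projection and the
// small-population handling are labelled assumptions below.

const SAMPLE_SIZE_BY_RISK = { high: 25, medium: 15, low: 10 };   // AICPA Table A.2 floors
const TOLERABLE_RATE = { high: 0.05, medium: 0.08, low: 0.10 };  // AU-C 530.A12

// Failures on these templates are always high severity (Exception Analysis phase).
const ALWAYS_HIGH_SEVERITY = new Set([
  'itgc.access_termination',
  'itgc.privileged_access_review',
  'bp.revenue_recognition_cutoff',
]);

// Required sample count: the risk floor, or the control's sample_size override,
// capped at the population (assumed reading of the AU-C 530.A8 100%-testing rule).
function requiredSampleSize(control) {
  const floor = control.sample_size ?? SAMPLE_SIZE_BY_RISK[control.risk_level];
  return Math.min(floor, control.population_size);
}

function concludeControl(control) {
  const required = requiredSampleSize(control);
  const samples = control.samples ?? [];
  const tested = samples.filter((s) => s.result === 'pass' || s.result === 'fail');
  const failures = tested.filter((s) => s.result === 'fail');
  const tolerable = TOLERABLE_RATE[control.risk_level];
  // Projected deviation rate taken as the sample deviation rate (assumption: the
  // README does not state how it projects to the population).
  const projectedRate = tested.length ? failures.length / tested.length : null;

  let conclusion;
  if (samples.length < required || tested.length === 0) conclusion = 'not_tested';
  else if (failures.length === 0) conclusion = 'effective';
  else if (projectedRate <= tolerable) conclusion = 'effective_with_observations';
  else conclusion = 'ineffective';

  const exceptions = failures.map((s) => ({
    item_id: s.item_id,
    severity: ALWAYS_HIGH_SEVERITY.has(control.template_id) ? 'high' : control.risk_level,
    notes: s.notes ?? '',
  }));

  return { control_id: control.control_id, required, sampled: samples.length,
           tested: tested.length, failures: failures.length, projectedRate,
           tolerable, conclusion, exceptions };
}

// Exit code as documented: 1 when any control is ineffective or not_tested, else 0.
function exitCodeFor(results) {
  return results.some((r) => r.conclusion === 'ineffective' || r.conclusion === 'not_tested') ? 1 : 0;
}

// Constructed sample arrays (not real audit data); item ids are placeholders.
function makeSamples(prefix, passes, fails) {
  const out = [];
  for (let i = 0; i < passes; i++) out.push({ item_id: `${prefix}-P${i}`, result: 'pass' });
  for (let i = 0; i < fails; i++) out.push({ item_id: `${prefix}-F${i}`, result: 'fail', notes: 'constructed failure' });
  return out;
}

const DEMO_CONTROLS = [
  // The README's minimal example: 2 samples against a 25-item requirement -> coverage gap.
  { control_id: 'ITGC-01', template_id: 'itgc.access_provisioning', risk_level: 'high',
    population_size: 142,
    samples: [{ item_id: 'REQ-00147', result: 'pass' },
              { item_id: 'REQ-00301', result: 'fail', notes: 'approver = requestor' }] },
  // 1 failure in 25: 4% <= 5% tolerable, but the template forces high severity.
  { control_id: 'ITGC-02', template_id: 'itgc.access_termination', risk_level: 'high',
    population_size: 200, samples: makeSamples('TERM', 24, 1) },
  // 2 failures in 15: 13.3% > 8% tolerable -> ineffective; severity inherits 'medium'.
  { control_id: 'BP-01', template_id: 'bp.journal_entry_approval', risk_level: 'medium',
    population_size: 60, samples: makeSamples('JE', 13, 2) },
  // Population of 8 with all 8 tested: full-population testing, effective.
  { control_id: 'ITGC-03', template_id: 'itgc.privileged_access_review', risk_level: 'high',
    population_size: 8, samples: makeSamples('PAR', 8, 0) },
];

function runDemo() {
  const results = DEMO_CONTROLS.map(concludeControl);
  return { results, exitCode: exitCodeFor(results) };
}

const demo = runDemo();
for (const r of demo.results) {
  console.log(`${r.control_id}: ${r.conclusion} (${r.failures}/${r.tested} failed, tolerable ${r.tolerable})`);
}
console.log('exit code', demo.exitCode);
```

The ITGC-01 entry is instructive: one failure with a documented reason looks like a finding, but because only 2 of the 25 required items were sampled the control comes out `not_tested`, which the documented exit code 1 then surfaces to CI. Also note the ITGC-02 case, where the deviation rate is within tolerance yet the exception still carries high severity because of the template.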

SOX & adjacent framework mapping

This CLI produces input to, not a substitute for, the external auditor's work. Specific framework touchpoints:

  • SOX §302 (Corporate Responsibility for Financial Reports) — Officer certifications. Workpaper output feeds the §302 disclosure committee package.
  • SOX §404(a) (Management Assessment) — Management's assessment of ICFR. Workpaper documents TOD + TOE evidence for every in-scope control.
  • SOX §404(b) (Auditor Attestation) — External auditor's opinion on ICFR. Output format is designed to ingest cleanly into the audit firm's workpaper system via the --format=json mode.
  • SOX §906 (Corporate Responsibility for Financial Reports — criminal penalties) — Evidence chain defensibility. The ~/.prova/audit.jsonl hash-only log shows when testing was run and the config digest of what was tested.
  • PCAOB AS 2201 — The single most-cited standard in external audit workpapers. Every template in templates.ts references specific paragraphs.
  • PCAOB AS 2110.65 — Fraud risk from management override of JE controls. bp.journal_entry_approval explicitly cites and tests for rubber-stamp patterns.
  • AICPA AU-C 530 — Audit Sampling. Drives sample size floors and tolerable-rate thresholds.
  • SOC 1 (SSAE 18) — Trust services criteria CC6.1 / CC6.2 / CC6.3 / CC8.1 map 1:1 to the ITGC templates. If your entity produces its own SOC 1 report, this CLI's ITGC output is structured to align.
  • ASC 606 — Revenue recognition. bp.revenue_recognition_cutoff explicitly tests performance-obligation satisfaction criteria per ASC 606-10-25-30 (bill-and-hold specifically).
  • COSO 2013 — Internal Control - Integrated Framework. Control Environment + Monitoring components are referenced in the JE approval template.

Adjacent framework notes (not implemented, surface-only)

  • DORA (EU Digital Operational Resilience Act, Regulation (EU) 2022/2554) — Article 6 (ICT Risk Management Framework) and Article 9 (Protection and Prevention) overlap with ITGC Access Management + Change Management templates. If your entity has European operations, an internal mapping exercise is straightforward.
  • CMMC 2.0 (Cybersecurity Maturity Model Certification) — Level 2 / Level 3 practice areas AC.L2-3.1 (access control) and CM.L2-3.4 (configuration management) overlap substantially with ITGC templates. This CLI does not produce CMMC evidence; defense primes should use CMMC-specific tooling. But the ITGC output can inform a CMMC self-assessment.

Nothing in this document is legal or audit advice. The external audit firm's work is the audit of record. This tool produces input to that work.

Config schema

A controls config is a single JSON file. Minimal example:

{
  "audit_id": "Q1-2026",
  "entity_name": "Acme Corp",
  "period_start": "2026-01-01",
  "period_end": "2026-03-31",
  "prepared_by": "J. Smith, Internal Audit",
  "reviewed_by": "M. Jones, Controller",
  "controls": [
    {
      "control_id": "ITGC-01",
      "template_id": "itgc.access_provisioning",
      "owner": "IT Security Manager",
      "risk_level": "high",
      "population_size": 142,
      "samples": [
        { "item_id": "REQ-00147", "result": "pass" },
        { "item_id": "REQ-00301", "result": "fail", "notes": "approver = requestor" }
      ],
      "evidence_sources": [
        { "type": "servicenow_export", "ref_id": "SN-ACCESS-Q1-2026.csv" }
      ]
    }
  ]
}

See samples/demo-controls.json for a realistic 10-control config covering all 6 built-in templates.

Custom templates

To run a control not covered by the built-ins, pass custom_template inline instead of template_id:

{
  "control_id": "BP-CUSTOM-01",
  "custom_template": {
    "id": "bp.custom.inventory_reconciliation",
    "category": "BP",
    "name": "Inventory Reconciliation",
    "assertion": "completeness",
    "risk_level": "medium",
    "pcaob_reference": "PCAOB AS 2201.44; ASC 330",
    "expected_evidence": [
      "Perpetual-to-physical reconciliation",
      "Variance explanation memo",
      "Signed cycle-count evidence"
    ],
    "test_steps": [
      {
        "id": "tod.1",
        "phase": "TOD",
        "description": "Confirm the reconciliation methodology is documented and approved by the Controller."
      },
      {
        "id": "sample.1",
        "phase": "SAMPLE",
        "description": "Population: all SKUs in scope. Sample per AICPA AU-C 530."
      },
      {
        "id": "toe.1",
        "phase": "TOE",
        "description": "For each sampled SKU, verify variance is within tolerance or has a signed explanation."
      },
      {
        "id": "exception.1",
        "phase": "EXCEPTION",
        "description": "For each exception, document root cause + remediation."
      }
    ]
  },
  "owner": "Inventory Manager",
  "population_size": 1400,
  "samples": [],
  "evidence_sources": []
}

Audit log format

Every prova-audit run appends one JSONL line to ~/.prova/audit.jsonl:

{"ts":"2026-04-17T09:45:12.345Z","session_id":"a1b2c3d4e5f60708","event":"audit_run","audit_id":"Q1-2026","entity_name_digest":"8f2a7c1e9b4d5a62","period_start":"2026-01-01","period_end":"2026-03-31","prepared_by_digest":"d7a4f1e09c6b3520","reviewed_by_digest":"c2b9e103a74d8891","control_count":10,"config_digest":"3a71e8d492b7f105","output_digest":"7e91c4f83d06a2b5","summary":{"total_controls":10,"total_exceptions":3,"total_coverage_gaps":0,"overall_effective":false}}

No plaintext entity names, owner names, or evidence references are ever logged. Only lengths, hashes, and counts. This is intentional: the audit log must not become a new liability for the Controller. The external audit firm can point at ~/.prova/audit.jsonl and verify (a) that testing was run, (b) against which input config digest, (c) how many controls and exceptions resulted — without ever seeing plaintext entity data.

Rotate on your own schedule: mv ~/.prova/audit.jsonl ~/.prova/audit-$(date +%F).jsonl.

Environment variables

| Var | Default | Purpose |
|---|---|---|
| PROVA_LOG_DIR | ~/.prova/ | Directory where the audit log is written |
| PROVA_LOG_PATH | {LOG_DIR}/audit.jsonl | Full audit log path override |

What this CLI does NOT do (v0.1 scope)

  • No automated evidence collection. You still have to export data from NetSuite, Workday, Okta, GitHub, Stripe, etc. and populate the samples + evidence_sources arrays. Agentic collection is the paid product.
  • No continuous testing. v0.1 runs when you run it. The paid product watches control sources and flags deviations in near-real-time.
  • No signed artifact chain. Each run appends a hash of the input, but there is no cryptographic binding across runs. Paid product.
  • No external audit firm export wizard. Use --format=json and hand the file over.
  • No multi-entity rollup. One config per run, one period per config.
  • Not legal or audit advice. The external audit firm's work is the audit of record. This tool produces input.

Design principles

  1. Local only. Zero network calls in v0.1. Grep the source — you'll find no fetch, http, axios, or undici.
  2. Deterministic. Same input config → byte-identical output (ignoring the generated-at timestamp). A CFO can reproduce your workpaper before the external audit firm arrives.
  3. Audit-first. Every run emits a hash-only log event. No plaintext. Ever.
  4. Trust by construction. Apache-2.0 source. Published tarball matches commit. Templates cite PCAOB AS 2201 + AICPA AU-C 530 directly — read the references before trusting the output.

Contributing

Issues and PRs welcome. The target audience is Controllers + Internal Audit Directors at PE portcos and sub-$500M public microcaps preparing for SOX 404(b) integrated audit scrutiny. If you're one of them, we want to hear which control templates are missing for your business (M&A synergy realization, lease accounting under ASC 842, tax-provision quarterly true-up, etc.).

License

Apache-2.0. Use commercially, modify freely — attribution appreciated in workpaper credits.

Upgrade path

When you're ready for agentic evidence collection across NetSuite / Workday / Okta / GitHub / Stripe + continuous testing + signed artifact chain + external audit firm export wizard:

prova.grindworks.ai

Design-partner program is open now. Reply with "prova-cli user" to [email protected] and we'll set up a 15-minute conversation this week.


Built by Grindworks Studio — a venture studio shipping NA B2B infrastructure products in the AI Agent era.