SOX compliance, built by specialists.
ICFR and ITGC specialists for pre-IPO and public companies — from first-year readiness through steady-state sustainment.
ICFR Specialists
Internal Control over Financial Reporting designed with your controllership and finance leaders — practical, defensible, and audit-ready.
- Entity-level controls and COSO 2013 alignment
- Process narratives & risk-control matrices (O2C, P2P, R2R, H2R)
- Key reports and management review controls (MRCs)
- SOC 1 reliance and complementary user entity controls (CUECs)
- Deficiency evaluation, aggregation, and remediation
- Audit committee and external auditor coordination
ITGC Specialists
IT General Controls executed by engineers who actually understand cloud, CI/CD, and modern identity — not checklist auditors.
- Logical access: provisioning, de-provisioning, periodic reviews
- Change management across application, database, and infra
- SDLC, CI/CD pipeline controls, and segregation of duties
- Computer operations: batch jobs, backups, incident management
- Cloud ITGCs for AWS, GCP, Azure, Workday, NetSuite, Salesforce
- AI/ML model change and access controls (SOX-relevant systems)
A five-phase engagement
Scope
Materiality, in-scope entities, significant accounts, and key systems. Risk-rank processes and define your control universe.
Design
Process narratives, flowcharts, risk-and-control matrices (RCMs), and key report inventories tuned to your stack.
Implement
Stand up control owners, evidence cadences, ticket-based workflows, and change/access reviews that run in your tools.
Test
Management testing of design and operating effectiveness, deficiency evaluation, and remediation tracking through to clean.
Sustain
Quarterly cadence, walkthrough refreshes, and external auditor (PCAOB) coordination so year two is cheaper than year one.