SOX · CONTINUOUS ASSURANCE · AGENTIC CONTROL TESTING

Prove every SOX control, continuously.

Agentic SOX control testing and PCAOB-ready evidence for 300 to 1,500 employee finance teams — without an AuditBoard-tier budget.

Built for Controllers and Internal Audit Directors at PE portcos and sub-$1B public microcaps. SOC 2 path + ITGC coverage from day one.

prova / agent / access-review
AC-04

Agent reasoning trace

  1. Pulled identity signals from Okta + Workday + NetSuite.
  2. Reconciled 847 active users against role entitlements.
  3. Flagged 3 users with entitlement drift beyond documented role scope.
  4. Routed to control owner for 24-hour remediation window; signed evidence on completion.

Evidence

Control: AC-04 Access Review
Population: 847 users
Exceptions: 3 (remediated)
Status: Passed · Signed
SHA-256 · 7f2a...c019
Evidenced · 2026-04-17T09:14:22Z

How Prova works

What does continuous SOX assurance actually look like?

Agentic testing for the two highest-frequency control families

Access review and change management run continuously by reasoning agents across Okta, Entra ID, Workday, NetSuite, GitHub, GitLab, Jenkins, and the rest of your stack. Together these families are 30 to 45 percent of a typical mid-market ICFR control population, and they are the ones that consume most of every quarter's testing hours today.

AC-04 access review

847 users reconciled · 3 exceptions · passed

Signed, hashed evidence your external auditor will accept

Every agent test produces a record your PCAOB-aligned walkthrough will recognize: control ID, source system query, time window, observed data snapshot with SHA-256 integrity hash, the agent's interpretive reasoning trace, a pass or fail determination, and a human control-owner sign-off. Immutable once signed. Exportable in the formats Big 4 and regional audit partners expect.

Evidence hash

SHA-256 · 7f2a...c019 · 2026-04-17T09:14:22Z

Priced for the department-head budget, not the enterprise line

Prova runs $1,000 to $5,000 per month per entity for 300 to 1,500 employee companies — roughly an order of magnitude below AuditBoard and Workiva ACV for the same SOX scope. The pricing works because agent-driven testing collapses the per-control-test labor cost; the platform economics no longer require you to fund a consulting motion on top.

Typical ACV

$12k – $60k / year · 1/10th AuditBoard

Design partners · PE portcos, public microcaps, and external audit firms


Design partner program · Cohort 1

Request a design partner slot.

Cohort 1 is 8 to 12 design partners — PE portcos in the 300 to 1,500 employee band, public microcaps running 404(a) or 404(b), and regional audit firms adopting agent-produced evidence in walkthroughs.

Design partners get concierge onboarding, a dry-run walkthrough with your external audit partner before year-end, and founder-level access to the roadmap. In exchange we ask for 60 minutes every two weeks.

We will only email you about Prova. No newsletter list, no tracking pixels, no shared contact data.

Questions Controllers ask before a call

Frequently asked questions

How is Prova different from AuditBoard?

Prova is an agent-native SOX platform priced for department-head budgets, typically $1,000 to $5,000 per month. AuditBoard is the category-defining enterprise SOX platform, typically $100,000 to $250,000 ACV, acquired by Hg for $4.4 billion in 2024.

The functional difference is testing paradigm. AuditBoard was built in the pre-LLM era when SOX control testing required human auditors executing test procedures manually. Prova executes high-frequency control families — access review, change management, segregation of duties — through reasoning agents that produce SHA-256-hashed evidence continuously, then expands to the full SOX workflow (risk register, walkthroughs, deficiency tracking) on top of that agentic foundation.

The practical result: a 400-person public microcap paying $200,000 for AuditBoard while using 20 percent of the feature surface can replace the SOX-specific scope with Prova at roughly one-tenth the ACV, while keeping the external-auditor evidence trail at or above PCAOB expectations.

Can a 400-person company afford a SOX platform?

Yes — at department-head-tier pricing, which is where the SOX platform market has historically failed mid-market buyers. Prova is priced at $1,000 to $5,000 per month for 300-1,500 employee companies, which fits within the typical Controller or Internal Audit Director discretionary budget.

The reason this pricing tier has not existed before is structural. Legacy platforms (AuditBoard, Workiva, OneTrust) were built when SOX testing was labor-heavy, so they had to capture the associated consulting and implementation revenue to be profitable. Their per-customer economics require $100K+ ACV. Agent-driven testing collapses the per-control test cost by roughly an order of magnitude, which is what makes dept-head ACV viable without sacrificing the audit-evidence bar.

The typical buying committee at this scale is two to three people: the Controller (economic buyer), the Internal Audit Director (user buyer), and either the CFO or the Audit Committee Chair (approver). None of them want a six-figure platform decision; all of them want SOX to stop consuming quarters of their team's capacity.

What SOX controls can Prova test automatically?

Prova's initial wedge is the two highest-frequency, lowest-ambiguity control families: (1) user access review and identity-lifecycle controls, and (2) change management controls across production systems. These families alone typically represent 30 to 45 percent of a mid-market ICFR control population and consume a disproportionate share of quarterly testing hours.

For access review, the agent continuously pulls identity signals from Okta, Entra ID, Workday, Rippling, Snowflake, AWS IAM, Google Workspace, and NetSuite; reasons about whether observed access aligns with the documented role entitlements; and produces signed test results per user, per entitlement, per period. For change management, the agent tracks deployment pipelines through GitHub, GitLab, Bitbucket, Jenkins, and similar systems; verifies approval, testing, and separation-of-duties evidence; and ties each production change to a control test record.

From this foundation, Prova expands to ITGC scope (backup, incident, vendor), financial close controls (reconciliations, journal entry review), and application controls. The principle is: start with control families where the answer is deterministic enough for an agent to produce audit-grade evidence, and expand at the pace of verified accuracy — never at the pace of marketing ambition.

Does Prova work for PE portfolio companies?

PE portfolio companies are the primary ICP. Roughly half of the initial design-partner pipeline consists of 300-1,500 employee PE portcos — either preparing for an IPO SOX readiness window, running SOX because the portco is already public, or running SOX-readiness programs as a lender / covenant requirement.

The PE fit is structural. Portco CFOs are under constant margin pressure from the sponsor, which makes $150K+ AuditBoard ACV politically impossible to defend — yet the portco still needs a controls program the sponsor's audit committee will accept. Prova fits that exact gap: dept-head ACV, PCAOB-aligned evidence, and short enough implementation (typically 2-4 weeks) that the program is live before the next quarterly sponsor review.

For PE sponsors running multiple portcos, Prova supports a sponsor-level view across holdings — useful for operating partners tracking financial-reporting risk across a portfolio. This is a Phase 2 capability on the public roadmap, but active in design-partner conversations today.

How does Prova evidence stand up to external audit?

Prova evidence is designed to meet PCAOB AS 2201 expectations for the nature, timing, and extent of tests of controls, with a specific focus on the evidence characteristics external audit partners review at walkthrough: authenticity, completeness, independence of source, and reperformability.

Every agent test execution produces a signed record containing: the control ID and objective; the source system, query, and time window; the observed data snapshot (with SHA-256 hash for integrity); the agent's reasoning trace (the interpretive steps the agent took, retained for defensibility); the pass/fail determination; and the human sign-off from the control owner or IA tester. This record is immutable once signed and is exportable in the formats Big 4 and regional audit firms expect — including walkthrough summaries, sample-of-one narratives, and full population test reports.

Prova maintains an external-auditor readiness workstream that pre-emptively addresses the most common PCAOB review findings: sufficiency of testing, evaluation of deficiencies, and reliance on automated controls. Design-partner engagements include a structured walkthrough dry-run with your external audit partner before year-end, so there are no surprises at the Q4 control review.
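The evidence record described above, together with the access-review reconciliation from the earlier answer, sketched as an added example; this is not Prova's code or schema. The field names, role names, entitlement strings, the pass/fail rule, and the sample snapshot are all assumptions constructed for illustration.

```python
import hashlib
import json

# Constructed sample data (not from Prova): documented role scope and one observed snapshot.
ROLE_SCOPE = {
    "ap_clerk": {"netsuite:bill.create", "netsuite:vendor.view"},
    "controller": {"netsuite:journal.approve", "netsuite:bill.approve"},
}
SNAPSHOT = [
    {"user": "u001", "role": "ap_clerk", "entitlements": ["netsuite:bill.create"]},
    {"user": "u002", "role": "ap_clerk", "entitlements": ["netsuite:bill.create", "netsuite:bill.approve"]},
    {"user": "u003", "role": "contractor", "entitlements": ["netsuite:vendor.view"]},  # role has no documented scope
]

def snapshot_hash(snapshot):
    """SHA-256 over canonical JSON, so dict key order and whitespace cannot change the digest."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()

def find_drift(snapshot, role_scope):
    """List entitlements held beyond the documented role scope; an unknown role has an empty scope."""
    exceptions = []
    for row in snapshot:
        extra = sorted(set(row["entitlements"]) - role_scope.get(row["role"], set()))
        if extra:
            exceptions.append({"user": row["user"], "out_of_scope": extra})
    return exceptions

def build_record(control_id, source, window, snapshot, role_scope):
    """Assemble the evidence fields; the sign-off stays empty for the human control owner."""
    exceptions = find_drift(snapshot, role_scope)
    return {
        "control_id": control_id, "source_system": source, "time_window": window,
        "population": len(snapshot), "snapshot_sha256": snapshot_hash(snapshot),
        "exceptions": exceptions,
        "determination": "fail" if exceptions else "pass",  # assumed rule: any open exception fails
        "sign_off": None,
    }

def reperform(record, snapshot, role_scope):
    """Auditor-side check: snapshot must match the recorded hash and reproduce the exceptions."""
    if snapshot_hash(snapshot) != record["snapshot_sha256"]:
        return "snapshot altered"
    if find_drift(snapshot, role_scope) != record["exceptions"]:
        return "result not reproducible"
    return "verified"

RECORD = build_record("AC-04", "netsuite", "constructed-window", SNAPSHOT, ROLE_SCOPE)
```

A bare hash only detects changes to the snapshot if the record holding it is itself protected; the signing step that makes the record immutable is outside this sketch.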

What about pre-IPO or public microcap use cases?

Pre-IPO and sub-$1 billion public microcap is the second-largest ICP segment after PE portcos. These companies share a common structural problem: they must run a credible SOX program — 404(a) for microcaps, 404(b) when the market cap or other thresholds trigger auditor attestation — but cannot justify AuditBoard / Workiva pricing relative to their G&A envelope.

For pre-IPO companies, Prova typically deploys during SOX readiness 12-18 months before the S-1 filing. The agent-native foundation means a two- or three-person internal audit function can credibly cover a control population that would previously have required outsourced consulting at $300K+ per year. The evidence trail is already walkthrough-ready when the pre-IPO external audit firm engages.

For public microcaps already filing 10-K/10-Q, Prova slots into the existing ICFR program, typically replacing either AuditBoard at a 70-90 percent cost reduction, or replacing a spreadsheet-and-SharePoint homegrown program that has become unsustainable as the control population grows past 100 controls.

Which systems does Prova integrate with today?

Prova's initial integration surface covers the systems where 80 percent of mid-market SOX evidence actually lives: identity and HR (Okta, Entra ID, Google Workspace, Workday, Rippling, BambooHR), cloud and IaaS (AWS IAM, GCP IAM, Azure AD), ERP and finance (NetSuite, Intacct, QuickBooks Online Advanced, Xero for smaller entities), source and build (GitHub, GitLab, Bitbucket, Jenkins, CircleCI), and data warehouse (Snowflake, BigQuery, Databricks).

Integration is read-only by design. Prova never writes back to source systems, never changes configuration, and never takes remediation actions autonomously — the boundary between agent observation and human action is deliberate, because PCAOB auditors view autonomous remediation as a control-design risk in itself.

For systems not in the initial surface (SAP, Oracle EBS, large custom ERPs), Prova supports generic SQL / API / SFTP ingestion with a structured evidence schema. Integration coverage expands based on design-partner mix; SAP is on the Phase 2 roadmap given its prevalence in larger mid-market portcos.

How long does implementation actually take?

Typical design-partner time-to-first-agent-tested-control is two to four weeks from contract. Full coverage of the initial control scope (access review + change management) reaches steady-state testing within four to eight weeks. This compares to three to six months for an AuditBoard or Workiva deployment, and six to twelve months for a OneTrust or LogicGate configuration.

The reason Prova deploys faster is architecture. Agents are control-family-specific and ship pre-trained against the PCAOB evidence expectations for each family — there is no multi-month canvas-configuration phase where the customer designs their own workflow. The deployment work is integration authentication, control-scope documentation import, and the first walkthrough dry-run with your external audit partner.

For customers replacing a legacy platform, the migration workstream runs in parallel — historical evidence import, control matrix reconciliation, and deficiency history transfer — so the cutover happens at a defined quarter boundary without loss of audit trail continuity. The external audit partner sees a single consistent evidence stream across the transition.