SOX automation, PCAOB evidence, and mid-market compliance.
Written for controllers and internal audit directors at 300–1,500 emp PE portcos, pre-IPO companies, public microcaps, and multi-entity mid-market finance teams. No marketing fluff, no vendor-bias apology; all claims cite specific PCAOB AS 2201 paragraphs, SOC 2 TSC criteria, DORA articles, CMMC 2.0 controls, and data sources.
IT General Controls are the foundation of the SOX ITGC stack, and PCAOB AS 2201 paragraphs .39, .42, .46, and .50 govern how the external auditor evaluates whether ITGC evidence supports management's 404(b) attestation. This is the honest deep dive: what AS 2201 actually says, which ITGC families are agent-testable at audit-grade, how SOC 2 TSC CC6/CC7/CC8 overlap works, and what the 2025–2026 PCAOB inspection posture means for 300–1,500 emp finance teams.
How many internal audit FTE does a 300, 650, or 1,200 employee PE portco actually need to credibly operate a SOX program? This is a data-driven benchmark from Protiviti Internal Audit Capabilities Report, IIA Pulse of Internal Audit, PCAOB inspection findings, and Controller forum data covering controls population per headcount, hours per control per year, and the agent-coverage adjustment that rebalances the ratio in 2026.
CMMC 2.0 phased implementation runs from 2025 through 2028, and the 300–1,500 emp PE-backed defense contractor is squarely in Phase 2 scope as of 2026. This is the honest playbook on Level 1 (FAR 52.204-21, 17 controls), Level 2 (NIST SP 800-171 Rev 3, 110 controls), C3PAO assessment economics, how CMMC controls overlap with SOX ITGC and SOC 2 TSC CC6–CC8, and the evidence architecture that lets a 650-emp portco clear assessment without burning $400K+ on outsourced consulting.
DORA entered into force January 17, 2025, and its ICT risk management and third-party obligations now reach US mid-market finance teams with any EU subsidiary, EU customer, EU data processor, or ICT service provider licensed in the EU. This is an honest walkthrough of Articles 5–14 (ICT risk management), Article 17 (incident reporting), Articles 28–30 (third-party ICT risk), and how the DORA evidence overlap maps to SOX ITGC and SOC 2 TSC CC7 so you do not run parallel evidence stacks.
Workiva is the connected-reporting incumbent for public filers; Prova is the agent-native SOX specialist for the 300–1,500 emp tier. This is an honest head-to-head on which platform fits which scope, pricing reality, implementation timelines, PCAOB AS 2201 evidence depth, and when switching (or stacking) makes sense.
Agent-driven continuous control testing is reshaping SOX economics, but the honest picture is more nuanced than the marketing suggests. This primer covers which control families agents test credibly today, which require human judgment, what the PCAOB actually expects under AS 2201, and how to evaluate a continuous-testing platform without hand-waving the audit-evidence bar.
AuditBoard defines the SOX platform category, but at 300–1,500 emp its $150–250K ACV frequently outpaces the value it delivers. This is an honest comparison of the eight alternatives mid-market companies actually evaluate — what each replaces, what each doesn't, and when the evaluation is worth running.
Why mid-market PE portcos systematically overpay for SOX platforms, and what the agent-driven alternative actually looks like in a 404(a) or 404(b) program. Real controls, real dollar figures, real external-auditor acceptance criteria.