Free · Apache-2.0 · Local-only · Audit-ready
@prova/sox-audit-cli
Deterministic CLI that runs PCAOB AS 2201 walkthroughs over your SOX controls config and emits workpaper-quality evidence. Test-of-Design → Sample Selection → Test-of-Operating-Effectiveness → Exception Analysis → Conclusion, with AICPA AU-C 530 attribute sampling baked in.
Built for Controllers + Internal Audit Directors at PE portfolio companies and sub-$500M public microcaps with 2–5 person internal audit teams preparing for §404(b) integrated audit scrutiny. Deterministic. Local. Auditable. Zero network calls — you can run the same engine in your browser without installing anything.
Install
v0.1.0 is available right now as a downloadable tarball while we wait for npm registry signup approval. The tarball is a regular npm package: point npm install at the URL and it installs the same way a registry install would. Until the registry name is claimed there is no registry-side record of what that URL should contain, so check the SHA-256 below before installing.

```sh
# Ephemeral run against the bundled 10-control demo
npx -y https://prova.grindworks.ai/prova-sox-audit-0.1.0.tgz --demo

# Global install from tarball
npm install -g https://prova.grindworks.ai/prova-sox-audit-0.1.0.tgz
prova-audit --demo

# Shortly (once the registry name is claimed):
npm install -g @prova/sox-audit-cli
```
Node 20+ required. Pure JavaScript, zero runtime dependencies. Tarball is ~33 KB.
SHA-256 checksum: a4b12f07b92e6f57e074fe69d2c8c3d11728cc85102eb632614b4a39f9859668. Verify before installing in a regulated environment. The command below only prints the digest of whatever the server returned at that moment; compare it to the value above yourself, and then install the file you hashed rather than letting npm fetch the URL a second time:

```sh
curl -sSf https://prova.grindworks.ai/prova-sox-audit-0.1.0.tgz | shasum -a 256
```
Usage
```sh
# Run the bundled 10-control demo (no config needed)
prova-audit --demo

# Run against your own config
prova-audit ./q1-controls.json

# JSON output for external audit firm ingestion
prova-audit ./q1-controls.json --format=json > workpaper.json

# Markdown for Notion / Confluence / internal-audit repo
prova-audit ./q1-controls.json --format=md > workpaper.md

# Printable HTML (save, open, print-to-PDF in browser)
prova-audit ./q1-controls.json --format=html > workpaper.html

# Enumerate the 6 built-in PCAOB templates
prova-audit --list-templates
```

Exit codes:
- 0: all controls effective or effective-with-observations
- 1: at least one control ineffective or not-tested (gate CI on this)
- 2: invocation error
What it catches
Six PCAOB AS 2201-aligned control templates ship with v0.1:
IT General Controls (ITGC)
- User Access Provisioning — SOC 2 Trust Services Criteria CC6.1 aligned. Tests formal request, separate approver, pre-provisioning SoD review, SLA compliance.
- User Access Termination — SOC 2 TSC CC6.2 aligned. Tests termination trigger, 24h SLA, orphan-account sweep.
- Privileged Access Periodic Review — SOC 2 TSC CC6.2 / CC6.3. Flags rubber-stamp reviews via timestamp heuristics.
- Change Management — Production Deployments — SOC 2 TSC CC8.1. Tests ticket, code review, QA/UAT, deploy approver separation, rollback criteria.
Business Process (BP)
- Revenue Recognition — Period-End Cutoff — ASC 606 transfer-of-control, including bill-and-hold criteria per ASC 606-10-25-30. Directed-sample supplement for top 5 by dollar.
- Manual Journal Entry Review & Approval — PCAOB AS 2110.65 (management override fraud risk). Flags single-approver workflows and sub-60-second approvals.
Custom templates
To run a control outside these six, supply custom_template inline on the control entry. Schema: id, category (ITGC|BP), name, assertion, risk_level, pcaob_reference, expected_evidence[], test_steps[] (each with id, phase TOD|SAMPLE|TOE|EXCEPTION, description). See the README for a full example.
PCAOB AS 2201 walkthrough protocol
Every control runs this exact sequence:
- Test of Design (TOD) — PCAOB AS 2201.39. Does the documented control actually address the risk?
- Sample Selection — AICPA AU-C 530 attribute sampling. Floors: high-risk 25, medium 15, low 10 (AICPA Audit Sampling Table A.2, 5% risk of over-reliance).
- Test of Operating Effectiveness (TOE) — PCAOB AS 2201.44-50. Each sampled item gets pass/fail.
- Exception Analysis — PCAOB AS 2201.68. Root cause + remediation hints per failure; severity escalated for access-termination, privileged-access, and revenue-cutoff failures.
- Overall Conclusion — PCAOB AS 2201.62. Effective / effective-with-observations / ineffective / not-tested. Tolerable rates per AU-C 530.A12: 5% high, 8% medium, 10% low.
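An added example, not code from @prova/sox-audit-cli, that ties the two preceding sections together: a control entry written against the custom_template schema listed above (id, category, name, assertion, risk_level, pcaob_reference, expected_evidence[], test_steps[] with id/phase/description), validated against that schema, then evaluated with the sample floors and tolerable deviation rates the walkthrough protocol publishes. Only the custom_template field names and the thresholds come from the page; the control_id field, the {id, pass} shape of samples[], the vendor-bank-change control itself, and the rule for how the thresholds combine into a conclusion are assumptions.

```javascript
// Added example, not part of @prova/sox-audit-cli. Evaluates one control
// against the floors (25/15/10) and tolerable rates (5%/8%/10%) the page
// lists. control_id, the samples[] shape and the conclusion rules are assumed.

// Floors and tolerable deviation rates as published on the page.
const RISK_PARAMS = {
  high:   { floor: 25, tolerable: 0.05 },
  medium: { floor: 15, tolerable: 0.08 },
  low:    { floor: 10, tolerable: 0.10 },
};
const TEMPLATE_FIELDS = ['id', 'category', 'name', 'assertion', 'risk_level',
                         'pcaob_reference', 'expected_evidence', 'test_steps'];
const PHASES = ['TOD', 'SAMPLE', 'TOE', 'EXCEPTION'];

// Constructed sample set: n items, the listed indices failing TOE (assumed shape).
function makeSamples(n, failing = []) {
  return Array.from({ length: n }, (_, i) => ({ id: `VCH-${100 + i}`, pass: !failing.includes(i) }));
}

// Check a custom_template against the documented field list; returns problems found.
function validateTemplate(t) {
  const problems = [];
  for (const f of TEMPLATE_FIELDS) if (!(f in t)) problems.push(`missing ${f}`);
  if (!['ITGC', 'BP'].includes(t.category)) problems.push(`category must be ITGC|BP, got ${t.category}`);
  if (!(t.risk_level in RISK_PARAMS)) problems.push(`unknown risk_level ${t.risk_level}`);
  if (!Array.isArray(t.expected_evidence) || t.expected_evidence.length === 0) problems.push('expected_evidence[] is empty');
  for (const s of t.test_steps || []) {
    if (!PHASES.includes(s.phase)) problems.push(`step ${s.id}: phase must be TOD|SAMPLE|TOE|EXCEPTION`);
  }
  return problems;
}

// Floor check, per-item pass/fail, observed deviation rate vs tolerable rate.
// Conclusion rules are an assumption about how the published thresholds combine.
function evaluateControl(entry) {
  const t = entry.custom_template;
  const problems = validateTemplate(t);
  if (problems.length) throw new Error(`${entry.control_id}: ${problems.join('; ')}`);
  const { floor, tolerable } = RISK_PARAMS[t.risk_level];
  const n = entry.samples.length;
  const exceptions = entry.samples.filter(s => !s.pass).map(s => s.id);
  const rate = n ? exceptions.length / n : 0;
  let conclusion;
  if (n < floor) conclusion = 'not-tested';                       // assumed: below floor = insufficient evidence
  else if (exceptions.length === 0) conclusion = 'effective';
  else if (rate <= tolerable) conclusion = 'effective-with-observations';
  else conclusion = 'ineffective';
  return { control_id: entry.control_id, risk_level: t.risk_level, sample_size: n, floor,
           exceptions, deviation_rate: rate, tolerable_rate: tolerable, conclusion };
}

// Documented exit-code rule: 1 if any control is ineffective or not-tested, else 0.
function exitCodeFor(results) {
  return results.some(r => r.conclusion === 'ineffective' || r.conclusion === 'not-tested') ? 1 : 0;
}

// Constructed control entry (assumed); custom_template field names follow the page.
const vendorBankChange = {
  control_id: 'BP-CUSTOM-01',
  custom_template: {
    id: 'bp-vendor-bank-change',
    category: 'BP',
    name: 'Vendor bank-detail change approval',
    assertion: 'Bank-detail changes are approved by someone other than the requester before a payment run uses them.',
    risk_level: 'high',
    pcaob_reference: 'AS 2201.39',
    expected_evidence: ['change ticket', 'approver identity', 'approval timestamp vs first payment run'],
    test_steps: [
      { id: 'tod-1',    phase: 'TOD',       description: 'Documented workflow requires a second approver for bank-detail changes.' },
      { id: 'sample-1', phase: 'SAMPLE',    description: 'Select bank-detail changes from the period up to the high-risk floor.' },
      { id: 'toe-1',    phase: 'TOE',       description: 'Approver differs from requester and approval precedes first payment.' },
      { id: 'exc-1',    phase: 'EXCEPTION', description: 'Record root cause and whether a payment ran on unapproved details.' },
    ],
  },
  samples: makeSamples(25, [3]),   // 25 items, one TOE failure
};

// Demo: one failure in 25 (4%) stays under the 5% high-risk tolerable rate; two (8%) do not.
const results = [
  evaluateControl(vendorBankChange),
  evaluateControl({ ...vendorBankChange, control_id: 'BP-CUSTOM-02', samples: makeSamples(25, [3, 11]) }),
];
for (const r of results) {
  console.log(`${r.control_id} ${r.risk_level}: n=${r.sample_size} exceptions=${r.exceptions.length} ` +
              `rate=${(r.deviation_rate * 100).toFixed(1)}% -> ${r.conclusion}`);
}
console.log(`exit code would be ${exitCodeFor(results)}`);
```

The comparison here is observed deviation rate against the tolerable rate, which is the simplest reading of the published thresholds; a strict AU-C 530 evaluation compares the computed upper deviation limit at the chosen risk of over-reliance, which is more conservative and will turn some effective-with-observations results into ineffective ones.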
Audit log format
Every prova-audit run appends one JSONL line to ~/.prova/audit.jsonl:
```json
{"ts":"2026-04-17T09:45:12.345Z","session_id":"a1b2c3d4e5f60708",
 "event":"audit_run","audit_id":"Q1-2026",
 "entity_name_digest":"8f2a7c1e9b4d5a62",
 "period_start":"2026-01-01","period_end":"2026-03-31",
 "prepared_by_digest":"d7a4f1e09c6b3520",
 "reviewed_by_digest":"c2b9e103a74d8891",
 "control_count":10,
 "config_digest":"3a71e8d492b7f105",
 "output_digest":"7e91c4f83d06a2b5",
 "summary":{"total_controls":10,"total_exceptions":3,
 "total_coverage_gaps":0,"overall_effective":false}}
```

No plaintext entity names, owner names, or evidence references are ever logged. Only counts, hashes, and timestamps. This is intentional: the audit log must not become a new liability for the Controller. An external audit firm can verify testing was run, and against which config digest, without ever seeing your entity data. The log is a plain append-only file with no signature or cross-run binding, so it records what ran but is not tamper-evident on its own; keep it somewhere with controlled write access if you intend to rely on it.
SOX + adjacent framework mapping
- SOX §302 — Officer certifications. Workpaper feeds the disclosure committee package.
- SOX §404(a) — Management assessment of ICFR. Workpaper documents TOD + TOE for every in-scope control.
- SOX §404(b) — External auditor attestation on ICFR. JSON output is designed to ingest cleanly into the audit firm’s workpaper system.
- SOX §906 — Criminal penalties for knowingly false officer certifications. The hash-only audit log shows what was tested and when, without exposing entity plaintext, which supports the certification record.
- PCAOB AS 2201 + AS 2110.65 — The two most-cited standards in SOX workpapers. Templates reference specific paragraphs.
- AICPA AU-C 530 — Audit sampling. Drives sample floors + tolerable-rate thresholds.
- SOC 2 (SSAE 18) — Trust Services Criteria CC6 / CC8 map 1:1 to the ITGC templates.
- ASC 606 + COSO 2013 — Revenue recognition and Control Environment components referenced in the BP templates.
Adjacent-framework notes (surface-only)
If your entity has European operations, DORA Articles 6 and 9 overlap substantially with the ITGC Access Management + Change Management templates — an internal mapping exercise is straightforward. For defense primes, CMMC 2.0 Level 2/3 practice areas AC.L2-3.1 (access control) and CM.L2-3.4 (configuration management) overlap with the ITGC output. This CLI does not produce CMMC or DORA evidence independently, but the ITGC output informs both.
Environment variables
| Var | Default | Purpose |
|---|---|---|
| PROVA_LOG_DIR | ~/.prova/ | Directory where the audit log is written |
| PROVA_LOG_PATH | {LOG_DIR}/audit.jsonl | Full audit log path override |
What this CLI does NOT do
Clear-eyed scope statement for v0.1:
- No automated evidence collection. You still export data from NetSuite, Workday, Okta, GitHub, Stripe and populate the samples + evidence_sources arrays. Agentic collection is the paid product.
- No continuous testing. v0.1 runs when you run it. The paid product watches control sources and flags deviations in near-real-time.
- No signed artifact chain. Each run appends an input/output digest, but there is no cross-run cryptographic binding. Paid product.
- No multi-entity rollup. One config per run, one period per config.
- Not legal or audit advice. The external audit firm’s work is the audit of record. This tool produces input.
Upgrade to the hosted product
The open-source CLI is the starting point. When you need:
- Agentic evidence collection across NetSuite / Workday / Okta / GitHub / Stripe / Jira / ServiceNow
- Continuous (not quarterly) control testing with near-real-time deviation flagging
- Signed artifact chain binding every run to the prior run and to the underlying evidence
- One-click external audit firm export wizard for §404(b) integrated audit handoff
- Admin console with multi-entity rollup and per-subsidiary control mapping
- Library of 120+ industry-specific control templates (SaaS ASC 606, medical device ISO 13485 design-control crossover, oil-and-gas volumetric revenue, etc.)
→ Join the design-partner waitlist. Send "prova-cli user" to seungdo@grindworks.ai for a 15-min design-partner conversation this week.