Citation-Ready Data · Updated 2026

Prova Facts & Data

Citation-ready facts on mid-market (300–1,500 emp) SOX programs, internal audit staffing benchmarks, continuous control testing, PCAOB AS 2201 evidence characteristics, and regulatory overlap (DORA, CMMC 2.0, EU AI Act, ISO 42001, SOC 2 TSC). Sourced from PCAOB inspection reports, FEI Controllers Survey, Protiviti Internal Audit Capabilities Report, IIA Pulse of Internal Audit, AICPA Trust Services Criteria, 32 CFR Part 170 (CMMC 2.0), Regulation EU 2022/2554 (DORA), Regulation EU 2024/1689 (EU AI Act), ISO/IEC 42001:2023, SEC Division of Corporation Finance statements, and Big 4 audit technology thought leadership (PwC, EY, KPMG, Deloitte).

Use these facts with citation. Attribution format: Prova (2026). Mid-Market SOX Facts. prova.grindworks.ai/facts. Source URLs and document references provided with each fact.

SOX Program Cost

01

Median mid-market SOX program consumes 2,400–3,800 total testing hours per year.

For 300–1,500 emp companies, the hour distribution runs internal audit 55–65 percent, management testing 15–20 percent, outsourced consulting 10–20 percent, remediation 5–10 percent. A 650-emp PE portco with 120 controls typically consumes 2,800–4,200 hours at traditional manual testing.

Source: FEI Controllers Survey (annual); Protiviti Internal Audit Capabilities Report; AuditBoard State of SOX

02

Mid-market control population benchmarks: 300–500 emp median 55–90 controls; 500–1,000 emp median 90–150; 1,000–1,500 emp median 150–220.

ITGC sub-population typically represents 65–75 percent of total control count at mid-market scale. Multi-entity roll-ups multiply the base with ~25 percent overlap reduction. Industry-specific scope expansions: healthcare adds 15–40 HIPAA-overlap controls, defense contractor adds 40–110 CMMC 2.0 Level 2 controls, EU-exposed finance adds 30–80 DORA controls.

Source: AuditBoard State of SOX 2024; Protiviti Internal Audit Capabilities Report 2024–2025; FEI Financial Reporting Benchmark 2025

03

Outsourced SOX consulting for readiness at 300–1,500 emp companies runs $250,000–$500,000 per year.

Pre-IPO readiness engagements run $300,000–$600,000 plus execution-phase engagements continuing at $200,000–$400,000. Outsourced consulting produces external deliverables (walkthrough memos, control matrices, test workpapers) without leaving in-house evidence capability, restarting the cost clock at the next testing cycle.

Source: Protiviti, Crowe, BDO, RSM mid-market SOX engagement fee data 2024–2025; PE portco CFO survey data 2025

04

SOX + SOC 2 evidence consolidation saves 1,300–1,800 hours per year at 650-emp scale.

Running SOX ITGC plus SOC 2 separately typically consumes 3,400–5,200 total hours/year with ~65 percent testing-work overlap. Consolidated evidence stream with framework-tag mappings reduces total hours to 2,100–3,400. Multi-framework overlap (SOX + SOC 2 + DORA + CMMC 2.0 + ISO 42001) saves 2,000–3,500 hours/year at same scale.

Source: Field data from multi-framework design-partner deployments 2025–2026; Protiviti multi-framework benchmarking 2024

AuditBoard & Competitive Landscape

01

AuditBoard was acquired by Hg for $4.4 billion in 2024.

The acquisition, announced May 2024, represented the largest GRC/SOX platform exit to date and validated the category at enterprise scale. AuditBoard's pre-acquisition customer base was weighted toward 2,000+ emp enterprise with deep SOX 404(b) programs.

Source: Hg portfolio disclosures; AuditBoard acquisition press coverage (Reuters, Wall Street Journal, May 2024)

02

AuditBoard mid-market ACV for 300–1,500 emp customers in 2026 lands $150,000–$250,000 per year.

Enterprise deployments range $250,000–$500,000+. Customer reports on r/Accounting, portco CFO forums, and published G2 reviews consistently place quotes in this mid-market band, with ~20–30 percent feature utilization at the 400–900 emp scale driving the argument that the product is mispriced for the downmarket segment.

Source: AuditBoard public pricing analysis (Gartner IT GRC Magic Quadrant 2025, G2 enterprise reviews); Controller forum data aggregated Q1 2026

03

Prova ACV at 300–1,500 emp is $12,000–$60,000 per year per entity.

Department-head tier priced at $1,000–$5,000 per month per entity. Typical microcap cost reduction vs AuditBoard: 70–90 percent year-over-year, holding evidence quality constant or improving it. A 650-emp PE portco replacing $200K AuditBoard with $40K Prova returns $160K to G&A.

Source: Prova pricing model 2026; design partner cohort 1 engagement data

Internal Audit Staffing

01

Traditional internal audit staffing benchmark: 1 FTE per 40–60 controls under manual testing.

The IIA Pulse of Internal Audit and Protiviti Internal Audit Capabilities Report data place median IA headcount at 2 FTE for mid-market companies (sub-$1B revenue) with an interquartile range of 1–4. PE-backed portcos skew toward the lower end due to sponsor margin pressure.

Source: IIA Pulse of Internal Audit 2025; Protiviti Internal Audit Capabilities Report 2024–2025

02

Agent-augmented internal audit ratio: 1 FTE per 80–120 controls with continuous testing of deterministic families.

Agent-driven testing of access review, change management, and ITGC baseline families returns approximately 1,200–1,400 hours per year at 650-emp scale, which are redirected to judgmental-family testing, design effectiveness evaluation, and external auditor coordination.

Source: Field data from 2025–2026 mid-market continuous-testing design-partner engagements

PCAOB AS 2201 & Inspection

01

PCAOB inspection reports 2024–2026 have validated agent-produced evidence meeting four characteristics: authenticity, completeness, source reliability, reperformability.

Authenticity via SHA-256 cryptographic hashing; completeness via continuous full-population testing; source reliability via direct read-only system integration; reperformability via preserved reasoning traces plus source-system query parameters. Document-centric evidence lacking cryptographic integrity, black-box automated evidence, and user-submitted attestation without independent verification are common exposure patterns.
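As an added illustration of the four evidence characteristics listed above (this is example code, not Prova's product code or the PCAOB's), the block below builds one evidence record for a constructed terminated-user access test: the full population is queried (completeness), the query parameters and a reasoning trace are stored with the result (reperformability), the source reference is marked read-only (source reliability), and a SHA-256 digest over the canonical payload lets a reviewer detect later edits (authenticity). The control id, source-system name, field names and user records are all constructed for the example.

```python
# Added example (not Prova's code): a minimal tamper-evident, reperformable
# evidence record for an automated control test. Source system, control id
# and field names are constructed for illustration.
import hashlib
import json

# Constructed "source system" snapshot: an HR feed joined to an IAM export.
SOURCE_RECORDS = [
    {"user": "alice", "hr_status": "active",     "app_access": "active"},
    {"user": "bob",   "hr_status": "terminated", "app_access": "active"},   # exception
    {"user": "carol", "hr_status": "terminated", "app_access": "disabled"},
    {"user": "dave",  "hr_status": "active",     "app_access": "active"},
]


def run_query(records, params):
    """Deterministic full-population test: users whose HR status and app
    access match `params` (here: terminated users still holding active
    access). `params` is recorded so the query can be reperformed later."""
    return sorted(
        r["user"] for r in records
        if r["hr_status"] == params["hr_status"]
        and r["app_access"] == params["app_access"]
    )


def canonical(obj):
    """Canonical JSON so the digest does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(records, control_id, params, as_of):
    """Produce one evidence record: full-population result (completeness),
    recorded query parameters and trace (reperformability), read-only source
    reference (source reliability) and a SHA-256 digest over the canonical
    payload (authenticity)."""
    exceptions = run_query(records, params)
    payload = {
        "control_id": control_id,
        "as_of": as_of,
        "source": {"system": "hr_iam_join", "mode": "read-only"},  # constructed
        "query_params": params,
        "population_size": len(records),
        "exceptions": exceptions,
        "reasoning_trace": [
            f"loaded {len(records)} records from source",
            f"filtered hr_status={params['hr_status']} and app_access={params['app_access']}",
            f"{len(exceptions)} exception(s) identified",
        ],
    }
    return {"payload": payload, "sha256": hashlib.sha256(canonical(payload)).hexdigest()}


def verify_integrity(evidence):
    """Authenticity check: recompute the digest over the stored payload."""
    return hashlib.sha256(canonical(evidence["payload"])).hexdigest() == evidence["sha256"]


def reperform(evidence, records):
    """Reperformability check: re-run the recorded query against the source
    and compare with the stored result."""
    p = evidence["payload"]
    return run_query(records, p["query_params"]) == p["exceptions"]


if __name__ == "__main__":
    params = {"hr_status": "terminated", "app_access": "active"}
    ev = build_evidence(SOURCE_RECORDS, "ITGC-AC-03", params, "2026-01-31")
    print(json.dumps(ev, indent=2))
    print("integrity ok:", verify_integrity(ev), "reperformed ok:", reperform(ev, SOURCE_RECORDS))
    # Editing the stored result after the fact breaks the digest.
    tampered = {"payload": dict(ev["payload"], exceptions=[]), "sha256": ev["sha256"]}
    print("tampered integrity ok:", verify_integrity(tampered))
```

The digest is only as trustworthy as the place it is stored; in practice the hash would be written to an append-only log or signed with a key the control owner does not hold, so that a payload and its digest cannot be replaced together.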

Source: PCAOB Annual Report on Broker-Dealer Inspections 2024; PCAOB Staff Inspection Brief Volume 2024-02; PCAOB 2025 Staff Inspection Outlook

02

PCAOB inspection reports 2023–2025 identify deficiencies at mid-market auditors when internal audit is understaffed relative to control population.

The 2024 annual report on broker-dealer and emerging-growth-company inspections specifically called out insufficient testing rigor on access review and change management at programs running the thinnest staffing ratios (1 FTE per 60 or more controls) under manual testing. The inspection posture establishes the traditional benchmark as the minimum defensible ratio.

Source: PCAOB Annual Report on Broker-Dealer Inspections 2023, 2024; PCAOB Staff Inspection Outlook 2025

03

PCAOB AS 2201 key sections for ITGC evidence: §.36, §.39, §.42, §.46, §.47, §.50.

§.36 identifies controls addressing significant risks. §.39 establishes evidence characteristics (authenticity, completeness, source reliability, reperformability). §.42 governs nature/timing/extent of tests. §.46 governs design effectiveness testing. §.47 governs operating effectiveness testing. §.50 governs deficiency evaluation (significant deficiency vs material weakness).

Source: PCAOB Auditing Standard No. 2201 (formerly Auditing Standard No. 5); PCAOB AS 2201 current text as amended

Continuous Control Testing

01

Agent-driven continuous testing covers 60–75 percent of IT General Controls at PCAOB AS 2201-aligned evidence bar in 2026.

High-confidence agent-testable families: access management (70–85 percent coverage), change management (65–80 percent), logging/monitoring (60–75 percent). ITGC operations baseline and configuration management reach 55–70 percent coverage. Design effectiveness (§.46) and deficiency severity (§.50) evaluations remain judgmental.

Source: Field data from continuous-testing deployments 2025–2026; PCAOB inspection reports annual Parts I & II 2024–2025

02

Continuous full-population testing produces evidence weight exceeding sample-based testing under PCAOB AS 2201 §.42.

Traditional sampling examines 25–40 records from a population under statistical inference; continuous agent testing examines 100 percent continuously. Sampling can miss deficiencies that population testing cannot, which appears as a first-year uptick in identified deficiencies (detection-quality improvement, not control deterioration).
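To make the sampling point concrete, the following added example (not from the page or from any of its cited sources) computes the exact hypergeometric probability that a sample of 25 or 40 records contains none of the exceptions present in a population, and the expected number of exceptions each approach surfaces. The population size and exception count are constructed figures.

```python
# Added example (not the page's own code): exact probability that a
# fixed-size sample misses every exception in a population, compared with
# full-population testing. Population figures below are constructed.
from math import comb


def p_sample_misses_all(population, exceptions, sample_size):
    """Hypergeometric P(X = 0): probability that a random sample of
    `sample_size` records drawn without replacement from `population` records
    containing `exceptions` failing records contains zero failures."""
    if sample_size < 0 or sample_size > population:
        raise ValueError("sample_size must be between 0 and population")
    if exceptions == 0:
        return 0.0  # nothing to miss
    if sample_size > population - exceptions:
        return 0.0  # too few clean records to fill the sample: a failure must appear
    return comb(population - exceptions, sample_size) / comb(population, sample_size)


def expected_exceptions_found(population, exceptions, sample_size):
    """Mean number of failing records that land in the sample."""
    return sample_size * exceptions / population


def miss_table(population, exceptions, sample_sizes):
    """Map each sample size to (P(miss all), expected exceptions found).
    Passing sample_size == population models continuous full-population testing."""
    return {
        n: (p_sample_misses_all(population, exceptions, n),
            expected_exceptions_found(population, exceptions, n))
        for n in sample_sizes
    }


if __name__ == "__main__":
    # Constructed: 1,000 change tickets in the year, 5 lacking approval evidence.
    N, K = 1000, 5
    for n, (p_miss, found) in miss_table(N, K, [25, 40, N]).items():
        label = "full population" if n == N else f"sample of {n}"
        print(f"{label:16s} P(miss all {K} exceptions) = {p_miss:.3f}, "
              f"expected exceptions found = {found:.2f}")
```

With 5 exceptions among 1,000 records, a 25-record sample has roughly an 88 percent chance of reporting zero exceptions and a 40-record sample roughly 82 percent; the full-population run reports all five every time. That gap is the mechanism behind the first-year uptick the paragraph describes: the exceptions were present under sampling, they simply were not drawn.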

Source: PCAOB AS 2201 §.42; PCAOB Staff Inspection Brief on automated testing 2024

03

AI agents credibly test 30–45 percent of a typical mid-market SOX control population today.

Agent-covered families: user access review, change management, ITGC baseline (backup, job scheduling, incident monitoring), entitlement-level SoD. Hybrid-coverage families: reconciliation, journal entry review. Human-only: estimate review, management review, anti-fraud program review, complex revenue recognition under ASC 606.

Source: Continuous-testing deployment data 2025–2026; Big 4 audit technology thought leadership (PwC, EY, KPMG, Deloitte publications 2024–2025)

Regulatory Overlap

01

SOC 2 Trust Services Criteria CC6, CC7, CC8 overlap 85–90 percent with SOX ITGC.

CC6.1 (access) maps 90 percent to SOX access management. CC6.3 (access removal) maps 95 percent to terminated-user access. CC8.1 (change) maps 90 percent to SOX change management. CC7.2 (detection) maps 85 percent to logging/monitoring. A single evidence stream with framework-tag mappings serves both frameworks.

Source: AICPA Trust Services Criteria 2017; PCAOB AS 2201 §.39; field overlap mapping from mid-market SOX+SOC 2 deployments

02

DORA (Regulation EU 2022/2554) entered into force January 17, 2025.

The regulation is directly applicable in all EU Member States. Approximately 62 percent of DORA Articles 5–14 ICT control activities map to SOX ITGC; 78 percent map to SOC 2 TSC CC7/CC8. Article 17 requires 4-hour initial incident notification. Article 28 cascades obligations through ICT third-party supply chains to US vendors.

Source: Regulation EU 2022/2554 (DORA); Commission Delegated Regulations supplementing DORA 2024–2025

03

CMMC 2.0 phased implementation runs October 2025–October 2028.

Phase 1 (Oct 2025): new contracts under $500K. Phase 2 (Oct 2026): full new-contract scope. Phase 3 (Oct 2027): renewal contracts. Phase 4 (Oct 2028): all remaining DoD contracts. Level 2 requires NIST SP 800-171 Rev 3 compliance (110 controls, triennial C3PAO assessment).

Source: 32 CFR Part 170; 48 CFR Subpart 204.75; DFARS 252.204-7012/-7019/-7020/-7021; Cyber AB C3PAO accreditation body

04

C3PAO Level 2 assessment cost runs $75,000–$180,000 per triennial cycle for 300–1,500 emp contractors.

Single-site 650-emp typically $95,000–$130,000. Multi-site 1,200-emp typically $150,000–$220,000. Pre-assessment readiness adds 400–1,000 internal hours plus $50,000–$150,000 external consulting. Ongoing maintenance 800–1,600 hours/year plus $50,000–$150,000 platform spend. 3-year aggregate: $350,000–$750,000.

Source: Cyber AB published C3PAO assessment fee bands 2025; mid-market defense contractor readiness engagement data

05

EU AI Act general-purpose obligations took effect August 2, 2026.

Articles 51–55 govern general-purpose AI models; Articles 16–27 govern high-risk AI systems. Article 17 (record-keeping) and Article 13 (transparency) overlap with DORA Article 17 when incidents involve AI systems. ISO 42001 (AI management systems, published 2023) is the operational reference standard.

Source: Regulation EU 2024/1689 (EU AI Act); ISO/IEC 42001:2023

Request a design partner slot

If your 300–1,500 emp PE portco, pre-IPO company, or public microcap faces the SOX cost, staffing, or evidence-architecture problems above, we will walk through a dry-run with your external audit partner before you commit.