For Family office

SOX and ICFR for family office operating holdings

Controls testing and signed evidence at the scale and pricing a family office CFO will actually fund — without imposing portco operating costs the principal will question at the next trustee meeting.

Who we built this for

The persona

Controller or compliance officer at a family-office operating company, or the family office CFO overseeing a small portfolio of operating holdings.

The specific pain: Family office holdings often have the regulatory posture of a public microcap without the resourcing — one 450-person operating company, a principal's patience for G&A below what sponsors would tolerate, and external audit pressure from a regional CPA firm representing family-trust interests.

Executive summary

The Family office positioning in one read.

Family office operating holdings occupy a specific market position between private-company permissionless-governance and public-filer obligation. The principal expects operating-company governance discipline commensurate with the trust structure (typically generation-spanning trustee obligations, lender covenants on private-credit facilities, pre-transaction due-diligence readiness for strategic sale, and occasional regulatory overlays from state insurance or banking regulators depending on industry). The regulatory requirement is rarely an SEC filing obligation; the functional-governance bar approximates SOX § 404(a) management assessment without the § 404(b) external auditor attestation layer.

Family office CFOs running 3-12 operating holdings face a structural tension: principal sensitivity to G&A is typically higher than at PE portcos because liquidity timelines are indefinite rather than fund-defined, yet the evidence bar trustees, lenders, and pre-transaction buyers expect is close to microcap-public. The platform market does not serve this tier natively — AuditBoard is structurally overbuilt, the spreadsheet baseline produces material-weakness exposure at the trustee level, and consulting engagements are difficult to sustain year-over-year against principal G&A discipline. Prova's department-head pricing, per-entity scoping, and agent-driven testing cadence match the family office portfolio structure directly: the smallest holding runs a lightweight SOX-adjacent program, the largest holding runs a full 404(a)-equivalent program, and the portfolio consolidation supports the CFO's trustee-reporting rhythm.

Control catalog

Concrete controls Prova covers at Family office scope

This is not a feature list — it is a control-by-control mapping showing which specific SOX / ICFR controls Prova’s agent tests continuously at Family office scope, and what the coverage actually produces. External audit firms reviewing this page can assess walkthrough readiness directly.

| Control ID | Category | Prova coverage |
| --- | --- | --- |
| FO-GOVERNANCE-01 | Trustee-reporting-grade ICFR evidence | Annual trustee-ready ICFR report: deficiency summary, material-weakness assessment, remediation status, forward-looking risk. Format designed for trustee consumption at annual trustee meetings. |
| FO-PRINCIPAL-01 | Principal-ready executive summary | Quarterly 2-page executive summary for principal review: SOX status per holding, consolidated portfolio view, emerging risks, cost vs value commentary. Designed for principal consumption at operating-committee meetings. |
| FO-COVENANT-01 | Lender covenant compliance ICFR evidence | Private-credit facility covenant compliance: ICFR reliance-letter evidence production, quarterly covenant-compliance reporting, lender-specific covenant evidence formatting. |
| FO-ACCESS-01 | Per-holding user access review | Holding-specific access audit across identity + ERP + cloud + source control. Tailored to the holding's actual system footprint (smaller holdings may have 3-4 systems, larger holdings 10-15). |
| FO-CHANGE-01 | Per-holding change management | Deployment-log ingestion and PR-approval review per holding. Smaller holdings may have simpler change management (single-developer environments); agent adapts control expectations accordingly. |
| FO-CLOSE-01 | Financial close control testing per holding | Month-end close workflow evidence per holding: posting cutoff, manual journal entry approval, account reconciliation review. Holding-specific materiality thresholds. |
| FO-INTERCO-01 | Inter-holding transaction review | Transactions between family office holdings (common in multi-holding structures): related-party review, transfer-pricing documentation, elimination support for consolidated trustee reporting. |
| FO-DUEDILIGENCE-01 | Pre-transaction due-diligence readiness | 18-24 month historical evidence package production for pre-transaction due diligence. Walkthrough-grade evidence supporting strategic sale or secondary buyout representations. |
| FO-TRUSTEE-01 | Trustee-fiduciary evidence support | Documentation supporting trustee fiduciary obligations: beneficiary interest alignment testing, compensation-committee control testing, principal-oversight evidence. |
| FO-TAX-01 | Multi-holding tax provision controls | Per-holding ASC 740 provision testing, consolidated trust-level tax compliance, estate-tax planning control-point evidence (where relevant). |

Annual audit timeline

The Family office SOX calendar

  1. Phase 01

    Q1

    Annual family office portfolio planning

    Activities

    Portfolio scope review with family office CFO + principal advisor. Any holdings added or divested in the prior year. Covenant compliance scope for lender-covenanted holdings. Trustee-meeting calendar coordination.

    Artifacts produced

    Updated portfolio roster, per-holding scope confirmation, covenant-compliance calendar, trustee-meeting schedule with deliverable dates.

  2. Phase 02

    Ongoing Q1-Q4

    Quarterly per-holding testing

    Activities

    Continuous agent-produced evidence per holding. Quarterly Controller / CFO sign-off. Principal-ready executive summary generation for operating-committee meetings.

    Artifacts produced

    Quarterly per-holding attestation packages, quarterly principal executive summaries, covenant-compliance evidence for any reliance-letter obligations.

  3. Phase 03

    Varies (typically Q1-Q3 depending on holding)

    Annual external CPA firm engagement

    Activities

    Regional CPA firm engagement for each holding's annual audit or ICFR-reliance-letter engagement. Holding-specific walkthrough and evidence package delivery.

    Artifacts produced

    Per-holding external CPA firm attestation letter or ICFR-reliance-letter, holding-level deficiency disclosure, remediation plan.

  4. Phase 04

    Varies (typically Q4)

    Annual trustee meeting preparation

    Activities

    Trustee-meeting evidence package production: consolidated portfolio ICFR status, material-weakness assessment, deficiency remediation status, forward-looking risk.

    Artifacts produced

    Trustee-meeting ICFR report, consolidated portfolio evidence summary, principal briefing package.

  5. Phase 05

    As triggered

    Pre-transaction due-diligence (ad-hoc)

    Activities

    Pre-transaction due-diligence evidence package production for strategic sale, secondary buyout, recapitalization, or IPO readiness at the holding level. Historical evidence package covering 18-24 months.

    Artifacts produced

    Due-diligence evidence room contents, historical walkthrough package, deficiency history summary, transaction-specific representation evidence.

Use cases

Where Family office teams actually deploy Prova

Use case 01

Multi-holding family office portfolio consolidation

A typical mid-sized family office operates 4-8 holdings across industries (a manufacturing operating company, a professional-services firm, a real-estate operating platform, a healthcare-services group). Each holding has its own ERP, its own HRIS, its own external CPA firm relationship, and its own regulatory posture. Prova's per-entity scoping plus portfolio-level consolidation gives the family office CFO a single dashboard view for trustee reporting while each holding operates autonomously. Typical family-office-portfolio Prova ACV: $75k-$150k across 5-8 holdings, against $350k-$600k for spreadsheet-baseline plus consulting engagement alternative.

Use case 02

Private credit covenant compliance for lender-covenanted holdings

Family office holdings with private-credit facilities (common for the largest operating holdings) face quarterly covenant compliance requirements including ICFR-reliance-letter or ICFR-adjacent governance evidence. Direct-lending fund covenant packages in 2024-2025 increasingly include ICFR-adjacent requirements as part of covenant compliance (per industry surveys from Proskauer, Kirkland, and Latham). Prova produces the reliance-letter evidence package as a byproduct of continuous testing; the Controller signs off quarterly without a separate workstream. Multi-facility holdings with multiple lenders get per-lender formatting variants.

Use case 03

Trustee fiduciary evidence support for annual trustee meetings

Family office trustee meetings typically occur annually (sometimes semi-annually) and review the operating performance and governance posture of each holding. ICFR-related evidence supporting trustee fiduciary obligations (beneficiary interest alignment, compensation-committee independence, principal-oversight adequacy) is increasingly a standing agenda item. Prova produces trustee-ready evidence summaries with appropriate abstraction from operational detail (trustees do not want to review control matrices; they want to review deficiency summaries and forward-looking risk). The trustee-reporting format is tuned for the principal-plus-trustee audience rather than the audit-professional audience.

Use case 04

Pre-transaction due diligence for strategic sale

Family office holdings occasionally exit through strategic sale to strategic acquirers, secondary buyouts by PE firms, or IPO (rare but not impossible). Pre-transaction due diligence at the holding level requires 18-24 months of historical ICFR evidence supporting transaction representations about ICFR effectiveness. Prova's continuous-evidence history serves as the pre-transaction evidence package directly; buyer due diligence teams review platform-produced evidence with SHA-256 authenticity and preserved reasoning traces, which supports higher representation-and-warranty insurance coverage and cleaner purchase agreement negotiation on ICFR-related representations.

Use case 05

Regional CPA firm engagement coordination

Family office holdings typically engage regional CPA firms rather than Big 4 firms because the holding scale, trustee relationship, and family-office engagement style fit better with regional-firm practice models. Regional firms (BDO, RSM, Grant Thornton at the upper end; smaller regional partnerships for smaller holdings) have been favorable in Cohort 1 walkthrough dry-runs with Prova-produced evidence — the efficiency advantage over spreadsheet-baseline evidence collection is meaningful to regional firms whose engagement economics depend on workpaper-construction efficiency. Per-holding CPA-firm coordination happens independently; each holding's CPA firm sees its own holding's evidence.

Use case 06

New-acquisition onboarding to the family office portfolio

Family office portfolios occasionally add holdings through principal-directed acquisition, family-member-directed roll-up strategy, or trust-mandated diversification. Each new holding triggers onboarding to the portfolio SOX or ICFR program. Prova's 60-day acquisition integration framework lands for family office holdings similarly to PE tuck-ins: day 1 baseline coverage, day 30 exception carve-out, day 60 full scope. The integration is typically less urgent than PE tuck-in timelines (no 100-day sponsor review pressure) and the family office CFO has more flexibility to tune per-holding scope during onboarding.

Regulatory deep-dive

PCAOB, SEC, and Sarbanes-Oxley references that apply at Family office scope.

Family office operating holdings typically do not face direct SEC filing obligations (exception: a holding owned by a publicly-traded family office or trust parent enters SEC scope, which is rare but possible). The functional-governance bar approximates Sarbanes-Oxley § 404(a) management assessment without § 404(b) external auditor attestation, typically through the following compound obligation structure: (1) trustee fiduciary obligations under state trust law (varies by state but generally imposes ICFR-adjacent governance expectations on the trustees of multi-generation trust structures); (2) lender covenants on private-credit facilities (increasingly including ICFR-reliance-letter requirements per industry surveys of 2024-2025 direct-lending covenant packages); (3) pre-transaction due-diligence readiness obligations that surface during any contemplated strategic sale, secondary buyout, or recapitalization; (4) occasional regulatory overlays from state insurance regulators (for holdings operating in insurance), state banking regulators (for trust companies or banking-adjacent operations), or sector-specific regulators (healthcare, defense contracting, regulated financial services).

The external audit partner for family office holdings is typically a regional CPA firm representing family-trust interests; the engagement scope varies from an audit-for-reliance (full financial statement audit with ICFR reliance) to an ICFR-reliance-letter only (limited scope covering ICFR evidence for covenant compliance or trustee reporting). PCAOB AS 2201 does not directly apply to non-SEC-registrant engagements, but regional firms performing audit-for-reliance engagements increasingly apply AS 2201 §.39 four-characteristic evidence standards as professional standard of care — the legal exposure for a regional firm signing an audit opinion on inadequate ICFR evidence is meaningful, so regional firms have been accepting of platform-produced evidence that structurally meets the AS 2201 bar.

For family office holdings with active international operations or multi-state nexus, additional regulatory layers apply. State-level tax nexus (particularly under the Wayfair decision for sales-tax nexus) affects which states' compliance obligations apply. Foreign subsidiary operations introduce ASC 830 FX translation and ASC 740 consolidated tax provision complexity at the trust-level consolidation. Estate-tax planning workstreams (under 26 U.S.C. §§ 2031-2058) occasionally require ICFR-adjacent evidence for trust-valuation support at generation-skipping events.

Pricing context

What Prova typically costs at Family office scope.

Family office portfolio Prova ACV typically lands $75,000 to $150,000 per year across 5-8 operating holdings, with per-holding pricing tuned to the holding's operating scale and regulatory posture. Smallest holdings (under $100M revenue, minimal regulatory posture) land $12,000 to $20,000 per year; mid-range holdings ($100M-$400M revenue with lender covenants or active trustee reporting) land $20,000 to $35,000 per year; largest holdings ($400M-$800M revenue with full 404(a)-equivalent governance) land $35,000 to $55,000 per year. Family office CFO G&A discipline typically allows this spend when amortized across the portfolio because the per-holding line item stays well below the threshold that triggers principal-level review; a single $175k AuditBoard ACV for the largest holding alone would exceed typical principal sensitivity and force an uncomfortable operating-committee conversation.

What this page covers

Six questions Family office buyers ask

  1. How does SOX apply to privately-held family office operating companies?

  2. What drives ICFR expectations when there is no SEC filing requirement?

  3. Why do family-office CFOs avoid AuditBoard-tier platform spend?

  4. What is the right evidence bar for a principal's internal audit review?

  5. How does the regional audit firm's role differ from a Big 4 engagement?

  6. What does year-over-year cost look like across a small portfolio of holdings?

Full answers, concrete dollar figures, and PCAOB-aligned evidence walkthroughs for each question are shipping across the blog and product pages through Cohort 1. Readers who want the long-form treatment before the content lands: request a design partner slot and we will send the draft memo.

FAQ for Family office

Questions Controllers at this stage ask

Are family office holdings required to run SOX?
Not as a regulatory requirement unless the holding is publicly traded or covenanted by a lender. The governance requirement is driven by principal oversight, lender covenants, trustee review, and occasionally pre-transaction due diligence. The effective evidence bar is close to 404(a) management attestation, and the audit partner is typically a regional CPA firm representing the family-trust interest.
What is the typical family office SOX platform budget?
Family office CFOs typically target $20,000 to $50,000 per year per operating holding for controls tooling — meaningfully below the AuditBoard ACV floor and well inside the Prova department-head pricing tier. Principal sensitivity to G&A at operating holdings is often higher than at PE portcos because the timeline to liquidity is indefinite rather than fund-defined.
How does Prova handle the principal's internal audit review?
The principal's review typically runs once or twice a year and focuses on deficiency remediation, entity-level control effectiveness, and material-weakness exposure. Prova produces a principal-ready executive summary derived from the underlying evidence trail; the raw evidence is also available for the family office's CPA partner to walk through in parallel.
What if our family office has multiple operating holdings?
Family office portfolios with 3 to 12 operating holdings get per-entity scoping on the same pattern as PE multi-entity portcos — each holding is a first-class ICFR scope, consolidated reporting at the family office CFO level, and per-entity pricing that totals well below a single AuditBoard seat. A small family office with 5 holdings typically lands at $75,000 to $150,000 per year for the whole portfolio.
How does Prova support the lender-covenant ICFR reliance-letter workflow?
For family office holdings with private-credit facilities, the quarterly covenant-compliance package increasingly includes ICFR-reliance-letter or ICFR-adjacent governance evidence. Prova produces the reliance-letter evidence package as a byproduct of continuous testing; the Controller signs off quarterly without a separate workstream. Multi-lender holdings with different covenant requirements get per-lender evidence formatting.
What about pre-transaction due diligence for a strategic sale?
When a family office decides to exit a holding through strategic sale, secondary buyout, or IPO, pre-transaction due diligence requires 18-24 months of historical ICFR evidence supporting transaction representations. Prova's continuous-evidence history serves as the pre-transaction evidence package directly — walkthrough-grade evidence with SHA-256 authenticity supports higher representation-and-warranty insurance coverage and cleaner ICFR-related representation negotiations in the purchase agreement.

Global FAQ

Questions that apply across every stage

Is Prova priced by company size, control count, or per entity?
Prova is priced per entity because the scope of testing is per entity. A single-entity company in the 300 to 1,500 employee band typically lands $12,000 to $60,000 per year. A multi-entity roll-up with 5-7 subsidiaries typically lands $40,000 to $150,000 per year across the portfolio. Control-count does not drive pricing beyond the entity boundary.
How does Prova's evidence satisfy PCAOB AS 2201 §.39 four-characteristic requirements?
Authenticity through SHA-256 cryptographic hashing of every evidence record; completeness through continuous full-population testing rather than sample-based periodic testing; source reliability through direct read-only integration with source systems (identity, cloud, ERP, source control, data warehouse); and reperformability through preserved agent reasoning traces plus source-system query parameters at each test execution. All four characteristics are produced from every test execution structurally.
What about data residency and PHI / PII exposure?
Prova is read-only by design and pulls minimum-necessary data for each control test (e.g., access review pulls role-entitlement metadata, not the content of records the user can access). Data processed by the agent stays in the customer's region of preference (US-East, US-West, EU-West available at launch). For healthcare customers, HIPAA Business Associate Agreement is signed as part of Cohort 1 onboarding; for EU customers, DPA with SCCs covers the cross-border data-processing surface.
How does Prova handle external audit firm workpaper integration?
Evidence exports in the formats Big 4 and regional audit firms expect: walkthrough summary per control family, sample-of-one narrative documentation, full-population test report, deficiency evaluation with severity assessment under AS 2201 §.50. Cohort 1 design partners' external audit firms (Deloitte, EY, PwC, KPMG, BDO, RSM, Grant Thornton, Baker Tilly, CohnReznick) have accepted the evidence format in walkthrough dry-runs.

Design partner program · Cohort 1

Request a design partner slot.

Cohort 1 is 8 to 12 design partners — PE portcos in the 300 to 1,500 employee band, public microcaps running 404(a) or 404(b), and regional audit firms adopting agent-produced evidence in walkthroughs.

Design partners get concierge onboarding, a dry-run walkthrough with your external audit partner before year-end, and founder-level access to the roadmap. In exchange we ask for 60 minutes every two weeks.
