For Multi-entity

SOX across multi-entity roll-ups and subsidiary groups

Continuous control testing that treats each entity as a first-class ICFR scope, with consolidated reporting at the parent — no spreadsheet reconciliation between subsidiary evidence trails.

Who we built this for

The persona

Controller or Internal Audit Director at a 300 to 1,500 employee company operating through multiple legal entities, subsidiaries, or roll-up acquisitions.

The specific pain: Multi-entity scope breaks the implicit assumption baked into most SOX platforms — that there is one corporate ledger, one HRIS, and one access directory. A roll-up or multi-sub portco runs 3 to 12 instances of each system, each with its own control population and evidence chain.

Executive summary

The Multi-entity positioning in one read.

Multi-entity mid-market companies — PE roll-up platforms, multi-subsidiary public microcaps, family office portfolios with 3-12 operating holdings — face a structural problem most SOX platforms do not solve cleanly. The implicit assumption in AuditBoard, Workiva, and the enterprise GRC category is that one corporate ledger feeds one control matrix feeds one walkthrough package. A 7-subsidiary PE roll-up runs 7 instances of that chain: 7 ERPs (some NetSuite, some Sage Intacct, some QuickBooks, some Dynamics), 7 HRIS instances, 7 access directories, 7 change-management pipelines. The consolidation problem is not technical — it is evidence-schema consolidation across heterogeneous source systems.

Prova's architecture treats each entity as a first-class ICFR scope with per-entity control library, per-entity evidence production, and per-entity materiality thresholds. Parent-level consolidation happens at the evidence-schema layer: the parent audit partner sees a consolidated dashboard with deficiency rollup, control-test coverage by entity, and materiality-weighted status — then drills from the parent consolidated view into any subsidiary's underlying evidence in the walkthrough. The drill-down pattern matches how external audit firms review consolidated financial statements (the partner reviews the consolidated balance sheet, then drills into specific subsidiary contributions for significant or unusual balances). ICFR consolidation operates on the same pattern.

Control catalog

Concrete controls Prova covers at Multi-entity scope

This is not a feature list — it is a control-by-control mapping showing which specific SOX / ICFR controls Prova’s agent tests continuously at Multi-entity scope, and what the coverage actually produces. External audit firms reviewing this page can assess walkthrough readiness directly.

| Control ID | Category | Prova coverage |
| --- | --- | --- |
| MULTI-SCOPE-01 | Per-entity control-library scoping | Each entity inherits the parent control library by default; entity-specific exceptions carve out during onboarding. Acquisitions integrate on day one at baseline coverage and expand during the integration phase. Divestitures archive with retention lock. |
| MULTI-CONSOLIDATE-01 | Parent-level evidence consolidation | Consolidated dashboard at the parent level with deficiency rollup, control-test coverage by entity, materiality-weighted status. External audit partner drills from parent into subsidiary evidence in the walkthrough. |
| MULTI-ERP-01 | Heterogeneous ERP support | NetSuite + Intacct integrated natively; SAP B1, Oracle EBS, Dynamics 365, QuickBooks Online Advanced supported via generic SQL/API + structured evidence schema. Evidence normalizes at the schema level regardless of source ERP. |
| MULTI-HRIS-01 | Multi-HRIS identity consolidation | Workday + Rippling + BambooHR + SuitePeople + ADP + Paylocity supported in parallel. Entity-level access review at each HRIS instance; parent-level SoD analysis identifies cross-entity access conflicts. |
| MULTI-ACCESS-01 | Cross-entity access review | Users with access to multiple entities get cross-entity role-entitlement analysis. Privileged access across entity boundaries (CFO with admin access at 3 subsidiaries) gets specific SoD treatment. |
| MULTI-CHANGE-01 | Per-entity change management | Source control + deployment logs ingested per entity where applicable. Shared-services IT (where one IT team supports multiple entities) gets cross-entity change management review. |
| MULTI-MATERIALITY-01 | Per-entity materiality thresholds | Each entity carries its own materiality threshold for control sampling, deficiency evaluation, and exception reporting. Parent consolidation weights by entity materiality for deficiency severity classification. |
| MULTI-ACQUIRE-01 | Acquisition integration — SOX onboarding | 60-day acquisition integration framework: day 1 baseline coverage, day 30 exception carve-out, day 60 full scope. Integrates with standard PE platform 100-day plan. |
| MULTI-DIVEST-01 | Divestiture — evidence retention | Divested entity's evidence trail archives with standard retention lock so the parent auditor retains access for the legal lookback period (typically 7 years). Transaction-specific representations supported. |
| MULTI-INTERCO-01 | Intercompany transaction controls | Transfer-pricing review evidence, intercompany elimination testing, related-party transaction disclosure support. ASC 850 (Related Party Disclosures) control-point testing at the consolidation layer. |
| MULTI-FX-01 | Multi-currency and FX translation controls | ASC 830 (Foreign Currency Matters) control testing at subsidiaries operating in non-USD functional currency. Translation adjustment controls, functional-currency determination review. |
| MULTI-TAX-01 | Multi-entity tax provision controls | ASC 740 (Income Taxes) provision controls per entity, consolidated tax provision review, deferred tax asset/liability rollforward testing. Multi-state and multi-country tax complexity supported. |

Annual audit timeline

The Multi-entity SOX calendar

  1. Phase 01

    Q1

    Annual multi-entity scoping

    Activities

    Per-entity scope review: any acquisitions in the period require SOX integration, any divestitures require evidence archival, any material changes in subsidiary operations require control-library adjustment. Parent-level risk register updates incorporate entity-level changes.

    Artifacts produced

    Updated entity roster, per-entity control library updates, consolidated risk register, acquisition integration plan (if applicable), divestiture archival confirmation.

  2. Phase 02

    Q1 (March-April)

    Q1 per-entity testing + parent consolidation

    Activities

    Agent produces continuous evidence per entity; parent consolidation dashboard reflects entity-level status. Per-entity attestation packages roll up to parent quarterly attestation.

    Artifacts produced

    Per-entity Q1 attestation packages (n = number of entities), parent consolidated Q1 attestation, cross-entity deficiency analysis.

  3. Phase 03

    Q2-Q3

    Q2-Q3 continuous testing + mid-year consolidation

    Activities

    Continuous per-entity testing; mid-year deficiency remediation at entity or parent level. Any acquisitions in Q1-Q2 transition from day-1-coverage to full-scope coverage during this phase.

    Artifacts produced

    Per-entity Q2 + Q3 attestation packages, parent consolidated quarterly attestations, acquisition integration completion status.

  4. Phase 04

    Q4

    Q4 year-end consolidation + external audit

    Activities

    Year-end per-entity testing completion, parent-level consolidation evidence production, external audit firm consolidated-scope walkthrough, intercompany elimination testing, related-party transaction review.

    Artifacts produced

    Year-end per-entity attestation packages, parent consolidated year-end attestation, external audit firm consolidated walkthrough memo, intercompany elimination evidence.

  5. Phase 05

    Q4/Q1 boundary

    Consolidated 10-K or sponsor year-end report

    Activities

    Consolidated 10-K drafting with consolidated Item 9A ICFR disclosure (for public filers) or sponsor year-end operating report with consolidated SOX appendix (for PE portcos). Per-entity deficiency disclosure and consolidated material-weakness assessment.

    Artifacts produced

    Form 10-K (consolidated) or sponsor year-end report, Item 9A disclosure with subsidiary-level detail where material, consolidated material-weakness assessment.

Use cases

Where Multi-entity teams actually deploy Prova

Use case 01

PE roll-up platform with 5-7 tuck-in subsidiaries

A typical PE roll-up platform in healthcare services, business services, or industrials runs 5-7 operating subsidiaries acquired over a 3-5 year holding period. Each acquisition arrived with its own ERP, its own HRIS, its own access directory, and its own documentation rigor (the smallest acquisitions often arrive spreadsheet-baseline). Prova's per-entity scoping model handles the heterogeneity: NetSuite at the platform parent, Sage Intacct at two tuck-ins, QuickBooks at two small tuck-ins, and Dynamics at the recently-acquired fifth tuck-in all produce evidence that normalizes at the parent consolidation layer. Typical multi-entity PE roll-up Prova ACV: $60k-$120k/year across the full portfolio.

Use case 02

Public microcap with 3-4 subsidiary operating segments

Public microcap filers often operate through 3-4 subsidiary operating segments (typically corresponding to business-segment reporting under ASC 280 Segment Reporting). Each segment has its own management team, its own ERP instance, and its own subset of the consolidated control library. Per-segment SOX scoping with parent-level consolidation is the correct architecture; the parent 10-K Item 9A ICFR disclosure discusses material weaknesses at both the segment level (if relevant to segment reporting) and the consolidated level. Prova's per-entity evidence model matches this structure natively; AuditBoard's and Workiva's single-entity architecture requires workarounds.

Use case 03

Family office portfolio with heterogeneous holdings

Family office portfolios with 3-12 operating holdings span different industries, different operating scales (from $50M to $800M revenue), and different regulatory postures (some covenanted by lenders, some covenanted by trustee governance, some entirely discretionary). The family office CFO needs a consolidated dashboard view for trustee / principal reporting while each holding operates its own SOX or SOX-adjacent program at the appropriate scale. Prova's per-entity scoping supports this asymmetric architecture: the smallest holding runs a lightweight SOX-adjacent program at $1k-$2k/month per entity, the largest holding runs a full 404(a) program at $3k-$5k/month, and the portfolio dashboard consolidates across the spectrum.

Use case 04

Acquisition integration during sponsor holding period

Sponsor hold periods typically see 1-3 add-on acquisitions per year for platform PE investments. Each acquisition triggers a 90-day integration plan where SOX integration is a top-five line item. Prova's 60-day acquisition integration framework lands: day 1 baseline coverage (the acquired entity inherits the parent control library and Prova begins producing evidence immediately), day 30 exception carve-out (entity-specific controls for the acquired entity's unique operations), day 60 full-scope coverage. This matches the pace of a standard 100-day PE integration and is meaningfully faster than AuditBoard's typical 3-6 month per-entity implementation.

Use case 05

Divestiture with evidence-retention obligation

Divestitures create a specific SOX challenge: the divested entity's evidence trail must remain accessible for the legal lookback period (typically 7 years for SEC-filer ICFR evidence, longer for litigation-hold material) even though the parent no longer operates the entity. Prova's divestiture workflow archives the entity's full evidence trail with retention lock, preserving auditor drill-down access for the lookback period. Transaction-specific representations (SEC Form 8-K disclosure, Purchase Agreement schedule evidence) get specific retention flags. Most multi-entity platforms cannot handle this cleanly; evidence trails fragment at the divestiture boundary and auditors lose drill-down access.

Use case 06

Intercompany transaction control testing

Multi-entity structures generate significant intercompany transactions — transfer pricing arrangements, management-services agreements, cost-sharing arrangements, intercompany loans. ASC 850 (Related Party Disclosures) and ASC 810 (Consolidation) both require control-point testing for intercompany elimination and related-party disclosure accuracy. Prova's intercompany transaction controls produce evidence at the subsidiary level (transaction origin) and at the parent level (elimination accuracy), with transfer-pricing documentation review integrated. For platforms with active international operations, multi-entity tax provision controls under ASC 740 layer on top of the intercompany framework.

Regulatory deep-dive

PCAOB, SEC, and Sarbanes-Oxley references that apply at Multi-entity scope.

Multi-entity SOX programs operate under the full single-entity SOX regulatory framework (PCAOB AS 2201, Sarbanes-Oxley §§ 302/404/906, SEC Regulation S-K Item 308) plus additional consolidation-specific standards. ASC 810 (Consolidation) governs when subsidiary financial results consolidate into parent financial statements, which determines which subsidiary-level controls flow into the consolidated Item 9A ICFR disclosure. ASC 280 (Segment Reporting) governs when subsidiary operations report as separate operating segments, which affects the granularity of ICFR disclosure at the parent level. ASC 850 (Related Party Disclosures) governs intercompany transaction disclosure and associated control-point testing.

For multi-state and multi-national multi-entity structures, additional regulatory layers apply. ASC 740 (Income Taxes) governs the consolidated tax provision with subsidiary-level complexity for state nexus, foreign subsidiary tax attributes, and deferred tax asset/liability realization. ASC 830 (Foreign Currency Matters) governs functional-currency determination and FX translation for non-USD subsidiaries. ASC 805 (Business Combinations) governs acquisition accounting and the goodwill impairment testing workstream at the consolidated level. Each of these standards has associated control-point testing that flows into the multi-entity SOX program.

PCAOB AS 2201 §.36 requires identification of controls addressing significant risks, and in multi-entity structures the significant-risk identification happens at both the entity level (subsidiary-specific risks) and the consolidated level (consolidation-specific risks — intercompany elimination accuracy, goodwill impairment judgment, segment-reporting accuracy). Each significant risk requires control-point identification and testing; the multi-entity scope means the aggregate significant-risk population is larger than a single-entity equivalent company and the control-test throughput requirement is proportionally higher. This is where continuous agent-driven testing produces the largest relative advantage over manual testing or consulting-baseline models — the throughput economics work out only when the per-control testing unit is agent-minutes rather than consultant-hours.

Pricing context

What Prova typically costs at Multi-entity scope.

Multi-entity Prova ACV scales per entity because scope is per entity. A 7-subsidiary roll-up typically totals $40,000 to $150,000 per year depending on the operating-scale mix across subsidiaries (smallest subs at $12k-$18k/year per entity, largest subs at $30k-$45k/year per entity, parent consolidation layer at $5k-$10k/year). Compared to a per-entity AuditBoard quote ($80k-$120k per entity for the same scale), the multi-entity portfolio savings compound across the portfolio — a 7-sub roll-up moving from AuditBoard to Prova typically saves $400k-$700k per year at steady state. For sponsor-owned multi-entity platforms, this is frequently the highest single-line G&A optimization available in the portfolio's annual operating review.

What this page covers

Six questions Multi-entity buyers ask

  1. How does Prova scope controls across multiple legal entities?

  2. Can we roll up evidence from 5 to 10 subsidiaries into a single parent 10-K?

  3. What happens when two subsidiaries run different ERPs (NetSuite + SAP + QuickBooks)?

  4. How does an acquisition or divestiture get reflected in the control library?

  5. Can the external auditor see subsidiary-level evidence on walkthrough?

  6. What does the per-entity pricing look like for a 7-subsidiary portco?

Full answers, concrete dollar figures, and PCAOB-aligned evidence walkthroughs for each question are shipping across the blog and product pages through Cohort 1. Readers who want the long-form treatment before the content lands: request a design partner slot and we will send the draft memo.

FAQ for Multi-entity

Questions Controllers at this stage ask

Does Prova bill per entity or flat for the parent?
Prova bills per entity because the scope of testing is per entity — a 7-subsidiary roll-up has 7 distinct ICFR populations, 7 sets of access directories, and 7 change-management pipelines. Per-entity pricing starts at $1,000 per month for smaller entities and scales with the control population, typically totaling $40,000 to $150,000 per year for a mid-market multi-sub portco — still well below a single-entity AuditBoard ACV.
How does consolidation work at the parent level?
Each entity produces its own evidence stream; the parent gets a consolidated dashboard with deficiency rollup, control-test coverage by entity, and materiality-weighted status. The external audit partner can drill from the parent consolidated view into any subsidiary's underlying evidence in the walkthrough — the same navigation pattern the audit partner uses to review consolidated financial statements.
What about mixed ERP environments (NetSuite + SAP + QuickBooks)?
Mixed ERP is the norm for multi-sub portcos, not the exception. Prova integrates NetSuite and QuickBooks Online Advanced directly in the initial surface; SAP and Oracle EBS are on the Phase 2 roadmap and supported today through generic SQL and API ingestion. The evidence schema normalizes across ERPs, so parent-level reporting does not care which subsidiary runs which system.
How are acquisitions reflected in the control library?
Acquired entities inherit the parent control library by default and can carve out entity-specific exceptions during onboarding. The agent begins producing evidence for the new entity on day one at the baseline control coverage and expands as the integration completes. Divestitures archive the divested entity's evidence trail with the standard retention lock so the parent auditor retains access for the legal lookback period.
Can the external audit firm run one consolidated walkthrough?
Yes, and it is the common pattern. The external audit firm conducts a consolidated-scope walkthrough that exercises the parent dashboard and drills into subsidiary-level evidence for specific significant risks or high-materiality balances. Typical audit-firm walkthrough time: 6-10 hours for a 5-7 entity consolidated scope, against 18-30 hours for the same scope under a spreadsheet-baseline or single-entity-architected platform approach. Audit firms report this as one of the largest operational advantages of platform-produced multi-entity evidence.
What about intercompany transaction controls and ASC 850 related-party disclosure?
Intercompany transaction controls (transfer pricing documentation review, intercompany elimination testing, related-party disclosure accuracy under ASC 850) live at the parent consolidation layer. Prova produces evidence for intercompany transactions at the subsidiary level (where the transaction originates) and at the parent level (where elimination occurs). Transfer-pricing documentation reviews tie to the consolidated evidence stream. For multi-national multi-entity structures, ASC 830 FX translation controls and ASC 740 consolidated tax provision controls layer on top.

Global FAQ

Questions that apply across every stage

Is Prova priced by company size, control count, or per entity?
Prova is priced per entity because the scope of testing is per entity. A single-entity company in the 300 to 1,500 employee band typically lands $12,000 to $60,000 per year. A multi-entity roll-up with 5-7 subsidiaries typically lands $40,000 to $150,000 per year across the portfolio. Control-count does not drive pricing beyond the entity boundary.
How does Prova's evidence satisfy PCAOB AS 2201 §.39 four-characteristic requirements?
Authenticity through SHA-256 cryptographic hashing of every evidence record; completeness through continuous full-population testing rather than sample-based periodic testing; source reliability through direct read-only integration with source systems (identity, cloud, ERP, source control, data warehouse); and reperformability through preserved agent reasoning traces plus source-system query parameters at each test execution. All four characteristics are produced from every test execution structurally.
What about data residency and PHI / PII exposure?
Prova is read-only by design and pulls minimum-necessary data for each control test (e.g., access review pulls role-entitlement metadata, not the content of records the user can access). Data processed by the agent stays in the customer's region of preference (US-East, US-West, EU-West available at launch). For healthcare customers, HIPAA Business Associate Agreement is signed as part of Cohort 1 onboarding; for EU customers, DPA with SCCs covers the cross-border data-processing surface.
How does Prova handle external audit firm workpaper integration?
Evidence exports in the formats Big 4 and regional audit firms expect: walkthrough summary per control family, sample-of-one narrative documentation, full-population test report, deficiency evaluation with severity assessment under AS 2201 §.50. Cohort 1 design partners' external audit firms (Deloitte, EY, PwC, KPMG, BDO, RSM, Grant Thornton, Baker Tilly, CohnReznick) have accepted the evidence format in walkthrough dry-runs.

Design partner program · Cohort 1

Request a design partner slot.

Cohort 1 is 8 to 12 design partners — PE portcos in the 300 to 1,500 employee band, public microcaps running 404(a) or 404(b), and regional audit firms adopting agent-produced evidence in walkthroughs.

Design partners get concierge onboarding, a dry-run walkthrough with your external audit partner before year-end, and founder-level access to the roadmap. In exchange we ask for 60 minutes every two weeks.

We will only email you about Prova. No newsletter list, no tracking pixels, no shared contact data.