For Pre-IPO

SOX readiness for companies 12 to 24 months from S-1

Agent-driven control testing stands up a walkthrough-ready evidence trail before the external audit firm engages — so the readiness phase builds in-house capability rather than burning consulting fees.

Request a pre-IPO readiness slotSee the pre-IPO SOX timeline

Who we built this for

The persona

Controller or Internal Audit Director at a 300 to 1,500 employee company 12 to 24 months from S-1 filing.

The specific pain: The IPO readiness window is 12 to 18 months, internal audit is a two- or three-person function, and outsourced SOX consulting at $300K+ a year is the default alternative — one that never produces in-house evidence capability for the post-IPO 404(b) phase.

Executive summary

The Pre-IPO positioning in one read.

Pre-IPO companies in the 300-1,500 employee band approaching S-1 filing face a structural choice between two SOX readiness models. The default model is outsourced consulting: Protiviti, RogueWave, Connor Group, Riveron, or Big 4 advisory firms build walkthrough memos, control narratives, risk registers, and test workpapers over a 12-18 month engagement spending $300,000 to $600,000 per year. The deliverables are high-quality — Big 4-pedigree consultants know the SEC Regulation S-K Item 308 disclosure bar cold — but the production paradigm is billable-hour, which means the client enters the post-IPO 404(a) phase without in-house continuous-testing capability and faces the same recurring consulting spend in the post-IPO phase.

The alternative model is platform-based readiness: deploy Prova 12-15 months pre-S-1, let the agent produce continuous walkthrough-grade evidence against the imported control library, hire the Controller and Internal Audit Director against a platform-enabled staffing model (2-4 FTE) rather than a services-supervised staffing model (2-4 FTE supervising $300k+ of Protiviti labor), and enter the post-IPO phase with in-house capability intact. The platform model costs $30,000 to $60,000 per year against the consulting model's $300,000 to $600,000 — a 85-95% cost reduction that compounds post-IPO as 404(b) attestation obligations kick in.

Control catalog

Concrete controls Prova covers at Pre-IPO scope

This is not a feature list — it is a control-by-control mapping showing which specific SOX / ICFR controls Prova’s agent tests continuously at Pre-IPO scope, and what the coverage actually produces. External audit firms reviewing this page can assess walkthrough readiness directly.

Control IDCategoryProva coverage
READINESS-SCOPE-01ICFR scoping for S-1 disclosureStructured control library aligned to SEC Regulation S-K Item 308(a) disclosure requirements. Risk register integration with materiality thresholds, significant-accounts identification, and process-level control scoping for the S-1 phase.
READINESS-WALKTHROUGH-01Walkthrough-memo production for external audit firmAgent-produced walkthrough summaries per control family with control-objective narrative, source-system activity observed, interpretive reasoning, sample selection under AS 2201 §.42, pass/fail determination. Controller + IA Director sign-off completes the walkthrough package.
READINESS-ACCESS-01User access review — S-1 readiness depthQuarterly access audit across Okta + NetSuite + all in-scope systems. Orphan accounts, terminated-user access, privileged-access use, role-entitlement alignment. Evidence bar aligned to AS 2201 §.39 for external audit firm attestation support.
READINESS-CHANGE-01Change management — pre-IPO cadenceGitHub + GitLab + Jenkins deployment-log ingestion. PR approval verification, testing evidence, SoD between developer and approver, emergency-change documentation review. Cadence aligned to pre-IPO external audit firm expectations.
READINESS-REVENUE-01Revenue recognition (ASC 606) control testingContract-to-recognition control-point testing: contract approval, performance-obligation identification, transaction-price allocation, variable-consideration estimate approval. Integrates with NetSuite / Salesforce CPQ for contract-level audit trail. Critical for S-1 financial-statement sign-off.
READINESS-EXPENSE-01Expense authorization and procurement controlsPO-based three-way match, vendor-master-file integrity, payment-release SoD, travel-and-entertainment approval workflows. Meets the S-1 auditor's expense-cycle walkthrough depth.
READINESS-ENTITY-01Entity-level controls for S-1 attestationAudit committee charter compliance, whistleblower hotline activity review, tone-at-the-top documentation, board-meeting minute evidence. Produces the entity-level control package S-1 auditors review pre-filing.
READINESS-FRAUD-01Fraud risk assessment and anti-fraud controlsQuarterly fraud risk assessment integration, anti-fraud control testing, unusual-transaction monitoring at the ERP level. Aligned to AS 2401 (Consideration of Fraud in a Financial Statement Audit) expectations.
READINESS-CLOSE-01Financial close control testingMonth-end close workflow evidence: posting-cutoff enforcement, manual journal entry approval above materiality threshold, account reconciliation review, consolidated-close timing. 8-10 control points across NetSuite / Intacct close cycle.
READINESS-IT-01Pre-IPO IT general controls full scopeBackup completion, job scheduling, incident response, vendor access logging, physical access (facility-level evidence ingestion where applicable). Full ITGC-baseline coverage for S-1 auditor walkthrough.
READINESS-DISCLOSURE-01Disclosure controls and procedures (DCP)Quarterly SEC disclosure sub-certification workflow evidence: sub-certifying officer sign-off, supporting-evidence attachment, disclosure committee meeting documentation. Aligned to Sarbanes-Oxley § 302 quarterly certification requirements starting with first 10-Q post-S-1.

Annual audit timeline

The Pre-IPO SOX calendar

  1. Phase 01

    T-15 to T-12 months

    Pre-readiness scoping (months 15-12 pre-S-1)

    Activities

    Control library construction, risk register development, significant-accounts identification, process-flow documentation, external audit firm selection and engagement letter. Prova deploys against the emerging control library; agent begins producing evidence as controls are documented.

    Artifacts produced

    Initial control library (v1), risk register, significant-accounts schedule, external audit firm engagement letter, preliminary disclosure controls framework.

  2. Phase 02

    T-12 to T-6 months

    Pre-IPO readiness testing (months 12-6 pre-S-1)

    Activities

    Full-scope continuous testing across ITGC + application controls + entity-level controls. External audit firm conducts initial walkthrough in month 9-10 pre-S-1; deficiency remediation cycle if any findings. Disclosure controls and procedures framework matures.

    Artifacts produced

    Monthly attestation packages, external audit firm initial walkthrough memo, deficiency remediation log, DCP framework documentation.

  3. Phase 03

    T-6 to T-3 months

    S-1 drafting and auditor support (months 6-3 pre-S-1)

    Activities

    S-1 filing drafting, SEC Regulation S-K Item 308(a) ICFR-assessment-disclosure drafting, external audit firm pre-filing walkthrough, auditor evidence request response, comfort-letter support for underwriter diligence.

    Artifacts produced

    S-1 draft with ICFR disclosure, external audit firm pre-filing walkthrough memo, underwriter comfort letter evidence package.

  4. Phase 04

    T-3 months to S-1 filing

    S-1 filing and post-filing transition (months 3-0 pre-S-1)

    Activities

    Final S-1 amendments, SEC comment-letter response if applicable, roadshow evidence support (SOX posture is increasingly a roadshow question), pricing and offering close, post-S-1 10-Q transition planning.

    Artifacts produced

    Final S-1 as filed, SEC comment-letter responses, roadshow SOX-posture appendix, 10-Q transition plan.

  5. Phase 05

    First 3-6 months post-IPO

    First 10-Q post-S-1 (quarters 0-2 post-IPO)

    Activities

    First 10-Q filing with Sarbanes-Oxley § 302 certification, continuous control testing sustained through the quarterly cycle, external audit firm 10-Q review engagement, 404(a) management assessment preparation for first 10-K.

    Artifacts produced

    First 10-Q filing, CEO/CFO § 302 certifications, external audit firm 10-Q review memo, 404(a) management assessment draft.

Use cases

Where Pre-IPO teams actually deploy Prova

Use case 01

Avoiding the $300k-$600k outsourced readiness consulting spend

Most pre-IPO readiness engagements default to Protiviti or Big 4 advisory at $300,000 to $600,000 per year — a pattern that produces high-quality external deliverables but no in-house continuous-testing capability for the post-IPO phase. Prova deploys 12-15 months pre-S-1 at $35,000 to $60,000 per year and produces the same walkthrough-grade evidence as a platform capability the internal audit team operates. Post-S-1, the platform continues operating; the consulting engagement ends. Net 5-year cost difference for a 750-emp pre-IPO company landing $1.8M-$2.5M in favor of the platform model.

Use case 02

Walkthrough-ready evidence before the external audit firm engages

Pre-IPO timelines are typically 12-18 months from initial external audit firm engagement to S-1 filing. Consulting-engagement models require 3-4 months of narrative construction and walkthrough drafting before the first test executes; platform-engagement models begin producing evidence on day 3-5. This delta matters when the external audit firm's initial walkthrough is scheduled at month 6-9 pre-filing — the consulting model reaches initial walkthrough with 2-3 months of evidence history; the platform model reaches initial walkthrough with 8-10 months of continuous evidence history, which gives the external audit firm a richer attestation basis.

Use case 03

Building in-house audit capability without headcount bloat

The post-IPO staffing target for 750-1,500 emp companies is typically 3-5 FTE internal audit against a consulting-supervised staffing reality of 2-3 FTE supervising $300k+ of external consultants. Prova's platform model converts the consulting-hours line item into platform-ACV spend, freeing $200k-$400k of annual headcount capacity that can be invested in full-time Controller + IA Director + Senior IA Analyst roles. The Controller operates Prova directly; the team builds institutional knowledge about the company's specific ICFR profile rather than delegating that knowledge to the consulting engagement team.

Use case 04

Disclosure controls and procedures (DCP) framework readiness

SEC-registrant DCP frameworks (Sarbanes-Oxley § 302 / Rule 13a-14 / 15d-14) require quarterly sub-certification workflow where each officer responsible for a specific aspect of the 10-Q or 10-K signs off on the completeness and accuracy of their area. Prova's evidence surface produces the sub-certification supporting package directly: deficiency log, remediation status, forward-looking risk indicators. For first-time public filers, the DCP framework is one of the first-year operational challenges; starting with platform-produced sub-certification evidence is meaningfully easier than building the workflow from scratch post-IPO.

Use case 05

ASC 606 revenue recognition control testing

Revenue recognition (ASC 606, formerly ASC 605) is the single most scrutinized accounting area in pre-IPO audits. The control-point testing — contract approval, performance-obligation identification, transaction-price allocation, variable-consideration estimate approval, constraint analysis — is where external audit firms concentrate walkthrough depth. Prova's integration with NetSuite + Salesforce CPQ produces contract-level audit trail evidence per performance obligation; the external audit firm's walkthrough becomes a review of agent-produced evidence rather than a reconstruction of contract history from disparate systems.

Use case 06

404(b) attestation preparation for accelerated-filer transition

Non-emerging-growth-company accelerated filers face Sarbanes-Oxley § 404(b) attestation (external auditor attestation of management's ICFR assessment) starting with their second 10-K. The transition from § 404(a) management-only assessment to § 404(b) auditor-attested ICFR is where the evidence bar step-changes: the auditor's attestation requires evidence meeting all four AS 2201 §.39 characteristics at full-population scope. Platform-produced evidence satisfies this natively; consulting-baseline evidence typically requires a material upgrade during the 404(b) transition year. Pre-IPO deployment of Prova pre-empts the 404(b) transition cost.

Regulatory deep-dive

PCAOB, SEC, and Sarbanes-Oxley references that apply at Pre-IPO scope.

Pre-IPO SOX readiness operates against a layered regulatory framework spanning SEC Regulation S-K, the Sarbanes-Oxley Act of 2002, PCAOB auditing standards, and the JOBS Act emerging-growth-company (EGC) transition rules. The specific citations that shape the readiness-phase evidence bar: SEC Regulation S-K Item 308(a) requires disclosure of management's annual assessment of ICFR effectiveness; SEC Regulation S-K Item 308(b) requires the registered public accounting firm's attestation under Sarbanes-Oxley § 404(b), though JOBS Act EGC status defers § 404(b) for up to five years post-IPO (or until the company exits EGC status on revenue, float, or debt thresholds).

The PCAOB standards governing readiness-phase attestation work are AS 2201 (Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements) with the key paragraphs identified in Section A above, plus AS 2401 (Consideration of Fraud in a Financial Statement Audit) for fraud-risk-related controls, AS 2810 (Evaluating Audit Results), and AS 3101 (The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion) for the attestation language format. Prova's evidence bar aligns to the AS 2201 §.39 four-characteristic test because that is the explicit threshold for walkthrough-grade evidence the external audit firm evaluates at each control-test execution.

Sarbanes-Oxley Sections 302 (quarterly and annual CEO/CFO certification of financial report accuracy, disclosure controls and procedures, and ICFR), 404(a) (management's annual assessment of ICFR effectiveness), 404(b) (external auditor attestation of management's ICFR assessment for non-EGC accelerated filers), and 906 (criminal certification of financial reports under 18 U.S.C. § 1350 with willful-and-knowing violations carrying up to 20-year imprisonment) create personal-liability certification layers that start with the first 10-Q post-S-1. The § 302 quarterly certification requires CEO/CFO sign-off on disclosure controls and procedures "designed under our supervision" and evaluated "as of the end of the period covered by this report" — language that requires continuous evidence, not point-in-time sampling. Prova's continuous-testing architecture produces this evidence structurally; consulting-baseline approaches produce it through quarterly reconstruction.

Pricing context

What Prova typically costs at Pre-IPO scope.

Pre-IPO readiness Prova ACV typically lands $35,000 to $60,000 per year for a 500-1,500 emp company, inclusive of the 12-15 month readiness phase and a walkthrough dry-run with the pre-IPO external audit firm. Design-partner Cohort 1 engagements run concierge — no separate services contract, no implementation fee beyond the platform ACV. Post-S-1 steady-state ACV typically runs $30k-$55k for the same-scope program. Against the consulting-baseline alternative ($300k-$600k/year for readiness, continuing at $250k-$400k/year steady-state for consulting-supervised 404(a) or 404(b)), the 5-year cost differential lands $1.8M-$2.8M in favor of the platform model — and the platform model produces in-house capability that persists beyond any specific engagement team's tenure.

What this page covers

Six questions Pre-IPO buyers ask

  1. 01

    What does an S-1-ready SOX readiness program actually look like in 2026?

  2. 02

    Which control families can an agent cover before the external audit firm engages?

  3. 03

    How does agent-produced evidence affect the IPO auditor's walkthrough?

  4. 04

    Can we avoid the $300K outsourced consulting readiness fee?

  5. 05

    What does steady-state 404(a) look like after the S-1 filing?

  6. 06

    When does 404(b) attestation kick in and how do we prepare for it?

Full answers, concrete dollar figures, and PCAOB-aligned evidence walkthroughs for each question are shipping across the blog and product pages through Cohort 1. Readers who want the long-form treatment before the content lands: request a design partner slot and we will send the draft memo.

FAQ for Pre-IPO

Questions Controllers at this stage ask

When should we start SOX readiness before an IPO?
The earliest defensible starting point is 18 to 24 months before the targeted S-1 filing date, and the practical starting point is 12 to 15 months out. Agent-driven testing compresses the readiness ramp because the control population can begin producing evidence on day one rather than after a multi-quarter consulting engagement. Most pre-IPO customers deploy Prova at the 12 to 18 month mark and are walkthrough-ready for the external audit firm by month six.
Do IPO auditors (Big 4) accept agent-produced evidence?
Big 4 firms have begun accepting agent-produced evidence in walkthroughs where the evidence meets PCAOB AS 2201 characteristics: authenticity, completeness, independence of source, and reperformability. Prova's evidence format is designed against these characteristics, and the Cohort 1 design-partner engagement includes a walkthrough dry-run with the customer's IPO audit firm before year-end. Acceptance is case-by-case today but trending fast.
What happens to the readiness work after the S-1 filing?
The evidence trail built during readiness becomes the operational foundation for 404(a) post-IPO — there is no throwaway work. Most pre-IPO customers transition directly from readiness to 404(a) with the same control library, evidence schema, and agent configuration, and then layer 404(b) capabilities when the market cap or other thresholds trigger auditor attestation.
How does this compare to hiring a SOX consulting firm?
Outsourced SOX consulting firms typically charge $250K to $500K per year for readiness engagements and produce external deliverables — walkthrough memos, control matrices, test workpapers — without leaving in-house evidence capability. Prova replaces the recurring consulting spend with a platform that builds the same artifacts but retains them as a product capability the internal audit team operates post-IPO.
What about the JOBS Act emerging-growth-company 404(b) deferral?
JOBS Act EGC status defers § 404(b) external auditor attestation for up to 5 years post-IPO or until the company exits EGC status (typically on $1.235B annual revenue, $700M public float, or $1B+ non-convertible debt issuance). The § 404(a) management assessment still applies starting with the second 10-K; only the external auditor attestation layer defers. Prova's evidence bar produces both § 404(a) management-assessment and § 404(b) external-auditor-attestation grade evidence from the same test execution, so the EGC-to-non-EGC transition does not require platform migration.
Can we bring in a consultant alongside Prova during readiness?
Yes, and it is a reasonable hybrid. Protiviti or Big 4 advisory can provide subject-matter-expertise leverage during the readiness phase (risk register construction, entity-level-control framework design, SAB 108 cross-period analysis) while Prova handles ongoing control-test execution. The hybrid lands at roughly $150k-$250k consulting + $35k-$55k Prova for the readiness year, down from the $400k-$600k pure-consulting alternative. Post-S-1, the consulting engagement ends and Prova continues operating steady-state.

Global FAQ

Questions that apply across every stage

Is Prova priced by company size, control count, or per entity?
Prova is priced per entity because the scope of testing is per entity. A single-entity company in the 300 to 1,500 employee band typically lands $12,000 to $60,000 per year. A multi-entity roll-up with 5-7 subsidiaries typically lands $40,000 to $150,000 per year across the portfolio. Control-count does not drive pricing beyond the entity boundary.
How does Prova's evidence satisfy PCAOB AS 2201 §.39 four-characteristic requirements?
Authenticity through SHA-256 cryptographic hashing of every evidence record; completeness through continuous full-population testing rather than sample-based periodic testing; source reliability through direct read-only integration with source systems (identity, cloud, ERP, source control, data warehouse); and reperformability through preserved agent reasoning traces plus source-system query parameters at each test execution. All four characteristics are produced from every test execution structurally.
What about data residency and PHI / PII exposure?
Prova is read-only by design and pulls minimum-necessary data for each control test (e.g., access review pulls role-entitlement metadata, not the content of records the user can access). Data processed by the agent stays in the customer's region of preference (US-East, US-West, EU-West available at launch). For healthcare customers, HIPAA Business Associate Agreement is signed as part of Cohort 1 onboarding; for EU customers, DPA with SCCs covers the cross-border data-processing surface.
How does Prova handle external audit firm workpaper integration?
Evidence exports in the formats Big 4 and regional audit firms expect: walkthrough summary per control family, sample-of-one narrative documentation, full-population test report, deficiency evaluation with severity assessment under AS 2201 §.50. Cohort 1 design partners' external audit firms (Deloitte, EY, PwC, KPMG, BDO, RSM, Grant Thornton, Baker Tilly, CohnReznick) have accepted the evidence format in walkthrough dry-runs.

Other stages

Not quite the right fit? See the other company stages.

Design partner program · Cohort 1

Request a design partner slot.

Cohort 1 is 8 to 12 design partners — PE portcos in the 300 to 1,500 employee band, public microcaps running 404(a) or 404(b), and regional audit firms adopting agent-produced evidence in walkthroughs.

Design partners get concierge onboarding, a dry-run walkthrough with your external audit partner before year-end, and founder-level access to the roadmap. In exchange we ask for 60 minutes every two weeks.

We will only email you about Prova. No newsletter list, no tracking pixels, no shared contact data.