SOX platform for public microcaps under $1B

Public microcap filers below $1 billion market cap operate under identical Sarbanes-Oxley and PCAOB obligations as $10B+ large-cap filers. SEC Regulation S-K Item 308(a) and 308(b) apply without scale adjustment; SOX § 302 quarterly certification applies without scale adjustment; PCAOB AS 2201 evidence standards apply without scale adjustment. The structural asymmetry is that the compliance cost base — platform ACV, external audit firm fees, internal audit staffing — scales much more slowly than revenue, which means microcap G&A envelopes absorb a proportionally larger compliance line item than large-cap G&A envelopes.

This asymmetry is where the AuditBoard-tier pricing breaks. A $500M revenue microcap paying $200k AuditBoard ACV is paying 40 basis points of revenue for a SOX platform, compared to a $5B revenue large-cap paying 4 basis points for the same platform — a 10x differential in proportional G&A impact. Microcap Controllers at this tier are structurally forced toward one of three options: pay the disproportionate ACV and absorb the G&A impact, run the spreadsheet-and-SharePoint baseline and accept material weakness exposure, or operate a SOX program scoped below the expected regulatory bar. Prova is designed for the fourth option: agent-driven continuous testing at a cost base that scales with the microcap's actual G&A budget while producing AS 2201 §.39 evidence that satisfies the full PCAOB inspection bar.

Public microcap SOX programs operate under the full SEC + Sarbanes-Oxley + PCAOB regulatory stack without scale adjustment from the large-cap regime. SEC Regulation S-K Item 308(a) requires the annual 10-K Item 9A disclosure of management's assessment of ICFR effectiveness, identifying any material weaknesses; Item 308(b) requires the external auditor's attestation on management's assessment for non-EGC accelerated filers under Sarbanes-Oxley § 404(b). SEC Rule 13a-15 and 15d-15 require the quarterly and annual evaluation of disclosure controls and procedures (DCP) with the CEO/CFO certification under Sarbanes-Oxley § 302 filed with each 10-Q and 10-K.

PCAOB AS 2201 (formerly AS 5) governs the external auditor's integrated audit of financial statements and ICFR. The PCAOB's inspection program reviews audit workpapers on a 3-year cycle for Big 4 firms and a less-frequent cycle for regional firms; inspection findings classify as Part I.A deficiencies (material-level audit-quality deficiencies in the specific engagement) or Part I.B/II deficiencies (systemic audit-quality issues at the firm level). Microcap filers face PCAOB inspection exposure through their external audit firm's broader inspection cycle, which means the evidence the microcap produces must withstand PCAOB inspection scrutiny independent of its direct engagement team's review.

The Sarbanes-Oxley § 302 quarterly certification (Rule 13a-14 / 15d-14) requires the CEO and CFO to certify quarterly that they have designed disclosure controls and procedures "under our supervision," evaluated the effectiveness of DCP and ICFR "as of the end of the period," disclosed to the audit committee and external auditor "all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting," and disclosed "any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting." The § 906 criminal certification layer (18 U.S.C. § 1350) adds willful-and-knowing certification-violation penalties up to 20-year imprisonment. These personal-liability certification requirements are why microcap CEOs + CFOs take ICFR posture seriously despite the G&A cost asymmetry with large-cap filers.