Pricing · Per entity · Not per seat

We price per entity — not per seat.

Your internal audit team stays 2-5 people whether you have one portco or twelve. Software costs should follow the audit scope, not the team headcount. PE funds get one portfolio-wide contract — operations partner signs once, every portco is covered.

Microcap public

$24,000/yr · per entity

PE portco · volume

$20,000/yr · per portco · 3+ min

Pre-IPO intensity

$30,000/yr · per entity

Free · Open source · Live on npm

prova-sox-audit CLI

$0

Apache-2.0 · zero runtime deps · Node 20+ · `npm install -g prova-sox-audit`

Run a PCAOB AS 2201 walkthrough over a structured controls JSON and emit workpaper-quality evidence locally. Six built-in templates covering ITGC and BP. No account, no telemetry, no cloud round-trip.

  • 6 PCAOB AS 2201 templates — ITGC (CC6.1 provisioning, CC6.2 termination, CC6.3 privileged review, CC8.1 change mgmt) + BP (ASC 606 revenue cutoff, AS 2110.65 journal-entry approval)
  • AICPA AU-C 530 attribute sampling — risk-tiered floors (high 25 / medium 15 / low 10)
  • Output formats — table, markdown, HTML, JSON for external-auditor ingestion
  • Local audit log at ~/.prova/audit.jsonl — SHA-256 config digest, no plaintext entity data
  • CI-gateable exit codes (0 pass / 1 ineffective / 2 invocation error)
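The sampling gate those bullets describe, as an added illustration that is not the prova-sox-audit source: it applies the risk-tiered floors and tolerable deviation rates quoted on this page, writes an audit-log record that carries only a SHA-256 digest of the controls JSON (no entity name, no sampled items), and maps the outcome onto the 0/1/2 exit codes. The controls JSON shape, the function names, the sample data and the "observed rate against tolerable rate" comparison are assumptions; a full AU-C 530 evaluation projects an upper deviation limit rather than comparing the raw observed rate.

```python
"""Attribute-sampling gate in the style of the CLI described above.

Added illustration, not the prova-sox-audit source. The floor and tolerable
deviation rate values come from the page; the controls JSON shape, the
function names and the sample data are assumptions.
"""
import hashlib
import json
import sys
from dataclasses import dataclass

# Risk-tiered sample-size floors and tolerable deviation rates quoted on the page
SAMPLE_FLOOR = {"high": 25, "medium": 15, "low": 10}
TOLERABLE_DEVIATION = {"high": 0.05, "medium": 0.08, "low": 0.10}

# CI-gateable exit codes quoted on the page
EXIT_PASS, EXIT_INEFFECTIVE, EXIT_INVOCATION_ERROR = 0, 1, 2


@dataclass
class ControlResult:
    control_id: str
    risk: str
    sampled: int
    deviations: int
    effective: bool
    reason: str


def evaluate_control(control: dict) -> ControlResult:
    """Enforce the floor, then compare the observed deviation rate to the tolerable rate.

    Assumption: a control with fewer samples than its floor is reported as
    ineffective (evidence insufficient) rather than silently passed.
    """
    risk = control["risk"]
    if risk not in SAMPLE_FLOOR:
        raise ValueError(f"unknown risk tier {risk!r}")
    sample = control["sample"]
    sampled = len(sample)
    floor = SAMPLE_FLOOR[risk]
    if sampled < floor:
        return ControlResult(control["id"], risk, sampled, 0, False,
                             f"{sampled} items sampled, below the {risk}-risk floor of {floor}")
    deviations = sum(1 for item in sample if not item["passed"])
    rate = deviations / sampled
    tolerable = TOLERABLE_DEVIATION[risk]
    return ControlResult(
        control["id"], risk, sampled, deviations, rate <= tolerable,
        f"observed deviation {rate:.1%} vs tolerable {tolerable:.0%}")


def config_digest(config: dict) -> str:
    """SHA-256 over a canonical serialisation, so whitespace or key order in
    the controls JSON cannot change the digest recorded in the audit log."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def audit_record(config: dict, results: list) -> dict:
    """One JSONL audit-log line: digest, counts and control ids only.
    The entity name and the sampled items never appear in the record."""
    return {
        "config_sha256": config_digest(config),
        "controls_tested": len(results),
        "ineffective": [r.control_id for r in results if not r.effective],
    }


def run(config: dict) -> tuple:
    """Return (exit_code, audit_record). Malformed input yields exit 2."""
    try:
        results = [evaluate_control(c) for c in config["controls"]]
    except (KeyError, TypeError, ValueError):
        return EXIT_INVOCATION_ERROR, {}
    code = EXIT_PASS if all(r.effective for r in results) else EXIT_INEFFECTIVE
    return code, audit_record(config, results)


# Constructed sample input: one high-risk control at its floor with a single
# deviation (4% <= 5%, effective) and one medium-risk control with two
# deviations in twenty (10% > 8%, ineffective).
SAMPLE_CONFIG = {
    "entity": "Example Portco LLC",
    "controls": [
        {"id": "CC6.1", "risk": "high",
         "sample": [{"ref": f"USR-{i}", "passed": i != 7} for i in range(25)]},
        {"id": "CC8.1", "risk": "medium",
         "sample": [{"ref": f"CHG-{i}", "passed": i not in (2, 5)} for i in range(20)]},
    ],
}

if __name__ == "__main__":
    code, record = run(SAMPLE_CONFIG)
    print(json.dumps(record))  # the line that would be appended to audit.jsonl
    sys.exit(code)             # 1 here, because CC8.1 is ineffective
```

Run as a script it prints the audit-log line and exits 1, which is the shape a CI job needs: the job fails on an ineffective control, the digest lets a reviewer confirm which controls JSON was tested, and nothing entity-specific lands in the log.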

No email gate. The CLI exists to let you prove the category before we ask for an ERP integration call.

Continuous assurance

Microcap public · Single entity

$24,000/yr

Per entity · annual prepaid preferred · quarterly billed acceptable

For sub-$1B market-cap public companies running 404(b) with an existing external audit partner. Continuous ITGC and change-management testing, signed PCAOB-ready workpapers, direct handoff to Big 4 or regional audit firm.

  • Live read-only integration — Okta, Entra ID, Workday, NetSuite, Intacct, GitHub, AWS IAM
  • Daily population sampling + exception alerting to control owner
  • Signed workpaper PDF per control test — SHA-256 hash, reasoning trace, sign-off chain
  • External-auditor handoff pack (Grant Thornton / RSM / BDO / CohnReznick / Big 4 formats)
  • Private Slack channel with the founder + audit walkthrough dry-run before year-end

Continuous assurance

PE portfolio · Per portco

$20,000/yr

Per portco · minimum 3 portcos · fund-wide contract discount

For PE funds and family offices with 3+ portcos at mixed SOX maturity. One contract with the fund — per-entity deployment across each portco, rolled up to the operations partner with a portfolio-wide readiness dashboard.

  • Volume tier — $20k/yr per portco (vs $24k standalone) once the fund contracts 3+ entities
  • Fund-level rollup — operations partner sees every portco's control health in one view
  • Mixed-ERP support — NetSuite, Sage Intacct, SAP B1 simultaneously across portcos
  • Pre-exit readiness mode — tightens ITGC coverage 12-18 months before a QofE or S-1
  • PE-operator onboarding — sponsor-reviewed master agreement with per-portco SOW

Typical 8-12 portco fund lands $160-240k fund-wide ACV — the same controller + IA director who would have paid AuditBoard $150-250k for one entity.

Continuous assurance

Pre-IPO · Higher intensity

$30,000/yr

Per entity · 12-18 months to S-1 filing

For pre-IPO companies 12-18 months from an S-1 filing. Tighter sampling cadence, deeper ITGC + BP coverage, pre-commitment walkthroughs with your external auditor to confirm the evidence format passes the PCAOB bar before filing.

  • Weekly population sampling during the S-1 runway (vs monthly in steady-state)
  • Deficiency projection + remediation tracker mapped to AS 2201 §.50 severity
  • Pre-S-1 walkthrough dry-run with the external audit partner at quarter-end
  • ITGC + BP coverage — access review, change management, revenue cutoff, JE approval
  • Annual contract with convertible-to-public clauses for post-IPO entity transfer

All paid tiers are 12-month contracts, net-30 terms, annual prepaid or quarterly billed (+5% uplift). No hidden integration fees, no per-seat surcharge, no volume-based price floors that penalize larger portfolios. Design-partner cohort 1 is 8-12 slots total — microcap public, PE portco fund, pre-IPO.

Regulatory framework alignment

One evidence stream, every framework auditors cite.

Prova evidence is engineered for PCAOB AS 2201 §.39 first — the four characteristics: authenticity (SHA-256), completeness (continuous population), source reliability (direct read-only), reperformability (preserved reasoning traces). From that base, framework mappings produce SOC 2, DORA, and CMMC 2.0 evidence without a second test run.

PCAOB AS 2201

Auditing Standard No. 5

§.36 significant-risk controls · §.39 four evidence characteristics · §.42 nature-timing-extent · §.46 design · §.47 operating · §.50 deficiency severity

SEC Reg S-K Item 308

Management's ICFR report + auditor attestation

Annual management assessment + 404(b) attestation for accelerated and large-accelerated filers

Sarbanes-Oxley

§§ 302 / 404 / 906

§302 officer certification · §404(a) management · §404(b) auditor attestation · §906 criminal liability

AICPA AU-C 530

Audit Sampling

Attribute sampling floors (high 25 / medium 15 / low 10) · tolerable deviation rates 5% / 8% / 10% per §.A12

DORA (EU 2022/2554)

Digital Operational Resilience Act

Effective 2025-01-17 · Arts 5-14 ICT risk mgmt · Art 17 incident reporting · Arts 28-30 third-party cascade to US vendors

CMMC 2.0

32 CFR Part 170 · DFARS 252.204-7012/-7019/-7020/-7021

Level 1 (17 controls) · Level 2 NIST 800-171 Rev3 (110 controls, triennial C3PAO) · Level 3 NIST 800-172 (24 enhanced)

Pricing questions controllers ask before a call

Pricing FAQ.

What's the billing cadence — annual prepaid, monthly, or quarterly?
Annual prepaid is preferred and gets you the lowest ACV — $24k microcap, $20k/portco PE, $30k pre-IPO. Quarterly billed is acceptable at a 5% uplift ($25.2k / $21k / $31.5k). We don't sell monthly because the unit of work (quarterly control testing cycle aligned to PCAOB AS 2201) is calendar-bound, and monthly churn signal would push us toward shorter contracts and weaker evidence trails. All contracts are 12 months with net-30 terms.

How long is a typical pilot before the first annual contract?
Design-partner cohort 1 runs 90 days end-to-end. Weeks 1-2 is integration (Okta + NetSuite + GitHub read-only at minimum). Weeks 3-8 is daily sampling across your highest-frequency ITGC controls (user access review, change management). Weeks 9-12 is a full walkthrough dry-run with your external audit partner — Grant Thornton, RSM, BDO, CohnReznick, or Big 4 — to confirm the agent-produced workpapers meet the PCAOB AS 2201 §.39 bar. If the audit partner rejects the format, the engagement terminates with no annual commitment.

What does the security review look like before you touch our data?
We sign the customer's MSA and DPA before any integration. SOC 2 Type II is targeted for 2026 H2 — until then we run on signed security questionnaire responses, a vendor risk assessment, and contractual encryption-in-transit + encryption-at-rest clauses. All integrations are read-only; we never write back to source systems. Production data lives in a single-tenant customer-partitioned Supabase project with row-level security keyed to the entity ID. No data ever leaves the region you provision (US-East default, US-West and EU available on request).

Does Prova replace my external auditor, or work alongside them?
Alongside. Prova produces evidence; your external audit firm (Grant Thornton, RSM, BDO, CohnReznick, Baker Tilly, Big 4, or any PCAOB-registered firm) does the audit of record. Our evidence format is explicitly designed for direct ingestion into the audit firm's PCAOB AS 2201 workpapers — signed walkthrough summary, sample-of-one narrative, full-population test report, deficiency evaluation under §.50. Design-partner cohort 1 includes a pre-commitment walkthrough dry-run with your audit partner so format compatibility is confirmed before we take annual payment.

Where is the data stored, and which regions do you support?
Default US-East (AWS us-east-1 via Supabase). US-West (us-west-2) and EU (eu-central-1) available on request at no uplift. Data residency is contractual — we do not replicate across regions. Single-tenant projects for customers with that requirement; shared-tenant with row-level security for the default. No sub-processors touch production data outside of Supabase (DB + auth), Resend (transactional email), and Vercel (edge runtime). Every sub-processor is listed in the DPA and notified 30 days before any change.

Which ERPs and IAMs are supported out of the box?
At launch: identity and HRIS — Okta, Entra ID (Azure AD), Google Workspace, Workday, Rippling, BambooHR. Cloud — AWS IAM, GCP IAM, Azure AD. ERP — NetSuite, Sage Intacct, QuickBooks Online Advanced, Xero. Source control — GitHub, GitLab, Bitbucket, Jenkins, CircleCI. Data warehouse — Snowflake, BigQuery, Databricks. Phase 2 roadmap — SAP ECC, SAP S/4HANA, Oracle Fusion, Oracle EBS, Microsoft Dynamics 365. Custom or legacy ERPs are supported via generic SQL / API / SFTP ingestion against our structured evidence schema.

Why per entity and not per seat?
Because your internal audit team is 2-5 people regardless of whether you have one portco or twelve. Per-seat pricing would create the perverse incentive for the controller to under-staff the IA function to save on software, which is the opposite of what the PCAOB wants to see. Per-entity pricing aligns the software cost to the actual audit scope — each legal entity is one S-1 / 10-K / management assessment, so each legal entity earns its own ACV line. PE funds in particular prefer this model because it makes portfolio-wide contracting a single decision rather than a per-portco seat negotiation.

Can we start on the free CLI and upgrade later?
Yes, and most design-partner conversations start that way. The prova-sox-audit CLI (live on the public npm registry — `npm install -g prova-sox-audit`) runs PCAOB AS 2201 walkthroughs against a structured controls JSON you provide — it gives you the output format and the sampling methodology before we ever ask for an ERP integration call. If the CLI output survives internal review and you decide to upgrade, we carry your controls JSON into the continuous-assurance configuration directly. No migration fee, no data-model rewrite.

Book a 15-minute call.

We will walk through your entity count, ERP stack, external audit partner, and current SOX calendar. If Prova is not the right tool today, we will say so in the call — no procurement theater.