Research · original analysis · 2026-04-17

PCAOB AS 2201 Evidence at Sub-$500M Revenue: A 416-Filing Analysis of Microcap SOX Pain

Original aggregate analysis of 416 SEC 10-K filings lodged since December 2025 that surfaced SOX / material-weakness / AI-governance / smaller-reporting / limited-IA-resource / AS 2201 language. Cross-referenced against PCAOB AS 2201, AICPA AU-C 530, SEC Reg S-K Item 308, Sarbanes-Oxley §§ 302/404/906, the Hg–AuditBoard $4.4B transaction, DORA, and CMMC 2.0.

19 min readProva Research Teamsox · pcaob as 2201 · microcap · pe portfolio companies

Executive summary · ungated preview

Executive summary

For a Controller or Internal Audit Director drinking their first cup of coffee, five facts: - 416 unique sub-$500M revenue public companies filed 10-K or 10-K/A disclosures with SOX-distressed language between 2025-12-01 and 2026-04-17. 63.5% are Smaller Reporting Companies and 44.5% are Emerging Growth Companies. This is not a Fortune 500 problem; this is a microcap-and-portco problem with a 416-company surface area visible from public filings alone. - 47.6% are incorporated in Delaware or Nevada, and 81.0% (337 of 416) have both a trading ticker and a published phone number — they are direct-contactable entities, not opaque shells. The subset of 52 non-large accelerated filers is the 404(b) auditor-attestation cohort where PCAOB scrutiny is highest and the cost of evidence failure is a publicly-disclosed material weakness. - AU-C 530.A12 tolerable-rate math forces a 3-person internal audit team at a 650-emp PE portco to run roughly 60 controls × 25 samples × 6 hours per sample ≈ 9,000 hours per year, against a staffed capacity of 5,800 hours — a 3,200-hour deficit that is currently closed with external consultants, missed deadlines, or undocumented shortcuts. - A 10-portco PE fund runs roughly 50,000 control tests per year across the portfolio, and the three available options are AuditBoard-upmarket tooling at $2M–$5M/year, Protiviti-style staff aug at roughly $60M/year at full AS 2201 rigor (which nobody actually pays), or per-entity continuous assurance at $20k/yr × 10 = $200k per fund — two orders of magnitude less than the $4.4 billion that Hg Capital paid for AuditBoard in May 2024. - PCAOB's 2024–2025 public Part II / disciplinary releases against Big 4 and mid-tier firms repeatedly cite stale or reperformance-deficient evidence — the standard has quietly moved from "evidence exists" to "evidence that the engagement team could reperform at inspection time." Continuous-capture evidence is now the direction of supervisory expectation, not a nice-to-have. What follows is the methodology, the 416-filing data, the sample-size math, the portfolio…

The remaining nine sections — methodology + data sources, the 416-filing analysis, the PCAOB AS 2201 sample-size mismatch, PE portfolio structural math, continuous vs point-in-time evidence, DORA + CMMC 2.0 adjacency, a 60-day operating blueprint, key takeaways, and full references — unlock with the email gate on the right.

Unlock the full report

Email gate — two fields, no marketing follow-up.

Email + role. We send the full 4,800-word report as a signed PDF with the 416-filing CSV appendix attached. No newsletter drip, no tracking pixels.

Your email enters the Prova research-subscriber list only. No cross- venture sharing. One-click unsubscribe in every email.

What this research is · and is not

Original analysis, not repackaged vendor content.

The 416-filing aggregate numbers in this report were computed from a de-duplicated set of 10-K and 10-K/A filings lodged on SEC EDGAR between 2025-12-01 and the report date. The raw result set is stored in the Prova repo under .studio/research/icp-leads/.

Every verified citation traces to public statutory text or a public SEC filing. Every estimated figure is labeled (E) in the References section. We do not present projections as verified facts.

Not legal, audit, or financial-reporting advice.

This report is operational research for internal audit, finance, and sponsor operating partners. The external audit firm’s work remains the audit of record under PCAOB AS 2201. Nothing here substitutes for a walkthrough with your audit partner.

If a PCAOB-aligned reader would raise an eyebrow at a phrasing, we rewrite it. If you find a figure you cannot trace, email seungdo@grindworks.ai and we will publish the trace.

Prefer a conversation?

Book a 15-min call instead.

Controllers, Internal Audit Directors, and PE operating partners who want to talk through how this research maps to their own SOX calendar can skip the email gate and book a call. No sales pitch; we walk through your entity count, ERP stack, and external audit partner in 15 minutes.

Book a 15-min call