CONFIDENTIAL
muratov.io — ITGC Factory
IT General Controls
Workpaper Documentation
Meridian Financial Group
FY2025 SOX 404 IT General Controls Assessment
Audit Period: 1 Jan 2025 – 31 Dec 2025
WP-MER-2025-7F2A
EFFECTIVE WITH EXCEPTIONS
Controls: 8 controls tested
Systems: 4 in scope
Categories: access, change, operations, security
Pass Rate: 63% clean (3 w/ exceptions)
Prepared by: Sarah Chen, ACCA (s.chen@muratov.io)
Signed off: 7 Feb 2026
Status: FINALIZED | Generated: Feb 7, 2026, 02:30 PM
Prepared with reference to AICPA AU-C 530, PCAOB AS 2315, SOX Section 404
2. Executive Summary
Ref (for reference only): AICPA AU-C 265, PCAOB AS 2201.62-70
Overall Opinion
EFFECTIVE WITH EXCEPTIONS

Based on our examination of 8 IT General Controls across 4 systems in scope, covering the period 1 Jan 2025 through 31 Dec 2025, we conclude that the entity’s IT General Controls are effective with exceptions. A total of 4 exceptions were identified during testing. Sampling was performed using random and judgmental selection methods with cryptographic seeding for reproducibility.

Controls Tested: 8
Clean Pass: 5 of 8 (63%)
Exceptions: 4 (0 critical)
QC Checks: 32 (28 passed)
Total Controls: 8 | Clean Pass: 5 | Pass w/ Exceptions: 3 | Failed: 0 | Signed Off: 8 | Exceptions: 4
Population Items: 12,467 | Samples Tested: 185
AI Technology Disclosure

This engagement utilized AI-assisted testing powered by Anthropic Claude language models. All AI-generated test results were subject to mandatory auditor review before acceptance. AI determinations that were rejected by the auditor are documented with override rationale. The use of AI does not diminish the auditor’s professional responsibility or judgment.

Ref: PCAOB Staff Guidance on Technology-Assisted Analysis in Auditing

Scope Memo:

This engagement covers IT General Controls supporting financial reporting for Meridian Financial Group’s FY2025 fiscal year. Testing scope includes access management, change management, IT operations, and security monitoring controls across four in-scope systems. Controls were selected based on risk assessment considering financial statement materiality, prior-year findings (none), and regulatory requirements under SOX Section 404. Reliance was placed on the managed service provider’s SOC 1 Type II report for restore testing, patch management, and monitoring controls.

3. Scope & Systems
Ref (for reference only): PCAOB AS 2110, AICPA AU-C 315
Areas in Scope: Access, Change, Operations, Security

System Name | Type | Environment | Owner | Controls
Oracle EBS R12.2 | Financial ERP | Production (eu-west-1) | IT Applications — David Park | 3
Microsoft Entra ID | Identity & Access Management | Production (Global) | IT Security — Maria Santos | 3
ServiceNow ITSM | IT Service Management | Production (SaaS) | IT Operations — James Liu | 2
AWS (us-east-1) | Cloud Infrastructure | Production | Cloud Engineering — Anna Kowalski | 3
4. Scope Gap Justifications
Ref (for reference only): PCAOB AS 2201.39-42, AICPA AU-C 530

The following scope gap justifications have been documented and approved by a Partner:

System | Control | Justification | Approved By
Entra ID | A3 | Privileged access provisioning is managed through Entra ID Privileged Identity Management (PIM) with just-in-time elevation and automated expiration. Provisioning controls are covered under A1; periodic review under A6. | Sarah Chen, ACCA, 15 Nov 2025
Entra ID | A4 | Privileged access periodic review is performed through the same quarterly review cycle tested under A6. PIM assignments are time-bound (max 8 hours) and do not persist between sessions. | Sarah Chen, ACCA, 15 Nov 2025
Entra ID | A5 | Break-glass emergency access is managed through Entra ID PIM with time-bound assignments, MFA enforcement, and automated audit logging. No standing break-glass accounts exist in the environment. | Sarah Chen, ACCA, 15 Nov 2025
AWS | A7 | Service account lifecycle is automated through AWS IAM roles with programmatic credential rotation (90-day policy). No interactive service accounts exist — all workloads use assumed roles with session tokens. | Sarah Chen, ACCA, 15 Nov 2025
Entra ID | A8 | Authentication controls (MFA, conditional access, password complexity) are enforced at the identity provider level through Entra ID tenant-wide policies. These are organizational-level IT controls outside the ITGC testing scope per the agreed SOX 404 scoping framework. | Sarah Chen, ACCA, 15 Nov 2025
ServiceNow | C2 | Emergency change procedures follow the same approval workflow as normal changes (C1) with expedited CAB review (4 hours vs. standard 48 hours). Emergency changes are retroactively reviewed in weekly CAB meetings. Testing coverage provided under C1. | Sarah Chen, ACCA, 15 Nov 2025
GitLab CI | C4 | CI/CD pipeline security is enforced through GitLab CI with branch protection rules, mandatory merge request approvals, and automated SAST/DAST scanning. Pipeline configuration changes require senior engineer approval. Deployment controls tested under C3 (Release Controls). | Sarah Chen, ACCA, 15 Nov 2025
AWS | C5 | Infrastructure-as-code changes are managed through Terraform with mandatory plan review, state locking, and approval gates. IaC changes follow the same approval workflow tested under C1 (Normal Change Approvals). | Sarah Chen, ACCA, 15 Nov 2025
AWS | O2 | Restore testing is performed quarterly as part of backup validation under O1 (Backup Success Monitoring). Q3 2025 recovery test achieved RTO of 2h 47m vs. 4h target. Standalone restore testing control not required. | Sarah Chen, ACCA, 15 Nov 2025
ServiceNow | O4 | Monitoring and alert response is outsourced to Meridian’s managed service provider (Kyndryl) under SOC 1 Type II report (report period: Apr 2025 – Mar 2026). Reliance placed on service organization controls per AICPA AT-C 320. | Sarah Chen, ACCA, 15 Nov 2025
ServiceNow | O5 | Incident management is handled through ServiceNow ITSM with automated SLA escalation. Financial system incidents (P1/P2) are escalated to IT Security within 15 minutes. Incident response does not directly impact financial reporting ITGC controls. | Sarah Chen, ACCA, 15 Nov 2025
ServiceNow | O6 | Problem management follows the ITIL v4 framework through ServiceNow with automated root cause tracking. Problem records are linked to parent incidents and resolved through the normal change process (C1). No separate ITGC control required. | Sarah Chen, ACCA, 15 Nov 2025
AWS | O7 | Operating system and infrastructure patch management is outsourced to Kyndryl under SOC 1 Type II report (report period: Apr 2025 – Mar 2026). Reliance placed on service organization controls per AICPA AT-C 320. | Sarah Chen, ACCA, 15 Nov 2025
AWS | O8 | Audit log review is covered under S1 (Security Event Logging), which tests log coverage, retention, alerting configuration, and active monitoring across all in-scope systems. Separate audit log review control not required. | Sarah Chen, ACCA, 15 Nov 2025
AWS | O9 | DR/BCP testing is performed semi-annually by the infrastructure team. Last successful DR failover test: September 14, 2025 (RTO achieved: 2h 47m vs. 4h target). DR controls are organizational-level controls outside ITGC testing scope. | Sarah Chen, ACCA, 15 Nov 2025
Oracle EBS | S2 | Segregation of duties is enforced through Oracle EBS Advanced Access Controls with automated detection and preventive blocking. SOD conflicts in change management are tested under the C3 (Release Controls) approval workflow. Application-level SOD is outside ITGC testing scope. | Sarah Chen, ACCA, 15 Nov 2025
AWS | S3 | Annual penetration testing performed by independent third party (NCC Group). Report dated August 18, 2025 reviewed — no critical or high findings affecting financial reporting systems. Ongoing vulnerability scanning managed through AWS Inspector with automated remediation tracking. | Sarah Chen, ACCA, 15 Nov 2025
Entra ID | S4 | Access review authorization is tested under A6 (User Access Reviews), which verifies reviewer authority, completion timeliness, and action on exceptions. Separate authorization control not required. | Sarah Chen, ACCA, 15 Nov 2025
5. Controls Matrix
Ref (for reference only): PCAOB AS 2201.21-33, COSO Framework
Code | Control Name | Category | System | COSO Component | Status | Conclusion | Locked
A1 | User Provisioning Approvals | Access | Entra ID | Control Activities (P10) | Pass | Pass | Signed Off
A2 | User Terminations Timeliness | Access | Entra ID | Control Activities (P10) | Pass w/ Exceptions | Pass with Exceptions | Signed Off
A6 | User Access Reviews (UAR) | Access | Oracle EBS | Monitoring (P16) | Pass | Pass | Signed Off
C1 | Normal Change Approvals | Change | ServiceNow | Control Activities (P10) | Pass | Pass | Signed Off
C3 | Release Controls | Change | Oracle EBS | Control Activities (P11) | Pass w/ Exceptions | Pass with Exceptions | Signed Off
O1 | Backup Success Monitoring | Operations | AWS | Control Activities (P11) | Pass | Pass | Signed Off
O3 | Batch Job Monitoring | Operations | Oracle EBS | Monitoring (P16) | Pass | Pass | Signed Off
S1 | Security Event Logging | Security | AWS | Monitoring (P16) | Pass w/ Exceptions | Pass with Exceptions | Signed Off
6. Population & Sampling Documentation
Ref (for reference only): AICPA AU-C 530, PCAOB AS 2315
Control | Population Name | Source System | Total Count | Risk Level | AICPA Basis | Sample Method | Sample Size | Seed
A1 | New User Accounts — Entra ID Provisioning Log FY2025 | Entra ID | 847 | Medium | AU-C 530.A11 — Standard | random | 25 | a7f2c9...
A2 | Terminated Users — HR Separation Report FY2025 | Workday HRIS | 156 | High | AS 2315.18 — Extended | random | 30 | b3e8d1...
A6 | Active User Accounts — Oracle EBS User Directory Q4 2025 | Oracle EBS | 2,341 | Medium | AU-C 530.A11 — Standard | random | 25 | c4f7a2...
C1 | Normal Change Tickets — ServiceNow FY2025 | ServiceNow | 1,287 | Medium | AU-C 530.A11 — Standard | random | 25 | d9e1b5...
C3 | Release Deployments — Oracle EBS + GitLab CI FY2025 | GitLab CI | 423 | High | AS 2315.18 — Extended | random | 30 | e2f6c8...
O1 | Scheduled Backup Jobs — AWS Backup FY2025 | AWS Backup | 365 | Low | AU-C 530.A13 — Reduced | random | 15 | f1a3d7...
O3 | Batch Job Executions — Oracle Concurrent Manager Q4 2025 | Oracle EBS | 4,892 | Low | AU-C 530.A13 — Reduced | random | 15 | g5b9e4...
S1 | Security Log Sources — AWS CloudTrail + GuardDuty FY2025 | AWS | 2,156 | Medium | AU-C 530.A11 — Standard | judgmental | 20 | n/a
Note: All sampling uses cryptographic seeding for reproducibility. Random sampling uses SHA-256 derived seeds. Judgmental sampling (S1) uses auditor-selected items targeting critical financial system event sources.

Total: 12,467 population items, 185 samples tested.
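To show how a SHA-256 derived seed makes the random selections in the table above re-performable by a reviewer, here is an added Python illustration; it is not ITGC Factory's code, and the context string hashed to produce the seed (workpaper id, control code, population name) and the 847-item population are assumptions constructed for the example.

```python
"""Reproducible random sample selection from a SHA-256 derived seed.

Added illustration, not code from the workpaper or from ITGC Factory.
The seed is derived by hashing an engagement-specific context string;
the workpaper does not state which context it hashes, so the one used
here (workpaper id + control code + population name) is an assumption.
Population IDs below are constructed sample data.
"""
import hashlib
import random

WORKPAPER = "WP-MER-2025-7F2A"

# Constructed population: 847 provisioning records, matching the A1 count
A1_POPULATION = [f"USR-2025-{i:04d}" for i in range(1, 848)]


def derive_seed(workpaper: str, control: str, population: str) -> str:
    """Return the hex SHA-256 digest of the sampling context (assumed scheme).

    Recording this digest in the workpaper is what lets a second auditor
    re-derive the exact same sample without trusting the first run.
    """
    context = f"{workpaper}|{control}|{population}".encode("utf-8")
    return hashlib.sha256(context).hexdigest()


def select_sample(population_ids, seed_hex: str, sample_size: int):
    """Select `sample_size` distinct items deterministically from the seed.

    The population is sorted first so the result does not depend on the
    order in which the source system happened to export it; the same seed
    and the same population always yield the same sample.
    """
    if sample_size > len(population_ids):
        raise ValueError("sample size exceeds population")
    ordered = sorted(population_ids)
    rng = random.Random(int(seed_hex, 16))  # full 256-bit digest as the seed
    return sorted(rng.sample(ordered, sample_size))


def a1_sample():
    """Derive the A1 seed and draw the 25-item sample the workpaper describes."""
    seed = derive_seed(WORKPAPER, "A1", "New User Accounts FY2025")
    return seed, select_sample(A1_POPULATION, seed, 25)


def reperform_matches(seed_hex: str, documented_sample) -> bool:
    """The reviewer's check: re-run selection from the documented seed and compare."""
    return select_sample(A1_POPULATION, seed_hex, 25) == documented_sample


if __name__ == "__main__":
    seed, sample = a1_sample()
    print("seed:", seed[:6] + "...")
    print("sample:", sample)
    print("re-performed selection matches:", reperform_matches(seed, sample))
```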

7. Testing Results by Control
Ref (for reference only): AICPA AU-C 500, PCAOB AS 1105

Testing Methodology

Testing was performed using an Evidence-First approach: evidence documents are mapped to sample items and control attributes before AI-assisted analysis is executed. Each sample item is tested against all defined acceptance criteria (attributes) with results subject to mandatory auditor review.

Sampling: Per AICPA AU-C 530 / PCAOB AS 2315, samples were selected using random and judgmental selection methods with cryptographic seeding for full reproducibility. All seeds are documented in Section 6.

Risk Level | Sample Size (AICPA) | Basis
Low | 5–15 | Reduced testing, strong prior-year reliance
Medium | 15–25 | Standard testing, moderate reliance
High | 25–40+ | Extended testing, limited/no reliance

AI Disclosure: AI-assisted testing was performed using Anthropic Claude models. All AI results are subject to mandatory auditor review before acceptance. Confidence scores and auditor override status are documented in the AI Provenance section below each control.

Acceptance Criteria Summary

Control | Acceptance Criteria | Testing Complete | Evidence Mappings | Status
A1 User Provisioning Approvals | Request Documentation, Manager Approval, Timely Provisioning, Role Appropriateness | Yes | 25 (25 samples) | pass
A2 User Terminations Timeliness | Timely Disable, Complete Disable, No Post-Termination Activity | Yes | 30 (30 samples) | pass with exceptions
A6 User Access Reviews (UAR) | Coverage, Timely Completion, Action on Exceptions | Yes | 25 (25 samples) | pass
C1 Normal Change Approvals | Change Request, Approval, Testing Evidence, Implementation Evidence | Yes | 25 (25 samples) | pass
C3 Release Controls | Release Approval, Test Sign-off | Yes | 30 (30 samples) | pass with exceptions
O1 Backup Success Monitoring | Backup Success, Failure Resolution | Yes | 15 (15 samples) | pass
O3 Batch Job Monitoring | Job Success, Failure Handling | Yes | 15 (15 samples) | pass
S1 Security Event Logging | Log Coverage, Log Retention, Alerting Configuration, Active Monitoring | Yes | 20 (20 samples) | pass with exceptions
Note: All acceptance criteria must be met and evidenced for controls to receive a “Pass” status.
A1 User Provisioning Approvals [Signed Off]
Result: pass
System: Entra ID | Category: Access | Population: 847 | Samples: 25

Verify that new user accounts are provisioned with documented access requests, manager approval, timely setup, and appropriate role assignment.

CONCLUSION NARRATIVE:

Tested 25 new user provisioning requests from a population of 847 accounts created during FY2025. All sampled items had documented access requests with business justification (A1-1), manager approval prior to access grant (A1-2), provisioning within the 2-business-day SLA (A1-3), and role assignments consistent with the approved request (A1-4). No exceptions identified. Control is operating effectively.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | A1-1: Request Documentation | A1-2: Manager Approval | A1-3: Timely Provisioning | A1-4: Role Appropriateness | Evidence
USR-2025-0012 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
USR-2025-0047 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
USR-2025-0103 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
USR-2025-0219 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
USR-2025-0384 | ✓ | ✓ | ✓ | ✓ | 1 file(s)

Showing 5 of 25 samples — all 25 pass on all attributes

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 100
Samples Tested: 25
Accepted: 99
Overridden: 1
Avg Confidence: 91%
<70%: 1
≥90%: 18
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
USR-2025-0012 | A1-1: Request Documentation | PASS | 94% | ✓ Accepted | Access request form REQ-0012 contains business justification and role specification | claude-sonnet-4-5
USR-2025-0012 | A1-2: Manager Approval | PASS | 92% | ✓ Accepted | Manager approval by J. Smith dated 2025-01-15, prior to provisioning date 2025-01-16 | claude-sonnet-4-5
USR-2025-0012 | A1-3: Timely Provisioning | PASS | 88% | ✓ Accepted | Account provisioned within 1 business day of approval (SLA: 2 days) | claude-sonnet-4-5
USR-2025-0012 | A1-4: Role Appropriateness | PASS | 90% | ✓ Accepted | Assigned role “Financial Analyst” matches requested role in REQ-0012 | claude-sonnet-4-5
USR-2025-0047 | A1-1: Request Documentation | PASS | 96% | ✓ Accepted | ServiceNow ticket INC-4701 documents access request with department and role justification | claude-sonnet-4-5
USR-2025-0384 | A1-3: Timely Provisioning | PASS | 62% | ✓ Override → PASS | AI confidence low due to ambiguous date format in evidence. Auditor verified provisioning within SLA via manual timestamp comparison. | claude-sonnet-4-5

Total: 100 AI test results (showing 6 of 100, incl. 1 low-confidence override)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
A2 User Terminations Timeliness [Signed Off]
Result: pass with exceptions
System: Entra ID | Category: Access | Population: 156 | Samples: 30

Verify that terminated users have access disabled within the 24-hour SLA, all linked systems are fully deprovisioned, and no post-termination transactional activity occurred.

CONCLUSION NARRATIVE:

Tested 30 user terminations from a population of 156 HR separations during FY2025. 28 of 30 sampled items had timely access disable within the 24-hour SLA (A2-1). Two items had delayed access disable: EMP-2847 (12 business days — HRIS-to-IAM batch sync failure; remediated with real-time webhook) and EMP-1903 (3 business days — within risk tolerance, holiday period manual delay). All 30 items had complete disable across all linked systems (A2-2). No post-termination transactional activity detected for either delayed user (A2-3). Control is effective with exceptions — the delayed termination finding was remediated and compensating monitoring confirmed no unauthorized activity.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | A2-1: Timely Disable | A2-2: Complete Disable | A2-3: No Post-Term Activity | Evidence
EMP-2025-0142 | ✓ | ✓ | ✓ | 1 file(s)
EMP-2025-0387 | ✓ | ✓ | ✓ | 1 file(s)
EMP-2025-0619 | ✓ | ✓ | ✓ | 1 file(s)
EMP-2025-0847 | ✗ | ✓ | ✓ | 2 file(s)
EMP-2025-1023 | ✓ | ✓ | ✓ | 1 file(s)

Showing 5 of 30 samples — 28 pass all attributes, 2 fail on Timely Disable

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 90
Samples Tested: 30
Accepted: 89
Overridden: 1
Avg Confidence: 89%
<70%: 0
≥90%: 12
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
EMP-2025-0142 | A2-1: Timely Disable | PASS | 91% | ✓ Accepted | Entra ID account disabled 4 hours after HR separation date; within 24-hour SLA | claude-sonnet-4-5
EMP-2025-0142 | A2-2: Complete Disable | PASS | 93% | ✓ Accepted | All linked systems (Entra ID, Oracle EBS, VPN) show disabled status as of termination date | claude-sonnet-4-5
EMP-2025-0387 | A2-3: No Post-Term Activity | PASS | 95% | ✓ Accepted | No login attempts or transactional activity detected in any system after separation date | claude-sonnet-4-5
EMP-2025-0847 | A2-1: Timely Disable | FAIL | 88% | ✗ Accepted as exception | Account remained active 12 business days post-separation; HRIS-to-IAM batch sync failure identified as root cause | claude-sonnet-4-5
EMP-2025-1023 | A2-2: Complete Disable | PASS | 90% | ✓ Accepted | Deprovisioning workflow completed across all 3 linked systems within 2 hours of disable trigger | claude-sonnet-4-5

Total: 90 AI test results (showing 5 of 90)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
EXCEPTIONS (1):
Delayed access disable for EMP-2847 — Entra ID account active 12 business days post-HR separation
Severity: High | Status: Remediated
A6 User Access Reviews (UAR) [Signed Off]
Result: pass
System: Oracle EBS | Category: Access | Population: 2,341 | Samples: 25

Verify that quarterly user access reviews are completed within the 90-day cycle, performed by appropriate managers, and that identified access modifications are executed within 5 business days.

CONCLUSION NARRATIVE:

Tested 25 user accounts from the Q4 2025 quarterly access review cycle (population of 2,341 active Oracle EBS users). All sampled items had completed reviews within the 90-day cycle (A6-1), reviews were performed by the appropriate department manager or delegate (A6-2), and identified access modifications were executed within 5 business days of review completion (A6-3). No exceptions identified. Control is operating effectively.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | A6-1: Coverage | A6-2: Timely Completion | A6-3: Action on Exceptions | Evidence
UAR-Q4-0023 | ✓ | ✓ | ✓ | 1 file(s)
UAR-Q4-0156 | ✓ | ✓ | ✓ | 1 file(s)
UAR-Q4-0412 | ✓ | ✓ | ✓ | 1 file(s)
UAR-Q4-0789 | ✓ | ✓ | ✓ | 1 file(s)
UAR-Q4-1105 | ✓ | ✓ | ✓ | 1 file(s)

Showing 5 of 25 samples — all 25 pass on all attributes

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 75
Samples Tested: 25
Accepted: 75
Overridden: 0
Avg Confidence: 93%
<70%: 0
≥90%: 20
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
UAR-Q4-0023 | A6-1: Coverage | PASS | 94% | ✓ Accepted | User included in Q4 review cycle; review completed on 2025-10-18, within 90-day window | claude-sonnet-4-5
UAR-Q4-0023 | A6-2: Timely Completion | PASS | 92% | ✓ Accepted | Review completed by department manager R. Chen within 45 days of cycle start | claude-sonnet-4-5
UAR-Q4-0156 | A6-3: Action on Exceptions | PASS | 96% | ✓ Accepted | Excess AP_INVOICE_ENTRY role removed within 3 business days of review finding | claude-sonnet-4-5
UAR-Q4-0789 | A6-1: Coverage | PASS | 91% | ✓ Accepted | User account reviewed as part of Finance department quarterly cycle; sign-off documented | claude-sonnet-4-5
UAR-Q4-1105 | A6-2: Timely Completion | PASS | 93% | ✓ Accepted | Review completed by delegate M. Patel (authorized by VP Operations) within 60-day window | claude-sonnet-4-5

Total: 75 AI test results (showing 5 of 75)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
C1 Normal Change Approvals [Signed Off]
Result: pass
System: ServiceNow | Category: Change | Population: 1,287 | Samples: 25

Verify that normal changes have documented change requests, CAB approval prior to production, testing evidence, and implementation evidence with deployment logs.

CONCLUSION NARRATIVE:

Tested 25 normal change tickets from a population of 1,287 ServiceNow change requests during FY2025. All sampled items had documented change requests (C1-1), CAB approval prior to production implementation (C1-2), documented testing evidence (C1-3), and implementation evidence with deployment logs (C1-4). Complete change traceability chain verified for all samples. No exceptions identified. Control is operating effectively.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | C1-1: Change Request | C1-2: Approval | C1-3: Testing Evidence | C1-4: Implementation Evidence | Evidence
CHG-2025-0034 | ✓ | ✓ | ✓ | ✓ | 2 file(s)
CHG-2025-0189 | ✓ | ✓ | ✓ | ✓ | 2 file(s)
CHG-2025-0456 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
CHG-2025-0721 | ✓ | ✓ | ✓ | ✓ | 2 file(s)
CHG-2025-0998 | ✓ | ✓ | ✓ | ✓ | 1 file(s)

Showing 5 of 25 samples — all 25 pass on all attributes

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 100
Samples Tested: 25
Accepted: 100
Overridden: 0
Avg Confidence: 94%
<70%: 0
≥90%: 22
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
CHG-2025-0034 | C1-1: Change Request | PASS | 96% | ✓ Accepted | ServiceNow CHG-0034 contains business justification, impact assessment, and rollback plan | claude-sonnet-4-5
CHG-2025-0034 | C1-2: Approval | PASS | 95% | ✓ Accepted | CAB approval dated 2025-01-22 by Change Manager K. Williams, 3 days prior to implementation | claude-sonnet-4-5
CHG-2025-0189 | C1-3: Testing Evidence | PASS | 93% | ✓ Accepted | UAT sign-off by business owner attached; test plan covers 12 scenarios with all passing | claude-sonnet-4-5
CHG-2025-0456 | C1-4: Implementation Evidence | PASS | 91% | ✓ Accepted | Jenkins deployment log DEP-0456-PROD confirms successful production release at 2025-04-15 02:00 UTC | claude-sonnet-4-5
CHG-2025-0998 | C1-1: Change Request | PASS | 94% | ✓ Accepted | Change request includes security review sign-off and infrastructure dependency mapping | claude-sonnet-4-5

Total: 100 AI test results (showing 5 of 100)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
C3 Release Controls [Signed Off]
Result: pass with exceptions
System: Oracle EBS | Category: Change | Population: 423 | Samples: 30

Verify that production releases have documented release manager approval and test sign-off prior to deployment.

CONCLUSION NARRATIVE:

Tested 30 release deployments from a population of 423 Oracle EBS releases during FY2025. 27 of 30 sampled items had proper release approval and test sign-off. Three exceptions identified: (1) REL-2025-0847 — release deployed to production without documented approval from release manager; post-deployment review completed within 24 hours by senior developer as compensating control; accepted as risk. (2) REL-2025-1203 — test sign-off bypassed for release classified as ‘minor configuration’ that modified GL posting rules; CI/CD pipeline updated to enforce mandatory test sign-off for all Oracle EBS releases. (3) Sample #22 — AI initially flagged as FAIL for missing approval but auditor review confirmed compensating post-deployment validation was in place. Control is effective with exceptions — root causes addressed through process and tooling improvements.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | C3-1: Release Approval | C3-2: Test Sign-off | Evidence
REL-2025-0102 | ✓ | ✓ | 2 file(s)
REL-2025-0399 | ✓ | ✓ | 1 file(s)
REL-2025-0615 | ✓ | ✓ | 2 file(s)
REL-2025-0847 | ✗ | ✓ | 1 file(s)
REL-2025-1203 | ✓ | ✗ | 1 file(s)

Showing 5 of 30 samples — 27 pass all attributes, 3 with exceptions

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 60
Samples Tested: 30
Accepted: 58
Overridden: 1
Avg Confidence: 92%
<70%: 0
≥90%: 16
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
REL-2025-0102 | C3-1: Release Approval | PASS | 95% | ✓ Accepted | Release manager L. Torres approved deployment on 2025-01-18; approval timestamp precedes production push by 6 hours | claude-sonnet-4-5
REL-2025-0102 | C3-2: Test Sign-off | PASS | 93% | ✓ Accepted | QA lead sign-off on test report TST-0102; 47 test cases executed with 100% pass rate | claude-sonnet-4-5
REL-2025-0847 | C3-1: Release Approval | FAIL | 89% | ✗ Accepted as exception | No release approval found in ServiceNow or email; deployment initiated by developer without manager sign-off | claude-sonnet-4-5
REL-2025-1203 | C3-2: Test Sign-off | FAIL | 91% | ✗ Accepted as exception | Release classified as “minor config” but modified GL posting rules; no test evidence attached | claude-sonnet-4-5
REL-2025-0615 | C3-1: Release Approval | PASS | 94% | ✓ Accepted | CAB approval CAB-2025-05-22 with release manager and security team sign-off documented | claude-sonnet-4-5

Total: 60 AI test results (showing 5 of 60)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
EXCEPTIONS (2):
Release REL-2025-0847 deployed to Oracle EBS production without documented release approval
Severity: High | Status: Accepted
Test sign-off bypassed for REL-2025-1203 — GL posting rules modified without documented test evidence
Severity: High | Status: Remediated
O1 Backup Success Monitoring [Signed Off]
Result: pass
System: AWS | Category: Operations | Population: 365 | Samples: 15

Verify that scheduled backups complete successfully and that any failures are detected and resolved within the 4-hour SLA through automated re-run or manual intervention.

CONCLUSION NARRATIVE:

Tested 15 scheduled backup jobs from a population of 365 daily AWS Backup executions during FY2025. All sampled items completed successfully (O1-1). Two sampled items had initial failures but documented resolution within the 4-hour SLA through automated re-run and alert acknowledgment (O1-2). No exceptions identified. Control is operating effectively.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | O1-1: Backup Success | O1-2: Failure Resolution | Evidence
BKP-2025-0042 | ✓ | ✓ | 1 file(s)
BKP-2025-0118 | ✓ | ✓ | 1 file(s)
BKP-2025-0203 | ✓ | ✓ | 1 file(s)
BKP-2025-0287 | ✓ | ✓ | 2 file(s)
BKP-2025-0341 | ✓ | ✓ | 1 file(s)

Showing 5 of 15 samples — all 15 pass on all attributes

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 30
Samples Tested: 15
Accepted: 30
Overridden: 0
Avg Confidence: 96%
<70%: 0
≥90%: 14
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
BKP-2025-0042 | O1-1: Backup Success | PASS | 97% | ✓ Accepted | AWS Backup job completed at 2025-02-12 03:15 UTC; vault recovery point verified with matching checksum | claude-sonnet-4-5
BKP-2025-0042 | O1-2: Failure Resolution | PASS | 95% | ✓ Accepted | No failure detected for this backup job; successful on first attempt | claude-sonnet-4-5
BKP-2025-0287 | O1-1: Backup Success | PASS | 96% | ✓ Accepted | Initial backup failed at 03:00 UTC; automated re-run succeeded at 03:45 UTC within 4-hour SLA | claude-sonnet-4-5
BKP-2025-0287 | O1-2: Failure Resolution | PASS | 98% | ✓ Accepted | CloudWatch alarm triggered at 03:02 UTC; PagerDuty alert acknowledged by on-call engineer at 03:08 UTC | claude-sonnet-4-5
BKP-2025-0341 | O1-1: Backup Success | PASS | 97% | ✓ Accepted | Full database snapshot completed in 42 minutes; restore test validated within same backup window | claude-sonnet-4-5

Total: 30 AI test results (showing 5 of 30)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
O3 Batch Job Monitoring [Signed Off]
Result: pass
System: Oracle EBS | Category: Operations | Population: 4,892 | Samples: 15

Verify that batch jobs complete successfully with validated output and that failures trigger alerts with resolution within the 4-hour SLA.

CONCLUSION NARRATIVE:

Tested 15 batch job executions from a population of 4,892 Oracle Concurrent Manager jobs during Q4 2025. All sampled items either completed successfully with validated output (O3-1, 13 items) or had documented failure alerts with resolution within the 4-hour SLA (O3-2, 2 items — job IDs GLPOST-20251108 and ARAGING-20251203). Monitoring controls detected and escalated failures appropriately. No exceptions identified. Control is operating effectively.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | O3-1: Job Success | O3-2: Failure Handling | Evidence
BATCH-2025-1108 | ✓ | ✓ | 1 file(s)
BATCH-2025-1427 | ✓ | ✓ | 1 file(s)
BATCH-2025-2003 | ✓ | ✓ | 1 file(s)
BATCH-2025-3156 | ✓ | ✓ | 2 file(s)
BATCH-2025-4201 | ✓ | ✓ | 1 file(s)

Showing 5 of 15 samples — all 15 pass on all attributes

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 30
Samples Tested: 15
Accepted: 30
Overridden: 0
Avg Confidence: 90%
<70%: 0
≥90%: 10
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
BATCH-2025-1108 | O3-1: Job Success | PASS | 92% | ✓ Accepted | GL posting batch GLPOST-20251108 completed at 04:23 UTC; output reconciled with 847 journal entries posted | claude-sonnet-4-5
BATCH-2025-1108 | O3-2: Failure Handling | PASS | 88% | ✓ Accepted | Initial failure at 03:00 UTC due to lock contention; OEM alert fired at 03:01 UTC, auto-retry succeeded at 04:23 UTC | claude-sonnet-4-5
BATCH-2025-1427 | O3-1: Job Success | PASS | 91% | ✓ Accepted | AR aging report completed successfully; output file size consistent with expected record count | claude-sonnet-4-5
BATCH-2025-3156 | O3-2: Failure Handling | PASS | 90% | ✓ Accepted | ARAGING-20251203 failed at 02:15 UTC; PagerDuty incident created at 02:16 UTC, DBA resolved within 45 minutes | claude-sonnet-4-5
BATCH-2025-4201 | O3-1: Job Success | PASS | 89% | ✓ Accepted | Inventory valuation batch completed at 05:10 UTC; 12,483 items revalued with audit trail logged | claude-sonnet-4-5

Total: 30 AI test results (showing 5 of 30)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
S1 Security Event Logging [Signed Off]
Result: pass with exceptions
System: AWS | Category: Security | Population: 2,156 | Samples: 20

Verify that security event logs have complete coverage, meet the 365-day retention minimum, have proper alerting configuration, and are actively monitored through AWS Security Hub.

CONCLUSION NARRATIVE:

Tested 20 security log sources from a population of 2,156 AWS CloudTrail and GuardDuty log entries during FY2025 (judgmental selection targeting critical financial system event sources). All sampled items had complete log coverage (S1-1), proper alerting configuration (S1-3), and active monitoring through AWS Security Hub (S1-4). One item had a log retention policy of 90 days instead of the required 365-day minimum (S1-2) — S3 bucket lifecycle policy for the Oracle EBS CloudTrail log bucket was misconfigured during a cost optimization exercise. Retention policy corrected to 365 days on January 10, 2026, verified through bucket policy review. Control is effective with exceptions — the retention finding was an isolated configuration drift (remediated Jan 2026), not a systemic gap.

ATTRIBUTE-LEVEL TESTING RESULTS:
Sample | S1-1: Log Coverage | S1-2: Log Retention | S1-3: Alerting Configuration | S1-4: Active Monitoring | Evidence
LOG-2025-0014 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
LOG-2025-0223 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
LOG-2025-0567 | ✓ | ✓ | ✓ | ✓ | 1 file(s)
LOG-2025-0891 | ✓ | ✗ | ✓ | ✓ | 2 file(s)
LOG-2025-1456 | ✓ | ✓ | ✓ | ✓ | 1 file(s)

Showing 5 of 20 samples — 19 pass all attributes, 1 fail on Log Retention

Legend: ✓ Pass | ✗ Fail | ? Inconclusive | ... Pending | − Not Tested
AI TESTING PROVENANCE (Evidence-First):
Total AI Results: 80
Samples Tested: 20
Accepted: 80
Overridden: 0
Avg Confidence: 88%
<70%: 0
≥90%: 8
Sample | Attribute | AI Result | Confidence | Auditor | Rationale | Model
LOG-2025-0014 | S1-1: Log Coverage | PASS | 90% | ✓ Accepted | CloudTrail logging enabled for all API calls; management and data events both captured for Entra ID integration | claude-sonnet-4-5
LOG-2025-0014 | S1-3: Alerting Configuration | PASS | 87% | ✓ Accepted | GuardDuty findings routed to SNS topic with PagerDuty integration; escalation policy verified | claude-sonnet-4-5
LOG-2025-0567 | S1-4: Active Monitoring | PASS | 85% | ✓ Accepted | Security Hub dashboard shows active monitoring; 14 findings triaged in past 30 days with documented resolution | claude-sonnet-4-5
LOG-2025-0891 | S1-2: Log Retention | FAIL | 92% | ✗ Accepted as exception | S3 lifecycle policy shows 90-day expiration for Oracle EBS CloudTrail bucket; below 365-day minimum requirement | claude-sonnet-4-5
LOG-2025-1456 | S1-1: Log Coverage | PASS | 89% | ✓ Accepted | VPC Flow Logs enabled for all production subnets; CloudWatch Logs group configured with cross-account access | claude-sonnet-4-5

Total: 80 AI test results (showing 5 of 80)

Note: All AI test results require auditor review before conclusions can be locked (Evidence-First methodology).
EXCEPTIONS (1):
CloudTrail log retention for Oracle EBS audit trail reduced to 90 days — below 365-day minimum | Severity: Medium | Status: Remediated
8. Traceability (Change Controls)
Ref (for reference only): PCAOB AS 2201.34-38, COBIT DSS06

Traceability chains apply to Change Management controls only (C1, C3). Each chain traces a change through 5 nodes: Ticket → Approval → Testing → Deployment → Closure.

C1 Normal Change Approvals: Pass

25 of 25 samples have complete traceability chains

Sample | Ticket | Approval | Testing | Deployment | Closure | Status
CHG-2025-0412 | ✓ CHG-2025-0412 | ✓ CAB-2025-02-14 | ✓ TST-0412-R1 | ✓ DEP-0412-PROD | ✓ 2025-02-18 | Complete
CHG-2025-0891 | ✓ CHG-2025-0891 | ✓ CAB-2025-04-22 | ✓ TST-0891-R1 | ✓ DEP-0891-PROD | ✓ 2025-04-25 | Complete
CHG-2025-1156 | ✓ CHG-2025-1156 | ✓ CAB-2025-08-11 | ✓ TST-1156-R2 | ✓ DEP-1156-PROD | ✓ 2025-08-14 | Complete

Showing 3 of 25 samples — all 25 have complete 5-node chains

C3 Release Controls: Pass w/ Exceptions

27 of 30 samples have complete traceability chains

Sample | Ticket | Approval | Testing | Deployment | Closure | Status
REL-2025-0847 | ✓ REL-2025-0847 | ✗ Missing | ✓ TST-0847 | ✓ DEP-0847 | ✓ 2025-06-12 | Incomplete
REL-2025-1203 | ✓ REL-2025-1203 | ✓ CAB-2025-09-05 | ✗ Missing | ✓ DEP-1203 | ✓ 2025-09-08 | Incomplete
REL-2025-2956 | ✓ REL-2025-2956 | ✓ Post-review | ✓ TST-2956 | ✓ DEP-2956 | ✓ 2025-11-20 | Complete (Override)

Showing 3 of 30 samples — 27 complete, 3 incomplete (2 missing nodes, 1 auditor override)

Note: The traceability chain ensures each change can be traced from initial request through approval, testing, deployment, and closure. Incomplete chains indicate potential control gaps that are documented as exceptions.
9. Exception Summary
Ref (for reference only): AICPA AU-C 265.07-08, PCAOB AS 2201.62-70 — See Testing Results
Total: 4 | Open: 0 | Critical: 0 | High: 2
By category: access: 1, change: 2, security: 1.
4 exceptions were auto-created from accepted AI test failures. 2 remediated. 1 accepted as risk. 1 remediated (test sign-off bypass).
Control | Title | Severity | Status | Root Cause | Remediation | Raised (exceptions tagged [AI] were auto-created from accepted AI test failures)

A2 [AI] | Delayed access disable for EMP-2847 — Entra ID account active 12 business days post-HR separation
  Severity: High | Status: Remediated | Raised: 5 Dec 2025 | Closed: 15 Jan 2026
  Root cause: HRIS-to-IAM batch sync failure on Oct 3, 2025 — Workday API schema change caused silent failure
  Remediation: Real-time webhook deployed Nov 15, 2025; Datadog sync alert added

C3 [AI] | Release REL-2025-0847 deployed to Oracle EBS production without documented release approval
  Severity: High | Status: Accepted | Raised: 5 Dec 2025
  Root cause: Release manager on leave; developer had legacy “Release Deployer” role enabling self-deployment
  Remediation: Risk accepted; post-deployment review within 24h; GitLab CI approval rules updated

C3 [AI] | Test sign-off bypassed for REL-2025-1203 — GL posting rules modified without documented test evidence
  Severity: High | Status: Remediated | Raised: 5 Dec 2025 | Closed: 20 Jan 2026
  Root cause: Release classified as “minor config” bypassed mandatory test gate despite modifying GL posting rules
  Remediation: CI/CD pipeline updated to enforce mandatory test sign-off for all Oracle EBS releases regardless of classification

S1 [AI] | CloudTrail log retention for Oracle EBS audit trail reduced to 90 days — below 365-day minimum
  Severity: Medium | Status: Remediated | Raised: 5 Dec 2025 | Closed: 15 Jan 2026
  Root cause: S3 lifecycle policy modified during cost optimization sprint in Aug 2025
  Remediation: Policy restored to 365 days 10 Jan 2026; AWS Config drift rule deployed
10. QC Summary
Ref (for reference only): PCAOB AS 1220, AICPA QC 10
Total Checks: 32 | Passed: 28 | Failed: 3 | Warning: 1 | Pass Rate: 88%

Pass rate excludes N/A checks from denominator.

Control | Total Checks | Passed | Failed | Pass Rate
A1 | 4 | 4 | 0 | 100%
A2 | 4 | 3 | 1 | 75%
A6 | 4 | 4 | 0 | 100%
C1 | 4 | 4 | 0 | 100%
C3 | 4 | 1 | 2 | 25%
O1 | 4 | 4 | 0 | 100%
O3 | 4 | 4 | 0 | 100%
S1 | 4 | 4 | 0 | 100%

Detailed Check Results (Non-Pass Only)

Control | Check Type | Check Name | Severity | Result | Acknowledgment
A2 | post_termination_activity | Post-Termination Activity | Critical | Fail | ✓ Acknowledged: “Finding confirmed. EMP-2847 had active Entra ID account for 12 business days post-termination. No transactional activity detected during delay period. Root cause: HRIS sync batch failure. Remediated — see Exception #1.”
C3 | missing_approval | Missing Approval | High | Fail | ✓ Acknowledged: “Release REL-2025-0847 deployed without documented release manager approval. Compensating control (24-hour post-deployment independent review) verified. GitLab CI approval rules updated — see Exception #2.”
C3 | self_approval | Self-Approval | Critical | Fail | ✗ Disputed: “QC check flagged REL-2025-1203 as self-approval, but the developer did not approve the release — they bypassed the test sign-off requirement, which is a C3-2 failure, not C3-1. The C3 test sign-off bypass was documented as a process gap in the C3 narrative.”
C3 | date_sequence | Approval After Grant | High | Warn | ✓ Acknowledged: “2 of 30 release deployment timestamps preceded final approval timestamps by 1–3 minutes. After timezone normalization (UTC vs CET), all deployments occurred after approval. Timestamp display issue only.”
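An added example, not the engagement platform's code, that evaluates the Section 8 traceability chain for a release record and applies the date_sequence check from the row above with approval and deployment timestamps normalized to UTC before comparison, so a deployment that only appears to precede approval on mixed-zone wall-clock stamps is reported as a display warning rather than a failure. Release records, field names and the fixed CET/CEST offsets are assumptions; REL-2025-9001 and REL-2025-9002 are invented IDs.

```python
"""Evaluate the 5-node traceability chain (Ticket → Approval → Testing →
Deployment → Closure) and the date_sequence QC check with timestamps normalized
to UTC. Records below are constructed; field names are assumptions."""
from datetime import datetime, timedelta, timezone

CHAIN_NODES = ("ticket", "approval", "testing", "deployment", "closure")
TZ_OFFSETS = {"UTC": 0, "CET": 1, "CEST": 2}  # fixed offsets for the sample; use zoneinfo in production

def chain_status(release: dict) -> tuple:
    """Section 8 check: every node must carry a reference.
    Returns ("Complete" | "Incomplete", [missing node names])."""
    missing = [node for node in CHAIN_NODES if not release.get(node)]
    return ("Incomplete" if missing else "Complete", missing)

def to_utc(stamp: str, tz_name: str) -> datetime:
    """Interpret a naive ISO-8601 wall-clock stamp recorded in tz_name and return it in UTC."""
    local = datetime.fromisoformat(stamp).replace(
        tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz_name])))
    return local.astimezone(timezone.utc)

def date_sequence_check(release: dict) -> str:
    """QC date_sequence: PASS when deployment is at or after final approval in UTC;
    WARN when it only looks earlier on the raw wall-clock stamps (display issue);
    FAIL when it genuinely precedes approval; N/A without both stamps."""
    if not release.get("approved_at") or not release.get("deployed_at"):
        return "N/A"
    approved = to_utc(release["approved_at"], release["approval_tz"])
    deployed = to_utc(release["deployed_at"], release["deploy_tz"])
    if deployed < approved:
        return "FAIL"
    raw_ok = (datetime.fromisoformat(release["deployed_at"])
              >= datetime.fromisoformat(release["approved_at"]))
    return "PASS" if raw_ok else "WARN"

SAMPLE_RELEASES = [  # constructed; the first mirrors the C3 row, the other two use invented IDs
    {"id": "REL-2025-0847", "ticket": "REL-2025-0847", "approval": "", "testing": "TST-0847",
     "deployment": "DEP-0847", "closure": "2025-06-12"},
    {"id": "REL-2025-9001", "ticket": "REL-2025-9001", "approval": "CAB-2025-09-05",
     "testing": "TST-9001", "deployment": "DEP-9001", "closure": "2025-09-08",
     "approved_at": "2025-09-05T14:30:00", "approval_tz": "CEST",  # 12:30 UTC
     "deployed_at": "2025-09-05T14:28:00", "deploy_tz": "UTC"},    # looks 2 min early
    {"id": "REL-2025-9002", "ticket": "REL-2025-9002", "approval": "CAB-2025-12-01",
     "testing": "TST-9002", "deployment": "DEP-9002", "closure": "2025-12-03",
     "approved_at": "2025-12-01T09:00:00", "approval_tz": "UTC",
     "deployed_at": "2025-12-01T08:55:00", "deploy_tz": "UTC"},    # genuinely early
]

def evaluate(releases: list) -> dict:
    """Per release id: (chain status, missing nodes, date_sequence result)."""
    return {r["id"]: (*chain_status(r), date_sequence_check(r)) for r in releases}
```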
11. Audit Trail
Ref (for reference only): PCAOB AS 1215, AICPA AU-C 230
Timestamp | Event | Actor | Detail
15 Nov 2025 09:12 UTC | Engagement Created | Sarah Chen, ACCA | FY2025 SOX 404 ITGC Assessment
15 Nov 2025 10:45 UTC | Scope Gap Justified | Sarah Chen, ACCA | 18 controls documented as out of scope
18 Nov 2025 14:20 UTC | Population Uploaded | Sarah Chen, ACCA | A1: Entra ID Provisioning Log (847 items)
18 Nov 2025 14:22 UTC | Population Uploaded | Sarah Chen, ACCA | A2: HR Separation Report (156 items)
18 Nov 2025 14:25 UTC | Population Uploaded | Sarah Chen, ACCA | A6: Oracle EBS Users (2,341 items)
19 Nov 2025 09:30 UTC | Population Uploaded | Sarah Chen, ACCA | C1: ServiceNow Changes (1,287 items)
19 Nov 2025 09:32 UTC | Population Uploaded | Sarah Chen, ACCA | C3: Release Deployments (423 items)
19 Nov 2025 09:40 UTC | Population Uploaded | Sarah Chen, ACCA | O1, O3, S1 (3 populations)
20 Nov 2025 11:15 UTC | Sampling Run Generated | Sarah Chen, ACCA | 8 runs — Method: random(7)/judgmental(1)
2 Dec 2025 16:45 UTC | Evidence Uploaded | Sarah Chen, ACCA | 22 evidence files (32.8 MB total)
5 Dec 2025 10:30 UTC | AI Tests Executed | Sarah Chen, ACCA | 8 controls, 185 samples
5 Dec 2025 14:20 UTC | AI Results Accepted | Sarah Chen, ACCA | 182 accepted, 3 overridden
5 Dec 2025 14:35 UTC | Exception Raised | Sarah Chen, ACCA | A2: Delayed disable EMP-2847 (High)
5 Dec 2025 14:38 UTC | Exception Raised | Sarah Chen, ACCA | C3: Missing approval REL-2025-0847 (High)
5 Dec 2025 14:42 UTC | Exception Raised | Sarah Chen, ACCA | S1: Log retention below minimum (Medium)
15 Jan 2026 11:00 UTC | Exception Updated | Sarah Chen, ACCA | A2 #1 → Remediated
15 Jan 2026 11:05 UTC | Exception Updated | Sarah Chen, ACCA | S1 #3 → Remediated
20 Jan 2026 09:15 UTC | QC Checks Executed | Sarah Chen, ACCA | Rules: 32; Passed: 28; Failed: 3
20 Jan 2026 09:30 UTC | QC Finding Acknowledged | Sarah Chen, ACCA | A2: post_termination_activity
20 Jan 2026 09:32 UTC | QC Finding Acknowledged | Sarah Chen, ACCA | C3: missing_approval
1 Feb 2026 15:00 UTC | Testing Completed | Sarah Chen, ACCA | 8 controls signed off
7 Feb 2026 14:30 UTC | Engagement Finalized | Sarah Chen, ACCA | Status: review → finalized

22 material events of 266 total audit entries

Additionally: 47 conclusion updates, 185 evidence mappings, 12 other routine events recorded.
12. Evidence Index
Ref (for reference only): PCAOB AS 1215.04, AICPA AU-C 500
Evidence Sufficiency: 185 of 185 samples have mapped evidence (100%).
# | File Name | Type | Size | SHA-256 | Controls
1 | Entra_ID_Provisioning_Audit_Log_FY2025.csv | CSV | 2.4 MB | a7f2c9e4... | A1, A2
2 | Workday_HR_Separation_Report_FY2025.xlsx | Excel | 847 KB | b3e8d1f7... | A2
3 | Entra_ID_User_Account_Status_Export_Oct2025.pdf | PDF | 1.1 MB | c4f7a2b9... | A2
4 | Oracle_EBS_Active_Users_Q4_2025.csv | CSV | 3.8 MB | d9e1b5c3... | A6
5 | Oracle_EBS_Access_Review_Completion_Q4_2025.pdf | PDF | 2.1 MB | e2f6c8a1... | A6
6 | ServiceNow_Change_Tickets_FY2025.csv | CSV | 5.2 MB | f1a3d7e4... | C1
7 | ServiceNow_CAB_Meeting_Minutes_Sample.pdf | PDF | 890 KB | g5b9e4f2... | C1
8 | GitLab_CI_Release_Deployment_Log_FY2025.csv | CSV | 1.7 MB | h8c2a6d1... | C3
9 | Oracle_EBS_Release_Deployment_Audit_Trail.pdf | PDF | 3.2 MB | j4e7b3f9... | C3
10 | ServiceNow_Work_Notes_REL-2025-0847.pdf | PDF | 245 KB | k9f1c5a8... | C3
11 | GitLab_CI_Approval_Rules_Update_Dec2025.png | PNG | 198 KB | m2d8e6b4... | C3
12 | AWS_Backup_Vault_Inventory_FY2025.csv | CSV | 1.3 MB | n7a3f9c1... | O1
13 | AWS_Backup_Recovery_Test_Q3_2025.pdf | PDF | 567 KB | p5b2d4e8... | O1
14 | Oracle_Concurrent_Manager_Job_Log_Q4_2025.csv | CSV | 8.4 MB | q1c6a7f3... | O3
15 | Oracle_Batch_Failure_Alert_GLPOST_20251108.png | PNG | 342 KB | r8e4b9d2... | O3
16 | Oracle_Batch_Resolution_ARAGING_20251203.pdf | PDF | 156 KB | s3f7c1a6... | O3
17 | AWS_CloudTrail_Log_Sources_Inventory_FY2025.csv | CSV | 4.1 MB | t6d2e8b5... | S1
18 | AWS_S3_Lifecycle_Policy_Correction_Jan2026.pdf | PDF | 423 KB | u9a4f3c7... | S1
19 | Datadog_HRIS_Sync_Alert_Configuration.png | PNG | 287 KB | v2b8d6e1... | A2
20 | Workday_Webhook_Integration_Deployment.pdf | PDF | 178 KB | w5c1a9f4... | A2
21 | AWS_Config_Retention_Drift_Rule.png | PNG | 312 KB | x8e3b7d2... | S1
22 | GitLab_CI_Oracle_EBS_Approval_Gate_Config.pdf | PDF | 234 KB | y1f6c4a9... | C3
Total: 22 files | 32.8 MB
Note: Evidence files are managed within the engagement platform with role-based access controls. SHA-256 hashes are computed at upload for integrity verification.
13. Abbreviations & Glossary
Standard terminology used throughout this workpaper
Abbreviation | Definition
AICPA | American Institute of Certified Public Accountants
BCP | Business Continuity Plan
CAB | Change Advisory Board
COBIT | Control Objectives for Information and Related Technologies
COSO | Committee of Sponsoring Organizations (2013 Framework)
DAST | Dynamic Application Security Testing
DR | Disaster Recovery
EQCR | Engagement Quality Control Review
IaC | Infrastructure as Code
ITGC | IT General Controls
MFA | Multi-Factor Authentication
PCAOB | Public Company Accounting Oversight Board
PIM | Privileged Identity Management
QC | Quality Control
RTO | Recovery Time Objective
SAST | Static Application Security Testing
SHA-256 | Secure Hash Algorithm (256-bit)
SLA | Service Level Agreement
SNS | Simple Notification Service (AWS)
SOD | Segregation of Duties
SOX | Sarbanes-Oxley Act
TDR | Tolerable Deviation Rate
UAR | User Access Review
VPC | Virtual Private Cloud (AWS)