Skip to main content
Discuss your scope
Purpose-built for ITGC

We operate the testing workflow. Your auditor concludes and signs.

muratov.io is the platform our team runs to execute IT general controls testing — population through evidence-tested workpaper. We operate the workflow and produce the documentation; your licensed auditor reviews, concludes, and signs. We issue no audit opinion, assurance, or attestation. Below is the provenance every test in the 13-section workpaper carries — what makes each conclusion defensible on its own, after the export leaves our platform for your review file.

FIG. 01The provenance model · what every test carries

We don’t publish a sample engagement — real client work is confidential and a fabricated one proves nothing. What we can show is the structure: for every sampled test, the exported 13-section HTML workpaper embeds the following, so a reviewer defends the conclusion from the file alone, without access to our platform.

Per-test provenance embedded in the workpaper
AI ⇄ AUDThe AI's original determination shown beside the auditor's disposition — a reviewer sees what the model concluded, what the human accepted or overrode, and why. Never blended into one value.
EVIDENCEThe filename and SHA-256 hash of each evidence file backing the test, so the reviewer can verify the exact bytes were what was tested — tampering is detectable from the file.
TIMESTAMPSWhen the test was run and when it was reviewed, each with the responsible identity — the who-and-when of the work, not just the result.
MATCHThe evidence match-quality signal (exact / partial / raw-search / no-match) that grades how directly the evidence supports the determination.
FACTSThe specific facts the test extracted from the evidence, listed alongside the rationale — the conclusion points at data, not an unverifiable assertion.
SAMPLINGThe method, size, and statistical basis of the draw (AICPA AU-C 530), with the deterministic seed — any auditor reconstructs the exact sample. No fabricated basis; unentered factors are marked, not invented.
AUDITEvery state-changing action recorded append-only with actor and timestamp; the database refuses to mutate audit rows — the trail can't be quietly edited.
Auditor-signed HTML workpaper · CSV-pivotable evidence index · browser-print-to-PDF for archive
§ 01   Why this is a platform, not a spreadsheet
01

Reproducible sampling

A SHA-256-seeded draw re-derives identically from its stored seed — any auditor reconstructs the exact sample across time. Excel RAND() reseeds on every open.

02

Enforced sign-off gates

Lock is blocked when QC exceptions are unacknowledged, attributes untested, or AI results unreviewed — 10 distinct named gates. Excel cells are freely editable.

03

Immutable audit trail

Every state-changing action is recorded append-only with actor + timestamp; mutation is refused at two layers — the application role holds no UPDATE/DELETE grant, and database triggers reject it for every role. Excel edits leave no trace.

04

Mandatory AI accept/override

The auditor must accept or override every AI determination; rejected-without-override blocks sign-off. AI never auto-finalizes.

05

SHA-256 evidence integrity

Every uploaded file is hashed at upload; the hash rides into the workpaper so tampering is detectable. Excel has no integrity manifest.

§ 02   The control library

37 ITGC control templates across four categories

Each template carries attributes, QC rules, exception guidance, and a narrative skeleton, plus SOX 404, COSO, and SOC 2 mapping fields — documented mappings, not certifications. Some controls are optional and some attributes are informational and non-scored.

ITGC control library by category
A1–A11Access — provisioning, terminations, privileged access, UAR, cloud IAM (A9), MFA (A10), sub‑processor risk (A11)11
C1–C9Change — normal & emergency approvals, release controls, CI/CD, configuration/IaC, SDLC & acquisition approvals (C6–C8), data migration/conversion (C9); traceability-driven9
O1–O11Operations — backups, restore testing, batch jobs, incident & problem mgmt, patch, logging, DR/BCP, backup immutability (O10), interface & data-transfer monitoring (O11)11
S1–S6Security — event logging, segregation of duties, vulnerability mgmt, access review, key management (S5), AI-governance (S6)6
§ 03   The methodology engine

Enforced workflows with gates that can’t be skipped

An 8-step workflow for Access, Security, and Change, and a 9-step workflow for Operations (which adds a scoping step). Change controls swap expectations for a traceability step.

  1. Scope
  2. Population
  3. Sampling
  4. Evidence
  5. AI Testing
  6. Exceptions
  7. QC
  8. Review
  9. Sign-off
  • stage
  • sequence
  • sign-off lock

Before a control can lock, ten distinct named gates must clear — hard blockers separated from informational warnings.

  1. GATE 01Testing complete
  2. GATE 02Quality review run
  3. GATE 03Critical / high QC findings acknowledged
  4. GATE 04All AI results reviewed
  5. GATE 05Every attribute tested
  6. GATE 06No rejected AI results outstanding
  7. GATE 07Exceptions closed or accepted
  8. GATE 08SLA-overdue critical/high exceptions resolved
  9. GATE 09Change-control traceability complete
  10. GATE 10Testing coverage ≥ 80%

Sign-off is locked until every gate passes

Plus a no-sample-without-evidence blocker. The auditor is the authoritative gate.

§ 04   Sampling

Risk-based sampling aligned to AICPA AU-C 530

Recommended sample sizes derive from the AICPA AU-C 530 attribute table for Tests of Controls, not heuristics. Three unified risk presets (Low / Medium / High; High tightens the tolerable deviation rate), three methods — random (Fisher-Yates), stratified (systematic-interval draw), and judgmental — bounded at 500 samples / 10,000 population rows.

The embedded grid covers Expected-Deviation-Rate 0% rows only; non-zero EDR resolves to an explicitly flagged out-of-table basis, never fabricated. A drawn sample reconstructs from its stored seed.

§ 05   AI testing

Evidence-first AI testing — transparent, and never the final word

AI tests each sample against each control attribute and stores full provenance: extracted facts with a 0–100% confidence score, evidence excerpts, rationale, and the model used (Claude Haiku for drafts, Sonnet for testing, Opus available for advanced analysis). Evidence-first by design: no mapped evidence returns INCONCLUSIVE; an empty fact value is FAIL, never PASS. Every AI determination must be accepted or overridden by the auditor before sign-off — the platform is designed to support PCAOB AS 1215 documentation practice, while customers remain responsible for their own audit-documentation posture.

Full AI provenance per resultMandatory auditor reviewDesigned with AS 1215 in mind
§ 06   The deliverable

One integrated HTML workpaper, 13 sections, plus CSV side-exports

HTML, optimized for in-browser print-to-PDF; legacy ?format=pdf / ?format=xlsx return HTTP 400. Two RFC 4180 CSV side-exports accompany it — an Evidence Index (with SHA-256 hashes) and Testing Results. Every page carries a CONFIDENTIAL watermark and a required, non-omittable legal preamble: muratov.io is not a CPA, audit, or law firm.

Workpaper sections, 1 through 7
01Cover Sheet & Signatures
02Executive Summary
03Scope & Systems
04Scope Gap Justifications
05Controls Matrix
06Population & Sampling
07Testing Results
Workpaper sections, 8 through 13
08Traceability
09Exception Summary
10Quality Review
11Audit Trail
12Evidence Index (SHA-256)
13Abbreviations & Glossary
§ 07   Security & trust

Tenant isolation, evidence integrity, US data residency

PostgreSQL Row-Level Security binds every query to a session tenant on all 22 tables — in FORCE mode, so the policies apply even to the table owner, not only the application role — backed by defense-in-depth application-layer filters; cross-tenant access returns 404 (not 403) to avoid leaking existence. Evidence files are SHA-256 hashed and served only through authenticated, tenant-verified download proxies. AI runs on the Anthropic Claude API (US) with no training on your evidence per Anthropic's commercial terms and 7-day API log retention; primary data is stored in the US on Neon.

These descriptions document implemented control mechanics — the platform carries no certification or compliance audit against SOX 404 or SOC 2, and we make no uptime-SLA claim.

§ 08   Beyond ITGC

We build custom audit-workflow platforms for other streams

This ITGC platform is proof of what we design and ship. We can architect and build comparable custom platforms for other audit and assurance streams — scoped to your methodology, evidence model, and sign-off gates.

We make no compliance, certification, or assurance guarantees about any bespoke build; the engagement is platform engineering, and your professionals own the audit judgments the software supports. No reference build for another audit stream has shipped yet.

Ready to put this behind your ITGC testing?

Tell us your systems and scope — for managed delivery or a custom audit-workflow build. We'll confirm fit and next steps.