Operated ITGC testing that produces a reviewer-ready workpaper.
We operate the testing workflow end-to-end across 32 ITGC control templates, draft conclusions with AI under full provenance, and hand your engagement team a single integrated HTML workpaper plus two CSV side-exports. Your licensed auditor reviews every determination, accepts or overrides, and signs. We issue no opinion, assurance, or attestation — the professional judgment is yours.
Every engagement produces these artifacts
Each is re-derivable from primary evidence, and in every case your licensed auditor reviews, accepts or overrides, and signs. We operate the workflow and produce documentation; we do not conclude.
| Artifact | Description |
|---|---|
| WP | 13-section HTML workpaper · CSV-pivotable evidence index · browser-print-to-PDF for archive; subject to auditor professional judgment |
| CSV | Evidence Index (10 columns incl. SHA-256 file hash) + Testing Results (12 columns incl. AI result, confidence, auditor decision, model) — RFC 4180, UTF-8 BOM, CRLF |
| POP | Population analysis + risk-based sampling from AICPA AU-C 530 attribute tables, reconstructable from a stored seed |
| AI | AI test results — extracted facts, evidence excerpts, confidence scores, per-attribute rationale; every result reviewed and accepted or overridden before lock |
| EXC | Exception log with severity, root cause, SLA tracking, and remediation status |
| QC | 6 control-level reviews + 29 per-sample data-integrity check types; critical/high findings acknowledged before sign-off |
Managed delivery, end to end
We operate the testing workflow and produce the workpapers as a service: population, sampling, evidence mapping, AI testing, QC, and exception tracking — and deliver the reviewer-ready workpaper plus CSVs. Your licensed auditor reviews, concludes, and signs. Single-auditor architecture: one operating user per engagement, no preparer/reviewer teaming required.
We are the platform operator, not your auditor — we produce documentation; we do not issue opinions, assurance, or attestation. The licensed auditor's conclusion is always the authoritative gate.
32 ITGC control templates across four categories
The library is the catalog; the controls in scope are defined per engagement, not all 32 by default. The template count is read from the source library, never hard-coded.
| ID | Control (Access) |
|---|---|
| A1 | User Provisioning Approvals |
| A2 | User Terminations Timeliness |
| A3 | Privileged Access Grant & Justification |
| A4 | Privileged Access Periodic Review |
| A5 | Break-Glass Emergency Access |
| A6 | User Access Reviews (UAR) |
| A7 | Service Accounts Lifecycle |
| A8 | Authentication Controls |
| A9 | Cloud IAM Policy and Identity Review |
| A10 | MFA Enrollment and Resilience |
| A11 | Third-Party / Sub-processor Risk Review |
| ID | Control (Change) |
|---|---|
| C1 | Normal Change Approvals |
| C2 | Emergency Changes |
| C3 | Release Controls |
| C4 | CI/CD Pipeline Controls |
| C5 | Configuration/IaC Changes |
| ID | Control (Security) |
|---|---|
| S1 | Security Event Logging |
| S2 | Segregation of Duties |
| S3 | Vulnerability Management |
| S4 | Access Review Authorization |
| S5 | Encryption Key Management |
| S6 | AI-Governance Controls |
| ID | Control (Operations) |
|---|---|
| O1 | Backup Success Monitoring |
| O2 | Restore Testing |
| O3 | Batch Job Monitoring |
| O4 | Monitoring & Alert Response |
| O5 | Incident Management |
| O6 | Problem Management |
| O7 | Patch Management |
| O8 | Logging & Audit Log Review |
| O9 | DR/BCP Testing |
| O10 | Backup Immutability and Ransomware Readiness |
Added to the library — A9, A10, A11, O10, S5, S6
Cloud IAM Policy and Identity Review
IAM provisioning, role drift, service-principal hygiene, and federated-identity controls across AWS / Azure / GCP.
MFA Enrollment and Resilience
Enrollment coverage at the appropriate strength tier, exception tracking, and challenge-bypass conditions across the in-scope population.
Third-Party / Sub-processor Risk Review
Onboarding due-diligence, ongoing monitoring, and contract-renewal triggers.
Backup Immutability and Ransomware Readiness
Immutability + isolation of backup tiers, restore validation, and ransomware-readiness drills (optional per engagement).
Encryption Key Management
FIPS-validated key storage, rotation cadence, separation-of-duties on key administration, and audit logging.
AI-Governance Controls
Model inventory, prompt-injection guardrails, human-review gates, and data-leakage controls (includes an informational EU AI Act attribute, non-scored for US engagements).
AI tests every sample against every attribute — and never finalizes
Evidence-first by design: no mapped evidence = INCONCLUSIVE; an empty fact value = FAIL, never an assumed PASS. Full provenance per result — extracted facts, evidence excerpts, rationale, evidence IDs, model used, and a 0–100% confidence score. Per-category confidence thresholds (Access 75%, Change 80%, Operations 75%, Security 85%) with higher bulk-accept floors. A tenant-keyed circuit breaker isolates one tenant's failures from another's. Sign-off is blocked unless every AI result is reviewed and accepted or overridden.
Inference runs on Anthropic Claude (US); per Anthropic's commercial terms your evidence is not used for model training, and Anthropic retains API request logs for 7 days per those terms.
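As an added illustration (not the platform's own code) of the evidence-first rules, per-category confidence thresholds and review gates described above; the control-ID-prefix-to-category mapping, the record shape and the decision labels are assumptions:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-category confidence thresholds (percent) as stated on the page.
THRESHOLDS = {"Access": 75, "Change": 80, "Operations": 75, "Security": 85}
# Assumed: control-ID prefix (A/C/O/S) identifies the category.
PREFIX_TO_CATEGORY = {"A": "Access", "C": "Change", "O": "Operations", "S": "Security"}


@dataclass
class AttributeResult:
    control_id: str                 # e.g. "A2"
    sample_id: str
    evidence_ids: List[str]         # mapped evidence; empty means nothing to test against
    fact_value: Optional[str]       # fact extracted from the evidence by the model
    fact_meets_attribute: bool      # model's reading of the fact against the attribute
    confidence: int                 # 0-100
    auditor_decision: Optional[str] = None  # assumed labels: accepted/overridden/rejected/None


def determine(r: AttributeResult) -> Tuple[str, bool]:
    """Return (result, needs_manual_review) following the evidence-first rules."""
    if not r.evidence_ids:
        return "INCONCLUSIVE", True          # no mapped evidence: never inferred
    if r.fact_value is None or r.fact_value.strip() == "":
        return "FAIL", True                  # empty fact is a FAIL, never an assumed PASS
    result = "PASS" if r.fact_meets_attribute else "FAIL"
    category = PREFIX_TO_CATEGORY[r.control_id[0]]
    below_threshold = r.confidence < THRESHOLDS[category]
    return result, below_threshold


def lock_blockers(results: List[AttributeResult], coverage_pct: float) -> List[str]:
    """Hard blockers that keep the engagement unlocked; empty list means lockable."""
    blockers = []
    if any(r.auditor_decision is None for r in results):
        blockers.append("GATE 05: All AI results reviewed")
    if any(r.auditor_decision == "rejected" for r in results):
        blockers.append("GATE 07: No rejected AI results outstanding")
    if any(not r.evidence_ids for r in results):
        blockers.append("no-sample-without-evidence blocker")
    if coverage_pct < 80:
        blockers.append("testing-coverage blocker (below 80%)")
    return blockers
```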
Gates that can’t be skipped
Reproducible SHA-256-seeded sampling, an immutable audit trail, and ten distinct named sign-off gates ensure a reviewer can re-derive every conclusion from primary evidence.
- GATE 01: Testing complete
- GATE 02: Quality review run
- GATE 03: Critical QC findings acknowledged
- GATE 04: High QC findings acknowledged
- GATE 05: All AI results reviewed
- GATE 06: Every attribute tested (PCAOB AS 2110.20-22)
- GATE 07: No rejected AI results outstanding
- GATE 08: Exceptions closed or accepted
- GATE 09: SLA-overdue critical/high exceptions resolved
- GATE 10: Change-control traceability complete
Locked until every gate passes
Plus a ≥80% testing-coverage blocker and a no-sample-without-evidence blocker. Hard blockers are separated from acknowledgeable warnings.
Isolation, evidence integrity, and an immutable trail
Row-Level Security enforces session-bound tenant isolation on all 22 tables, backed by application-layer filters; cross-tenant access returns 404 (not 403), so the existence of another tenant's records is not leaked. Evidence files are SHA-256 hashed and served only through authenticated, tenant-verified download proxies. The audit trail is append-only and made immutable by database trigger. US-hosted: Vercel iad1, Neon US.
Describes implemented mechanics; not a certification or compliance attestation.
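An added illustration, not the platform's own code, of the tenant-verified download path described above: a missing file and another tenant's file take the same code path and produce the same 404, and the stored SHA-256 is re-checked before the bytes are served. The in-memory store, tenant ids and file contents are constructed, and the session tenant is assumed to come from an already-authenticated session.

```python
import hashlib
from typing import Dict, Tuple


class NotFound(Exception):
    """Maps to HTTP 404 for both 'does not exist' and 'exists in another tenant'."""


class IntegrityError(Exception):
    """Stored hash does not match the bytes; tampered evidence is never served."""


def _entry(tenant_id: str, content: bytes) -> Tuple[str, str, bytes]:
    """Store owner, SHA-256 at ingest, and content (constructed sample store)."""
    return (tenant_id, hashlib.sha256(content).hexdigest(), content)


# Constructed sample store: file_id -> (owning tenant, sha256 hex, bytes)
EVIDENCE: Dict[str, Tuple[str, str, bytes]] = {
    "ev-001": _entry("tenant-a", b"termination ticket T-100 closed before access removal"),
    "ev-002": _entry("tenant-b", b"change CR-7 approved by change board"),
}


def fetch_evidence(session_tenant: str, file_id: str) -> bytes:
    """Serve a file only if the session's tenant owns it and its hash still verifies."""
    entry = EVIDENCE.get(file_id)
    # Single branch for 'missing' and 'not yours': identical outcome, so a caller
    # cannot use the response to learn which ids exist in other tenants.
    if entry is None or entry[0] != session_tenant:
        raise NotFound(file_id)
    _owner, stored_hash, content = entry
    if hashlib.sha256(content).hexdigest() != stored_hash:
        raise IntegrityError(file_id)
    return content


def http_status(session_tenant: str, file_id: str) -> int:
    """Map the proxy outcome to an HTTP status code."""
    try:
        fetch_evidence(session_tenant, file_id)
        return 200
    except NotFound:
        return 404
    except IntegrityError:
        return 500
```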
We also build custom audit-workflow platforms for other streams.
On the same tenant-isolated, append-only-audit architecture. A portfolio of capability — no outcome, certification, or compliance guarantee. No reference build for another audit stream has shipped yet.
See these capabilities in a real workpaper
Browse a sample workpaper produced by the platform — same controls, same methodology, same output format — or discuss a managed engagement.