Skip to main content
Case studyFortune 100: 80% less compliance workRead the Story
RiskWatch
SOX · ICFR Continuous, not year-end

SOX compliance software that keeps a material weakness out of your 10-K.

A material weakness lands in the 10-K, the external auditor escalates, and your year-end becomes a six-week fire drill. It almost always traces back to the same place: control evidence collected once a year, in spreadsheets, after the deficiency already compounded. RiskWatch pulls ICFR evidence from the tools you already run, all year, so the auditor finds confirmation instead of surprises, and a material weakness gets flagged before it reaches the report. (Covers Sections 302 and 404; ITGCs, MRC documentation, and material-weakness early-warning. 2025 KPMG SOX Survey: program budgets rose 44% while fully automated controls dropped from 21% to 17%.)

  • Section 302 quarterly + Section 404 annual ICFR coverage
  • ITGC evidence pulled continuously from Okta, Jira, GitHub, Splunk, ERP
  • MRC documentation builder with the 4 elements auditors review
  • Material weakness early-warning before deficiencies compound
Start 30-day free trialWatch 4-min platform tour
No credit card · Continuous ICFR ships day 1
app.riskwatch.com / sox / 10-k-cycle
ICFR · live
Next 10-K filing window (large accelerated filer · Feb 28)
246
days
Section 404 management assessment + (for accelerated filers) external auditor attestation must be filed.
Your SOX cycle · current quarter highlighted
Q1
Risk-based scoping
Q1-Q2
Design + implement
Q3
Operating effectiveness testing
Q4
Management cert + 10-K
What it is

What is SOX compliance software?

Year-end testing stops being a fire drill. ITGC evidence pulls continuously from the tools your team already runs, Okta, Jira, GitHub, Splunk, your ERP. MRC documentation captures all four elements auditors actually look for. Material-weakness compounding gets flagged before the auditor sees it. Section 302 quarterly cycles inherit the same evidence as Section 404, no rework, no overtime, no fourth quarter that ate the year. Aligned to SOX Sections 302 and 404.

Section 302 vs Section 404

Two sections. Same underlying evidence. Different cadences and signers.

SectionCadenceWho signsWhat’s certifiedExternal auditor
§ 302QuarterlyCEO + CFODisclosure controls + procedures + ICFR internal controlsNo external attestation
§ 404(a)AnnualManagementICFR effectiveness assessment in 10-KManagement's report only
§ 404(b)AnnualExternal auditorIndependent attestation on management's ICFR assessmentRequired for accelerated + large accelerated filers
Why teams move to RiskWatch

The deficiency the auditor finds first is rarely the only one.

Material weaknesses do not show up alone. They cluster in the same three places year after year, and one missed deficiency tends to pull the others in behind it until a clean opinion turns into a restatement risk. Catch the first one early and the cascade never starts. Here is where ICFR consistently fails, and how RiskWatch flags it before the external auditor does. (2025 KPMG SOX Survey: more spend, less automation, same year-end fire drill.)

Pain #1

SOX budget up 44%. Automation share dropped.

2025 KPMG SOX Survey: program budgets rose 44% from FY22 to FY24; fully automated controls dropped from 21% to 17%. More headcount, less automation, same year-end fire drill. ITGC automation pulls evidence continuously from your existing tools, access reviews from Okta/AD, change tickets from Jira/ServiceNow, log monitoring from SIEM. Year-end testing becomes confirmation, not data-collection.

Pain #2

Material weakness rarely happens alone. They compound.

Pervasive control failures intersect: ITGCs + segregation of duties + management review controls are the most-reported weaknesses, and they typically surface together. Continuous monitoring catches the first deficiency before it compounds. Material-weakness early-warning fires before the auditor finds it.

Pain #3

Year-end testing in spreadsheets. Q1 next year, you start over.

Year-end testing happens once. Then Q1 starts and the cycle repeats. Most teams retest manually each year because evidence wasn't captured continuously. Evidence linked to controls year-round. Year-end testing extracts from the same vault. Q1 inherits the prior year's structure, no rework.

ITGC continuous evidence

Why should year-end testing be confirmation, not collection?

ITGCs, access management, change management, computer operations, are the single most-reported source of material weaknesses. They're also the easiest to automate. RiskWatch pulls control evidence from the tools your engineering team already uses: Okta and Azure AD for identity, Jira and ServiceNow for change, GitHub and GitLab for code, Splunk and Datadog for monitoring, your ERP for financial system controls.

  • Access reviews, quarterly user-access certifications automated from Okta/AD/Azure with reviewer attestation
  • Change management, every change ticket linked to migration + approval + post-impl review
  • Segregation of duties, real-time conflict detection across ERP roles + departments
  • IPE reliability, custom-report completeness + accuracy controls per ICFR-relevant report
ITGC continuous evidence pipeline
Where year-end SOX testing actually comes from
Your existing tools
Identity
Okta / AD / Azure
Change tickets
Jira / ServiceNow
Code changes
GitHub / GitLab
Log monitoring
Splunk / Datadog
Financial systems
ERP (NetSuite, SAP)
ITGC families · auto-mapped
Access Management
  • ·Quarterly user-access reviews
  • ·Privileged-access tracking
  • ·Segregation of duties (SoD)
Change Management
  • ·Change ticket → migration linkage
  • ·Approver evidence
  • ·Post-implementation review
Computer Operations
  • ·Backup verification
  • ·Job scheduling + monitoring
  • ·Incident logging
Continuous · 365 days/yearYear-end testing = confirmation, not collection
Management Review Control · audit-defensible documentation
The 4 elements auditors review on every MRC
Element 1·Selection criteria

What triggered this review? Materiality threshold + risk category + sample size, documented in advance.

ExampleVariance exceeding $50K and 5% of expected, sampled 25 transactions per quarter from each business segment.
Element 2·Review evidence

What did the reviewer actually see? Source documents, system queries, calculations, not just a checkmark.

ExamplePulled GL detail for accounts 4100-4199; recalculated revenue per ASC 606 5-step model; verified to contract terms in Salesforce.
Element 3·Investigation outcome

What did the reviewer find? Anomaly investigation + resolution + sign-off path documented.

Example3 items > materiality flagged; investigated with sales ops; 2 confirmed correct, 1 adjusted via JE-2024-1147 with controller approval.
Element 4·Reviewer accountability

Who reviewed, when, with what authority, captured for the auditor's walkthrough.

ExampleSenior FP&A Manager reviewed 2026-04-15; CFO reviewed and signed quarterly attestation 2026-04-18; both timestamped.
All 4 captured per MRCAuditor walks through · no rework
Management Review Controls

The #1 cited material weakness cluster. Almost always documentation depth.

Most teams document MRCs as “reviewed by Jane on 4/15.” Auditors don't accept that. Defensible MRC documentation has 4 elements, selection criteria, review evidence, investigation outcome, reviewer accountability, captured per control, every quarter, with an audit trail. The MRC Builder makes those 4 elements unavoidable.

When the auditor walks through your MRC sample during the Q3 testing phase, they see what they need to see, selection rationale, source documents, anomaly investigation, sign-off path, without a separate request for clarification. That's the difference between a clean opinion and an MRC-related deficiency note.

See the MRC builder in a real review
Material weakness early-warning

Pervasive control failures don't happen alone.

The auditor pattern is consistent: an ITGC weakness compounds with an MRC documentation gap which compounds with an IPE reliability problem, and what starts as a deficiency becomes a material weakness becomes a restatement risk. Catching the first compound point is what prevents the cascade.

  • Pattern detection, deficiencies flagged when they cluster across control types
  • Auditor-aligned scoring, severity model trained on PCAOB AS 2201 deficiency definitions
  • Remediation tracker, compounding deficiencies prioritized by restatement-risk impact
Material Weakness · how they compound
Rarely a single MW. Almost always 2 or 3 intersecting.
ITGC weakness

Access mgmt + change + SoD

MRC documentation gap

Selection criteria + review evidence missing

IPE reliability gap

Custom reports w/o C&A controls

Compounded
Restatement risk
1 weakness ≠ small problemCatch the first; prevent the cascade
Year-end SOX testing used to take 6 weeks of overtime. With evidence captured continuously, it's a 10-day confirmation cycle.
PJ
Patricia J.
Director of Internal Audit · Mid-cap public company · 4,200 employees
Year-end testing
↓ 70%
6 weeks → 10 days
Material weaknesses
0
for 3 cycles running
Time-to-deploy
8 weeks
first ICFR cycle
SOX 404 ICFR Pack · 38 pages
SOX 404
ICFR Continuous Pack, ITGCs + ELCs + PLCs
PDF · 38 pages · ICFR-aligned

SOX 404 ICFR Continuous Pack

Thirty-eight pages covering ITGCs + ELCs + PLCs library, MRC documentation guide, SoD conflict matrix, and material weakness early-warning template. Built for the controller, the internal audit director, and the SOX program manager.

  • ITGCs + ELCs + PLCs library
  • MRC documentation guide (4-element framework)
  • Material weakness early-warning template
  • Section 302 + 404 cycle planner
Get the pack

Looking for SOX ↔ SOC 2 ↔ ISO 27001 crosswalk or the platform buyer's guide? Find them on the compliance frameworks hub.

FAQ

Common questions, answered up front.

About SOX 302/404, ICFR continuous monitoring, ITGC automation, MRC documentation, material weakness early-warning, and how RiskWatch covers all of them.

What is SOX compliance software?
SOX compliance software is a platform that helps public companies (and pre-IPO companies pursuing readiness) design, operate, monitor, test, and document the internal controls over financial reporting (ICFR) required by Sections 302 and 404 of the Sarbanes-Oxley Act. The 2026 reality: SOX is no longer year-end; it's autonomous assurance with real-time ICFR validation. RiskWatch covers ITGCs (access + change + operations), entity-level controls, process-level controls, segregation of duties, management review controls, and information produced by the entity (IPE) reliability, with cross-mapping to SOC 2 and ISO 27001 available on the compliance-frameworks hub.
What's the difference between SOX 302 and SOX 404?
Section 302 requires CEO and CFO to certify quarterly that disclosure controls and procedures are effective, including the design and operation of ICFR. Section 404(a) requires management to assess and report annually on ICFR effectiveness in the 10-K; Section 404(b) requires accelerated filers' external auditors to attest to that assessment. Section 302 is quarterly self-assessment; Section 404 is annual third-party validation. Both rely on the same continuous control evidence, which is why the platform unifies them.
Where do material weaknesses consistently appear?
Three areas account for most material weaknesses year over year: ITGCs (especially user access management and segregation of duties), Management Review Controls (MRC documentation depth, selection criteria, review evidence, investigation outcomes), and Information Produced by the Entity reliability (custom reports without completeness/accuracy controls). Pervasive control failures intersect, when one of these fails, the others typically do too. Material weakness early-warning detection in continuous monitoring catches them before they compound into a restatement risk.
How does the MRC documentation builder help?
Management Review Controls are the #1 cited material weakness cluster because most teams document MRCs as 'reviewed by Jane on 4/15.' That's not what auditors actually need. Defensible MRC documentation has 4 elements: selection criteria (what triggered the review, materiality threshold + risk + sample size), review evidence (what the reviewer actually looked at, source documents, system queries, calculations), investigation outcome (anomaly investigation, resolution, sign-off path), and reviewer accountability (who, when, with what authority). The MRC builder captures all 4 per control and produces the auditor-walkthrough package.
How does ITGC continuous monitoring work?
Traditional SOX runs as an annual cycle: testing in Q3, remediation through Q4, certification at year-end. Continuous ICFR pulls evidence from your existing tooling year-round, access reviews from Okta/AD/Azure, change tickets from Jira/ServiceNow, log monitoring from SIEM, financial system controls from ERPs. Year-end testing becomes confirmation rather than data collection. The 2025 KPMG SOX Survey found this is the path forward: more automation, less reliance on year-end manual effort.
Does the platform support SOX + SOC 2 + ISO 27001 simultaneously?
Yes, but cross-framework mapping lives on the /compliance-frameworks/ hub rather than on this page. SOX ITGCs map to SOC 2 trust services and ISO 27001 Annex A controls. Public SaaS typically runs all three; running them together with one evidence vault reduces combined audit work by 50%+. See the hub page for the full crosswalk.
Is there a free trial?
Yes. The 30-day free trial includes full access, ITGCs + ELCs + PLCs + MRC documentation builder + SoD engine + IPE reliability tracking + material weakness early-warning. You can run a real ICFR cycle against your own environment and decide before purchasing.
Ready to make SOX continuous?

Run your first ICFR cycle this week.

Start a 30-day free trial, ITGCs + ELCs + PLCs, MRC documentation builder, SoD engine, IPE reliability tracking, and material weakness early-warning. No credit card required.

Start free trialBook a demo

No credit card required · 30-day free trial · Cancel anytime

Request a Demo