Purpose-built for ITGC

We operate the testing workflow. Your auditor concludes and signs.

muratov.io is the platform our team runs to execute IT general controls testing — population through evidence-tested workpaper. We operate the workflow and produce the documentation; your licensed auditor reviews, concludes, and signs. We issue no audit opinion, assurance, or attestation. Below is a fully rendered workpaper from a fictional SOX 404 assessment — same export code, same 13-section structure we deliver.

Figure 01: Sample workpaper (fictional engagement). The export records a per-file SHA-256 integrity hash in the Evidence Index (shown as sha-256: 9f3c…a1b7) and the deterministic sampling seed (seed: 4815162342) from which the draw reconstructs. Delivered as an auditor-signed HTML workpaper with a CSV-pivotable evidence index; browser print-to-PDF for archive.
§ 01   Why this is a platform, not a spreadsheet
  1. Reproducible sampling: A SHA-256-seeded draw re-derives identically from its stored seed — any auditor reconstructs the exact sample across time. Excel RAND() reseeds on every open.
  2. Enforced sign-off gates: Lock is blocked when QC exceptions are unacknowledged, attributes untested, or AI results unreviewed — 10 distinct named gates. Excel cells are freely editable.
  3. Immutable audit trail: Every state-changing action is recorded append-only with actor + timestamp; database triggers prevent mutation. Excel edits leave no trace.
  4. Mandatory AI accept/override: The auditor must accept or override every AI determination; rejected-without-override blocks sign-off. AI never auto-finalizes.
  5. SHA-256 evidence integrity: Every uploaded file is hashed at upload; the hash rides into the workpaper so tampering is detectable. Excel has no integrity manifest.
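The append-only trail described in item 3 above, as an added example that is not the platform's code: an in-memory SQLite table guarded by BEFORE UPDATE and BEFORE DELETE triggers, so a mutation is refused at the database layer no matter what the application does. Table and column names are this example's own assumptions; the page names PostgreSQL as the production database, where the same pattern is a trigger function that raises an exception.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example; the platform's real tables are not shown on the page.
DDL = """
CREATE TABLE audit_trail (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    actor   TEXT NOT NULL,
    action  TEXT NOT NULL,
    control TEXT NOT NULL,
    at_utc  TEXT NOT NULL
);
-- Append-only: any UPDATE or DELETE against the trail aborts the statement.
CREATE TRIGGER audit_trail_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
CREATE TRIGGER audit_trail_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
"""


def open_trail():
    """Create an in-memory database holding the trail and its guard triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    return conn


def record(conn, actor, action, control):
    """Append one state-changing action with actor and UTC timestamp; return the new row id."""
    at_utc = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO audit_trail (actor, action, control, at_utc) VALUES (?, ?, ?, ?)",
        (actor, action, control, at_utc),
    )
    conn.commit()
    return cur.lastrowid


def mutation_rejected(conn, sql, params=()):
    """Run an UPDATE or DELETE and report whether the trigger refused it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return "append-only" in str(exc)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM audit_trail").fetchone()[0]


if __name__ == "__main__":
    db = open_trail()
    record(db, "reviewer@example.test", "SIGN_OFF", "A1")
    print("update refused:", mutation_rejected(db, "UPDATE audit_trail SET actor = 'x' WHERE id = 1"))
    print("delete refused:", mutation_rejected(db, "DELETE FROM audit_trail WHERE id = 1"))
    print("rows:", row_count(db))
```

The trigger is only as strong as the privileges of the role that runs the application: that role must not be able to drop the trigger or alter the table, otherwise the guarantee moves from the database back to code review.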

§ 02   The control library

32 ITGC control templates across four categories

Each template carries attributes, QC rules, exception guidance, and a narrative skeleton, plus SOX 404, COSO, and SOC 2 mapping fields — documented mappings, not certifications. Some controls are optional and some attributes are informational and non-scored.

ITGC control library by category
  A1–A11  Access (11): provisioning, terminations, privileged access, UAR, cloud IAM (A9), MFA (A10), sub-processor risk (A11)
  C1–C5   Change (5): normal & emergency approvals, release controls, CI/CD, configuration/IaC (traceability-driven)
  O1–O10  Operations (10): backups, restore testing, batch jobs, incident & problem mgmt, patch, logging, DR/BCP, backup immutability (O10)
  S1–S6   Security (6): event logging, segregation of duties, vulnerability mgmt, access review, key management (S5), AI governance (S6)
§ 03   The methodology engine

Enforced workflows with gates that can’t be skipped

An 8-step workflow for Access, Security, and Change, and a 9-step workflow for Operations (which adds a scoping step). Change controls swap expectations for a traceability step.

  1. Scope
  2. Population
  3. Sampling
  4. Evidence
  5. AI Testing
  6. Exceptions
  7. QC
  8. Review
  9. Sign-off

Before a control can lock, ten distinct named gates must clear — hard blockers separated from informational warnings.

  1. GATE 01: Testing complete
  2. GATE 02: Quality review run
  3. GATE 03: Critical / high QC findings acknowledged
  4. GATE 04: All AI results reviewed
  5. GATE 05: Every attribute tested
  6. GATE 06: No rejected AI results outstanding
  7. GATE 07: Exceptions closed or accepted
  8. GATE 08: SLA-overdue critical/high exceptions resolved
  9. GATE 09: Change-control traceability complete
  10. GATE 10: Testing coverage ≥ 80%

Sign-off is locked until every gate passes

Plus a no-sample-without-evidence blocker. The auditor is the authoritative gate.
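How a gate evaluator of this shape separates hard blockers from informational warnings, as an added example that is not the platform's code. The ten named gates and the no-sample-without-evidence blocker come from the page; the state fields, the definition of coverage as tested samples over drawn samples, and the "below 100% coverage" warning are this example's assumptions.

```python
from dataclasses import dataclass, replace


@dataclass
class ControlState:
    """Snapshot of one control's testing state. Field names are this example's, not the platform's."""
    control_id: str
    is_change_control: bool
    testing_complete: bool
    qc_review_run: bool
    unacknowledged_crit_high_qc: int
    ai_results_total: int
    ai_results_reviewed: int
    ai_rejected_without_override: int
    attributes_total: int
    attributes_tested: int
    exceptions_open: int
    sla_overdue_crit_high: int
    traceability_complete: bool
    samples_total: int
    samples_tested: int
    samples_with_evidence: int


def coverage(s):
    """Testing coverage as tested / drawn samples (assumed definition)."""
    return s.samples_tested / s.samples_total if s.samples_total else 0.0


def evaluate_gates(s):
    """Return (can_lock, blockers, warnings). Every named gate is a hard blocker."""
    checks = [
        ("GATE 01 Testing complete", s.testing_complete),
        ("GATE 02 Quality review run", s.qc_review_run),
        ("GATE 03 Critical / high QC findings acknowledged", s.unacknowledged_crit_high_qc == 0),
        ("GATE 04 All AI results reviewed", s.ai_results_reviewed >= s.ai_results_total),
        ("GATE 05 Every attribute tested", s.attributes_tested >= s.attributes_total),
        ("GATE 06 No rejected AI results outstanding", s.ai_rejected_without_override == 0),
        ("GATE 07 Exceptions closed or accepted", s.exceptions_open == 0),
        ("GATE 08 SLA-overdue critical/high exceptions resolved", s.sla_overdue_crit_high == 0),
        # Traceability only applies to Change controls; other workflows pass this gate trivially.
        ("GATE 09 Change-control traceability complete", s.traceability_complete or not s.is_change_control),
        ("GATE 10 Testing coverage >= 80%", coverage(s) >= 0.80),
        ("No sample without evidence", s.samples_with_evidence >= s.samples_total),
    ]
    blockers = [name for name, passed in checks if not passed]
    # Informational only (assumed): flag partial coverage even when the 80% gate clears.
    warnings = []
    if s.samples_total and coverage(s) < 1.0:
        warnings.append(f"{s.control_id}: coverage {coverage(s):.0%} is below 100%")
    return (len(blockers) == 0, blockers, warnings)


# Constructed states: one control ready to lock, and the same control with five AI
# results still unreviewed and four samples untested.
READY = ControlState(
    control_id="C1", is_change_control=True, testing_complete=True, qc_review_run=True,
    unacknowledged_crit_high_qc=0, ai_results_total=25, ai_results_reviewed=25,
    ai_rejected_without_override=0, attributes_total=4, attributes_tested=4,
    exceptions_open=0, sla_overdue_crit_high=0, traceability_complete=True,
    samples_total=25, samples_tested=25, samples_with_evidence=25,
)
NOT_READY = replace(READY, ai_results_reviewed=20, samples_tested=21)

if __name__ == "__main__":
    for state in (READY, NOT_READY):
        print(state.control_id, evaluate_gates(state))
```

The point of keeping blockers and warnings in separate lists is that the lock decision depends on the blocker list alone; a warning can never be silently promoted to, or demoted from, a blocker by a display change.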

§ 04   Sampling

Risk-based sampling aligned to AICPA AU-C 530

Recommended sample sizes derive from the AICPA AU-C 530 attribute table for Tests of Controls, not heuristics. Three unified risk presets (Low / Medium / High; High tightens the tolerable deviation rate), four methods — random (Fisher-Yates), stratified, systematic interval, and judgmental — bounded at 500 samples / 10,000 population rows.

The embedded grid covers Expected-Deviation-Rate 0% rows only; non-zero EDR resolves to an explicitly flagged out-of-table basis, never fabricated. A drawn sample reconstructs from its stored seed.
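A seed-reproducible draw of the kind described in this section and in item 1 of § 01, as an added example that is not the platform's code. It derives a deterministic number stream from SHA-256 over the seed and a counter, draws a random sample with a partial Fisher-Yates shuffle, and draws a systematic-interval sample from a seeded start; the 500-sample / 10,000-row bounds come from the page, while the stream construction, the sorted-population rule and the function names are this example's assumptions.

```python
import hashlib

MAX_SAMPLE = 500          # bounds stated on the page
MAX_POPULATION = 10_000


class Sha256Stream:
    """Deterministic numbers from SHA-256(seed || counter), consumed 64 bits at a time.
    Assumed construction for this example; the platform's exact derivation is not published."""

    def __init__(self, seed):
        self._seed = str(seed).encode("utf-8")
        self._counter = 0

    def next_u64(self):
        block = hashlib.sha256(self._seed + self._counter.to_bytes(8, "big")).digest()
        self._counter += 1
        return int.from_bytes(block[:8], "big")

    def below(self, n):
        """Uniform integer in [0, n) via rejection sampling, so there is no modulo bias."""
        limit = (1 << 64) - ((1 << 64) % n)
        while True:
            x = self.next_u64()
            if x < limit:
                return x % n


def _checked(population, sample_size):
    # Sort by key so the draw never depends on the order rows happened to be exported in.
    pool = sorted(population)
    if len(pool) > MAX_POPULATION:
        raise ValueError(f"population exceeds {MAX_POPULATION} rows")
    if not 0 < sample_size <= min(MAX_SAMPLE, len(pool)):
        raise ValueError("sample size out of bounds")
    return pool


def random_sample(population, sample_size, seed):
    """Partial Fisher-Yates: settle the first sample_size positions, leave the rest untouched."""
    pool = _checked(population, sample_size)
    rng = Sha256Stream(seed)
    for i in range(sample_size):
        j = i + rng.below(len(pool) - i)
        pool[i], pool[j] = pool[j], pool[i]
    return pool[:sample_size]


def systematic_sample(population, sample_size, seed):
    """Fixed interval through the sorted population from a seeded random start."""
    pool = _checked(population, sample_size)
    interval = len(pool) // sample_size
    start = Sha256Stream(seed).below(interval)
    return [pool[start + k * interval] for k in range(sample_size)]


if __name__ == "__main__":
    changes = [f"CHG-{i:04d}" for i in range(1, 101)]   # constructed population
    print(random_sample(changes, 5, 4815162342))
    print(random_sample(changes, 5, 4815162342))        # identical: same seed, same draw
    print(systematic_sample(changes, 5, 4815162342))
```

Reproducibility needs the stored seed and the exact population (same rows, same sort key); the seed alone reconstructs nothing if the population file later changed, which is why the population should itself be hashed into the evidence index.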

§ 05   AI testing

Evidence-first AI testing — transparent, and never the final word

AI tests each sample against each control attribute and stores full provenance: extracted facts with a 0–100% confidence score, evidence excerpts, rationale, and the model used (Claude Haiku for drafts, Sonnet for testing, Opus available for advanced analysis). Evidence-first by design: no mapped evidence returns INCONCLUSIVE; an empty fact value is FAIL, never PASS. Every AI determination must be accepted or overridden by the auditor before sign-off — the platform is designed to support PCAOB AS 1215 documentation practice, while customers remain responsible for their own audit-documentation posture.

Full AI provenance per result · Mandatory auditor review · Designed with AS 1215 in mind
§ 06   The deliverable

One integrated HTML workpaper, 13 sections, plus CSV side-exports

HTML, optimized for in-browser print-to-PDF; legacy ?format=pdf / ?format=xlsx return HTTP 400. Two RFC 4180 CSV side-exports accompany it — an Evidence Index (with SHA-256 hashes) and Testing Results. Every page carries a CONFIDENTIAL watermark and a required, non-omittable legal preamble: muratov.io is not a CPA, audit, or law firm.
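An Evidence Index of the kind described above (and the per-file hashing in item 5 of § 01), as an added example that is not the platform's code: each file is SHA-256 hashed, the index is written as RFC 4180 CSV, and a verifier re-hashes the archive to classify every file as ok, tampered, missing or unindexed. The column names and the sample files are constructed for this example.

```python
import csv
import hashlib
import io

# Constructed evidence files for this example (file name -> bytes).
EVIDENCE = {
    "A1_provisioning_ticket_1042.pdf": b"%PDF-1.4 ticket 1042 approved by manager\n",
    "A1_hr_start_list_Q3.csv": b"employee_id,start_date\r\nE-1042,2024-07-01\r\n",
    "A4_uar_signoff_Q3.png": bytes(range(256)),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_evidence_index(files):
    """Return the Evidence Index as RFC 4180 CSV text (CRLF line ends, minimal quoting)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(["file_name", "size_bytes", "sha256"])
    for name in sorted(files):
        writer.writerow([name, len(files[name]), sha256_hex(files[name])])
    return buf.getvalue()


def verify_evidence_index(index_csv, files):
    """Re-hash each archived file and compare with the recorded hash.
    Returns {file_name: 'ok' | 'tampered' | 'missing'}; files absent from the index are 'unindexed'."""
    report = {}
    indexed = set()
    for row in csv.DictReader(io.StringIO(index_csv)):
        name = row["file_name"]
        indexed.add(name)
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif sha256_hex(data) != row["sha256"]:
            report[name] = "tampered"
        else:
            report[name] = "ok"
    for name in files:
        if name not in indexed:
            report[name] = "unindexed"
    return report


if __name__ == "__main__":
    index = build_evidence_index(EVIDENCE)
    print(index)
    print(verify_evidence_index(index, EVIDENCE))
```

Per-file hashes detect a changed or swapped file, not a changed index: the index only proves anything if it is itself covered by the signed workpaper or by a separately recorded hash of the index file.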

Workpaper sections, 1 through 13
  01 Cover Sheet & Signatures
  02 Executive Summary
  03 Scope & Systems
  04 Scope Gap Justifications
  05 Controls Matrix
  06 Population & Sampling
  07 Testing Results
  08 Traceability
  09 Exception Summary
  10 Quality Review
  11 Audit Trail
  12 Evidence Index (SHA-256)
  13 Abbreviations & Glossary
§ 07   Security & trust

Tenant isolation, evidence integrity, US data residency

PostgreSQL Row-Level Security binds every query to a session tenant on all 22 tables, backed by defense-in-depth application-layer filters; cross-tenant access returns 404 (not 403) to avoid leaking existence. Evidence files are SHA-256 hashed and served only through authenticated, tenant-verified download proxies. AI runs on the Anthropic Claude API (US) with no training on your evidence per Anthropic's commercial terms and 7-day API log retention; primary data is stored in the US on Neon.

These descriptions document implemented control mechanics — the platform carries no certification or compliance audit against SOX 404 or SOC 2, and we make no uptime-SLA claim.

§ 08   Beyond ITGC

We build custom audit-workflow platforms for other streams

This ITGC platform is proof of what we design and ship. We can architect and build comparable custom platforms for other audit and assurance streams — scoped to your methodology, evidence model, and sign-off gates.

We make no compliance, certification, or assurance guarantees about any bespoke build; the engagement is platform engineering, and your professionals own the audit judgments the software supports. No reference build for another audit stream has shipped yet.

Ready to put this behind your ITGC testing?

Tell us your systems and scope — for managed delivery or a custom audit-workflow build. We'll confirm fit and next steps.