
SOX evidence that survives every system migration.

Average audit fees for US large accelerated filers reached $6.06M in FY2024. Most of that cost is the time auditors and finance teams spend reconstructing evidence scattered across vendors that often won't be in the stack five years from now. Arkova anchors your ICFR evidence to a public ledger so your auditor can verify each test independently — no matter which GRC, ERP, or e-signature vendor you use today.

What it is

The 23-year-old law every public company runs on.

The Sarbanes-Oxley Act of 2002 followed the Enron, WorldCom, and Tyco scandals. Its central premise: management is personally responsible for the integrity of financial reports, and the controls that produce those reports must be documented, tested, and attested to by both management and an external auditor.

SOX applies to every issuer filing with the SEC, domestic companies and foreign private issuers alike. Private companies are pulled in indirectly when they sit inside a public company's financial reporting chain, most notably outsourced service providers, who answer for their part of the control environment through SOC 1 reports. The penalties are criminal: willfully certifying a false report carries up to $5M in fines and 20 years imprisonment under Section 906, and destroying or falsifying records to obstruct an investigation carries up to 20 years under Section 802.

In practice, "SOX compliance" means proving year over year that your internal control over financial reporting (ICFR) was designed appropriately and operated effectively throughout the fiscal year. The bulk of the operational burden lives in Section 404.

The four sections that drive operational work

How Arkova maps to the SOX sections that hurt.

Section 302

Corporate Responsibility for Financial Reports

Requirement

CEO and CFO must personally certify the accuracy of financial reports and disclose control deficiencies to the auditor and audit committee. Knowingly certifying a false report is criminally punishable under the companion Section 906.

Arkova

Anchored attestation receipts: the exact certification document signed, the version reviewed, and the timestamp — verifiable independently of your document management vendor.

Section 404

Management Assessment of Internal Controls

Requirement

The most operationally onerous section. Management must establish, document, test, and report on internal control over financial reporting (ICFR) under 404(a). For accelerated and large accelerated filers, the external auditor must also issue its own opinion on ICFR effectiveness under 404(b), which means re-testing a sample of the same controls.

Arkova

Each control test, walkthrough, and remediation is anchored. The complete control narrative + testing evidence package is reconstructable on demand without trusting your GRC vendor.

Section 409

Real-Time Disclosure

Requirement

Material changes to financial condition or operations must be disclosed on a "rapid and current basis" — typically within four business days via Form 8-K.

Arkova

Material-event disclosure timeline anchored from internal awareness through public filing. Audit trail proves disclosure timing met SOX 409 requirements.

Section 802

Document Retention

Requirement

Auditors must retain audit work papers for five years under the statute (18 U.S.C. 1520); SEC Rule 2-06 of Regulation S-X extends that to seven years, which is the figure most programs use. Knowing alteration, falsification, or destruction of records with intent to obstruct an investigation is criminally punishable (up to 20 years imprisonment under 18 U.S.C. 1519); failing to retain work papers at all carries up to 10 years.

Arkova

Append-only audit log anchored to a public ledger. Once a record is anchored, any later alteration or silent deletion is detectable by recomputing its fingerprint against the anchor. One caveat a practitioner will raise: an anchor proves a record existed in a given form at a given time, it does not store the record, so the retention half of Section 802 still depends on keeping the underlying artifacts somewhere the anchored fingerprints can be checked against.
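What "anchoring" means mechanically, as an added illustration that is not Arkova's code and does not describe its internals: each evidence record is hashed into a leaf of an RFC 6962-style Merkle tree, only the 32-byte root is published (the simulated "ledger" entry below), and an auditor holding a record plus its inclusion proof can recompute the root without access to the GRC vendor. The evidence records, control IDs, and the `build_anchor`/`auditor_check` helpers are constructed for the example; changing a single field in a record (a "cleaned up" exception count) makes verification fail.

```python
"""Hash-anchored, append-only evidence log with independently verifiable
inclusion proofs. Illustrative example; not Arkova's code."""
import hashlib
import json


def canonical(record: dict) -> bytes:
    """Deterministic encoding so identical evidence always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(record: dict) -> bytes:
    # 0x00 / 0x01 prefixes domain-separate leaves from interior nodes (RFC 6962).
    return hashlib.sha256(b"\x00" + canonical(record)).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(hashes: list[bytes]) -> bytes:
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))


def inclusion_proof(hashes: list[bytes], index: int) -> list[tuple[str, bytes]]:
    """Sibling hashes (bottom-up) needed to recompute the root from hashes[index]."""
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if index < k:
        return inclusion_proof(hashes[:k], index) + [("R", merkle_root(hashes[k:]))]
    return inclusion_proof(hashes[k:], index - k) + [("L", merkle_root(hashes[:k]))]


def verify_inclusion(record: dict, proof: list[tuple[str, bytes]], anchored_root: bytes) -> bool:
    """Recompute the root from the record and its proof; needs no access to the other records."""
    h = leaf_hash(record)
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == anchored_root


# Constructed sample evidence (hypothetical control IDs and results, not real tests).
# artifact_sha256 binds the record to the underlying file, which is retained separately.
EVIDENCE = [
    {"control": "ITGC-ACC-01", "period": "2024-Q1", "test": "quarterly access review",
     "sample": 25, "exceptions": 0, "tester": "j.doe",
     "artifact_sha256": hashlib.sha256(b"access-review-2024Q1.xlsx (constructed)").hexdigest()},
    {"control": "ITGC-ACC-01", "period": "2024-Q2", "test": "quarterly access review",
     "sample": 25, "exceptions": 1, "tester": "j.doe",
     "artifact_sha256": hashlib.sha256(b"access-review-2024Q2.xlsx (constructed)").hexdigest()},
    {"control": "ITGC-CHG-03", "period": "2024-Q2", "test": "change ticket approval",
     "sample": 40, "exceptions": 2, "tester": "a.lee",
     "artifact_sha256": hashlib.sha256(b"change-sample-2024Q2.csv (constructed)").hexdigest()},
    {"control": "FCL-JE-07", "period": "2024-Q3", "test": "manual journal entry approval",
     "sample": 60, "exceptions": 0, "tester": "a.lee",
     "artifact_sha256": hashlib.sha256(b"je-approvals-2024Q3.pdf (constructed)").hexdigest()},
    {"control": "ITGC-OPS-02", "period": "2024-Q4", "test": "batch job failure monitoring",
     "sample": 12, "exceptions": 0, "tester": "j.doe",
     "artifact_sha256": hashlib.sha256(b"batch-log-2024Q4.txt (constructed)").hexdigest()},
]


def build_anchor(records: list[dict]) -> dict:
    """What gets published to the ledger: only the root, never the evidence itself."""
    root = merkle_root([leaf_hash(r) for r in records])
    return {"period": "FY2024", "count": len(records), "root": root.hex()}


def auditor_check(record: dict, proof: list[tuple[str, bytes]], anchor: dict) -> bool:
    """The auditor's side: record + proof + public anchor, nothing from the vendor."""
    return verify_inclusion(record, proof, bytes.fromhex(anchor["root"]))


if __name__ == "__main__":
    hashes = [leaf_hash(r) for r in EVIDENCE]
    anchor = build_anchor(EVIDENCE)
    proof = inclusion_proof(hashes, 2)
    print("anchored root:", anchor["root"])
    print("original record verifies:", auditor_check(EVIDENCE[2], proof, anchor))
    # Someone later "cleans up" the two exceptions on the change-management test.
    tampered = dict(EVIDENCE[2], exceptions=0)
    print("tampered record verifies:", auditor_check(tampered, proof, anchor))
```

The design choice worth noting is the split into a per-record proof rather than one hash over the whole evidence package: the auditor can verify exactly the samples they reperform without being handed (or trusting) the rest of the population, and a vendor migration only has to preserve the records and their proofs, not the system that produced them.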

The annual SOX cycle

Four phases. The same ones every year.

Q1

Risk assessment + scoping

Identify in-scope financial reporting processes, key controls, and material accounts. Update from prior year for new systems, M&A, and regulatory changes.

Q2–Q3

Control testing

Walk through each key control. Test design effectiveness, then operating effectiveness. Document deficiencies. Remediate where possible before year-end.

Q4

Management assessment + external audit

Management certifies ICFR effectiveness. External auditor (for accelerated filers) performs Section 404(b) attestation. Disclosure of any material weaknesses.

FY-end

Form 10-K filing

Annual report including management's ICFR assessment, auditor attestation (for accelerated filers), and material weakness disclosure if applicable. CEO and CFO 302 certifications attached.

Most of the cost lives in Q4. When evidence must be regenerated under deadline pressure because the original artifacts can't be independently verified, control testing becomes a fire drill instead of a queryable property of the records themselves. That's the cycle Arkova breaks.

What a SOX 404 auditor asks for

Five evidence categories every ICFR audit needs.

  1. Process narratives + flowcharts. Documented description of each financial reporting process (revenue, expenditure, payroll, treasury, financial close) showing inputs, processing steps, controls, and outputs. Updated for any system or process change in the period.
  2. Risk and control matrices (RCMs). For each in-scope process, the financial-statement assertions at risk, the controls that mitigate those risks, control owner, frequency, and test plan.
  3. Walkthrough documentation. Evidence that the team has traced one transaction end-to-end through each key control — source documents, system screenshots, approval evidence, output reconciliations.
  4. Test of operating effectiveness samples. For each key control, a sample of executions across the year with supporting evidence. IT general controls require year-long population evidence (access reviews, change management, batch monitoring).
  5. Deficiency log + remediation evidence. Identified control deficiencies, severity classification (deficiency / significant deficiency / material weakness), remediation plan, and proof of remediation effectiveness.

Why SOX prep gets painful

Four failure modes Arkova removes.

Evidence collection drags into Q4

Walkthrough screenshots, system access reviews, change-management evidence, and journal-entry approvals get gathered manually from 10+ systems in the last 6 weeks of the year.

Vendor migrations break audit chains

A new ERP, HRIS, or e-signature platform mid-year means historical audit evidence is scattered across the old vendor (often via expensive legacy access) and the new one.

404(b) auditor "reperformance" doubles the work

External auditors re-test a sample of controls. Without reproducible evidence, the team produces fresh walkthroughs for the auditor that mostly duplicate what management already did.

ITGC scope creep

IT general controls (access, change, operations) keep expanding as the company adopts more SaaS. Each new system adds 5–15 controls that need annual testing.

Who's in scope

Public companies, foreign private issuers, and, indirectly, the service providers they depend on.

SOX applies to every issuer registered with the SEC, domestic or foreign. The cost tier depends on classification:

  • Large accelerated filers (public float ≥ $700M) — full Section 404(b) external auditor opinion on ICFR required. Highest audit cost.
  • Accelerated filers (public float $75M–$700M and annual revenue ≥ $100M) — also require the 404(b) auditor opinion. Since the SEC's 2020 amendments, an issuer in this float range with revenue under $100M that qualifies as a smaller reporting company is treated as non-accelerated instead.
  • Smaller reporting companies + non-accelerated filers — 404(a) management assessment only. Non-accelerated filers are exempt from 404(b) under Section 404(c); emerging growth companies are also exempt for up to five years after their IPO.
  • Service providers (third-party SaaS, cloud, payroll, transaction processing) — not SOX filers themselves, but typically issue SOC 1 reports because their customers' ICFR depends on controls they operate.

Stop rebuilding SOX evidence from scratch every year.

If you're a public company looking for ICFR evidence that doesn't live inside your GRC vendor's database, we'd like to discuss an early-access pilot.

Arkova is in private beta. Features described on this page are being built and refined with pilot customers right now. Some controls and integrations are live today; others are in active development. Talk to us about the parts most relevant to your workload.


Or read The State of Compliance in 2026 for the broader regulatory picture.