SOX | March 2026 | 9 min read

Why Your SOX ITGC Auditor Will Love Automated Change Evidence

SOX ITGC auditors spend hundreds of hours assembling change evidence packages. Automated capture at merge time eliminates 95% of that work while improving evidence quality and consistency.

The SOX Change Evidence Burden

Public companies under Sarbanes-Oxley spend disproportionate time on IT General Controls for change management. PCAOB Auditing Standard AS 2201 requires evidence that changes to financial systems are authorized, tested, and approved. The 22 COBIT control objectives across four PCAOB domains (Program Change Management, Access to Programs and Data, Computer Operations, and Systems Development) generate thousands of evidence items per audit period. For a company processing 200 or more code changes per month, the audit team must be able to produce authorization, review, testing, and approval evidence for any change the auditor selects. That is not 200 evidence items. It is 200 changes times four evidence elements times however many controls are in scope, producing a documentation burden that scales linearly with engineering velocity.

What Auditors Actually Request

A typical SOX ITGC change management review proceeds as follows. The auditor selects a stratified random sample of 25 to 60 changes from the audit period, weighted toward high-risk changes, emergency changes, and weekend deployments. For each sampled change, they request a full evidence package: the change request or ticket proving authorization, the code review or peer sign-off proving oversight, the test execution results proving validation, the deployment approval proving final sign-off, and the deployment record proving controlled implementation. Assembling this package manually for one change takes 30 to 90 minutes. For a 45-change sample, that is 22 to 67 hours of manual work per sampling cycle. With two cycles per year (interim and year-end), organizations report 400 to 600 hours annually spent solely on change evidence for SOX.

Why Auditors Prefer Automated Evidence

Auditors do not enjoy requesting evidence any more than you enjoy assembling it. Manual evidence packages are inconsistent (different people document at different quality levels), incomplete (missing elements are discovered during review, triggering follow-up requests), and slow (the back-and-forth adds weeks to the audit timeline). Automated evidence solves all three problems. Every change is documented at the same quality level because the same system captures the same elements every time. Completeness is enforced by gap detection that identifies missing evidence in real time, not months later. And delivery is instant because evidence packages are pre-assembled and exportable on demand. Several auditing firms have told us that consistent, structured evidence reduces their review time by 40 to 60 percent, which means lower audit fees and faster completion.

The Stratified Sampling Engine

SOX audit sampling follows PCAOB AS 2201 methodology, which calls for risk-based stratification. High-risk changes (large diffs, production-critical systems) receive higher sampling rates than routine changes. Emergency and weekend changes are sampled separately because they present elevated control risk. MergeWhy includes a built-in SOX sampling engine that classifies changes into four strata (high-risk, emergency, weekend, standard), performs proportional allocation with a seeded random number generator for reproducibility, and generates complete evidence packages for every sampled change. Auditors can verify the sampling methodology, reproduce the selection with the same seed, and export results directly. The reproducibility feature is particularly valued because it eliminates questions about sample selection bias.
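The classification into four strata and the seeded, reproducible draw described above, as an added Python illustration (not MergeWhy's own code): the record fields, the 500-line and critical-system thresholds, and the per-stratum rates are assumptions, and the population is constructed.

```python
import math, random
from datetime import datetime

# Assumed thresholds and per-stratum rates (not from the page): risk-based
# strata are sampled more heavily than routine changes.
HIGH_RISK_LINES = 500
CRITICAL_SYSTEMS = {"ledger", "payroll"}
RATES = {"emergency": 1.0, "weekend": 0.5, "high-risk": 0.5, "standard": 0.1}

def classify(change):
    """Assign exactly one stratum. Emergency and weekend take precedence so
    they are sampled separately as the elevated-risk populations."""
    if change["emergency"]:
        return "emergency"
    if change["merged_at"].weekday() >= 5:  # Saturday=5, Sunday=6
        return "weekend"
    if change["lines"] >= HIGH_RISK_LINES or change["system"] in CRITICAL_SYSTEMS:
        return "high-risk"
    return "standard"

def stratify(changes):
    strata = {name: [] for name in RATES}
    for change in changes:
        strata[classify(change)].append(change)
    return strata

def sample(changes, seed):
    """Allocate per stratum (rate * size, at least one) and draw with a seeded
    RNG so the same population and seed always reproduce the same selection."""
    rng = random.Random(seed)
    selected = {}
    for name, members in stratify(changes).items():
        n = min(len(members), max(1, math.ceil(len(members) * RATES[name])))
        ordered = sorted(members, key=lambda c: c["id"])  # order-independent draw
        selected[name] = sorted(c["id"] for c in rng.sample(ordered, n))
    return selected

def make_changes():  # constructed population of eight merged PRs, not real data
    rows = [("PR-101", 40, "web", False, "2026-03-02T10:00"),
            ("PR-102", 820, "web", False, "2026-03-02T15:00"),    # large diff
            ("PR-103", 15, "ledger", False, "2026-03-03T09:00"),  # critical system
            ("PR-104", 60, "web", True, "2026-03-03T23:00"),      # emergency
            ("PR-105", 12, "web", False, "2026-03-07T11:00"),     # Saturday
            ("PR-106", 30, "web", False, "2026-03-04T09:00"),
            ("PR-107", 500, "payroll", False, "2026-03-08T09:00"),  # Sunday
            ("PR-108", 10, "web", False, "2026-03-09T09:00")]
    return [{"id": i, "lines": l, "system": s, "emergency": e,
             "merged_at": datetime.fromisoformat(t)} for i, l, s, e, t in rows]
```

An auditor given the population export and the seed can rerun `sample` and obtain the identical selection, which is the property the reproducibility claim rests on.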

AuditBoard Export: From Merge to Workpaper

Many public companies use AuditBoard as their audit management platform. MergeWhy generates AuditBoard-compatible CSV packages that import directly via AuditBoard's Visual Import feature. Three CSV files cover the full evidence surface: a changes file with 23 columns mapping to AuditBoard issue fields, a control testing file mapping each change to its COBIT control evaluation results, and an evidence gaps file documenting any deficiencies found. All 22 SOX ITGC controls are mapped to their PCAOB domains and human-readable control names. The export includes UTF-8 BOM headers for Excel compatibility and a README explaining the file structure. This eliminates the manual translation step between engineering evidence and audit workpapers, creating a direct pipeline from code merge to audit deliverable.

The ROI Calculation

The math is straightforward. Manual SOX ITGC change evidence costs 400 to 600 hours per year at a blended rate of 100 to 200 dollars per hour, totaling 40,000 to 120,000 dollars annually in labor costs alone. That figure excludes the opportunity cost of pulling engineers off product work, the risk of material weakness findings from incomplete evidence, and the audit fee premium for inefficient evidence delivery. Automated evidence capture reduces the manual component by 95 percent. The remaining 5 percent covers auditor communication, exception handling, and remediation of genuine control failures (which you want to find). For a mid-cap public company, the annual savings typically exceed 50,000 dollars in direct labor costs and deliver measurable audit timeline compression. The evidence quality improvement often reduces audit fees as well, as auditors can complete their testing faster with consistent, structured evidence packages.

Ready to automate your change evidence?

Install the GitHub App and start capturing compliance evidence from your first PR merge. Free 14-day trial, no credit card.
