itauditgo Schedule a walkthrough
SOX ITGC · built by an auditor who ran IT

When the SOX auditors show up, hand them the packet.

ITAuditgo runs inside your own network, connects read-only to the ServiceNow and Microsoft 365 you already have, and keeps your IT general controls evidence-ready every day — not just in October.

6 ITGC domains 12 continuous control tests ServiceNow + Entra ID connectors SHA-256 hash-chained audit log
ITGC Audit Packet · FY2026
Control cadence complianceDERIVED LIVE
Access-review certifications3-PERSON SIGN-OFF
Findings & management responsesAPPEND-ONLY TRAIL
Evidence indexSHA-256 HASHED
Audit-log integrity attestationCHAIN VERIFIED ✓
one click · every period · auditor-ready
Why this exists

Section 404 is one paragraph.
The audit is not.

Our founder was the Director of IT when the Sarbanes-Oxley Act arrived. He read the law — roughly 180 words asking management to assess its internal controls — and showed the auditors the paragraph. Then the major firms wrote hundreds of pages interpreting it, and for twenty years IT departments have been audited against the book, not the paragraph.

The result, every year: change tickets exported to spreadsheets, access reviews assembled by hand, screenshots emailed as evidence, and weeks of the team's time spent reconstructing what the systems already knew. ITAuditgo was built by someone who has sat in all three chairs — the IT director being audited, the IS auditor doing the auditing, and now the toolmaker — so the evidence assembles itself.

"The controls were never the hard part. Proving them was."
— Greg Anderson, founder · former Director of IT and Senior IS Auditor
What the law asks
§404(a) … an internal control report which shall — (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment … of the effectiveness of the internal control structure …
What the audit asks: your change queue, your access listings, your terminated-user sweeps, your backup logs, your patch SLAs, your penetration-test cadence — documented, signed off, and provable, every period.
How it works

Connect. Monitor. Hand it over.

01 · CONNECT

Point it at what you already run

Read-only connectors pull your change requests and approvals from ServiceNow and your live directory — privileged roles, guest accounts, MFA state — from Microsoft Entra ID. CSV import covers everything else: HR rosters, backup logs, vulnerability scans.

02 · MONITOR

Exceptions find you

Twelve continuous tests sweep your data on schedule: terminated users with active access, changes approved by their own implementer, backup failure streaks, patch-SLA breaches, overdue control cadences. Exceptions land in one de-duplicated inbox — acknowledge, dismiss with a reason, or convert to a finding.

03 · HAND IT OVER

The packet is always ready

One click produces the ITGC audit packet: control catalog, cadence compliance, access-review certifications with enforced three-person sign-off, findings with management-response trails, an SHA-256 evidence index, and a tamper-evidence attestation for the audit log itself.

See it working

Real screens, real exceptions.

These are unretouched screenshots of ITAuditgo connected to a live ServiceNow instance and a live Entra ID tenant — the exceptions you see were found, not staged.

DALI continuous monitoring inbox showing change SoD conflicts pulled from ServiceNow
Continuous monitoringSeparation-of-duties conflicts caught in a live ServiceNow change queue — the approver and implementer are the same person, ticket numbers and all. Acknowledge, dismiss with a reason, or convert to a finding.
ITAuditgo home dashboard with cadence clocks, findings and DALI inbox summary
The daily cockpitCadence clocks, open findings, and new exceptions at a glance — with a needs-attention list where every line deep-links to the work.
SOX ITGC audit packet with monitor test history and hash-chain attestation
The audit packetTest history, evidence index, and the hash-chain integrity attestation — the page you hand to the external auditors.
Admin connectors panel showing ServiceNow and Microsoft Entra ID syncs green
Live connectorsServiceNow and Entra ID syncing on the hour, heartbeat-monitored — including an honest note when tenant licensing limits a field.
ITGC control catalog with COSO 2013 component mapping
The control catalogSeventeen ITGC controls across six domains, each mapped to its COSO 2013 component — references switch with the active framework.
What's inside

Evidence-grade, end to end.

Not a checklist app with a workflow painted on — every record carries the machinery an external auditor checks for.

UAR

Access-review campaigns

Import a listing, decide every line — certify, revoke, modify — then a server-enforced chain: preparer, reviewer, approver must be three different people. Revocations open remediation findings automatically.

Cadence

Control clocks

Pentest, DR exercise, restore tests, scans — next-due is always derived from the last logged occurrence with evidence attached. Overdue is computed, never edited.

Work papers

Immutable versions

Folder trees per campaign, source and purpose on every paper, a full snapshot on every save, and the same segregation-of-duties sign-off chain.

Findings

Findings & remediation

Never-reused FND numbers, Condition / Criteria / Cause / Effect / Recommendation structure, and an append-only management-response trail — revisions require a typed reason.

Monitoring

Continuous control tests

Twelve built-in detectors plus a no-SQL query builder over any imported dataset, schedulable as custom tests with full run history.

Evidence

Evidence locker

Every file stored with an SHA-256 content hash, size, uploader, and timestamp — linked to the occurrence, paper, or finding it supports.

Forensics

Hash-chained audit log

Append-only, tiered, reason-gated on sensitive actions, and chained record-to-record with SHA-256 — with one-click integrity verification your auditors can run themselves.

Frameworks

Framework packs

SOX ITGC and CSRD/ESRS ship today; packs are data, not code — DORA and ISO 27001 mappings arrive without re-implementation.

The connectors are the product

Your evidence already exists.
Stop hand-carrying it.

ITGC evidence collection is fundamentally a connector problem: the records your auditors want already live in the systems your team runs all day.

Live today

ServiceNow

  • Change requests with who-approved-what-when, joined from the approval table — feeding the unapproved-change and separation-of-duties tests
  • User roster as a termination cross-check against access listings
  • Read-only scopes; hourly snapshots with full provenance
Live today

Microsoft Entra ID

  • Your live directory as the access listing — privileged directory roles flagged, guest accounts surfaced
  • Last sign-in and MFA registration state on Entra ID P1 tenants — and an honest, logged note when licensing doesn't allow it
  • Read-only Graph permissions; five-minute app-registration setup
On the roadmap, by customer pull: Jira Service Management, Tenable / Microsoft Defender vulnerability data, Veeam backup results, and a collector script for on-premises Active Directory. Anything with an export can feed the monitoring engine today via CSV.
Pricing

Priced for a departmental signature.

Every tier is under $12,000 a year — below the threshold where most IT directors need a procurement cycle to say yes.

Every tier is the whole product — all modules, all connectors, all framework packs, the full packet. Tiers differ by team size and support, never by features.
Essentials
$7,500/yr
Up to 2 IT auditors
  • Full product
  • Email support
Professional
$9,500/yr
Up to 5 IT auditors
  • Full product
  • Priority support
  • Guided onboarding
Department
$11,500/yr
Unlimited auditors
  • Full product
  • Priority support
  • Quarterly review with the founder
Founding ten

The first ten customers lock their tier price for life. Not for a year — for as long as they subscribe.

Claim a founding slot

Pilot program: a small number of organizations facing a near-term external audit run ITAuditgo free for 90 days, supported directly by the founder, in exchange for candid feedback and a reference if it earns one. Deployment services available at $3,500 one-time.