Every quarter, every US public company has the same week. The external auditor — PCAOB-registered, paid by you, beholden to standards that say they have to find something — sits down with the controller and starts asking. Walk us through this revenue-recognition entry. Show us the approval chain. Prove the supporting evidence hasn't been modified since Q3 close.
In most stacks, this is a three-week project. Your ICFR documentation is spread across SharePoint, NetSuite, Workiva, and DocuSign. The auditor asks for fourteen things. Your team finds twelve. The other two take a week to track down. Your big-four firm bills you SOX-advisory uplift while they wait. Material weakness risk if anything is missing. Restatement risk if a control demonstrably failed.
The financial cost is real — $150,000 to $300,000 per walk-through cycle. The strategic cost is bigger. A material-weakness disclosure affects your stock price. A restatement triggers shareholder litigation. The CEO's and CFO's 302/906 certifications get more nervous every quarter, because nobody on the inside fully trusts that nothing has been silently edited.
What the auditor is actually testing
AS-1105, the PCAOB standard on audit evidence, has one core requirement: the evidence must be reliable. In SOX terms that's three things.
- The journal entry as it stood at close. Not the entry as it stands today. Not the entry from a backup somebody made. The entry, with every supporting field, as the system held it at Q3 close.
- The approval chain. Every signature, every authority delegation, every dual-approval check.
- Non-modification. The evidence must be provably unmodified between close and today.
If your stack is a bitemporal graph with a chained audit log, all three become one query.
The reconstruction
MATCH (je:JournalEntry) AT RECORDED '2026-09-30T23:59:00Z'
WHERE je.id = '2026-Q3-44218'
OPTIONAL MATCH (je)-[:APPROVED_BY]->(a:Approver)
OPTIONAL MATCH (je)-[:SUPPORTED_BY]->(d:Document)
OPTIONAL MATCH (je)-[:TESTED_BY]->(c:ControlTest)
OPTIONAL MATCH (je)-[:MATERIALITY_BY]->(m:Threshold)
RETURN je, collect(a), collect(d), c, m
The financials graph rolls back to 23:58 on September 30. The entry. Every approver in the chain, with their delegation authority at that moment. Every supporting document. The control test that ran on the entry. The materiality threshold check. The ASC 606 memo. The complete walk-through, in six minutes.
The non-modification proof
This is the part most stacks can't actually deliver. The auditor wants to know that the entry, the approval chain, and the control evidence have not been edited between close and today. In a SHA-256-chained audit log, the answer is one procedure:
CALL db.verifyAclChain('je:2026-Q3-44218', from='2026-09-30', to='now')
YIELD entries, tampered
RETURN entries, tampered
For a well-formed entry, the chain returns zero tampered entries. If any single field had been silently edited between close and today, the chain would name the broken link. AS-1105's evidence-integrity requirement, met cryptographically.
The lineage walk
The auditor's third question is "what other entries depend on the same control?" One lineage walk. Twenty-three additional entries share control C-312. All passed. None overridden. The materiality assessment for the entire control's blast radius is immediate.
The 302/906 certification
Every quarter, the CEO and CFO sign certifications attesting to the design and operating effectiveness of the company's internal controls. With a chain underneath, those certifications stop being a leap of faith. The chain proves the controls fired. The chain proves no entry was modified. The certification is backed by math, not by hope.
The numbers
A three-week, $200,000 SOX walk-through cycle becomes a six-minute query. No material weakness disclosure. No restatement. No going-concern footnote. The 302/906 certification gains the property every CFO actually wants: defensible.