Build-Flow-Labs/sox-itgc-claude-skill

SOX ITGC — Claude Skill

License: MIT Status: v0.1.0 Built with Claude

Expert-level Sarbanes-Oxley Section 404 IT General Controls (ITGC) compliance guidance — installed as a Claude Skill.

Grounded in PCAOB AS 2201, COSO 2013 Internal Control Integrated Framework, SEC Final Rule 33-8238, and Big Four ITGC audit methodology. Built by Build Flow Labs.


Why this exists

Public-company SOX 404 ITGC is one of the most frequently asked compliance topics in engineering, internal audit, and SOX PMO circles — and it's missing from most open-source GRC skill sets. This skill fills the gap with:

  • The four ITGC domain taxonomy (Access to Programs and Data, Change Management, Computer Operations, SDLC)
  • PCAOB AS 2201 deficiency classification (DD / SD / MW)
  • IPE and EUC scoping
  • Cross-framework mappings to SOC 2, ISO 27001:2022, NIST CSF 2.0, COBIT 2019, NIST SP 800-53 Rev 5
  • A modern engineering control pattern — Build Chain of Custody (BCoC) — for satisfying SOX in CI/CD, IaC, and GitOps environments through forensic attestation rather than ticket-based CAB

What you can do with it

  • Gap assessments — structured 🔴/🟡/🟢 analysis across all four ITGC domains with remediation roadmaps
  • Control narratives — audit-ready statements with ID, objective, activity, frequency, owner, evidence, test procedure, IPE/EUC flags, assertion mapping
  • Deficiency analysis — PCAOB AS 2201 likelihood × magnitude framework, compensating control analysis, aggregation, MW disclosure thresholds
  • Testing plans — AICPA AAG-SAM sample sizes, walkthroughs, design vs operating effectiveness, IPE completeness and accuracy validation
  • Policy drafting — Logical Access, Change Management, SDLC, Computer Operations, Segregation of Duties, End-User Computing — all with document control blocks
  • Cross-framework mappings — when you need SOX, SOC 2, and ISO 27001 to share one control matrix without duplicate evidence

Install

  1. Download sox-itgc.skill from this repo.
  2. In Claude: Customize → Skills → Upload Skill.
  3. Select the .skill file.
  4. Start a new conversation. The skill activates automatically when you ask about SOX, ITGC, ICFR, or related topics — no need to invoke by name.

Sample prompts

Run a SOX ITGC gap assessment for our Oracle Fusion ERP across all four domains.
Draft a control narrative for our quarterly user access review of the financial
consolidation system, including IPE C&A requirements.
We deployed a hotfix to production without a change ticket. Walk through the
deficiency classification — DD, SD, or MW?
Design a change management control for our GitOps pipeline that an external
auditor will accept. We deploy 50+ times per day.
Map our existing SOC 2 CC6 controls to SOX ITGC APD requirements. What gaps remain?

Trigger phrases

The skill activates on any of: SOX, Section 404, ITGC, ICFR, internal control over financial reporting, 302/404 certification, PCAOB AS 2201, COSO 2013, key reports, IPE, EUC, control deficiency, significant deficiency, material weakness, design effectiveness, operating effectiveness, walkthrough, control testing, sampling, key control, change management controls, logical access controls, computer operations, SDLC controls, segregation of duties, user access review, privileged access, in-scope applications, audit evidence, remediation, PCAOB inspection, Build Chain of Custody, BCoC — even if SOX is not explicitly named.

Structure

sox-itgc/
├── SKILL.md              # Main skill — task router, core concepts, workflows
└── references/
    ├── scoping.md        # In-scope determination, key reports, IPE/EUC
    ├── controls.md       # Full ITGC control catalog (APD/CM/CO/SDLC/DBA)
    ├── testing.md        # Walkthroughs, sampling, TOD/TOE, working papers
    ├── deficiencies.md   # Severity classification, MW disclosure
    ├── mappings.md       # SOC 2, ISO 27001, NIST CSF, COBIT, 800-53
    ├── evidence.md       # Evidence catalog, IPE C&A, retention
    ├── policies.md       # Policy templates for all four domains + EUC + SoD
    └── bcoc.md           # Build Chain of Custody pattern for modern engineering

Uses Claude's progressive disclosure pattern: SKILL.md loads when the skill triggers; reference files load on demand based on the task.

Who this is for

  • SOX PMO leads running annual ICFR programs
  • Internal audit scoping ITGC and managing remediation
  • Engineering teams whose systems are in scope and want to design controls that don't destroy velocity
  • External auditor liaisons preparing PBC requests and walkthrough materials
  • GRC consultants and advisors supporting public-company clients

What this is not

This skill is not a substitute for an external auditor. Final scoping, deficiency classification, and remediation acceptance rest with the auditor of record and management. This is an expert advisor that accelerates your work; the auditor's professional judgment is the source of truth.

This skill is not legal advice. Material weakness disclosure decisions, 10-K Item 9A language, and SOX 302/404 certifications involve securities law and require qualified counsel.

License

MIT — use it, fork it, share it. Copyright © 2026 Build Flow Labs.

About Build Flow Labs

Build Flow Labs builds software supply chain security and compliance tooling for regulated environments. Visit buildflowlabs.com or reach out to advisory@buildflowlabs.com.


Roadmap

  • v0.1.0 (this release): Core SOX ITGC skill with all four domains, deficiency framework, cross-framework mappings, BCoC pattern.
  • v0.2 (planned): SOX 302 management certification companion module; key control vs key report distinction expanded; auditor PBC list templates.
  • v0.3 (planned): J-SOX (Japan), NI 52-109 (Canada), UK Audit Reform alignment.
  • Future: Eval benchmark suite (gap assessment, deficiency classification, control narrative quality).

Contributions and feedback welcome via GitHub issues.
