sox-compliance-mcp 0.1.0

package/README.md

@@ -0,0 +1,73 @@
+# sox-compliance-mcp
+
+MCP server for **Sarbanes-Oxley (SOX) compliance** — browse internal control requirements, assess audit readiness, generate ITGC and business process control policies, evidence checklists, gap analysis, and deficiency evaluation for public companies.
+
+Built for compliance teams, internal auditors, SOX program managers, and external audit support.
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `browse_controls` | Browse SOX controls by section (302/404), category (ITGC/business process/entity-level/disclosure), COSO component, or control type |
+| `assess_readiness` | Score compliance readiness based on implemented controls with filer-category-aware recommendations |
+| `generate_policy` | Generate detailed policy documents for any SOX control with implementation guidance |
+| `evidence_checklist` | Generate evidence collection checklists, walkthrough templates, or testing matrices |
+| `gap_analysis` | Compare implemented controls vs. requirements with prioritized remediation timeline |
+| `evaluate_deficiency` | Classify deficiencies as material weakness, significant deficiency, or control deficiency per PCAOB AS 2201 |
+
+## Controls Coverage
+
+- **IT General Controls (ITGC):** Access management, authentication, privileged access, change management (application + infrastructure), SoD, job scheduling, backup/recovery
+- **Business Process Controls:** Journal entries, account reconciliation, financial close, revenue recognition (ASC 606), vendor master, three-way match
+- **Entity-Level Controls:** CEO/CFO Section 302 certification, risk assessment, management review/monitoring, audit committee (Section 301)
+- **Disclosure Controls:** Section 409 real-time disclosure, Section 802 record retention, Section 806 whistleblower protection
+
+## Install
+
+```bash
+npx sox-compliance-mcp
+```
+
+### Claude Desktop
+
+```json
+{
+  "mcpServers": {
+    "sox-compliance": {
+      "command": "npx",
+      "args": ["-y", "sox-compliance-mcp"]
+    }
+  }
+}
+```
+
+## Examples
+
+Browse all ITGC controls:
+```
+browse_controls({ category: "itgc" })
+```
+
+Assess readiness for an accelerated filer:
+```
+assess_readiness({ implementedControls: ["ITGC-01", "ITGC-02", "BP-01", "EL-01"], companyType: "accelerated_filer" })
+```
+
+Generate a change management policy:
+```
+generate_policy({ controlId: "ITGC-04", companyName: "Acme Corp" })
+```
+
+Get a walkthrough template for business process controls:
+```
+evidence_checklist({ category: "business_process", format: "walkthrough" })
+```
+
+Evaluate a deficiency:
+```
+evaluate_deficiency({ deficiencyDescription: "Quarterly access reviews not completed for ERP system", controlId: "ITGC-01", financialStatementImpact: "more_than_inconsequential", likelihoodOfOccurrence: "reasonably_possible", compensatingControls: false })
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,829 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+// ── SOX Controls Database ─────────────────────────────────────────────
+const SOX_CONTROLS = [
+    // ── IT GENERAL CONTROLS (ITGC) ─────────────────────────────────────
+    {
+        id: "ITGC-01",
+        section: "404",
+        title: "Logical Access — User Provisioning",
+        description: "Formal procedures for granting, modifying, and revoking access to financially significant applications and databases.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["existence", "completeness", "rights_obligations"],
+        implementation: "Establish formal access request process with documented approvals. Require manager authorization for all access grants. Map access roles to job functions. Implement segregation of duties in role design. Automated provisioning/deprovisioning tied to HR events. Quarterly access review with sign-off.",
+        evidence: ["Access request forms with approvals", "Role-to-function mapping matrix", "Quarterly access review reports (signed)", "User provisioning/deprovisioning logs", "Segregation of duties conflict reports", "Terminated user access removal evidence"],
+        commonDeficiencies: ["Access granted without documented approval", "Terminated employees retain active access", "Quarterly access reviews not performed or not signed off", "Generic/shared accounts in production", "Segregation of duties conflicts not identified or remediated", "Service accounts with excessive privileges"],
+        testingApproach: "Select sample of new hires, terminations, and transfers. Verify access request approvals. Confirm termination access removal within SLA. Review quarterly access certification for completeness. Test for SoD conflicts. Verify generic accounts are documented with compensating controls.",
+        policyTemplate: "[Organization] maintains formal access management procedures for all financially significant applications. Access requests require documented approval from [role]. Access is provisioned based on role-based access control (RBAC) aligned with job function. Quarterly access reviews are completed by [role] with sign-off by [approver]. Access is removed within [N] hours of termination notification from HR. Segregation of duties conflicts are monitored using [tool/process].",
+        relatedControls: ["ITGC-02", "ITGC-03", "BP-01"],
+    },
+    {
+        id: "ITGC-02",
+        section: "404",
+        title: "Logical Access — Authentication Controls",
+        description: "Password policies, multi-factor authentication, and session management for financially significant systems.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "continuous",
+        assertion: ["existence", "rights_obligations"],
+        implementation: "Enforce minimum password complexity (12+ chars, mixed case, numbers, symbols). Password rotation per policy. Multi-factor authentication for privileged access and remote access. Account lockout after failed attempts. Session timeout for inactive sessions. No shared passwords. Privileged access management (PAM) for admin accounts.",
+        evidence: ["Password policy configuration screenshots", "MFA enrollment reports", "Account lockout configuration", "Session timeout settings", "PAM solution reports", "Failed login attempt monitoring"],
+        commonDeficiencies: ["Password policy not enforced in all systems", "MFA not enabled for privileged accounts", "No account lockout configured", "Shared administrator passwords", "No PAM solution for privileged access", "Session timeouts too long or not configured"],
+        testingApproach: "Inspect password policy configuration in each in-scope system. Verify MFA enrollment for all privileged users. Test account lockout functionality. Review session timeout settings. Verify PAM usage for admin activities. Check for shared/generic accounts.",
+        policyTemplate: "[Organization] enforces strong authentication controls across all financially significant systems. Passwords must meet minimum complexity requirements of [requirements]. Multi-factor authentication is required for [scope]. Accounts lock after [N] failed attempts. Sessions timeout after [N] minutes of inactivity. Privileged access is managed through [PAM solution] with just-in-time provisioning.",
+        relatedControls: ["ITGC-01", "ITGC-03"],
+    },
+    {
+        id: "ITGC-03",
+        section: "404",
+        title: "Logical Access — Privileged Access Management",
+        description: "Controls over elevated/administrative access to operating systems, databases, and applications supporting financial reporting.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "continuous",
+        assertion: ["existence", "rights_obligations", "completeness"],
+        implementation: "Separate privileged accounts from standard user accounts. Just-in-time privileged access with time-limited sessions. Privileged access monitored and logged. Break-glass procedures documented and tested. Regular review of privileged access holders. Background checks for privileged users.",
+        evidence: ["Privileged account inventory", "PAM session logs", "Break-glass procedure documentation", "Privileged access review reports", "Background check records for admins", "Monitoring alerts for privileged activity"],
+        commonDeficiencies: ["Developers with production database admin access", "No privileged access monitoring", "Break-glass accounts used routinely", "No periodic review of privileged users", "Standing admin access instead of just-in-time", "No separation between admin and user accounts"],
+        testingApproach: "Obtain privileged user listing for all in-scope systems. Verify business need and authorization for each. Review PAM logs for appropriateness. Test break-glass procedure and review usage. Verify monitoring of privileged activities.",
+        policyTemplate: "[Organization] manages privileged access through dedicated controls separate from standard access management. Privileged accounts are inventoried and reviewed [frequency]. Just-in-time access is enforced via [PAM tool]. All privileged sessions are logged and monitored. Break-glass procedures require [process] and are reviewed after each use.",
+        relatedControls: ["ITGC-01", "ITGC-02"],
+    },
+    {
+        id: "ITGC-04",
+        section: "404",
+        title: "Change Management — Application Changes",
+        description: "Formal procedures for requesting, developing, testing, approving, and deploying changes to financially significant applications.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["completeness", "accuracy", "existence"],
+        implementation: "Formal change request process with business justification. Separate development, test, and production environments. Code review by independent reviewer. User acceptance testing (UAT) with sign-off. Management approval before production deployment. Post-implementation verification. Emergency change procedures with retroactive approval.",
+        evidence: ["Change request tickets with approvals", "Code review documentation", "UAT sign-off records", "Deployment approval records", "Environment separation evidence", "Post-implementation verification records", "Emergency change documentation"],
+        commonDeficiencies: ["Changes deployed without testing documentation", "No UAT sign-off from business", "Developer access to production (no SoD)", "Emergency changes without retroactive approval", "No independent code review", "Test environment not representative of production"],
+        testingApproach: "Select sample of changes deployed during audit period. Trace each from request through approval, development, testing, UAT, deployment approval, and post-implementation review. Verify SoD between development and deployment. Review emergency changes for retroactive approval.",
+        policyTemplate: "[Organization] requires all changes to financially significant applications to follow the formal change management process. Changes require: (1) documented business request, (2) independent code review, (3) testing in non-production environment, (4) UAT sign-off from business owner, (5) deployment approval from [role], (6) post-implementation verification. Emergency changes follow expedited procedures with retroactive approval within [N] business days.",
+        relatedControls: ["ITGC-05", "ITGC-06", "ITGC-01"],
+    },
+    {
+        id: "ITGC-05",
+        section: "404",
+        title: "Change Management — Infrastructure Changes",
+        description: "Controls over changes to operating systems, databases, networks, and middleware supporting financial applications.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["completeness", "accuracy"],
+        implementation: "Change Advisory Board (CAB) review for infrastructure changes. Impact assessment for financially significant systems. Rollback plan required. Maintenance windows defined. Patch management with testing before production. Configuration management database (CMDB) updates.",
+        evidence: ["CAB meeting minutes", "Change tickets with impact assessments", "Rollback plans", "Patch testing records", "CMDB update logs", "Maintenance window schedules"],
+        commonDeficiencies: ["Infrastructure changes bypass CAB review", "No impact assessment for financial systems", "Missing rollback plans", "Patches applied to production without testing", "CMDB out of date", "No post-change verification"],
+        testingApproach: "Review CAB minutes and change tickets for infrastructure changes. Verify impact assessment for financial systems. Confirm rollback plans exist. Review patch management process and testing evidence. Verify CMDB accuracy against actual infrastructure.",
+        policyTemplate: "[Organization] manages infrastructure changes through a formal change management process. The Change Advisory Board meets [frequency] to review proposed changes. All changes affecting financially significant systems require impact assessment and rollback plan. Patches are tested in [environment] before production deployment. The CMDB is updated within [N] days of any change.",
+        relatedControls: ["ITGC-04", "ITGC-06"],
+    },
+    {
+        id: "ITGC-06",
+        section: "404",
+        title: "Change Management — Segregation of Duties",
+        description: "Separation between those who develop/configure changes and those who promote to production for financially significant systems.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "continuous",
+        assertion: ["existence", "rights_obligations"],
+        implementation: "Developers cannot deploy to production. Operations team manages production deployments. Automated deployment pipelines enforce separation. No developer access to production data. Documented exceptions with compensating controls. Regular SoD conflict scanning.",
+        evidence: ["Environment access matrices", "Deployment pipeline configuration", "SoD conflict reports", "Exception documentation with compensating controls", "Production access logs vs. development team roster"],
+        commonDeficiencies: ["Developers have production deployment access", "Same person approves and deploys", "Automated pipelines bypassed", "No monitoring of SoD violations", "Exceptions without compensating controls"],
+        testingApproach: "Review environment access for all in-scope systems. Compare developer list against production deployment access. Review deployment logs to verify separation. Test automated pipeline controls. Review exception documentation.",
+        policyTemplate: "[Organization] enforces segregation of duties between development and production environments. Developers do not have access to deploy changes to production. Production deployments are executed by [operations team/automated pipeline]. Exceptions require documented compensating controls approved by [role]. SoD conflicts are scanned [frequency] using [tool].",
+        relatedControls: ["ITGC-04", "ITGC-01"],
+    },
+    {
+        id: "ITGC-07",
+        section: "404",
+        title: "IT Operations — Job Scheduling and Processing",
+        description: "Controls ensuring batch jobs, interfaces, and automated processes execute completely and accurately.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "detective",
+        frequency: "daily",
+        assertion: ["completeness", "accuracy", "cutoff"],
+        implementation: "Automated job scheduling with monitoring. Job failure alerts and escalation procedures. Reconciliation of batch processing (input vs. output counts). Interface monitoring between systems. Job dependency management. Restart/recovery procedures documented.",
+        evidence: ["Job schedule documentation", "Job monitoring dashboard screenshots", "Failure alert configurations", "Batch reconciliation reports", "Interface monitoring logs", "Recovery procedure documentation"],
+        commonDeficiencies: ["No monitoring for failed jobs", "Batch reconciliation not performed", "Interface errors not detected timely", "No documented recovery procedures", "Job schedules not reviewed periodically", "Manual interventions not logged"],
+        testingApproach: "Review job schedules for financially significant processes. Verify monitoring and alerting configuration. Review failure logs and response times. Test batch reconciliation processes. Verify interface completeness checks.",
+        policyTemplate: "[Organization] maintains automated job scheduling and monitoring for all batch processes affecting financial reporting. Job failures trigger alerts to [team] within [N] minutes. Batch processing reconciliation verifies completeness of [key processes] daily. Interface monitoring validates [input/output] for all system integrations. Recovery procedures are documented and tested [frequency].",
+        relatedControls: ["ITGC-08", "BP-03"],
+    },
+    {
+        id: "ITGC-08",
+        section: "404",
+        title: "IT Operations — Backup and Recovery",
+        description: "Controls ensuring data and systems supporting financial reporting can be restored in case of failure or disaster.",
+        category: "itgc",
+        coso: "control_activities",
+        type: "corrective",
+        frequency: "daily",
+        assertion: ["existence", "completeness"],
+        implementation: "Automated backups per defined schedule. Off-site/cloud backup storage. Backup encryption. Regular restore testing. Defined RPO/RTO for financial systems. Disaster recovery plan with financial system priority. Annual DR testing.",
+        evidence: ["Backup schedule and configuration", "Backup completion logs", "Restore test results", "RPO/RTO documentation", "DR plan with financial system scope", "Annual DR test results", "Backup encryption evidence"],
+        commonDeficiencies: ["Backups not tested for restorability", "No defined RPO/RTO", "Backup media stored on-site only", "DR plan doesn't cover all financial systems", "DR test not performed annually", "Backup failures not monitored"],
+        testingApproach: "Review backup configuration and completion logs. Verify successful restore tests. Confirm RPO/RTO alignment with business needs. Review DR plan scope and test results. Verify off-site storage and encryption.",
+        policyTemplate: "[Organization] maintains comprehensive backup and recovery controls for all systems supporting financial reporting. Backups run [frequency] with [RPO]. Restore tests are performed [frequency] with documented results. Off-site backup storage is maintained at [location/provider]. The Disaster Recovery Plan covers all financially significant systems with [RTO]. DR tests are conducted annually with lessons learned documented.",
+        relatedControls: ["ITGC-07"],
+    },
+    // ── BUSINESS PROCESS CONTROLS ───────────────────────────────────────
+    {
+        id: "BP-01",
+        section: "404",
+        title: "Financial Close — Journal Entry Controls",
+        description: "Controls over the initiation, review, approval, and posting of journal entries to ensure completeness and accuracy of financial records.",
+        category: "business_process",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["completeness", "accuracy", "existence", "cutoff"],
+        implementation: "Standard journal entry authorization matrix. Segregation of duties: preparer vs. approver. System-enforced approval workflows. Management review of non-standard/manual entries. Threshold-based review (all entries above materiality). Restricted posting access. Automated reversals flagged.",
+        evidence: ["Journal entry policy with authorization matrix", "Sample entries with approval evidence", "Non-standard entry review documentation", "Access control report for posting privileges", "Automated reversal monitoring reports", "Period-end journal entry review sign-off"],
+        commonDeficiencies: ["Journal entries posted without approval", "Same person prepares and approves entries", "No review of non-standard/manual entries", "Excessive posting access", "No monitoring of automated reversals", "Back-dated entries not controlled"],
+        testingApproach: "Select sample of journal entries (standard, non-standard, manual, automated reversals). Verify authorization per policy. Test SoD for preparation vs. approval. Review management sign-off on non-standard entries. Verify posting access restriction.",
+        policyTemplate: "[Organization] requires all journal entries to be authorized per the Journal Entry Authorization Matrix. Standard entries follow automated workflows. Non-standard and manual entries require review by [role] before posting. Entries exceeding [threshold] require [additional approval]. The journal entry preparer cannot approve their own entries. Management reviews all period-end adjusting entries with documented sign-off.",
+        relatedControls: ["BP-02", "BP-03", "ITGC-01"],
+    },
+    {
+        id: "BP-02",
+        section: "404",
+        title: "Financial Close — Account Reconciliation",
+        description: "Timely preparation, review, and approval of balance sheet account reconciliations to ensure accuracy and completeness.",
+        category: "business_process",
+        coso: "control_activities",
+        type: "detective",
+        frequency: "monthly",
+        assertion: ["existence", "completeness", "valuation", "rights_obligations"],
+        implementation: "All balance sheet accounts reconciled per closing calendar. Reconciliation prepared by account owner, reviewed by independent party. Aging of reconciling items tracked. Materiality thresholds for investigation. Reconciliation tool or standardized template. Escalation for overdue reconciliations.",
+        evidence: ["Reconciliation policy and calendar", "Completed reconciliations with reviewer sign-off", "Aging reports for reconciling items", "Escalation records for overdue items", "Reconciliation completeness tracker"],
+        commonDeficiencies: ["Reconciliations not completed timely", "No independent review of reconciliations", "Stale reconciling items not investigated", "Incomplete reconciliation scope", "Reconciliation sign-off missing", "No tracking of reconciliation completion"],
+        testingApproach: "Select sample of balance sheet accounts. Verify reconciliation completion within policy deadlines. Confirm independent review and sign-off. Examine reconciling items for aging and resolution. Verify mathematical accuracy. Test completeness of reconciliation scope.",
+        policyTemplate: "[Organization] requires all balance sheet accounts to be reconciled [frequency] within [N] days of period close. Reconciliations are prepared by the account owner and independently reviewed by [role]. Reconciling items exceeding [N] days are escalated to [management level]. The reconciliation tracker is maintained by [role] and reviewed by [Controller/CFO] to ensure 100% completion.",
+        relatedControls: ["BP-01", "BP-03"],
+    },
+    {
+        id: "BP-03",
+        section: "404",
+        title: "Financial Close — Close Process and Checklist",
+        description: "Formal financial close process with defined steps, deadlines, owners, and management review to ensure complete and accurate period-end reporting.",
+        category: "business_process",
+        coso: "control_activities",
+        type: "detective",
+        frequency: "monthly",
+        assertion: ["completeness", "cutoff", "accuracy"],
+        implementation: "Detailed close checklist with task assignments and deadlines. Status tracking and escalation for delays. Management review of close package. Intercompany elimination procedures. Consolidation controls. Sub-certification by business units. Analytics review of financial results.",
+        evidence: ["Close checklist with completion evidence", "Close calendar with deadlines", "Management review sign-off on close package", "Sub-certification letters", "Analytical review documentation", "Intercompany elimination reconciliation"],
+        commonDeficiencies: ["Close process informal or undocumented", "No tracking of close task completion", "Management review is perfunctory (rubber stamp)", "Intercompany eliminations not reconciled", "No analytical review of results", "Sub-certifications missing or incomplete"],
+        testingApproach: "Review close checklists for sampled periods. Verify task completion within deadlines. Review management sign-off and evidence of substantive review. Test intercompany eliminations. Verify analytical review was performed and documented.",
+        policyTemplate: "[Organization] maintains a formal financial close process managed through a standardized close checklist. The close calendar defines deadlines for all tasks, with [role] responsible for tracking completion. Management reviews the close package including [key analyses] and provides documented sign-off. Business units provide sub-certifications for their results. Analytical review of financial results is performed by [role] comparing to [budget/prior period/forecast].",
+        relatedControls: ["BP-01", "BP-02", "EL-03"],
+    },
+    {
+        id: "BP-04",
+        section: "404",
+        title: "Revenue — Revenue Recognition Controls",
+        description: "Controls ensuring revenue is recognized in accordance with ASC 606 / IFRS 15 with proper evidence of performance obligations.",
+        category: "business_process",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["existence", "completeness", "accuracy", "cutoff", "valuation"],
+        implementation: "Revenue recognition policy aligned with ASC 606 five-step model. Contract review for performance obligation identification. System-enforced revenue recognition rules where possible. Manual adjustments reviewed by accounting management. Cutoff testing at period end. Variable consideration estimation review. Bill-and-hold, consignment, and right-of-return procedures.",
+        evidence: ["Revenue recognition policy (ASC 606 aligned)", "Contract review documentation", "System configuration for revenue rules", "Manual adjustment review evidence", "Cutoff testing workpapers", "Variable consideration estimation documentation", "Revenue disaggregation analysis"],
+        commonDeficiencies: ["Revenue recognition policy not updated for ASC 606", "Performance obligations not properly identified", "Cutoff errors at period end", "Variable consideration not estimated properly", "Bill-and-hold criteria not evaluated", "No review of manual revenue adjustments"],
+        testingApproach: "Select sample of revenue transactions across periods. Trace from contract to revenue recognition. Verify performance obligation identification. Test cutoff for transactions near period end. Review variable consideration estimates. Verify ASC 606 disclosure completeness.",
+        policyTemplate: "[Organization] recognizes revenue in accordance with ASC 606 using the five-step model: (1) identify contracts, (2) identify performance obligations, (3) determine transaction price, (4) allocate transaction price, (5) recognize revenue when/as performance obligations are satisfied. Contract reviews for complex arrangements are performed by [role]. Variable consideration is estimated using [method] and constrained appropriately. Revenue cutoff procedures are performed at each period end.",
+        relatedControls: ["BP-01", "BP-03", "EL-03"],
+    },
+    {
+        id: "BP-05",
+        section: "404",
+        title: "Procure-to-Pay — Vendor Master Controls",
+        description: "Controls over creation, modification, and deactivation of vendor master records to prevent unauthorized payments.",
+        category: "business_process",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["existence", "rights_obligations", "accuracy"],
+        implementation: "Formal vendor onboarding with W-9/tax documentation. Segregation: vendor master changes vs. payment processing. Approval required for new vendors and banking changes. Duplicate vendor detection. Regular vendor master review. Vendor banking change verification (callback, email confirmation). Deactivation of dormant vendors.",
+        evidence: ["Vendor onboarding procedures", "Vendor master change approvals", "SoD matrix for vendor master vs. AP", "Duplicate detection reports", "Vendor master review sign-off", "Banking change verification evidence"],
+        commonDeficiencies: ["No approval for vendor master changes", "Same person creates vendors and processes payments", "No verification of banking changes (BEC fraud risk)", "Duplicate vendors active", "Dormant vendors not deactivated", "No W-9 on file for 1099 vendors"],
+        testingApproach: "Select sample of new vendors and vendor changes. Verify approvals and documentation. Test SoD between vendor master and AP. Review banking change verifications. Run duplicate vendor analysis. Review dormant vendor list.",
+        policyTemplate: "[Organization] controls vendor master data through formal procedures. New vendors require [documentation] and approval from [role]. Banking information changes require verification through [callback/confirmation method] before activation. Vendor master changes are segregated from payment processing. Duplicate vendor scans run [frequency]. Vendors inactive for [N] months are deactivated and reviewed before reactivation.",
+        relatedControls: ["BP-06", "ITGC-01"],
+    },
+    {
+        id: "BP-06",
+        section: "404",
+        title: "Procure-to-Pay — Three-Way Match",
+        description: "Automated or manual matching of purchase orders, receiving documents, and invoices before payment to ensure only legitimate obligations are paid.",
+        category: "business_process",
+        coso: "control_activities",
+        type: "preventive",
+        frequency: "per_transaction",
+        assertion: ["existence", "accuracy", "completeness"],
+        implementation: "System-enforced three-way match (PO, receipt, invoice). Tolerance thresholds for auto-match. Exception queue for mismatches with defined resolution procedures. Non-PO invoice approval workflow. Duplicate invoice detection. Payment authorization levels.",
+        evidence: ["Three-way match configuration", "Match exception reports and resolutions", "Non-PO invoice approval records", "Duplicate invoice detection reports", "Payment authorization matrix"],
+        commonDeficiencies: ["Three-way match bypassed for certain transaction types", "Tolerance thresholds too high", "Match exceptions not resolved timely", "No duplicate invoice detection", "Non-PO invoices approved without scrutiny", "Payment runs not reviewed before release"],
+        testingApproach: "Select sample of payments. Verify three-way match evidence. Review exception handling. Test duplicate invoice detection. Verify non-PO invoice approvals. Review payment authorization against policy.",
+        policyTemplate: "[Organization] requires three-way matching of purchase orders, receiving documents, and vendor invoices before payment. The system enforces matching with [tolerance %]. Match exceptions are routed to [role] for investigation and resolution within [N] days. Non-PO invoices require approval from [role] above [threshold]. Duplicate invoice detection runs automatically. Payment runs exceeding [threshold] require [additional approval].",
+        relatedControls: ["BP-05", "BP-01"],
+    },
+    // ── ENTITY-LEVEL CONTROLS ──────────────────────────────────────────
+    {
+        id: "EL-01",
+        section: "302",
+        title: "Tone at the Top — CEO/CFO Certification",
+        description: "CEO and CFO certifications under Section 302 regarding the effectiveness of disclosure controls and procedures.",
+        category: "entity_level",
+        coso: "control_environment",
+        type: "detective",
+        frequency: "quarterly",
+        assertion: ["completeness", "accuracy", "existence"],
+        implementation: "Quarterly Section 302 certifications by CEO and CFO. Sub-certification process from business unit leaders and functional executives. Disclosure committee review of significant items. Evaluation of disclosure controls and procedures effectiveness. Documentation of evaluation basis.",
+        evidence: ["Signed 302 certifications", "Sub-certification letters from business units", "Disclosure committee meeting minutes", "Evaluation documentation", "List of significant disclosure items reviewed"],
+        commonDeficiencies: ["Sub-certification process not implemented", "Disclosure committee meets infrequently or informally", "No documentation of evaluation methodology", "CEO/CFO sign without substantive review", "Significant items not surfaced to disclosure committee"],
+        testingApproach: "Review signed 302 certifications. Verify sub-certification process and coverage. Review disclosure committee meeting minutes for substantive discussion. Verify evaluation documentation supports certification.",
+        policyTemplate: "[Organization]'s CEO and CFO provide Section 302 certifications quarterly supported by a sub-certification process. Business unit leaders and functional executives submit sub-certifications covering [scope] by [deadline]. The Disclosure Committee meets [frequency] to review significant items and assess disclosure controls effectiveness. The evaluation methodology is documented and covers [scope].",
+        relatedControls: ["EL-02", "EL-03", "BP-03"],
+    },
+    {
+        id: "EL-02",
+        section: "404",
+        title: "Risk Assessment — Financial Reporting Risk",
+        description: "Formal process for identifying and assessing risks to financial reporting, including fraud risk, and mapping controls to address those risks.",
+        category: "entity_level",
+        coso: "risk_assessment",
+        type: "detective",
+        frequency: "annual",
+        assertion: ["completeness", "accuracy", "valuation"],
+        implementation: "Annual financial reporting risk assessment. Fraud risk assessment per ASC 240 / SAS 99. Significant account and disclosure identification. Relevant assertion identification for each significant account. Control mapping to risks and assertions. Materiality determination. Scoping of locations and business units.",
+        evidence: ["Financial reporting risk assessment", "Fraud risk assessment", "Significant account identification with materiality", "Risk-control mapping matrix", "Scoping documentation", "Materiality calculation"],
+        commonDeficiencies: ["No formal risk assessment process", "Fraud risk assessment not performed", "Risk assessment not updated for business changes", "Significant accounts not properly identified", "Controls not mapped to specific risks and assertions", "Materiality not calculated or not appropriate"],
+        testingApproach: "Review risk assessment methodology and results. Verify fraud risk assessment completeness. Confirm significant account identification and materiality basis. Verify control-to-risk mapping. Assess whether scoping captures all material locations.",
+        policyTemplate: "[Organization] performs an annual financial reporting risk assessment covering fraud risk, significant accounts and disclosures, and control mapping. Materiality is calculated using [methodology]. The risk assessment drives the scoping of locations, business units, and controls for SOX compliance. Fraud risk assessment follows [ASC 240/SAS 99] guidance. The risk-control matrix is maintained by [role] and reviewed by [approver].",
+        relatedControls: ["EL-01", "EL-03"],
+    },
+    {
+        id: "EL-03",
+        section: "404",
+        title: "Monitoring — Management Review Controls",
+        description: "Ongoing monitoring activities and management reviews that provide oversight of internal controls over financial reporting.",
+        category: "entity_level",
+        coso: "monitoring",
+        type: "detective",
+        frequency: "quarterly",
+        assertion: ["completeness", "accuracy", "valuation"],
+        implementation: "Quarterly management review of financial results (budget vs. actual, trend analysis, KPIs). Board/audit committee oversight. Internal audit program. Deficiency evaluation process (significant deficiency vs. material weakness). Remediation tracking. Annual control self-assessment.",
+        evidence: ["Management review meeting minutes with financial analysis", "Board/audit committee materials and minutes", "Internal audit reports", "Deficiency evaluation documentation", "Remediation tracking reports", "Control self-assessment results"],
+        commonDeficiencies: ["Management reviews lack rigor or documentation", "Audit committee not independent or not financial experts", "Internal audit function absent or under-resourced", "Deficiency evaluation process not formalized", "Remediation plans not tracked to completion", "No control self-assessment"],
+        testingApproach: "Review management review documentation for evidence of substantive analysis. Verify board/audit committee independence and expertise. Review internal audit charter, plan, and reports. Test deficiency evaluation process for sampled deficiencies. Verify remediation status.",
+        policyTemplate: "[Organization] maintains ongoing monitoring of internal controls through: (1) quarterly management reviews of financial results including [analyses performed], (2) audit committee oversight with [frequency] meetings, (3) internal audit program covering [scope], (4) formal deficiency evaluation classifying findings as control deficiency, significant deficiency, or material weakness, (5) remediation tracking with [role] accountability.",
+        relatedControls: ["EL-01", "EL-02", "BP-03"],
+    },
+    {
+        id: "EL-04",
+        section: "301",
+        title: "Audit Committee — Independence and Oversight",
+        description: "Audit committee composition, independence, financial expertise, and oversight responsibilities under Section 301.",
+        category: "entity_level",
+        coso: "control_environment",
+        type: "preventive",
+        frequency: "annual",
+        assertion: ["existence", "rights_obligations"],
+        implementation: "Audit committee charter defining responsibilities. All members independent directors. At least one financial expert. Direct authority over external auditor. Whistleblower complaint procedures. Regular private sessions with external and internal auditors. Review of related party transactions.",
+        evidence: ["Audit committee charter", "Member independence assessments", "Financial expert designation", "Meeting minutes", "Whistleblower procedure documentation", "External auditor engagement letter"],
+        commonDeficiencies: ["Committee member not independent", "No designated financial expert", "Charter not updated", "Insufficient meeting frequency", "No private sessions with auditors", "Whistleblower procedures not communicated"],
+        testingApproach: "Review audit committee charter and composition. Verify independence of all members. Confirm financial expert designation and qualifications. Review meeting minutes for rigor. Verify whistleblower procedures are operational.",
+        policyTemplate: "[Organization]'s Audit Committee consists of [N] independent directors with [name] designated as the financial expert per SEC rules. The Committee meets [frequency], maintains direct authority over the external auditor, and conducts private sessions with external and internal auditors at each meeting. Whistleblower complaints are received through [channel] and reviewed by the Committee per the complaint handling procedures.",
+        relatedControls: ["EL-01", "EL-03"],
+    },
+    // ── DISCLOSURE CONTROLS ────────────────────────────────────────────
+    {
+        id: "DC-01",
+        section: "409",
+        title: "Real-Time Disclosure — Material Event Reporting",
+        description: "Procedures for identifying and reporting material events on a rapid and current basis through 8-K filings.",
+        category: "disclosure",
+        coso: "information_communication",
+        type: "detective",
+        frequency: "continuous",
+        assertion: ["completeness", "accuracy", "cutoff"],
+        implementation: "Disclosure triggers matrix defining reportable events. Escalation procedures for material events. Disclosure committee rapid-response protocol. 8-K filing procedures within 4 business days. Legal review of disclosure language. Communication channels from business units to legal/finance.",
+        evidence: ["Disclosure triggers matrix", "Escalation procedure documentation", "8-K filing log with timing", "Disclosure committee rapid-response records", "Legal review sign-off", "Communication channel documentation"],
+        commonDeficiencies: ["No disclosure triggers matrix", "Business units not aware of escalation obligations", "8-K filings late (more than 4 business days)", "No legal review of disclosure language", "Disclosure committee not convened for triggering events", "Incomplete coverage of reportable events"],
+        testingApproach: "Review disclosure triggers matrix for completeness against SEC requirements. Test notification and escalation procedures. Verify 8-K filing timeliness for sampled events. Confirm legal review process. Assess communication channels from business units.",
+        policyTemplate: "[Organization] maintains real-time disclosure procedures per Section 409. The Disclosure Triggers Matrix defines [N] categories of reportable events. Business units are required to notify [legal/finance] within [N] hours of a potential triggering event. The Disclosure Committee convenes within [N] hours. 8-K filings are prepared, legally reviewed, and filed within 4 business days. The disclosure triggers matrix is reviewed [frequency].",
+        relatedControls: ["EL-01", "DC-02"],
+    },
+    {
+        id: "DC-02",
+        section: "802",
+        title: "Record Retention — Document Preservation",
+        description: "Controls ensuring retention of audit workpapers, financial records, and electronic communications per SOX Section 802.",
+        category: "disclosure",
+        coso: "information_communication",
+        type: "preventive",
+        frequency: "continuous",
+        assertion: ["existence", "completeness"],
+        implementation: "Document retention policy covering SOX requirements (7-year minimum for audit workpapers). Electronic communication preservation. Litigation hold procedures. Document destruction schedule with compliance checkpoints. Audit workpaper protection and access controls. Training on retention obligations.",
+        evidence: ["Document retention policy", "Retention schedule by document type", "Litigation hold procedures", "Electronic communication archiving system", "Audit workpaper access controls", "Training records"],
+        commonDeficiencies: ["No formal retention policy", "Audit workpapers destroyed prematurely", "No litigation hold procedures", "Electronic communications not preserved", "Retention policy not communicated to employees", "Auto-deletion policies conflict with retention requirements"],
+        testingApproach: "Review retention policy against SOX requirements. Verify electronic communication archiving. Test litigation hold procedures. Verify audit workpaper retention and access controls. Confirm retention schedule compliance for sampled document types.",
+        policyTemplate: "[Organization] maintains document retention controls per SOX Section 802. Audit workpapers and supporting documents are retained for [7+] years. Electronic communications are archived using [system]. Litigation holds are managed by [legal] with preservation notices to [scope]. Document destruction follows the approved retention schedule with compliance review before execution.",
+        relatedControls: ["DC-01", "EL-04"],
+    },
+    {
+        id: "DC-03",
+        section: "806",
+        title: "Whistleblower Protection",
+        description: "Procedures for receiving, retaining, and responding to complaints regarding accounting, internal controls, or auditing matters, with whistleblower protection.",
+        category: "disclosure",
+        coso: "control_environment",
+        type: "detective",
+        frequency: "continuous",
+        assertion: ["completeness", "existence"],
+        implementation: "Anonymous reporting channels (hotline, web portal, email). Complaints routed to audit committee. Investigation procedures. Protection against retaliation. Record retention for complaints. Regular reporting to audit committee. Third-party hotline provider recommended.",
+        evidence: ["Whistleblower policy", "Hotline/reporting channel configuration", "Complaint log and investigation records", "Audit committee complaint reports", "Anti-retaliation policy", "Training records on whistleblower procedures"],
+        commonDeficiencies: ["No anonymous reporting channel", "Complaints not routed to audit committee", "Investigation procedures informal", "No anti-retaliation protections documented", "Employees unaware of reporting channels", "Complaint log not maintained"],
+        testingApproach: "Review whistleblower policy and reporting channels. Verify anonymity capability. Confirm routing to audit committee. Review investigation procedures for sampled complaints. Verify anti-retaliation policy communication.",
+        policyTemplate: "[Organization] maintains confidential whistleblower reporting channels including [hotline number, web portal URL, email]. Reports are received by [third-party provider] and routed to the Audit Committee. Investigations follow documented procedures managed by [role]. Anti-retaliation protections are communicated to all employees during [onboarding/annual training]. Complaint activity is reported to the Audit Committee [frequency].",
+        relatedControls: ["EL-04", "DC-01"],
+    },
+];
+// ── Readiness Assessment ──────────────────────────────────────────────
+function assessReadiness(implementedControls) {
+    const implemented = new Set(implementedControls.map((c) => c.toUpperCase()));
+    const total = SOX_CONTROLS.length;
+    let totalImplemented = 0;
+    const byCategory = {};
+    for (const control of SOX_CONTROLS) {
+        const cat = control.category;
+        if (!byCategory[cat])
+            byCategory[cat] = { implemented: 0, total: 0, score: 0 };
+        byCategory[cat].total++;
+        if (implemented.has(control.id)) {
+            totalImplemented++;
+            byCategory[cat].implemented++;
+        }
+    }
+    for (const cat of Object.keys(byCategory)) {
+        byCategory[cat].score = Math.round((byCategory[cat].implemented / byCategory[cat].total) * 100);
+    }
+    const score = Math.round((totalImplemented / total) * 100);
+    const criticalGaps = SOX_CONTROLS.filter((c) => !implemented.has(c.id) && (c.section === "404" || c.section === "302"));
+    const recommendations = [];
+    if (!implemented.has("EL-02"))
+        recommendations.push("IMMEDIATE: Perform financial reporting risk assessment — this drives all other SOX compliance activities");
+    if (!implemented.has("ITGC-01"))
+        recommendations.push("CRITICAL: Implement formal access management — auditors test this in every engagement");
+    if (!implemented.has("ITGC-04"))
+        recommendations.push("CRITICAL: Formalize change management — uncontrolled changes are a common material weakness");
+    if (!implemented.has("BP-01"))
+        recommendations.push("HIGH: Implement journal entry controls — most common area for fraud and material misstatement");
+    if (!implemented.has("BP-02"))
+        recommendations.push("HIGH: Implement account reconciliation process — detective control for catching errors");
+    if (!implemented.has("EL-01"))
+        recommendations.push("REQUIRED: Establish Section 302 certification and sub-certification process");
+    if (!implemented.has("EL-04"))
+        recommendations.push("REQUIRED: Ensure audit committee independence and financial expertise per Section 301");
+    if (byCategory["itgc"]?.score < 50)
+        recommendations.push("ITGC are the foundation — auditors can't rely on automated controls if ITGCs fail");
+    if (recommendations.length === 0)
+        recommendations.push("Strong posture — focus on testing effectiveness and documentation quality");
+    return { score, total, implemented: totalImplemented, byCategory, criticalGaps, recommendations };
+}
+// ── MCP Server ────────────────────────────────────────────────────────
+const server = new McpServer({
+    name: "sox-compliance-mcp",
+    version: "0.1.0",
+});
+// Tool 1: Browse Controls
+server.tool("browse_controls", "Browse SOX control requirements by section (302/404/906/etc.), category (itgc/business_process/entity_level/disclosure), COSO component, or control type.", {
+    section: z.enum(["302", "404", "906", "409", "802", "806", "301"]).optional().describe("Filter by SOX section"),
+    category: z.enum(["itgc", "business_process", "entity_level", "it_dependent_manual", "disclosure"]).optional().describe("Filter by control category"),
+    coso: z.enum(["control_environment", "risk_assessment", "control_activities", "information_communication", "monitoring"]).optional().describe("Filter by COSO component"),
+    type: z.enum(["preventive", "detective", "corrective"]).optional().describe("Filter by control type"),
+    search: z.string().optional().describe("Search control titles and descriptions"),
+}, async ({ section, category, coso, type, search }) => {
+    let results = [...SOX_CONTROLS];
+    if (section)
+        results = results.filter((c) => c.section === section);
+    if (category)
+        results = results.filter((c) => c.category === category);
+    if (coso)
+        results = results.filter((c) => c.coso === coso);
+    if (type)
+        results = results.filter((c) => c.type === type);
+    if (search) {
+        const q = search.toLowerCase();
+        results = results.filter((c) => c.title.toLowerCase().includes(q) || c.description.toLowerCase().includes(q) || c.id.toLowerCase().includes(q));
+    }
+    if (results.length === 0) {
+        return { content: [{ type: "text", text: "No controls match your criteria." }] };
+    }
+    const output = [
+        `# SOX Controls (${results.length} results)`,
+        ``,
+        ...results.map((c) => [
+            `## ${c.id}: ${c.title}`,
+            `**Section:** ${c.section} | **Category:** ${c.category} | **COSO:** ${c.coso} | **Type:** ${c.type} | **Frequency:** ${c.frequency}`,
+            `**Assertions:** ${c.assertion.join(", ")}`,
+            ``,
+            c.description,
+            ``,
+            `**Implementation:** ${c.implementation}`,
+            ``,
+            `**Common Deficiencies:**`,
+            ...c.commonDeficiencies.map((d) => `- ${d}`),
+            ``,
+            `**Testing Approach:** ${c.testingApproach}`,
+            ``,
+        ].join("\n")),
+        `---`,
+        `Automate your SOX compliance: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 2: Assess Readiness
+server.tool("assess_readiness", "Score your SOX compliance readiness based on which controls you've implemented. Provide the IDs of controls you have in place.", {
+    implementedControls: z.array(z.string()).describe("Array of control IDs you have implemented (e.g., ['ITGC-01', 'BP-01', 'EL-01'])"),
+    companyType: z.enum(["large_accelerated_filer", "accelerated_filer", "non_accelerated_filer", "emerging_growth"]).default("accelerated_filer").describe("SEC filer category — affects SOX requirements"),
+}, async ({ implementedControls, companyType }) => {
+    const result = assessReadiness(implementedControls);
+    const filerNote = companyType === "emerging_growth"
+        ? "\n**Note:** As an Emerging Growth Company, Section 404(b) external auditor attestation is not required (but 404(a) management assessment is)."
+        : companyType === "non_accelerated_filer"
+            ? "\n**Note:** Non-Accelerated Filers are exempt from Section 404(b) external auditor attestation."
+            : "";
+    const output = [
+        `# SOX Compliance Readiness Assessment`,
+        ``,
+        `## Overall Score: ${result.score}%`,
+        `- **Controls Implemented:** ${result.implemented}/${result.total}`,
+        `- **Filer Category:** ${companyType.replace(/_/g, " ")}${filerNote}`,
+        ``,
+        `## Readiness by Category`,
+        ...Object.entries(result.byCategory)
+            .filter(([, v]) => v.total > 0)
+            .map(([cat, v]) => `- **${cat.replace(/_/g, " ")}:** ${v.implemented}/${v.total} (${v.score}%) ${v.score < 50 ? "-- CRITICAL GAP" : v.score < 80 ? "-- needs attention" : "-- good"}`),
+        ``,
+        `## Section 404/302 Controls Missing (${result.criticalGaps.length})`,
+        ...result.criticalGaps.map((g) => `- **${g.id}:** ${g.title} (Section ${g.section})`),
+        ``,
+        `## Priority Recommendations`,
+        ...result.recommendations.map((r, i) => `${i + 1}. ${r}`),
+        ``,
+        `## Audit Readiness`,
+        result.score >= 80 ? "**READY** — Strong control environment. Focus on testing documentation and operating effectiveness evidence." :
+            result.score >= 50 ? "**AT RISK** — Significant gaps may result in significant deficiencies or material weaknesses. Remediate before audit period." :
+                "**NOT READY** — Major control gaps exist. Material weakness likely if audited. Prioritize ITGC and entity-level controls immediately.",
+        ``,
+        `---`,
+        `Track your SOX compliance: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 3: Generate Policy
+server.tool("generate_policy", "Generate a SOX-compliant policy document for a specific control. Includes implementation requirements, evidence needed, and common deficiencies to avoid.", {
+    controlId: z.string().describe("Control ID to generate policy for (e.g., 'ITGC-01', 'BP-01', 'EL-01')"),
+    companyName: z.string().default("[Organization]").describe("Company name for the policy document"),
+}, async ({ controlId, companyName }) => {
+    const control = SOX_CONTROLS.find((c) => c.id === controlId.toUpperCase());
+    if (!control) {
+        return { content: [{ type: "text", text: `Control ${controlId} not found. Use browse_controls to see available IDs.` }] };
+    }
+    const output = [
+        `# ${companyName} — ${control.title} Policy`,
+        `**Control ID:** ${control.id} | **SOX Section:** ${control.section} | **Category:** ${control.category}`,
+        `**COSO Component:** ${control.coso} | **Type:** ${control.type} | **Frequency:** ${control.frequency}`,
+        ``,
+        `## 1. Purpose`,
+        control.description,
+        ``,
+        `## 2. Scope`,
+        `This policy applies to all financially significant systems, processes, and personnel involved in ${control.title.toLowerCase()}.`,
+        ``,
+        `## 3. Policy Statement`,
+        control.policyTemplate.replace(/\[Organization\]/g, companyName),
+        ``,
+        `## 4. Implementation Requirements`,
+        control.implementation,
+        ``,
+        `## 5. Assertions Addressed`,
+        ...control.assertion.map((a) => `- **${a.replace(/_/g, " ")}**`),
+        ``,
+        `## 6. Evidence Requirements`,
+        ...control.evidence.map((e, i) => `${i + 1}. ${e}`),
+        ``,
+        `## 7. Testing Approach`,
+        control.testingApproach,
+        ``,
+        `## 8. Common Deficiencies to Avoid`,
+        ...control.commonDeficiencies.map((d) => `- ${d}`),
+        ``,
+        `## 9. Related Controls`,
+        ...control.relatedControls.map((id) => {
+            const related = SOX_CONTROLS.find((c) => c.id === id);
+            return related ? `- **${id}:** ${related.title}` : `- ${id}`;
+        }),
+        ``,
+        `## 10. Review and Approval`,
+        `| Role | Name | Date | Signature |`,
+        `|------|------|------|-----------|`,
+        `| Policy Owner | | | |`,
+        `| SOX Program Manager | | | |`,
+        `| CFO / Controller | | | |`,
+        ``,
+        `**Effective Date:** ___________`,
+        `**Next Review:** ___________`,
+        `**Version:** 1.0`,
+        ``,
+        `---`,
+        `Automate SOX policy generation: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 4: Evidence Checklist
+server.tool("evidence_checklist", "Generate a comprehensive evidence collection checklist for SOX audit readiness, either for a specific control or an entire category.", {
+    controlId: z.string().optional().describe("Specific control ID (e.g., 'ITGC-01'). If omitted, generates checklist for the entire category."),
+    category: z.enum(["itgc", "business_process", "entity_level", "disclosure"]).optional().describe("Category to generate checklist for (used when controlId is omitted)"),
+    format: z.enum(["checklist", "walkthrough", "testing_matrix"]).default("checklist").describe("Output format"),
+}, async ({ controlId, category, format }) => {
+    let controls;
+    let title;
+    if (controlId) {
+        const control = SOX_CONTROLS.find((c) => c.id === controlId.toUpperCase());
+        if (!control) {
+            return { content: [{ type: "text", text: `Control ${controlId} not found.` }] };
+        }
+        controls = [control];
+        title = `${control.id}: ${control.title}`;
+    }
+    else if (category) {
+        controls = SOX_CONTROLS.filter((c) => c.category === category);
+        title = `${category.replace(/_/g, " ").toUpperCase()} Controls`;
+    }
+    else {
+        controls = SOX_CONTROLS;
+        title = "All SOX Controls";
+    }
+    let output;
+    if (format === "walkthrough") {
+        output = [
+            `# SOX Walkthrough Template: ${title}`,
+            ``,
+            ...controls.map((c) => [
+                `## ${c.id}: ${c.title}`,
+                `**Section:** ${c.section} | **Frequency:** ${c.frequency} | **Type:** ${c.type}`,
+                ``,
+                `### Process Description`,
+                c.implementation,
+                ``,
+                `### Walkthrough Questions`,
+                `1. Who performs this control? (Name, title, department)`,
+                `2. How frequently is it performed?`,
+                `3. What triggers the control execution?`,
+                `4. What is reviewed/checked during execution?`,
+                `5. What evidence is generated?`,
+                `6. Where is evidence stored?`,
+                `7. What happens when an exception is identified?`,
+                `8. Who reviews the control performer's work?`,
+                ``,
+                `### Evidence Observed During Walkthrough`,
+                ...c.evidence.map((e) => `- [ ] ${e}`),
+                ``,
+                `### Walkthrough Conclusion`,
+                `- [ ] Control is designed effectively`,
+                `- [ ] Control is operating as designed`,
+                `- [ ] Exception/deficiency identified: ___________`,
+                ``,
+            ].join("\n")),
+            `---`,
+            `Streamline SOX walkthroughs: https://complianceiq.site`,
+        ].join("\n");
+    }
+    else if (format === "testing_matrix") {
+        output = [
+            `# SOX Testing Matrix: ${title}`,
+            ``,
+            `| Control ID | Control Title | Type | Frequency | Sample Size | Test Procedure | Result | Exception |`,
+            `|-----------|--------------|------|-----------|-------------|---------------|--------|-----------|`,
+            ...controls.map((c) => {
+                const sampleSize = c.frequency === "annual" ? "1" : c.frequency === "quarterly" ? "2-4" : c.frequency === "monthly" ? "2-5" : c.frequency === "daily" ? "25-40" : "25-60";
+                return `| ${c.id} | ${c.title} | ${c.type} | ${c.frequency} | ${sampleSize} | ${c.testingApproach.slice(0, 80)}... | [ ] Pass [ ] Fail | |`;
+            }),
+            ``,
+            `## Sample Size Guidance (PCAOB AS 2201)`,
+            `- **Annual controls:** 1 instance`,
+            `- **Quarterly controls:** 2-4 instances`,
+            `- **Monthly controls:** 2-5 instances`,
+            `- **Weekly controls:** 5-15 instances`,
+            `- **Daily/per-transaction controls:** 25-60 instances (based on risk)`,
+            ``,
+            `---`,
+            `Automate SOX testing: https://complianceiq.site`,
+        ].join("\n");
+    }
+    else {
+        output = [
+            `# SOX Evidence Checklist: ${title}`,
+            ``,
+            ...controls.map((c) => [
+                `## ${c.id}: ${c.title}`,
+                `**Section:** ${c.section} | **Category:** ${c.category} | **Frequency:** ${c.frequency}`,
+                ``,
+                ...c.evidence.map((e) => `- [ ] ${e}`),
+                ``,
+                `**Deadline:** ___________`,
+                `**Owner:** ___________`,
+                `**Status:** Not Started / In Progress / Complete`,
+                ``,
+            ].join("\n")),
+            `---`,
+            `Track SOX evidence collection: https://complianceiq.site`,
+        ].join("\n");
+    }
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 5: Gap Analysis
+server.tool("gap_analysis", "Compare your current SOX controls against requirements and identify gaps with prioritized remediation recommendations.", {
+    implementedControls: z.array(z.string()).describe("Array of control IDs you have implemented"),
+    auditTimeline: z.enum(["under_3_months", "3_to_6_months", "6_to_12_months", "over_12_months"]).default("6_to_12_months").describe("Time until SOX audit/assessment"),
+    firstYearSOX: z.boolean().default(false).describe("Is this the company's first year of SOX compliance (e.g., post-IPO)?"),
+}, async ({ implementedControls, auditTimeline, firstYearSOX }) => {
+    const implemented = new Set(implementedControls.map((c) => c.toUpperCase()));
+    const gaps = SOX_CONTROLS.filter((c) => !implemented.has(c.id));
+    const urgencyMap = {
+        under_3_months: 4,
+        "3_to_6_months": 3,
+        "6_to_12_months": 2,
+        over_12_months: 1,
+    };
+    const urgency = urgencyMap[auditTimeline] || 2;
+    const prioritized = gaps.map((g) => {
+        let priority = 0;
+        if (g.section === "404")
+            priority += 3;
+        if (g.section === "302")
+            priority += 3;
+        if (g.category === "itgc")
+            priority += 2;
+        if (g.category === "entity_level")
+            priority += 2;
+        if (g.type === "preventive")
+            priority += 1;
+        return { ...g, priority };
+    }).sort((a, b) => b.priority - a.priority);
+    const firstYearNote = firstYearSOX
+        ? `\n**First-Year SOX Note:** Focus on design effectiveness first. Operating effectiveness testing requires controls to be in place for a sufficient period (typically 2-3 quarters minimum for key controls). Prioritize ITGC and entity-level controls as the foundation.\n`
+        : "";
+    const output = [
+        `# SOX Gap Analysis`,
+        ``,
+        `## Summary`,
+        `- **Controls Implemented:** ${implementedControls.length}/${SOX_CONTROLS.length}`,
+        `- **Gaps Identified:** ${gaps.length}`,
+        `- **Time to Audit:** ${auditTimeline.replace(/_/g, " ")}`,
+        `- **Urgency Level:** ${urgency >= 3 ? "HIGH" : urgency >= 2 ? "MEDIUM" : "LOW"}`,
+        firstYearNote,
+        `## Prioritized Gaps (Highest Priority First)`,
+        ``,
+        ...prioritized.map((g, i) => [
+            `### ${i + 1}. ${g.id}: ${g.title}`,
+            `**Section:** ${g.section} | **Category:** ${g.category} | **Priority Score:** ${g.priority}/8`,
+            ``,
+            g.description,
+            ``,
+            `**To Implement:**`,
+            g.implementation,
+            ``,
+            `**Evidence Needed:**`,
+            ...g.evidence.map((e) => `- ${e}`),
+            ``,
+            `**Risk if Not Addressed:**`,
+            ...g.commonDeficiencies.slice(0, 3).map((d) => `- ${d}`),
+            ``,
+        ].join("\n")),
+        `## Remediation Timeline`,
+        urgency >= 3
+            ? `**URGENT:** With audit in <6 months, prioritize top 5 gaps immediately. Consider engaging a SOX consulting firm for rapid remediation.`
+            : urgency >= 2
+                ? `**Manageable:** Implement 2-3 controls per month. Start with ITGC and entity-level controls.`
+                : `**Comfortable:** Build the program methodically. Start with risk assessment (EL-02) to drive scoping decisions.`,
+        ``,
+        `---`,
+        `Automate your SOX gap analysis: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 6: Material Weakness Evaluator
+server.tool("evaluate_deficiency", "Evaluate whether a control deficiency constitutes a significant deficiency or material weakness using the PCAOB AS 2201 framework.", {
+    deficiencyDescription: z.string().describe("Description of the control deficiency"),
+    controlId: z.string().optional().describe("Related control ID if applicable"),
+    financialStatementImpact: z.enum(["material", "more_than_inconsequential", "inconsequential"]).describe("Potential magnitude of financial statement impact"),
+    likelihoodOfOccurrence: z.enum(["reasonably_possible", "remote", "probable"]).describe("Likelihood that the deficiency could result in a misstatement"),
+    compensatingControls: z.boolean().default(false).describe("Are there compensating controls that mitigate the deficiency?"),
+}, async ({ deficiencyDescription, controlId, financialStatementImpact, likelihoodOfOccurrence, compensatingControls }) => {
+    const control = controlId ? SOX_CONTROLS.find((c) => c.id === controlId.toUpperCase()) : null;
+    let classification;
+    let explanation;
+    if (financialStatementImpact === "material" && likelihoodOfOccurrence === "probable") {
+        classification = "MATERIAL WEAKNESS";
+        explanation = "A material misstatement is probable. This must be reported in management's assessment and will result in an adverse opinion on ICFR from the auditor.";
+    }
+    else if (financialStatementImpact === "material" && likelihoodOfOccurrence === "reasonably_possible") {
+        classification = compensatingControls ? "SIGNIFICANT DEFICIENCY (with compensating controls)" : "MATERIAL WEAKNESS";
+        explanation = compensatingControls
+            ? "The potential for material misstatement exists but compensating controls reduce likelihood. Document compensating controls thoroughly — auditor may still disagree."
+            : "A material misstatement is more than remote. Per PCAOB AS 2201, a reasonable possibility of material misstatement = material weakness.";
+    }
+    else if (financialStatementImpact === "more_than_inconsequential") {
+        classification = compensatingControls ? "CONTROL DEFICIENCY" : "SIGNIFICANT DEFICIENCY";
+        explanation = compensatingControls
+            ? "Impact exceeds inconsequential but compensating controls provide coverage. Document and monitor closely."
+            : "Severity exceeds a control deficiency but doesn't rise to material weakness. Still must be communicated to audit committee.";
+    }
+    else {
+        classification = "CONTROL DEFICIENCY";
+        explanation = "Impact is inconsequential and/or occurrence is remote. Document and include in management's tracking but doesn't require disclosure.";
+    }
+    const output = [
+        `# Deficiency Evaluation`,
+        ``,
+        `## Classification: ${classification}`,
+        ``,
+        `## Deficiency Description`,
+        deficiencyDescription,
+        control ? `\n**Related Control:** ${control.id} — ${control.title} (Section ${control.section})` : "",
+        ``,
+        `## Evaluation Factors`,
+        `- **Financial Statement Impact:** ${financialStatementImpact.replace(/_/g, " ")}`,
+        `- **Likelihood of Occurrence:** ${likelihoodOfOccurrence.replace(/_/g, " ")}`,
+        `- **Compensating Controls:** ${compensatingControls ? "Yes" : "No"}`,
+        ``,
+        `## Analysis`,
+        explanation,
+        ``,
+        `## Required Actions by Classification`,
+        classification.includes("MATERIAL WEAKNESS") ? [
+            `### Material Weakness Requirements`,
+            `1. Disclose in management's Section 404 assessment`,
+            `2. Cannot conclude ICFR is effective`,
+            `3. Auditor will issue adverse opinion on ICFR`,
+            `4. Must remediate — most companies target remediation before next annual assessment`,
+            `5. SEC may increase scrutiny of future filings`,
+            `6. Consider impact on Section 302 certifications`,
+            `7. Board/audit committee notification required`,
+        ].join("\n") : classification.includes("SIGNIFICANT") ? [
+            `### Significant Deficiency Requirements`,
+            `1. Communicate in writing to audit committee`,
+            `2. Include in management's deficiency tracking`,
+            `3. Develop remediation plan with timeline`,
+            `4. Monitor for aggregation with other deficiencies (could aggregate to MW)`,
+            `5. External auditor will include in their communication to audit committee`,
+        ].join("\n") : [
+            `### Control Deficiency Requirements`,
+            `1. Document in management's deficiency log`,
+            `2. Include in periodic control monitoring`,
+            `3. Remediate per normal course`,
+            `4. Monitor for recurrence or aggregation`,
+        ].join("\n"),
+        ``,
+        `## PCAOB AS 2201 Framework Reference`,
+        `Per PCAOB Auditing Standard 2201:`,
+        `- **Material Weakness:** Reasonable possibility that material misstatement won't be prevented/detected timely`,
+        `- **Significant Deficiency:** Less severe than MW but important enough to merit audit committee attention`,
+        `- **Control Deficiency:** Design or operation doesn't allow prevention/detection of misstatements timely`,
+        ``,
+        `*Note: Multiple control deficiencies can aggregate to a significant deficiency or material weakness.*`,
+        ``,
+        `---`,
+        `Track deficiency remediation: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// ── Start Server ──────────────────────────────────────────────────────
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((error) => {
+    console.error("Server error:", error);
+    process.exit(1);
+});

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "sox-compliance-mcp",
+  "version": "0.1.0",
+  "description": "MCP server for Sarbanes-Oxley (SOX) compliance — browse control requirements, assess readiness, generate ITGC/business process control templates, evidence checklists, and gap analysis for public companies",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "sox-compliance-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "sox",
+    "sarbanes-oxley",
+    "compliance",
+    "itgc",
+    "internal-controls",
+    "financial-reporting",
+    "section-302",
+    "section-404",
+    "coso",
+    "pcaob",
+    "audit",
+    "risk-assessment",
+    "material-weakness",
+    "significant-deficiency",
+    "control-testing",
+    "walkthrough",
+    "segregation-of-duties",
+    "change-management",
+    "access-controls",
+    "regtech",
+    "complianceiq"
+  ],
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.1",
+    "zod": "^3.24.4"
+  },
+  "devDependencies": {
+    "@types/node": "^25.8.0",
+    "typescript": "^5.8.3"
+  }
+}