Pre-IPO B2B SaaS, ~400 employees (anonymized)
Used closegate as the controls-evidence layer for SOX 404 readiness; passed first Big-4 walkthrough
A late-stage pre-IPO SaaS used closegate's audit-evidence-export bundle as the foundation of their SOX 404 readiness. Big-4 signed off on the controls walkthrough in two sessions.
Outcomes
- First Big-4 controls walkthrough completed in 2 sessions (typical: 5-8)
- SOC 2 Type 2 monitoring loop running nightly with zero false positives in 90 days
- Audit-evidence-export PBC bundle adopted as the standard close-cycle deliverable
- Estimated $200K+ savings vs custom SOX-readiness tooling build
The CFO and audit-committee chair were preparing for a 2027 IPO and starting the SOX 404 readiness program 18 months out. The existing close-cycle setup was a mix of BlackLine, custom Python scripts, and a partially-implemented AI assistant. The audit-readiness gap: the controls evidence was scattered across three systems with no single source of truth.
The starting point
- 400 FTEs, multi-entity (US parent + UK sub + 2 acquisition entities)
- ~6-day close cycle
- Existing tools: BlackLine for the close-cycle UI; custom AI for matching; ad-hoc audit logging
- SOX readiness timeline: 18 months to first attestation
- Big-4 audit firm engaged; walkthrough scheduled for Q3 2026
The CFO’s brief: “We need a defensible audit-evidence story across our existing tools. We don’t want to rip out BlackLine; we want to add the controls evidence layer underneath it.”
The architecture
The deployment is the hybrid case — closegate alongside BlackLine, not replacing it:
- BlackLine continues handling the close-task-workflow UI for the accounting team
- closegate-engine runs as the policy chokepoint underneath BlackLine; BlackLine’s workflows call into closegate’s evaluate() before any state-changing action
- closegate’s audit log is the single source of truth for SOX evidence
- Custom AI matching integrates via the MCP server; the LLM uses closegate’s MCP tools rather than direct DB access
The Big-4 walkthrough
Two sessions, 90 minutes each.
Session 1: controls design review. The audit team walked the policy.yaml, the gate’s evaluate() function, and the audit-log schema. Their assessment: “the controls are well-designed and the code is auditable in a way that the BlackLine alone isn’t.”
Session 2: operating effectiveness review. The team ran:
- 90 days of nightly SOC 2 monitor JSON output (all green; zero regressions)
- Sample of 50 audit events with verbatim policy clause text
- 3 forced-violation demonstrations (same-actor confirm, missing rationale on above-materiality match, dual-HITL bypass attempt — all three denied as expected)
The Big-4 partner’s assessment: “this is the most efficient SOX walkthrough we’ve done on an AI-assisted system. Sign off.”
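The three forced-violation checks from Session 2, sketched as a minimal policy chokepoint that writes the violated clause text verbatim into each audit event. This is an added illustration, not closegate's code or API: the `Gate` and `Confirm` classes, the clause IDs and wording, the materiality threshold and the sample actors are all constructed, and the dual-HITL bypass is modelled as one approver listed twice.

```python
from dataclasses import dataclass, field

MATERIALITY = 10_000.00  # constructed threshold, not from the case study
CLAUSES = {  # constructed clause wording, copied verbatim into audit events
    "SOD-1": "The actor confirming a match must differ from the proposer.",
    "RAT-1": "A match at or above materiality requires a written rationale.",
    "HITL-2": "A match at or above materiality requires two distinct approvers.",
}

@dataclass
class Confirm:
    actor: str
    proposed_by: str
    amount: float
    rationale: str = ""
    approvers: tuple = ()

@dataclass
class Gate:
    audit_log: list = field(default_factory=list)

    def evaluate(self, a: Confirm) -> bool:
        """Allow only when no clause is violated; every decision is logged."""
        violated = []
        if a.actor == a.proposed_by:
            violated.append("SOD-1")
        if a.amount >= MATERIALITY:
            if not a.rationale.strip():
                violated.append("RAT-1")
            # Duplicates and the proposer do not count toward the two approvers.
            if len(set(a.approvers) - {a.proposed_by}) < 2:
                violated.append("HITL-2")
        self.audit_log.append({
            "actor": a.actor,
            "amount": a.amount,
            "decision": "deny" if violated else "allow",
            "clauses": [{"id": c, "text": CLAUSES[c]} for c in violated],
        })
        return not violated

def forced_violation_demo():
    gate = Gate()
    cases = [  # three constructed violations, then one clean confirm
        Confirm("alice", "alice", 500.0),
        Confirm("bob", "alice", 25_000.0, "", ("bob", "carol")),
        Confirm("bob", "alice", 25_000.0, "ties to invoice", ("bob", "bob")),
        Confirm("bob", "alice", 25_000.0, "ties to invoice", ("bob", "carol")),
    ]
    return [gate.evaluate(c) for c in cases], gate.audit_log
```

Because the state-changing call only proceeds when `evaluate()` returns true and denials are logged alongside allows, the same log serves as both the enforcement record and the sample population an auditor draws from.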
The TCO upside
The team had been quoted $250K+ for a custom SOX-readiness tooling build (combination of audit-log infrastructure + control-mapping documentation + monitoring tooling). closegate covered the same scope for:
| Cost line | Amount |
|---|---|
| Existing BlackLine subscription | (existing) |
| closegate infrastructure (Kubernetes, 5-node deploy) | $7,200/yr |
| Anthropic API | ~$24,000/yr |
| One-time implementation (in-house eng, ~100 hours) | $20,000 |
| Year 1 incremental | ~$51,200 |
| Estimated savings vs custom SOX-tooling build | ~$200,000 |
The savings funded a dedicated audit-readiness analyst hire.
What worked
- The hybrid architecture. BlackLine’s UI for the accounting team + closegate’s chokepoint underneath. Neither tool had to do everything; each did what it was good at.
- The audit-evidence-export PBC bundle. One CLI command produced everything the Big-4 firm asked for. The auditor never asked for ad-hoc spreadsheets.
- The control-mapping document (file.py:line citations) was something the Big-4 audit team specifically called out as “above what we typically see.”
What was uncomfortable
The legal review of using an open-source framework as the SOX-controls evidence layer took 6 weeks. The legal team’s concern: “what if closegate the project disappears?” The team’s answer: it’s Apache-2.0; they have the code; they can fork and maintain in-house if Neul Labs walks away. The audit firm accepted this; legal eventually signed off.
The other discomfort: the BlackLine relationship management. BlackLine’s CSM asked “why are you reviewing your AP workflow with another tool?” The team’s answer: “we’re not replacing you; we’re adding controls evidence underneath.” That conversation took 2-3 cycles to land.
What’s next
- Migration of the matching workflow from custom AI to closegate’s MCP server
- Multi-entity rollout to the UK + 2 acquisition entities (currently US-only)
- Pre-IPO board observer is reviewing the controls architecture for D&O insurance implications
This case study is published with the design partner’s permission. Company name + revealing details anonymized at their request; financial figures cited are accurate to within ±5%.