
sox-compliance skill


This skill helps you implement Sarbanes-Oxley compliance and IT controls by applying COSO-aligned practices for audits, segregation of duties, and continuous

npx playbooks add skill omer-metin/skills-for-antigravity --skill sox-compliance

Review the files below or copy the command above to add this skill to your agents.

Files (4): SKILL.md (1.1 KB)
---
name: sox-compliance
description: Use when implementing Sarbanes-Oxley compliance, internal controls, audit trails, segregation of duties, or continuous monitoring - covers COSO framework and IT general controls.
---

# Sox Compliance

## Identity



## Reference System Usage

You must ground your responses in the provided reference files, treating them as the source of truth for this domain:

* **For Creation:** Always consult **`references/patterns.md`**. This file dictates *how* things should be built. Ignore generic approaches if a specific pattern exists here.
* **For Diagnosis:** Always consult **`references/sharp_edges.md`**. This file lists the critical failures and "why" they happen. Use it to explain risks to the user.
* **For Review:** Always consult **`references/validations.md`**. This contains the strict rules and constraints. Use it to validate user inputs objectively.

**Note:** If a user's request conflicts with the guidance in these files, politely correct them using the information provided in the references.

Overview

This skill helps teams implement and maintain Sarbanes-Oxley (SOX) compliance programs focused on internal controls, segregation of duties, audit trails, and continuous monitoring. It maps controls to the COSO framework and covers IT general controls to ensure financial reporting integrity. Use this skill to design control patterns, diagnose risk hotspots, and validate control implementations against strict rules.

How this skill works

The skill inspects control designs, operational procedures, access privileges, and audit logging to identify gaps against SOX requirements. It uses three canonical reference sources as the authoritative guidance: a patterns file for how to build controls, a sharp-edges file for common diagnostic failures and root causes, and a validations file for strict rule checks. Outputs include prioritized remediation steps, validation reports, and monitoring recommendations.

When to use it

  • Designing or documenting SOX controls mapped to the COSO components
  • Evaluating segregation of duties and access risks in financial systems
  • Auditing IT general controls (change management, logical access, backup/recovery)
  • Preparing for external SOX audits or internal control assessments
  • Implementing continuous monitoring and automated evidence collection

Best practices

  • Always align control designs with the patterns reference to ensure consistent construction
  • Use the sharp-edges guidance to explain likely failure modes and prioritize high-impact fixes
  • Apply the validations file to produce objective, repeatable pass/fail checks
  • Document evidence and retention policies for audit trails and automated monitoring
  • Enforce least-privilege and formal approval workflows for segregation of duties

Example use cases

  • Create a control matrix that maps key financial processes to COSO objectives and test procedures
  • Analyze user roles and access rights across ERP modules to expose segregation-of-duties conflicts
  • Validate that change-management workflows include approvals, testing, and deployment evidence
  • Set up continuous monitoring rules that alert on anomalous financial postings or privilege escalations
  • Generate an audit-ready report showing control validation results and remediation timelines
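The second and fourth use cases above (exposing segregation-of-duties conflicts across roles, and flagging risky privilege combinations) can be reduced to one mechanical check: expand each user's roles into the capabilities they grant, then test every pair of capabilities that the control catalog says must never sit with one person. The following Python is an added illustration, not code from this skill or its reference files; the rule ids, role names, capability strings and user assignments are all constructed for the example, and in practice they would be loaded from the validations reference and an access export from the ERP.

```python
"""Segregation-of-duties (SoD) conflict check over user/role assignments.

Added illustration, not part of the skill's own files. The rule set, role
catalog, user assignments and function names are constructed for this example.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed SoD rules: each pair of capabilities must not be held by one user.
# Rule ids are placeholders, not identifiers from any real control catalog.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "SOD-01": ("vendor.create", "payment.approve"),   # create a payee and pay it
    "SOD-02": ("journal.post", "journal.approve"),    # post and approve own entries
    "SOD-03": ("user.admin", "payment.approve"),      # grant self access and pay
}

# Constructed role -> capability mapping for a hypothetical ERP.
ROLE_CAPABILITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.enter"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve"},
    "SYSADMIN": {"user.admin"},
}

# Constructed user -> roles assignment, as an access review export would provide.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},         # creates vendors and approves payments
    "carol": {"GL_ACCOUNTANT", "CONTROLLER"},  # posts and approves own journals
    "dave": {"SYSADMIN"},
}


def effective_capabilities(user: str,
                           user_roles: Dict[str, Set[str]] = USER_ROLES,
                           role_caps: Dict[str, Set[str]] = ROLE_CAPABILITIES) -> Set[str]:
    """Union of capabilities granted through every role the user holds.

    Conflicts usually arise from the combination of individually harmless roles,
    so the check must operate on the expanded set, not on role names.
    """
    caps: Set[str] = set()
    for role in user_roles.get(user, set()):
        caps |= role_caps.get(role, set())
    return caps


def find_sod_conflicts(user_roles: Dict[str, Set[str]] = USER_ROLES,
                       role_caps: Dict[str, Set[str]] = ROLE_CAPABILITIES,
                       rules: Dict[str, Tuple[str, str]] = SOD_RULES) -> List[Tuple[str, str]]:
    """Detective control: (user, rule_id) for every user whose roles violate a rule."""
    findings: List[Tuple[str, str]] = []
    for user in sorted(user_roles):
        caps = effective_capabilities(user, user_roles, role_caps)
        for rule_id, (a, b) in rules.items():
            if a in caps and b in caps:
                findings.append((user, rule_id))
    return findings


def conflicting_role_pairs(role_caps: Dict[str, Set[str]] = ROLE_CAPABILITIES,
                           rules: Dict[str, Tuple[str, str]] = SOD_RULES) -> Set[FrozenSet[str]]:
    """Preventive control: role pairs that must never be co-assigned.

    Provisioning workflows can reject a request up front if the requested role
    plus any role the user already holds appears in this set.
    """
    pairs: Set[FrozenSet[str]] = set()
    roles = sorted(role_caps)
    for i, r1 in enumerate(roles):
        for r2 in roles[i + 1:]:
            combined = role_caps[r1] | role_caps[r2]
            if any(a in combined and b in combined for a, b in rules.values()):
                pairs.add(frozenset((r1, r2)))
    return pairs


if __name__ == "__main__":
    for user, rule_id in find_sod_conflicts():
        print(f"SoD violation {rule_id}: {user} holds {sorted(effective_capabilities(user))}")
    for pair in sorted(map(sorted, conflicting_role_pairs())):
        print(f"roles must not be co-assigned: {pair}")
```

With the constructed data the detective check reports bob (SOD-01) and carol (SOD-02), and the preventive check lists the three role pairs whose combined capabilities would breach a rule, including SYSADMIN with AP_MANAGER even though nobody currently holds both. Keeping both outputs is what makes the control auditable: the findings list is the evidence that the review ran, and the toxic-pair list is the evidence that the provisioning workflow had something concrete to enforce.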

FAQ

What sources does the skill use to decide best actions?

It bases designs on the patterns reference, diagnoses on the sharp-edges reference, and validates using the validations reference; those are treated as the source of truth.

Can this skill automate evidence collection?

Yes: it recommends and validates automated audit-trail capture and continuous monitoring configurations, but the implementation itself must be integrated with your own tooling.