Box, AuditBoard & BlackLine stalled IPO readiness — Workiva centralizes audit evidence

Overview

IPO readiness at a fintech firm bogged down because controls, policies, and evidentiary artifacts sat in different systems and formats. Policies lived in Box, control testing results were tracked in AuditBoard, and financial close evidence resided in BlackLine, while leadership and auditors expected a single record with lineage, ownership, and approvals. Intelligex automated the collection of policies, control test results, and close artifacts into Workiva, layered role-based approvals and evidence checks, and standardized tags and calendars. The leadership team saw fewer gaps, consistent evidence, and smoother auditor reviews because every control, policy, and sample tied back to an approved source with a clear trail.

Client Profile

• Industry: Financial technology
• Company size (range): High-growth enterprise preparing for a public listing
• Stage: Pre-IPO, formalizing controls and reporting processes
• Department owner: Strategy, Analytics & Executive Leadership (IPO Program Management Office / Corporate Finance)
• Other stakeholders: Finance & Accounting, Internal Audit/SOX, Legal & Compliance, Information Security, HR, Data Engineering, IT, External Auditors

The Challenge

IPO readiness requires a cohesive picture of policies, control design and operating effectiveness, and financial close evidence. In practice, policies and procedures were authored and stored in Box folders with inconsistent naming; control testing lived in AuditBoard with its own tags and calendars; and close artifacts—reconciliations, journal approvals, and variance analyses—were managed in BlackLine. Requests for information traveled through spreadsheets and emails, and preparing support for walkthroughs or samples often meant searching multiple systems for the “right” version.

Timelines slipped when definitions and evidence didn’t align. AuditBoard control IDs didn’t map cleanly to Workiva tie-outs, BlackLine verification dates didn’t match control operating windows, and Box file versions made it hard to prove which policy was in effect during a test period. Reviews devolved into reconciling artifacts and owners. Leaders wanted to keep their existing tools but needed a unified operating layer that pulled governed evidence into a single system, enforced role-based approvals, and produced auditor-ready packages aligned to Internal Control over Financial Reporting (ICFR) expectations.

Why It Was Happening

Identities and calendars were fragmented. Control IDs, policy names, and account mappings varied by system; effective dates and test periods used different cut-offs; and versioning schemes differed across teams. Evidence acceptance criteria were unclear, so similar artifacts were uploaded with inconsistent annotations, and reviewers lacked a consistent checklist for completeness.

Governance arrived late. Approvals were captured in email threads, not as part of the artifact itself. There was no lightweight path to validate that a control test referenced the correct policy version and close artifacts. Without a shared workflow for intake, review, and publication, support packages were assembled ad hoc, and the same gaps reappeared across controls and quarters.

The Solution

We implemented a governed evidence pipeline and approval workflow that centralized IPO readiness artifacts in Workiva while preserving existing authoring and testing tools. Box policy documents and procedures were ingested with metadata; AuditBoard control testing results flowed on a schedule; and BlackLine close artifacts were linked by account and period. A conformed model harmonized IDs, calendars, and acceptance criteria; reviewers validated completeness through a queue; and Workiva housed the auditor-ready record with role-based access. Nothing was replatformed: Box remained the policy repository, AuditBoard the testing hub, and BlackLine the close platform; the orchestration layer standardized intake, review, lineage, and approvals across them.

• Policy document ingestion from Box with version, owner, and effective-date metadata
• Control testing results and deficiencies from AuditBoard mapped to control IDs, processes, and test periods
• Financial close artifacts from BlackLine Financial Close Management linked by account, period, and preparer/reviewer
• Centralized evidence repository and workflow in Workiva with standardized tags, checklists, and approval steps
• Shared calendar and identity mapping for controls, policies, and close periods, with validations to detect mismatches
• Role-based access using identity groups (for example, Microsoft Entra groups) to scope preparer, reviewer, and auditor views
• Review gates for completeness: policy version check, sample traceability, evidence clarity, and tie-outs to control IDs
• Change log and audit trail capturing uploads, edits, approvals, and publication, aligned to ICFR expectations (see PCAOB AS 2201)
• Dashboards for readiness tracking: open deficiencies, missing evidence by control, and approval status by function
• Human-in-the-loop queue for exceptions and policy updates impacting test periods

Implementation

• Discovery: Cataloged policy document structures and Box hierarchies, AuditBoard control libraries and test calendars, and BlackLine close processes and artifact types. Mapped current evidence acceptance criteria, approval roles, and recurring gaps surfaced by Internal Audit and external auditors.
• Design: Defined a shared control-policy-account mapping and a unified calendar for test periods and close cycles. Authored intake templates and checklists for policies, test results, and close artifacts. Designed role-based approval flows in Workiva and exception categories. Planned readiness dashboards and audit fields for lineage and approvals.
• Build: Implemented connectors to ingest policy files from Box with metadata, scheduled extracts from AuditBoard for control testing results, and linked BlackLine artifacts by account and period. Configured Workiva to house evidence packages with required fields, approvals, and publication steps. Established identity groups and access scopes; enabled change logs and dashboarding.
• Testing and QA: Replayed recent quarters to reconcile control tests with policy versions and close artifacts. Validated mappings and calendar alignment, exercised review gates and exception handling, and verified that Workiva packages contained complete, consistent evidence with a traceable approval trail. Dry-ran walkthroughs with Internal Audit to confirm usability.
• Rollout: Launched the pipeline in parallel with the legacy email- and spreadsheet-based process. After teams validated completeness and approvals, moved active controls to the governed flow and enabled auditor access to published packages. Retained a manual exception path for urgent items with post-review documentation.
• Training and hand-off: Delivered quick guides for preparers on intake requirements and metadata, for reviewers on checklists and exceptions, and for control owners on readiness dashboards. Established stewardship for mappings, calendars, and acceptance criteria, with a cadence for updates ahead of each quarter-end.
• Human-in-the-loop review: Routed conflicting mappings, policy updates affecting open tests, and ambiguous evidence to designated reviewers in Internal Audit and Finance before publication, capturing rationale in the change log.

Results

Control owners, Finance, and Internal Audit worked from a single source of truth. Each control test tied to the correct policy version and relevant close artifacts, and reviewers saw required fields and approvals before packages were marked ready. External auditors received consistent, linked evidence with clear lineage and ownership, which reduced iterative requests and meeting time spent reconciling versions.

Leaders monitored readiness through dashboards that surfaced missing artifacts, overdue approvals, and open deficiencies by process. Evidence quality improved because acceptance criteria and checklists were embedded in the workflow, and exceptions carried documented rationale. IPO readiness meetings shifted from hunting documents to resolving true issues and sequencing remediation.

What Changed for the Team

• Before: Policies, control tests, and close artifacts lived in separate tools with ad hoc links. After: Workiva housed governed evidence packages with lineage and approvals.
• Before: Control IDs and periods didn’t align across systems. After: A shared calendar and mapping harmonized identities with validations for mismatches.
• Before: Approvals and edits happened in email. After: Role-based gates captured preparer and reviewer sign-offs with checklists and change logs.
• Before: Auditor requests triggered repeated fishing expeditions. After: Published packages linked policies, tests, and close support in one place.
• Before: Readiness status was tracked in spreadsheets. After: Dashboards showed open gaps, ownership, and due dates by function and process.

Key Takeaways

• Keep Box, AuditBoard, and BlackLine; add a governed intake and approval layer in Workiva to unify evidence and lineage.
• Harmonize control IDs, policy versions, and close calendars; shared mappings and cut-offs prevent last-minute reconciliations.
• Embed acceptance criteria and role-based approvals in the workflow; quality improves when completeness is checked upstream.
• Capture audit trails for uploads, edits, and sign-offs; traceability eases walkthroughs and supports ICFR expectations.
• Use dashboards to manage readiness; make gaps and ownership visible so leadership can intervene early.

FAQ

What tools did this integrate with?
We ingested policies from Box, control testing results and deficiencies from AuditBoard, and close artifacts from BlackLine. Evidence packages, approvals, and publication lived in Workiva, with access governed by identity groups such as Microsoft Entra groups.

How did you handle quality control and governance?
We defined acceptance criteria and required metadata for each artifact type, enforced a shared calendar and mappings for controls and policies, and embedded preparer and reviewer gates in Workiva. Validations flagged mismatched periods, missing policy versions, and incomplete samples. Change logs captured uploads, edits, approvals, and publication, aligning with ICFR expectations under PCAOB AS 2201.

How did you roll this out without disruption?
We operated the pipeline alongside the legacy process while teams validated completeness, mappings, and approval behavior. After confidence grew, active controls moved into the governed flow and auditor access was granted to published packages. Existing tools remained; the Workiva layer orchestrated intake, review, and publication.

How did you manage evidence versioning and tie-outs?
Box files were ingested with version and effective-date metadata, and evidence in Workiva referenced the exact version used. Control tests and close artifacts were tied by control ID, account, and period under the shared calendar. Reviewers confirmed tie-outs using checklists, and the system prevented publication until required links were present.

How did this align with SOX/ICFR expectations?
Controls, policies, and evidence were mapped under a unified model with clear ownership, effective dates, and approvals. Walkthrough and sample support carried traceable links and change histories. The audit trail and completeness checks supported a reliable assessment of design and operating effectiveness consistent with ICFR guidance, while preserving the firm’s existing tools and processes.