Elad Natan, CPA
Systems Architect · Finance, Compliance & Automation
React · NestJS · PostgreSQL · Enterprise Controls

2026 · enterprise rollout · Actual product screens

ZOX

Actual SOX Control Operating System

A SOX control automation platform for ownership, evidence collection, review, exceptions, and audit trail management.

Overview

Problem

SOX programs often rely on spreadsheets, fragmented ownership, and manual follow-up to keep control work moving.

Implementation

Built system

A SOX control operating system built to manage execution, evidence, review, routing, and accountability in one governed workspace.

Actual product screens

ZOX

Screens use synthetic demo data.


How it works

How the system works

  • Role-based workflow for owners, reviewers, and auditors
  • Shared control lifecycle with evidence routing and review states
  • Visibility into overdue work, missing evidence, and failure handling
  • Audit-oriented traceability across changes, actions, status history, snapshots, and exports

System boundary

Application boundary

ZOX is a running SOX control workflow system covering ownership, evidence routing, review state, exceptions, reporting, snapshots, and audit-oriented traceability. Hosting, network, identity-provider, and infrastructure controls remain enterprise responsibilities.

Enterprise delivery

Application and handoff details

ZOX includes a defined delivery package for application handoff, local runbook use, and enterprise deployment review.

System Boundary

Application architecture

01 · React workspace

02 · NestJS service layer

03 · PostgreSQL control record

The application governs workflow, evidence, review state, traceability, and recovery operations. Hosting, network, identity-provider, and endpoint controls sit outside the application boundary.

Delivery package

Implementation and handoff

  • React operating workspace and NestJS API
  • PostgreSQL schema with versioned Prisma migrations
  • Seeded demonstration environment and documented local runbook
  • Operational views for execution, catalog, scope, reporting, audit, and recovery
  • Application-layer evidence structured as a CISO evidence pack for review
  • Source-first CTO adoption documentation covering setup, boundaries, and handoff

Application security evidence

Controls implemented in the repository and running application

Access boundary

Role-aware page and API access with authenticated sessions

Change trace

Audit events preserve actor, action, entity, time, and request context

Recovery path

Snapshots, archive exports, preview, and restore workflows

Data boundary

Portfolio captures use the repository’s synthetic local seed only

Capabilities

System capabilities

Operating-model control

Maps the lifecycle of controls, evidence, review, and remediation in one governed workflow.

Role-specific routing

Routes work to owners, reviewers, and auditors without spreadsheet coordination.

Audit-grade traceability

Maintains a clear record of actions, changes, evidence, and review history.

Outcome

Result

An enterprise rollout package that replaces spreadsheet coordination with governed workflows and clear operational ownership.

Why it matters

Practical value

ZOX brings ownership, evidence collection, review, and audit trail management into one clear operating system.