SOX Plugin

Plans a control area's testing for a period: builds the control matrix, sizes and draws samples, scaffolds the workpaper, and coordinates evidence annotation and deterministic procedures. Calls /sox-python for any deterministic step, /sox-annotate-xlsx when evidence is xlsx with embedded screenshots, and /sox-from-video when evidence is a recorded auditor walkthrough. Dispatches the sox-workpaper-grader agent at the end for an independent verdict.

For any procedure expressible as code — random sample draw, three-way match, reconciliation tie-out, threshold check, exception roll-up. Generates a Python script, runs it, captures stdout/stderr, and appends a per-sample-per-test detail tab with the full source code, output, runtime, exit code, and a SHA-256 of the script.

Takes an xlsx whose sheets contain embedded evidence screenshots, identifies pixel bounding boxes for each requested attribute via Opus 4.7 vision, and writes back red-outline rectangle Excel shapes anchored over the original images. Pixels are never burned in; reviewers can move or delete the shapes.

Takes an mp4 walkthrough plus a transcript. Parses the transcript for moments where the auditor reviews each in-scope attribute, extracts the corresponding video frames, identifies bounding boxes via vision, and writes per-sample-per-test detail tabs with annotated frames. Self-contained — vendors its own opencv-based frame extractor.

Pre-processor that takes a firm-supplied xlsx template (typically with one sample completed as a guide), auto-detects its shape (per-sample tabs, master matrix, per-test tabs, or single tab), profiles every placeholder cell to a semantic field, and scaffolds copies of the exemplar for the rest of the population. Emits a template-profile.json that the evidence helpers consume via --template-profile — bypassing the canonical layout when the firm template is the right fit.

Reads a completed workpaper and builds a portable .skill ZIP that replays the same test next period. Copies the deterministic scripts verbatim (SHA-verified for tamper-evidence), captures the locked attribute lists for evidence tests, and bakes methodology and the test plan into a generated SKILL.md. The builder writes no new Python — the deterministic core is preserved exactly as it ran the first time.

Auto-loaded reference skill (user-invocable: false). Holds sample-size buckets by risk level, the four sample-selection methods, evidence sufficiency standards, deficiency classification with indicators, deficiency aggregation rules, and the full control-type taxonomy — ITGC, manual, automated, IT-dependent manual, and entity-level. Other skills consult this one rather than duplicating methodology.

Dispatched by /sox-annotate-xlsx and /sox-from-video once per image. Views a single screenshot or video frame, identifies pixel bounding boxes for each requested attribute, writes a boxes JSON, and returns a small summary. The orchestrator never sees the image bytes — it only collects per-agent JSON. Run in parallel: a single message with multiple Agent calls.

Dispatched by /sox-from-video once per recording. Reads a transcript (.vtt, .srt, .txt, .docx), identifies the moments where the auditor reviewed each in-scope attribute, and emits a timestamps.json. Transcript text never returns to the orchestrator — only a small summary with timestamp count, samples covered, tests covered, and any gaps.

Dispatched by /sox-testing after the workpaper is fully assembled. Reads the workpaper rubric, introspects the xlsx via openpyxl, scores each criterion (Required + Recommended), and writes a verdict JSON with overall: pass | fail plus any blocking failures. Runs in a fresh context window with no exposure to the orchestrator's reasoning — that isolation is what makes the verdict meaningful.

Download the plugin below and install it in Claude Code — the .claude-plugin/plugin.json manifest sits at the root of the zip. The plugin registers six user-facing slash-command skills, an auto-loaded methodology reference, and three subagents the orchestrator dispatches automatically.

Open any directory you want to use as a SOX testing workspace and run /sox-testing procure-to-pay 2024-Q4 (or your own control area and period). The skill walks through control identification, sample sizing, and sample selection — delegating to /sox-python so the random seed and selection logic are captured in a tamper-evident detail tab.

If your firm has a bespoke xlsx layout, run /sox-from-template <template.xlsx> first. The skill profiles the template, scaffolds copies of the exemplar tab for the remaining samples, and emits a profile JSON the evidence helpers consume to write into your layout instead of the canonical one.

For screenshot evidence, run /sox-annotate-xlsx <evidence.xlsx> "Approver, Amount Threshold, Self-Approval Checkbox". For walkthrough recordings, run /sox-from-video <walkthrough.mp4> <transcript>. Both fan out to the boxer agent in parallel and write annotated detail tabs back to the workpaper.

Once the workpaper is signed off, run /sox-replay-build <workpaper.xlsx> to package the deterministic scripts, locked attribute lists, methodology, and test plan into a portable .skill. Drop the .skill into next period's workspace and replay the same test without rewriting code.