For internal audit

The operating system for internal audit work.

Standardize procedures, automate evidence gathering and testing, and free your team for risk-based judgment work. Strong at operating-effectiveness testing of SOX controls.

Book a demoSee Co-audit

Where it lands

Built for the audits you already run.

One operating system across the internal audit plan — operational, financial, IT, and SOX-controls testing.

Operational audits

Repeatable procedures across business units and locations. Standardize the test once, run it everywhere, surface the exceptions.

Financial audits

Substantive testing of revenue, expenses, accruals, fixed assets, and inventory — with citations back to source evidence on every cell.

IT and SOX-controls testing

Operating-effectiveness testing of automated and manual controls — three-way matches, approval workflows, segregation of duties, access reviews.

How it flows

Every step is a punchcard.

From procedure design to evidence to testing to review — one system, one set of evidence, one review surface.

01

Standardize procedures

Build procedure templates once — assertions, evidence types, testing attributes, prompts. Roll them forward year over year and reuse them across business units.

See Test Agent
02

Gather evidence at the source

Send structured requests to control owners and process owners. Per-selection checklists tell them exactly what evidence is needed, with instant feedback when something doesn’t tie out.

See request workflow
03

Test at the population, not just the sample

Co-audit and Test Agent execute the procedure across selections — extracting fields, comparing values, applying tolerances, flagging exceptions. Plain English in, workpaper out.

See Co-audit
04

Review and report

Every conclusion cites its source. Validate, override, comment, sign off. Roll findings into your reporting deck or your GRC platform without re-keying.

See review surface

Reviewable evidence. Every time.

Punchcard is built around evidence and testing — not generic document chat. Every conclusion from Co-audit, Match Agent, and Test Agent cites its source. One click takes a reviewer to the exact page, the exact line, the exact paragraph the agent reasoned from. Your judgment, on the agent’s prepared work.

Procedure templates per assertionSOC 2 certifiedGDPR-aligned

Assurance, one punchcard at a time.

See Punchcard handle a real engagement. We'll walk through requests, testing, and review using your evidence — every judgment call still in human hands.

Book a demo

Trusted by RSM, Richey May, JLK Rosenberger, and more.