Optro Acquires Y-Combinator backed Midship to Embed Agentic SOX Automation Into Its GRC Platform
Optro, the governance, risk and compliance platform formerly known as AuditBoard, has acquired Midship, a Y Combinator-backed startup that uses agentic AI to automate SOX controls testing. The deal brings autonomous audit execution directly into Optro’s Controls Management solution and marks the company’s second acquisition in rapid succession as it rebuilds its identity around an agentic system of action.
Financial terms were not disclosed. Sheppard, Mullin, Richter & Hampton LLP advised Optro; Kirkland & Ellis LLP acted for Midship. The three Midship co-founders — Kieran Taylor, Aahel Iyer, and Max Maio — join the Optro product team.
The timing of the deal is not incidental. According to The Institute of Internal Auditors’ 2026 North American Pulse of Internal Audit Survey, only 23% of audit teams are seeing budget increases, while 19% face active cuts. The pressure on internal audit functions to absorb more scope with fewer resources has been building over several reporting cycles, creating a structural case for automation that goes beyond productivity messaging.
The controls testing workload sits at the centre of that pressure. SOX compliance requires organisations to document, test, and evidence controls across financial reporting systems on a recurring basis — a process that is labour-intensive, highly repetitive, and largely indifferent to how skilled the auditor running it is. It is precisely the category of work that agentic AI is designed to absorb: high volume, rules-defined, evidence-dependent, and structured enough that autonomous execution is credible.
That is the problem Midship was built to solve.
A product built from firsthand experience at an IPO
Midship was founded in 2024 by Taylor, Iyer, and Maio, with Taylor bringing a particular origin story to the company’s design. As an internal audit technologist at Deloitte and later at Instacart, Taylor worked on SOX compliance infrastructure through Instacart’s IPO — an inflexion point at which the demands on audit functions compound sharply and the gaps in existing tooling become impossible to ignore. That experience shaped Midship’s founding premise: the controls testing process had not been rethought from first principles, but only automated incrementally, leaving the underlying manual structure intact.
The Midship platform processes unstructured evidence in the formats auditors actually work with, runs attribute tests, including access reviews and bank reconciliations, directly across uploaded materials, and generates audit-ready Excel workpapers to the specifications external auditors expect. The workflow is designed to handle what a human auditor handles — not a cleaned-up version of it.
That design process, Taylor has said, required the team to spend extensive time with internal auditors “both before and after Midship existed, understanding the pain they face” — a grounding that shaped the platform’s ability to handle unstructured evidence rather than requiring auditors to pre-clean their inputs before the tool can process them.
Optro integrates Midship into a platform already in motion
For Optro, the acquisition is additive to capabilities already in active development rather than a standalone bet. The company recently launched AI Narratives and Flowcharts, Fieldwork Automations, and Continuous Control Monitoring—a cluster of product releases that lay the foundation for Midship’s agentic layer to connect.
Midship will integrate directly into Optro’s Controls Management solution, with localisation and support for global enterprise deployments. The company also signals that the integration opens a pathway for alliance partners’ agents to communicate with Optro’s agents — a capability that has implications beyond the immediate SOX workflow and into the broader question of how GRC platforms connect to the surrounding enterprise technology stack.
Raul Villar Jr., CEO of Optro, drew a direct line between the company’s historical trajectory and the acquisition’s purpose. The company, he said, “moved internal audit from spreadsheets to the cloud”; the Midship deal extends that logic into autonomous execution, with the intent of shifting the function “from tactical and manual to strategic and automated.” The positioning places Optro not as a software vendor adding an AI feature but as infrastructure for the audit function itself.
A second acquisition in months defines the strategic direction
The Midship deal follows Optro’s acquisition of FairNow, a purpose-built AI Governance solution, and comes in the wake of the company’s rebranding from AuditBoard to Optro — a name change that signals a broader mandate than audit software. More than 50% of the Fortune 500 currently use the platform, and the company holds a Leader position in the 2025 Gartner Magic Quadrant for Governance, Risk and Compliance Tools.
The acquisitions, taken together, point to a platform architecture built around three converging compliance functions: traditional internal audit and SOX, AI governance, and broader risk and cybersecurity compliance. Each acquisition has brought a founding team with deep operational experience in its domain. That pattern — acqui-hire of practitioner-built tools — is consistent with a company trying to compress the distance between product capability and professional-grade execution quality.
The open question is the pace of integration. Combining autonomous testing agents with an existing workflow platform requires careful alignment on data handling, audit trail integrity, and the evidentiary standards external auditors will accept from AI-generated workpapers. The company cites localisation and global enterprise support as part of the integration roadmap, suggesting those questions are already shaping how the build-out is being sequenced.
For the internal audit profession, the broader signal is that the market is moving past AI as a productivity layer and toward AI as a structural replacement for specific types of work. Controls testing is a defined, repeatable process with clear success criteria, which makes it an early candidate. The more consequential question is whether agentic execution can meet the documentation and accountability standards required for external audit sign-off, and at what point that evidence base becomes sufficient for adoption to accelerate.
