equity grant / cap table investigation — methodology

preserve before you analyze

finance will want to close the quarter. the equity admin will offer to "fix the export." those clocks conflict. default rule: no grant reversals, no valuation re-runs, no admin account password resets until read-only exports complete from every platform that touched the grant. document who accessed Carta and Shareworks after the anomaly was reported. a well-meaning comp analyst re-running 409A models destroys the before-state you need for equity 409a manipulation detector.

what evidence exists and how fast it dies

the first 10 minutes

1. identify the grant ID, grantee employee ID, and all platforms that hold the grant — Carta, Shareworks, Pulley, or E*TRADE.
2. export Carta cap-table CSV read-only — do not trigger recalculation or valuation refresh.
3. export Shareworks equity admin audit log for the grant date range plus 30 days back.
4. pull 409A valuation history for the grant's strike price window — include prior FMV versions.
5. export vesting schedule as-of today and request prior version from platform support if available.
6. request payroll exercise withholding records for the grantee from HRIS — before payroll period lock.
7. preserve equity admin SSO login logs for svc-equity-admin or named admin accounts in the change window.
8. disable further admin edits on the affected grant until counsel signs off — use platform read-only roles if available.
9. notify finance and legal that exports are frozen — no in-platform corrections until collection completes.
10. begin the path below on copies, not live platform sessions others may still be editing.

the path

1. 1. carta equity cap table export forensic analyzer

   Carta cap-table CSV export. parses grant rows, vesting schedules, stakeholder IDs, and admin change timestamps — the Quinn fixture surfaces an unauthorized share increase on GQ-2026-118 for E-77203.why first: Carta is often the system of record for option grants. start here to establish baseline grant state before cross-checking Shareworks admin logs.

2. 2. shareworks equity admin audit log forensic analyzer

   Shareworks equity admin audit CSV. extracts award modifications, exercise events, override flags, and acting user — Quinn bundle includes svc-equity-admin override from 198.51.100.77.why second: unauthorized changes sometimes land in Shareworks first or only. admin audit logs carry override reason codes that cap-table snapshots omit.

3. 3. equity unauthorized grant change detector

   equity platform change export. flags grant modifications without dual approval, admin override events, and security alerts on grant rows — GQ-2026-118 modified without dual approval in the Quinn scenario.why third: cap-table diffs show what changed; this step shows whether the change violated approval policy.

4. 4. equity 409a manipulation detector

   409A valuation history export. detects retroactive FMV revisions, backdated board approval dates, and strike-price adjustments inconsistent with valuation windows.why fourth: grant share increases are suspicious; retroactive 409A cuts make them lucrative. catch valuation manipulation before attributing the grant change to clerical error.

5. 5. equity vesting backdate detector

   vesting schedule export from Carta or Shareworks. surfaces vesting start dates moved earlier than hire or grant dates, cliff resets, and schedule edits after board approval.why fifth: unauthorized share bumps often pair with vesting backdates so the beneficiary captures months of already-elapsed vesting.

6. 6. cross equity payroll exercise correlator

   equity exercise export plus payroll withholding CSV. correlates exercise events to payroll tax withholding rows — Quinn fixture flags exercise vs payroll mismatch tied to 198.51.100.77.why sixth: grant manipulation sometimes precedes or follows exercise with incorrect withholding. payroll is an independent ledger equity admins rarely scrub.

7. 7. multi equity platform timeline correlator

   two or more equity platform exports (Carta + Shareworks + generic change logs). builds a unified timeline of grant changes, admin actions, and valuation events across systems.why seventh: actors split work across platforms hoping reviewers only check one. the timeline correlator shows the same grant change cluster in both systems within minutes.

8. 8. case report generator

   case report form JSON plus evidence file hashes. assembles examiner, dates, findings summary, and manifest inputs into a structured forensic report PDF — Quinn case QEQ-2026-0510.why last: counsel and the board need one document tying Carta diffs, Shareworks overrides, 409A revisions, and payroll mismatches to a single case number.

common false leads

• "it was a board-approved refresh." board refreshes have consent records and dual-approval trails. missing approval rows plus admin override flags point to unauthorized change, not planned refresh.
• "409A was updated for a funding round." legitimate round-driven 409A updates align with financing close dates. retroactive FMV cuts weeks after grant modification are a different pattern.
• "vesting start matches hire date." compare hire date in HRIS to vesting start in the export — backdates often slip hire date by 30–90 days to capture extra cliff vesting.
• "payroll mismatch is a timing issue." exercise and withholding should reconcile within the payroll period. persistent mismatch across periods suggests exercise recorded without proper tax withholding.
• "only one platform matters." orgs run Carta for cap table and Shareworks for international grants. actors split edits hoping reviewers check only one system.
• "the admin had legitimate access." authorized access does not authorize grant manipulation. policy violation plus missing dual approval builds the HR/legal story even when the account was not compromised.

what we can tell you, what we can't

we can tell you:

• grant modification timestamps and admin override flags from Carta and Shareworks exports
• unauthorized grant change patterns — modifications without dual approval
• 409A FMV retro revision and backdated valuation indicators
• vesting start backdate patterns inconsistent with hire or grant dates
• exercise vs payroll withholding mismatches from cross-export correlation
• unified multi-platform timeline of grant changes across equity systems
• structured case report PDF with evidence file hashes from your exports

we can't tell you:

• live platform state — we analyze exports you provide, not API access to Carta or Shareworks
• board intent or whether directors actually approved the change. artifacts show records; counsel interprets consent.
• tax or securities law conclusions. we surface patterns; your counsel and auditors determine compliance impact.
• recover deleted audit log rows from vendor platforms. request retention holds from Carta/Shareworks support early.
• replace SOX or internal audit sign-off. browser tooling supplements, not replaces, formal audit procedures.

handing it off

• legal and board: case report PDF, grant change timeline, 409A revision summary, missing dual approval evidence, and preserved export hashes. they need scope before clawback or termination decisions.
• finance and comp committee: quantified share impact, vesting backdate delta, and exercise/payroll mismatch amounts for restatement assessment.
• internal audit / SOX: admin override log, SSO access records, and cross-platform timeline for control deficiency documentation.
• HR: grantee and admin account timelines. authorized access does not equal authorized change — HR owns the employment and access-review narrative.
• outside counsel (securities): 409A manipulation indicators and grant modification dates for disclosure obligation assessment — not legal advice from browser tooling.

further reading

• SEC — Sarbanes-Oxley Act overview
• IRS — stock options and equity compensation
• FINRA — employee benefits and equity plans
• ACFE — fraud resources

reference investigation