Controls Intelligence Hub · Continuous Control Assurance
Dashboard · Q1-26 close · SOX 1,005 controls · non-SOX 2,119 · continuous assurance cycle.
Controls → Signals → Agents → Evidence → Decisions → Controller Sign-Off → Audit Pack → Replay
This is a platform capability, not a dashboard. It continuously tests controls, monitors risks, generates evidence, creates audit-ready packs, routes only judgment decisions to humans, and attributes value.
Control Cycle = control + period + population + sample + test run + evidence + exceptions + verdict + pack + sign-off
2 active cycles · 8 evidence items · 3 exceptions · 2 audit packs · persistence: database · hash chain pass: True
ctrl.html converted into Sphere runtime modules
| Prototype area | Production component | Runtime contract |
|---|---|---|
| Dashboard | ControlAssuranceDashboard | Summaries are derived from control_cycle, test_result, exception, and audit_pack records. |
| Controller Inbox | ControlDecisionInbox | Human-required rows are human_decision tasks generated from exceptions and external-release gates. |
| Auto-handled / Human-required | AssuranceOutcomeExplorer | Outcome split is computed from test_result and evidence completeness, not from menu state. |
| Control Library | ControlRegistryExplorer | Controls resolve to owner, risk, framework, policy, population, latest cycle, and evidence requirements. |
| HF Signal Monitor | ControlSignalMonitor | Signals are control_signal_events that can trigger scoping or investigation cases. |
| Policy & Framework | PolicyControlFramework | Policies and frameworks version every test and controller decision. |
| Agent detail pages | AgentWorkProductViewer | Clicking an agent opens work products, cases, evidence, and decisions before technical traces. |
| Agent Workflows modal | AuditReplayViewer | Replay is reconstructed from audit_log_events and agent_run records. |
SOX A&C-PEC-014 · Manual JE review · Effective with exceptions
60 samples · 2 procedural exceptions · pack in Controller Inbox · confidence 0.91
Click row for detail
| Control | Hub | Test | Sample | Finding | Status |
|---|---|---|---|---|---|
| SOX A&C-PEC-014 Manual JE review for entries above threshold |
A&C | Manual JE | 60 samples | Effective with exceptions | Awaiting controller |
| SOX A&C-BSA-029 Balance Sheet Account ownership and certification |
A&C | 10,187 accounts | Population scan | All checks pass | Signed off |
| SOX P2P-PAY-031 Payment run authorization and approval |
ST&S | 2.75m invoices | 60 samples | Queued | Queued |
| SOX P2P-VEN-021 Vendor master bank-account change verification |
ST&S | 412 changes/day | Population scan | Queued | Queued |
| SOX P2P-018 Invoice 3-way match prior to payment |
ST&S | $62bn payables | 2.75m invoices | All checks pass | Signed off |
All agents
PBC Request Center
Auditor requests evidence, Audit Liaison Agent assembles pack, hash-signs artifacts, prepares narrative, and routes controller approval before external release.
| Request | Control | SLA | Status | Pack |
|---|---|---|---|---|
| E&Y walkthrough | SOX A&C-PEC-014 | 6.4 sec | Controller approval pending | IRM-CTL-2026-Q1-PEC-014 |
| Sample re-pull | SOX P2P-018 | 8.1 sec | Delivered | IRM-CTL-2026-Q1-P2P-018 |
| BSA certification support | SOX A&C-BSA-029 | 7.2 sec | Delivered | IRM-CTL-2026-Q1-BSA-029 |
| Vendor bank change evidence | SOX P2P-VEN-021 | Awaiting evidence | Blocked by missing checker log | IRM-CTL-2026-Q1-VEN-021 |
Control health, SOX readiness, audit readiness, exceptions, coverage, risk exposure, and cost savings
Executive rollup shows control confidence, evidence completeness, open exceptions, audit cost saved, and risk exposure from the same evidence and replay ledger.
Control ontology
ControlPolicyRiskEvidenceExceptionTestControl OwnerAuditorSignoffMaterialityFrameworkControl ObjectiveOutcome
Assurance economics
Runtime cost is attributable by control, agent, evidence pack, auditor request, and business outcome.
Clean controls archived by agents
Auto-passed tests are indexed, hash-signed, and archived without controller intervention. Exceptions remain in the human-required queue.
Hash-signed audit packs
Evidence packs include artifacts, lineage, source systems, hash chain, controller sign-off, IRM staging status, and replay ID.
Human-required judgment queue
Only exceptions, sign-offs, waivers, materiality decisions, and external-release approvals reach controllers. Clean controls remain auto-archived with evidence and replay.
Seven specialized assurance agents
| Capability | Inputs | Outputs | Human Boundary |
|---|---|---|---|
| Scoping Agent | What to test, risk level, population, sample size | Test scope, sample selection, risk rating | Human approval for scope override |
| Substantiation Agent | SAP, S/4, BlackLine, Ariba, Concur, Workiva, ServiceNow, identity evidence | Evidence bundles, hash signatures, evidence lineage | Missing evidence blocks sign-off |
| Test Execution Agent | Control definition, population, sample, rules | Pass, fail, exception, effectiveness result | Material exceptions route to controller |
| Validation Agent | Test result, materiality, exception history, risk context | Audit narrative, risk level, control conclusion | Controller confirms material findings |
| Audit Liaison Agent | Validated result, evidence pack, audit request | PBC response, supporting documents, auditor-ready pack | Auditor release requires controller sign-off |
| Continuous Monitoring Agent | Journals, vendor master, SoD, inventory, treasury, access events | Risk signals, drift, anomalies, monitoring feed | No autonomous remediation without approval |
| Orchestrator Agent | Agent state, SLA, capacity, queue, escalation rules | Scheduled lifecycle, prioritization, replay, controller routing | Cannot bypass policy or human gates |
Agent work products
PBC response pack staged
Audit Liaison Agent prepares the evidence pack, response narrative, source references, and controller sign-off route.
Signal to outcome trace
Replay reconstructs signal, context, agent, policy, evidence, decision, controller action, outcome, and learning.
Controls, policies, thresholds, and sign-off rules
Maps control objective, risk, policy version, materiality threshold, evidence requirement, controller role, and audit pack obligation.
Read-only first, governed action only
Controls Intelligence uses SAP, BlackLine, ServiceNow, Workiva, and IRM context as evidence sources. Agents remain read-only unless policy, evidence, and sign-off allow an action.
| Data domain | Source | Refresh | Used by |
|---|---|---|---|
| Journal-entry detail (BKPF/BSEG) | SAP S/4HANA | Real-time | Test Execution, HF Monitor, Substantiation |
| Change documents (CDPOS) | SAP S/4HANA | Real-time | Vendor bank changes, Test Execution |
| User-role matrix | SAP GRC + identity | Hourly | SoD checks, Validation Agent |
| BSA reconciliation status | BlackLine | Real-time | Test Execution, drift forecast |
| Approval workflow logs | SAP + Concur | Real-time | Substantiation, Test Execution |
Minimum runtime records behind every control cycle
| Runtime entity | Purpose |
|---|---|
| control | SOX / non-SOX control master, owner, hub, category, risk, framework. |
| control_cycle | Period run such as Q1-26 close, daily monitoring, or ad-hoc auditor request. |
| control_population | Full tested population: journals, vendors, BSAs, invoices, SoD pairs. |
| sample_selection | Scoping Agent sample basis, outliers, seed, and risk uplift. |
| evidence_item | Source evidence metadata, source system, capture time, hash, and lineage. |
| test_result | Per-sample/per-check pass, fail, exception, and deterministic rule output. |
| exception | Procedural, substantive, or advisory finding with risk and owner. |
| audit_pack | Pack manifest, sections, hash chain, status, and external-release gate. |
| human_decision | Sign off, pushback, escalation, waiver, substantiation request, or remediation. |
| agent_run | Agent identity, inputs, outputs, cost, duration, confidence, and evidence refs. |
| audit_log_event | Immutable event stream used for decision replay and audit inspection. |
Read-heavy assurance, governed writes only
| Layer | Read | Write |
|---|---|---|
| UDP / Databricks | Yes, preferred for populations and evidence context | Derived assurance outputs only. |
| SAP ECC / S/4 / CFIN | Via replicated data where possible | Only governed remediation or SoR update after approval. |
| BlackLine / Workiva / IRM | Evidence, control status, reconciliation status | Audit pack status, comments, evidence links. |
| Sphere DB | Runtime records and replay ledger | Cycles, evidence metadata, decisions, audit events. |
| Human workflow | Inbox, approvals, escalations | Sign-off, pushback, waiver, override rationale. |
| Agent memory | Prior decisions and outcomes | Lessons, false positives, sampling adjustments. |
Sign off, push back, request substantiation, remediate, waive, or escalate
| Action | Governance | Outcome |
|---|---|---|
| Sign off | Permitted when evidence complete, exceptions classified, and materiality accepted | Control marked effective or effective with exceptions |
| Push back | Returns pack to agent fabric with additional sample, evidence, or validation instruction | Cycle re-opens with expanded scope |
| Request substantiation | Blocks external release until missing artifact or lineage is attached | Evidence Agent retrieves and hash-signs artifacts |
| Create remediation | Creates owner action plan for substantive or repeat issue | Remediation tracked with due date and evidence |
| Waive with reason | Requires controller note, policy citation, and audit-visible rationale | Override captured in replay and learning queue |
| Escalate | Routes material issue to Head of Finance, GRC, or audit owner | Escalation and SLA are monitored |
Reusable assurance patterns across SOX and non-SOX controls
| Flow | Control | Trigger | Assurance pattern |
|---|---|---|---|
| BSA Reconciliation | SOX A&C-BSA-029 | Calendar, HF Monitor drift, or E&Y PBC | Population scan across 10,187 accounts with advisory findings |
| Manual JE Review | SOX A&C-PEC-014 | Quarter close control cycle | Risk-weighted sample of 60 JEs with outlier-priority selection |
| T&E Fraud Pattern Detection | CTL-FRA-T&E-007 | Hourly continuous monitoring | Non-SOX pattern detection routed to investigators |
IRM-CTL-2026-Q1-PEC-014 · pass
5 artifacts · SHA-256 · bundle hash 16774cf0288e5bdb876244be
| Artifact ID | Artifact | Source | Hash | Verification |
|---|---|---|---|---|
| ART-JE-44188 | JE record (BKPF/BSEG) | SAP S/4HANA | 00e93c99af9e61990b971dc4 | verified |
| ART-APP-44188 | Approval workflow log | SAP + Concur | 835b780d75aaf74d97c00c78 | verified |
| ART-SOD-44188 | SoD trail | SAP GRC + identity | 558a1506581b33bb250b495e | verified |
| ART-BL-44291 | BlackLine support calc | BlackLine | 6fded848b74edf1e00fe819a | verified |
| ART-IRM-PEC014 | IRM pack manifest | ServiceNow IRM | c09ad1786ec739973f94e73f | verified |
operational · 4 reference sources · 0 live sources
| Source | Status | Cadence | Last refresh | Latency |
|---|---|---|---|---|
| SAP S/4HANA | reference | Reference cadence | 2026-03-31T14:08:44Z | scenario |
| BlackLine | reference | Reference cadence | 2026-03-31T14:08:45Z | scenario |
| ServiceNow IRM | reference | Reference cadence | 2026-03-31T14:08:49Z | scenario |
| SAP GRC + identity | cached | Hourly | 2026-03-31T14:00:00Z | cache |
| Workiva | reference | Daily | 2026-03-31T13:55:02Z | scenario |
False positives, overrides, auditor disagreements, and model health are measured
| Metric | Value | Learning action |
|---|---|---|
| False positives | 12 / quarter | Learning Agent suppresses repeat low-risk drift patterns |
| False negatives | estimated 2 / quarter | Auditor findings and overrides feed recall tuning |
| Controller overrides | 3.1% | Override reason required and visible in replay |
| Auditor disagreements | 1.2% | Audit Liaison routes disputed packs to validation review |
| Precision / Recall | 0.83 / 0.89 | Published in model health for second-line oversight |
Control exceptions link to the underlying finance mission
| Control | Mission | Context | Surface |
|---|---|---|---|
| SOX P2P-018 | P2P | Invoice 3-way match prior to payment | /ui/mission/p2p?role=administrator |
| SOX P2P-VEN-021 | P2P | Vendor bank change and payment hold | /ui/mission/p2p?role=administrator&case_id=INV-778950 |
| SOX A&C-PEC-014 | R2R | Manual JE review and close confidence | /ui/continuous-close-intelligence?role=administrator |
| STS-TR-LIQ-009 | Treasury | Daily liquidity and cash forecast monitoring | /ui/treasury-command-center?role=administrator |
| C-O2C-CA-001 | O2C | Cash application and suspense clearing | /ui/mission/o2c?focus=collections&role=administrator |
$10.66 total compute · 82 SAP reads avoided · 2760599 cache hits
| Control | Cost | Tokens | SAP reads avoided | Effort avoided | ROI |
|---|---|---|---|---|---|
| SOX A&C-PEC-014 | $3.42 | 12,840 | 23 | 4.1 FTE-days | 193,000x |
| SOX A&C-BSA-029 | $5.18 | 18,120 | 41 | 380 hours | 1,145,000x |
| SOX P2P-018 | $2.06 | 7,420 | 18 | 6 FTE-days | 640,000x |
Every critical proof opens a drawer or API-backed runtime contract
Agent Workflows
Agent workflows: Signal -> Scoping -> Substantiation -> Test Execution -> Validation -> Audit Liaison -> Orchestrator.
Scoping
Risk-weighted population and sample selection. Shows control population, sample basis, cycle, and coverage.
Substantiation
Evidence retrieval and artifact completeness. Shows JE record, approval log, SOD trail, user-session log, and source timestamps.
Test Execution
Deterministic control testing. Shows test points, pass/fail result, exception type, materiality, and source evidence.
Validation
Finding classification and controller verdict. Shows procedural versus substantive, policy result, and sign-off requirement.
Audit Liaison
PBC response preparation. Shows indexed pack, auditor narrative, IRM status, and controller sign-off queue.
Continuous HF Signal Monitoring
Always-on control signal detection across drift, SOD, late postings, threshold breaches, and missing evidence.
Orchestrator
Coordinates lifecycle, agent sequence, queue routing, human gates, replay, and audit pack handoff.