Q1-26 closeOperationalReplay on

Controls Intelligence Hub · Continuous Control Assurance

Dashboard · Q1-26 close · SOX 1,005 controls · non-SOX 2,119 · continuous assurance cycle.

Controls Covered3,124SOX 1,005 + non-SOX 2,119 under continuous assurance
Auto Passed90%Clean tests archived to IRM with hash-signed evidence
Controller Review10%Exceptions, sign-offs, waivers, and judgment items
Exceptions Q184 procedural, 4 substantive findings
PBC SLA8 secEvidence pack served versus days of manual collection
Audit Readiness96%Packs complete, signed, replayable, and owner-ready
SOX Confidence97.4%Control effectiveness, evidence completeness, and controller sign-off posture
Audit Cost Saved38%PBC response automation, evidence reuse, and reduced manual sampling effort
New mission · Continuous Control Assurance

Controls → Signals → Agents → Evidence → Decisions → Controller Sign-Off → Audit Pack → Replay

This is a platform capability, not a dashboard. It continuously tests controls, monitors risks, generates evidence, creates audit-ready packs, routes only judgment decisions to humans, and attributes value.

Open controller mission
Control Intelligence Runtime · core object

Control Cycle = control + period + population + sample + test run + evidence + exceptions + verdict + pack + sign-off

2 active cycles · 8 evidence items · 3 exceptions · 2 audit packs · persistence: database · hash chain pass: True

Prototype refactor map

ctrl.html converted into Sphere runtime modules

Prototype areaProduction componentRuntime contract
DashboardControlAssuranceDashboardSummaries are derived from control_cycle, test_result, exception, and audit_pack records.
Controller InboxControlDecisionInboxHuman-required rows are human_decision tasks generated from exceptions and external-release gates.
Auto-handled / Human-requiredAssuranceOutcomeExplorerOutcome split is computed from test_result and evidence completeness, not from menu state.
Control LibraryControlRegistryExplorerControls resolve to owner, risk, framework, policy, population, latest cycle, and evidence requirements.
HF Signal MonitorControlSignalMonitorSignals are control_signal_events that can trigger scoping or investigation cases.
Policy & FrameworkPolicyControlFrameworkPolicies and frameworks version every test and controller decision.
Agent detail pagesAgentWorkProductViewerClicking an agent opens work products, cases, evidence, and decisions before technical traces.
Agent Workflows modalAuditReplayViewerReplay is reconstructed from audit_log_events and agent_run records.
Latest full-cycle test · completed 2 min ago

SOX A&C-PEC-014 · Manual JE review · Effective with exceptions

60 samples · 2 procedural exceptions · pack in Controller Inbox · confidence 0.91

Control pipeline · Control Library · 25 active

Click row for detail

ControlHubTestSampleFindingStatus
SOX A&C-PEC-014
Manual JE review for entries above threshold
A&CManual JE60 samplesEffective with exceptionsAwaiting controller
SOX A&C-BSA-029
Balance Sheet Account ownership and certification
A&C10,187 accountsPopulation scanAll checks passSigned off
SOX P2P-PAY-031
Payment run authorization and approval
ST&S2.75m invoices60 samplesQueuedQueued
SOX P2P-VEN-021
Vendor master bank-account change verification
ST&S412 changes/dayPopulation scanQueuedQueued
SOX P2P-018
Invoice 3-way match prior to payment
ST&S$62bn payables2.75m invoicesAll checks passSigned off
Activity timeline · HF Signal Monitor · last 6 hours

All agents

Audit LiaisonE&Y portal updated; pack IRM-CTL-2026-Q1-PEC-014 indexed.
ValidationVerdict drafted: effective with exceptions; confidence 0.91.
Test Execution360 test points complete; 358 pass; 2 procedural exceptions.
Evidence AgentHash chain signed for 47 artifacts; controller inbox updated.
External Auditor Portal

PBC Request Center

Auditor requests evidence, Audit Liaison Agent assembles pack, hash-signs artifacts, prepares narrative, and routes controller approval before external release.

RequestControlSLAStatusPack
E&Y walkthroughSOX A&C-PEC-0146.4 secController approval pendingIRM-CTL-2026-Q1-PEC-014
Sample re-pullSOX P2P-0188.1 secDeliveredIRM-CTL-2026-Q1-P2P-018
BSA certification supportSOX A&C-BSA-0297.2 secDeliveredIRM-CTL-2026-Q1-BSA-029
Vendor bank change evidenceSOX P2P-VEN-021Awaiting evidenceBlocked by missing checker logIRM-CTL-2026-Q1-VEN-021
CFO Control Command Center

Control health, SOX readiness, audit readiness, exceptions, coverage, risk exposure, and cost savings

Executive rollup shows control confidence, evidence completeness, open exceptions, audit cost saved, and risk exposure from the same evidence and replay ledger.

Control Knowledge Graph

Control ontology

ControlPolicyRiskEvidenceExceptionTestControl OwnerAuditorSignoffMaterialityFrameworkControl ObjectiveOutcome

Value & FinOps

Assurance economics

Manual effort avoided4.1 FTE-days today
Audit cost avoided38% estimate
Risk reduced8 exceptions isolated
Control failures prevented3 emerging issues

Runtime cost is attributable by control, agent, evidence pack, auditor request, and business outcome.

Auto-handled

Clean controls archived by agents

Auto-passed tests are indexed, hash-signed, and archived without controller intervention. Exceptions remain in the human-required queue.

Open PRD mission view
Evidence integrity

Hash-signed audit packs

Evidence packs include artifacts, lineage, source systems, hash chain, controller sign-off, IRM staging status, and replay ID.

Controller Inbox

Human-required judgment queue

Only exceptions, sign-offs, waivers, materiality decisions, and external-release approvals reach controllers. Clean controls remain auto-archived with evidence and replay.

Open mission inbox
Control Agent Fabric

Seven specialized assurance agents

CapabilityInputsOutputsHuman Boundary
Scoping AgentWhat to test, risk level, population, sample sizeTest scope, sample selection, risk ratingHuman approval for scope override
Substantiation AgentSAP, S/4, BlackLine, Ariba, Concur, Workiva, ServiceNow, identity evidenceEvidence bundles, hash signatures, evidence lineageMissing evidence blocks sign-off
Test Execution AgentControl definition, population, sample, rulesPass, fail, exception, effectiveness resultMaterial exceptions route to controller
Validation AgentTest result, materiality, exception history, risk contextAudit narrative, risk level, control conclusionController confirms material findings
Audit Liaison AgentValidated result, evidence pack, audit requestPBC response, supporting documents, auditor-ready packAuditor release requires controller sign-off
Continuous Monitoring AgentJournals, vendor master, SoD, inventory, treasury, access eventsRisk signals, drift, anomalies, monitoring feedNo autonomous remediation without approval
Orchestrator AgentAgent state, SLA, capacity, queue, escalation rulesScheduled lifecycle, prioritization, replay, controller routingCannot bypass policy or human gates

Agent work products

Audit

PBC response pack staged

Audit Liaison Agent prepares the evidence pack, response narrative, source references, and controller sign-off route.

Decision Replay

Signal to outcome trace

Replay reconstructs signal, context, agent, policy, evidence, decision, controller action, outcome, and learning.

Policy & Framework

Controls, policies, thresholds, and sign-off rules

Maps control objective, risk, policy version, materiality threshold, evidence requirement, controller role, and audit pack obligation.

About Tech

Read-only first, governed action only

Controls Intelligence uses SAP, BlackLine, ServiceNow, Workiva, and IRM context as evidence sources. Agents remain read-only unless policy, evidence, and sign-off allow an action.

Data domainSourceRefreshUsed by
Journal-entry detail (BKPF/BSEG)SAP S/4HANAReal-timeTest Execution, HF Monitor, Substantiation
Change documents (CDPOS)SAP S/4HANAReal-timeVendor bank changes, Test Execution
User-role matrixSAP GRC + identityHourlySoD checks, Validation Agent
BSA reconciliation statusBlackLineReal-timeTest Execution, drift forecast
Approval workflow logsSAP + ConcurReal-timeSubstantiation, Test Execution
Production data model

Minimum runtime records behind every control cycle

Runtime entityPurpose
controlSOX / non-SOX control master, owner, hub, category, risk, framework.
control_cyclePeriod run such as Q1-26 close, daily monitoring, or ad-hoc auditor request.
control_populationFull tested population: journals, vendors, BSAs, invoices, SoD pairs.
sample_selectionScoping Agent sample basis, outliers, seed, and risk uplift.
evidence_itemSource evidence metadata, source system, capture time, hash, and lineage.
test_resultPer-sample/per-check pass, fail, exception, and deterministic rule output.
exceptionProcedural, substantive, or advisory finding with risk and owner.
audit_packPack manifest, sections, hash chain, status, and external-release gate.
human_decisionSign off, pushback, escalation, waiver, substantiation request, or remediation.
agent_runAgent identity, inputs, outputs, cost, duration, confidence, and evidence refs.
audit_log_eventImmutable event stream used for decision replay and audit inspection.
Read/write boundaries

Read-heavy assurance, governed writes only

LayerReadWrite
UDP / DatabricksYes, preferred for populations and evidence contextDerived assurance outputs only.
SAP ECC / S/4 / CFINVia replicated data where possibleOnly governed remediation or SoR update after approval.
BlackLine / Workiva / IRMEvidence, control status, reconciliation statusAudit pack status, comments, evidence links.
Sphere DBRuntime records and replay ledgerCycles, evidence metadata, decisions, audit events.
Human workflowInbox, approvals, escalationsSign-off, pushback, waiver, override rationale.
Agent memoryPrior decisions and outcomesLessons, false positives, sampling adjustments.
Controller decision actions

Sign off, push back, request substantiation, remediate, waive, or escalate

ActionGovernanceOutcome
Sign offPermitted when evidence complete, exceptions classified, and materiality acceptedControl marked effective or effective with exceptions
Push backReturns pack to agent fabric with additional sample, evidence, or validation instructionCycle re-opens with expanded scope
Request substantiationBlocks external release until missing artifact or lineage is attachedEvidence Agent retrieves and hash-signs artifacts
Create remediationCreates owner action plan for substantive or repeat issueRemediation tracked with due date and evidence
Waive with reasonRequires controller note, policy citation, and audit-visible rationaleOverride captured in replay and learning queue
EscalateRoutes material issue to Head of Finance, GRC, or audit ownerEscalation and SLA are monitored
Replay flow library

Reusable assurance patterns across SOX and non-SOX controls

FlowControlTriggerAssurance pattern
BSA ReconciliationSOX A&C-BSA-029Calendar, HF Monitor drift, or E&Y PBCPopulation scan across 10,187 accounts with advisory findings
Manual JE ReviewSOX A&C-PEC-014Quarter close control cycleRisk-weighted sample of 60 JEs with outlier-priority selection
T&E Fraud Pattern DetectionCTL-FRA-T&E-007Hourly continuous monitoringNon-SOX pattern detection routed to investigators
Evidence hash verification

IRM-CTL-2026-Q1-PEC-014 · pass

5 artifacts · SHA-256 · bundle hash 16774cf0288e5bdb876244be

Artifact IDArtifactSourceHashVerification
ART-JE-44188JE record (BKPF/BSEG)SAP S/4HANA00e93c99af9e61990b971dc4verified
ART-APP-44188Approval workflow logSAP + Concur835b780d75aaf74d97c00c78verified
ART-SOD-44188SoD trailSAP GRC + identity558a1506581b33bb250b495everified
ART-BL-44291BlackLine support calcBlackLine6fded848b74edf1e00fe819averified
ART-IRM-PEC014IRM pack manifestServiceNow IRMc09ad1786ec739973f94e73fverified
Source freshness

operational · 4 reference sources · 0 live sources

SourceStatusCadenceLast refreshLatency
SAP S/4HANAreferenceReference cadence2026-03-31T14:08:44Zscenario
BlackLinereferenceReference cadence2026-03-31T14:08:45Zscenario
ServiceNow IRMreferenceReference cadence2026-03-31T14:08:49Zscenario
SAP GRC + identitycachedHourly2026-03-31T14:00:00Zcache
WorkivareferenceDaily2026-03-31T13:55:02Zscenario
Control quality and learning

False positives, overrides, auditor disagreements, and model health are measured

MetricValueLearning action
False positives12 / quarterLearning Agent suppresses repeat low-risk drift patterns
False negativesestimated 2 / quarterAuditor findings and overrides feed recall tuning
Controller overrides3.1%Override reason required and visible in replay
Auditor disagreements1.2%Audit Liaison routes disputed packs to validation review
Precision / Recall0.83 / 0.89Published in model health for second-line oversight
FinOps per control cycle

$10.66 total compute · 82 SAP reads avoided · 2760599 cache hits

ControlCostTokensSAP reads avoidedEffort avoidedROI
SOX A&C-PEC-014$3.4212,840234.1 FTE-days193,000x
SOX A&C-BSA-029$5.1818,12041380 hours1,145,000x
SOX P2P-018$2.067,420186 FTE-days640,000x
Clickable assurance paths

Every critical proof opens a drawer or API-backed runtime contract

Agents · 7 specialists

Agent Workflows

Agent workflows: Signal -> Scoping -> Substantiation -> Test Execution -> Validation -> Audit Liaison -> Orchestrator.

Agents · 7 specialists

Scoping

Risk-weighted population and sample selection. Shows control population, sample basis, cycle, and coverage.

Agents · 7 specialists

Substantiation

Evidence retrieval and artifact completeness. Shows JE record, approval log, SOD trail, user-session log, and source timestamps.

Agents · 7 specialists

Test Execution

Deterministic control testing. Shows test points, pass/fail result, exception type, materiality, and source evidence.

Agents · 7 specialists

Validation

Finding classification and controller verdict. Shows procedural versus substantive, policy result, and sign-off requirement.

Agents · 7 specialists

Audit Liaison

PBC response preparation. Shows indexed pack, auditor narrative, IRM status, and controller sign-off queue.

Agents · 7 specialists

Continuous HF Signal Monitoring

Always-on control signal detection across drift, SOD, late postings, threshold breaches, and missing evidence.

Agents · 7 specialists

Orchestrator

Coordinates lifecycle, agent sequence, queue routing, human gates, replay, and audit pack handoff.