Continuous Control Assurance
Controls Intelligence Mission · Controller-first mission surface: controls, exceptions, monitoring, evidence, audit, insights, and replay.
Continuous assurance operating model
Signal → Control → Population → Evidence → Agent Test → Policy / Framework → Result → Human Signoff → Audit Pack → Replay → Value Impact.
Only judgment decisions reach humans
Sign off, push back to agents, request substantiation, create remediation, waive with reason, or escalate. Clean controls are archived automatically.
One object backs dashboard, inbox, evidence, agent work products, and replay
2 active cycles · 1 controller-required · 8 evidence items · 2 audit packs · persistence=database · demo_mode=False
Prototype concept converted into reusable modules
| Prototype area | Production component | Runtime contract |
|---|---|---|
| Dashboard | ControlAssuranceDashboard | Summaries are derived from control_cycle, test_result, exception, and audit_pack records. |
| Controller Inbox | ControlDecisionInbox | Human-required rows are human_decision tasks generated from exceptions and external-release gates. |
| Auto-handled / Human-required | AssuranceOutcomeExplorer | Outcome split is computed from test_result and evidence completeness, not from menu state. |
| Control Library | ControlRegistryExplorer | Controls resolve to owner, risk, framework, policy, population, latest cycle, and evidence requirements. |
| HF Signal Monitor | ControlSignalMonitor | Signals are control_signal_events that can trigger scoping or investigation cases. |
| Policy & Framework | PolicyControlFramework | Policies and frameworks version every test and controller decision. |
| Agent detail pages | AgentWorkProductViewer | Clicking an agent opens work products, cases, evidence, and decisions before technical traces. |
| Agent Workflows modal | AuditReplayViewer | Replay is reconstructed from audit_log_events and agent_run records. |
Control workspace entry point
Each control opens definition, risk, latest test, evidence, agent findings, historical trend, audit history, and replay.
Agent-resolved controls
Clean tests with complete evidence are auto-archived. Any missing evidence, exception, or material risk moves to Human-required.
What requires controller action?
Continuous monitoring signals
Evidence pack, lineage, hash chain, and audit readiness
Shared platform capability: artifacts, source systems, lineage, hash chain, source timestamps, controller approval, and replay ID.
PBC requests and Audit Liaison Agent
Auditor asks, agent assembles pack, hashes artifacts, prepares response narrative, stages portal update, and routes controller sign-off.
Control → Policy → Risk → Evidence → Decision → Outcome
ControlPolicyRiskEvidenceExceptionTestControl OwnerAuditorSignoffMaterialityFrameworkControl ObjectiveOutcome
This ontology is reusable across P2P, O2C, R2R, audit, compliance, and close.
Audit-ready pack structure
PBC Request Center
Request, response time, pack generated, evidence delivered, and controller approval are visible. PBC response moves from days to seconds when evidence is complete.
| Request | Control | SLA | Status | Pack |
|---|---|---|---|---|
| E&Y walkthrough | SOX A&C-PEC-014 | 6.4 sec | Controller approval pending | IRM-CTL-2026-Q1-PEC-014 |
| Sample re-pull | SOX P2P-018 | 8.1 sec | Delivered | IRM-CTL-2026-Q1-P2P-018 |
| BSA certification support | SOX A&C-BSA-029 | 7.2 sec | Delivered | IRM-CTL-2026-Q1-BSA-029 |
| Vendor bank change evidence | SOX P2P-VEN-021 | Awaiting evidence | Blocked by missing checker log | IRM-CTL-2026-Q1-VEN-021 |
SOX readiness, audit readiness, control risk, evidence completeness, and audit cost savings
CFO view aggregates control health, open exceptions, risk exposure, audit cost saved, and continuous close confidence.
Agents visible only when needed
| Agent | Autonomy | Status | Purpose |
|---|---|---|---|
| Orchestrator Agent | AL2 | Healthy | Coordinates control lifecycle, queues, human gates, and replay. |
| Monitoring Agent | AL3 | Healthy | Detects continuous control signals, anomalies, drift, and SOD issues. |
| Scoping Agent | AL2 | Healthy | Selects sample or population scope based on control, risk, and cycle. |
| Evidence Agent | AL2 | Healthy | Retrieves artifacts, hashes evidence, links lineage, and builds packs. |
| Test Agent | AL3 | Healthy | Executes deterministic control checks and records pass/fail results. |
| Validation Agent | AL2 | Review | Classifies findings, materiality, risk, and control effectiveness. |
| Audit Agent | AL2 | Healthy | Prepares PBC packs, response narrative, and auditor portal updates. |
| Remediation Agent | AL1 | Healthy | Drafts owner action plans and tracks closure evidence. |
| Learning Agent | AL1 | Review | Learns from overrides, audit findings, and false positives. |
| Impact Agent | AL2 | Healthy | Attributes effort avoided, audit cost avoided, and risk reduced. |
Business work portfolio
Signal to outcome trace
Seven specialized assurance agents
| Capability | Inputs | Outputs | Human Boundary |
|---|---|---|---|
| Scoping Agent | What to test, risk level, population, sample size | Test scope, sample selection, risk rating | Human approval for scope override |
| Substantiation Agent | SAP, S/4, BlackLine, Ariba, Concur, Workiva, ServiceNow, identity evidence | Evidence bundles, hash signatures, evidence lineage | Missing evidence blocks sign-off |
| Test Execution Agent | Control definition, population, sample, rules | Pass, fail, exception, effectiveness result | Material exceptions route to controller |
| Validation Agent | Test result, materiality, exception history, risk context | Audit narrative, risk level, control conclusion | Controller confirms material findings |
| Audit Liaison Agent | Validated result, evidence pack, audit request | PBC response, supporting documents, auditor-ready pack | Auditor release requires controller sign-off |
| Continuous Monitoring Agent | Journals, vendor master, SoD, inventory, treasury, access events | Risk signals, drift, anomalies, monitoring feed | No autonomous remediation without approval |
| Orchestrator Agent | Agent state, SLA, capacity, queue, escalation rules | Scheduled lifecycle, prioritization, replay, controller routing | Cannot bypass policy or human gates |
Journals, vendor master, SoD, inventory, treasury, and access signals
Round-sum journals, weekend postings, threshold avoidance, duplicate entries, bank changes, maker-checker failures, privilege escalation, inventory count variance, and treasury cash anomalies are scanned continuously.
Non-bypassable human gates
| Action | Governance | Outcome |
|---|---|---|
| Sign off | Permitted when evidence complete, exceptions classified, and materiality accepted | Control marked effective or effective with exceptions |
| Push back | Returns pack to agent fabric with additional sample, evidence, or validation instruction | Cycle re-opens with expanded scope |
| Request substantiation | Blocks external release until missing artifact or lineage is attached | Evidence Agent retrieves and hash-signs artifacts |
| Create remediation | Creates owner action plan for substantive or repeat issue | Remediation tracked with due date and evidence |
| Waive with reason | Requires controller note, policy citation, and audit-visible rationale | Override captured in replay and learning queue |
| Escalate | Routes material issue to Head of Finance, GRC, or audit owner | Escalation and SLA are monitored |
Audit-log replay patterns
| Flow | Control | Trigger | Assurance pattern |
|---|---|---|---|
| BSA Reconciliation | SOX A&C-BSA-029 | Calendar, HF Monitor drift, or E&Y PBC | Population scan across 10,187 accounts with advisory findings |
| Manual JE Review | SOX A&C-PEC-014 | Quarter close control cycle | Risk-weighted sample of 60 JEs with outlier-priority selection |
| T&E Fraud Pattern Detection | CTL-FRA-T&E-007 | Hourly continuous monitoring | Non-SOX pattern detection routed to investigators |
IRM-CTL-2026-Q1-PEC-014 · pass
5 artifacts · SHA-256 · bundle hash 16774cf0288e5bdb876244be
| Artifact ID | Artifact | Source | Hash | Verification |
|---|---|---|---|---|
| ART-JE-44188 | JE record (BKPF/BSEG) | SAP S/4HANA | 00e93c99af9e61990b971dc4 | verified |
| ART-APP-44188 | Approval workflow log | SAP + Concur | 835b780d75aaf74d97c00c78 | verified |
| ART-SOD-44188 | SoD trail | SAP GRC + identity | 558a1506581b33bb250b495e | verified |
| ART-BL-44291 | BlackLine support calc | BlackLine | 6fded848b74edf1e00fe819a | verified |
| ART-IRM-PEC014 | IRM pack manifest | ServiceNow IRM | c09ad1786ec739973f94e73f | verified |
operational · 4 reference sources · 0 live sources
| Source | Status | Cadence | Last refresh | Latency |
|---|---|---|---|---|
| SAP S/4HANA | reference | Reference cadence | 2026-03-31T14:08:44Z | scenario |
| BlackLine | reference | Reference cadence | 2026-03-31T14:08:45Z | scenario |
| ServiceNow IRM | reference | Reference cadence | 2026-03-31T14:08:49Z | scenario |
| SAP GRC + identity | cached | Hourly | 2026-03-31T14:00:00Z | cache |
| Workiva | reference | Daily | 2026-03-31T13:55:02Z | scenario |
Learning from false positives, false negatives, overrides, and auditor disagreements
| Metric | Value | Learning action |
|---|---|---|
| False positives | 12 / quarter | Learning Agent suppresses repeat low-risk drift patterns |
| False negatives | estimated 2 / quarter | Auditor findings and overrides feed recall tuning |
| Controller overrides | 3.1% | Override reason required and visible in replay |
| Auditor disagreements | 1.2% | Audit Liaison routes disputed packs to validation review |
| Precision / Recall | 0.83 / 0.89 | Published in model health for second-line oversight |
Control exceptions are not isolated from the finance mission
| Control | Mission | Context | Surface |
|---|---|---|---|
| SOX P2P-018 | P2P | Invoice 3-way match prior to payment | /ui/mission/p2p?role=administrator |
| SOX P2P-VEN-021 | P2P | Vendor bank change and payment hold | /ui/mission/p2p?role=administrator&case_id=INV-778950 |
| SOX A&C-PEC-014 | R2R | Manual JE review and close confidence | /ui/continuous-close-intelligence?role=administrator |
| STS-TR-LIQ-009 | Treasury | Daily liquidity and cash forecast monitoring | /ui/treasury-command-center?role=administrator |
| C-O2C-CA-001 | O2C | Cash application and suspense clearing | /ui/mission/o2c?focus=collections&role=administrator |
Impact and improvement loop
Runtime contract
Read-only by default, deterministic evidence, policy-bound sign-off, hash-signed packs, and replay coverage are the control-plane contract.
| Data domain | Source | Refresh | Used by |
|---|---|---|---|
| Journal-entry detail (BKPF/BSEG) | SAP S/4HANA | Real-time | Test Execution, HF Monitor, Substantiation |
| Change documents (CDPOS) | SAP S/4HANA | Real-time | Vendor bank changes, Test Execution |
| User-role matrix | SAP GRC + identity | Hourly | SoD checks, Validation Agent |
| BSA reconciliation status | BlackLine | Real-time | Test Execution, drift forecast |
| Approval workflow logs | SAP + Concur | Real-time | Substantiation, Test Execution |
| DofA register | SAP GRC | On change | Validation Agent |
| Audit pack repository | ServiceNow IRM | Real-time write | Audit Liaison, auditor portal |
| Master data | SAP MDG | On change | P2P, Customer, O2C controls |
| Payroll postings | Workday to SAP HCM | Monthly | Payroll control |
| Bank account balances | Bank portals + SAP TR | Daily | Treasury liquidity controls |
Control Cycle schema
| Runtime entity | Purpose |
|---|---|
| control | SOX / non-SOX control master, owner, hub, category, risk, framework. |
| control_cycle | Period run such as Q1-26 close, daily monitoring, or ad-hoc auditor request. |
| control_population | Full tested population: journals, vendors, BSAs, invoices, SoD pairs. |
| sample_selection | Scoping Agent sample basis, outliers, seed, and risk uplift. |
| evidence_item | Source evidence metadata, source system, capture time, hash, and lineage. |
| test_result | Per-sample/per-check pass, fail, exception, and deterministic rule output. |
| exception | Procedural, substantive, or advisory finding with risk and owner. |
| audit_pack | Pack manifest, sections, hash chain, status, and external-release gate. |
| human_decision | Sign off, pushback, escalation, waiver, substantiation request, or remediation. |
| agent_run | Agent identity, inputs, outputs, cost, duration, confidence, and evidence refs. |
| audit_log_event | Immutable event stream used for decision replay and audit inspection. |
Control assurance services
| Service | Responsibility |
|---|---|
| control-registry-service | Control catalogue, SOX mapping, hub ownership, policy mapping. |
| control-cycle-service | Creates and manages control test cycles. |
| population-service | Reads tested populations from UDP / Databricks and source replicas. |
| scoping-service | Risk rating, sample sizing, outlier priority selection. |
| evidence-service | Evidence capture, hashing, metadata, source-system lineage. |
| test-execution-service | Deterministic control checks and result recording. |
| validation-service | Materiality, classification, conclusion drafting. |
| audit-pack-service | Pack manifest, sections, hash chain, and PBC readiness. |
| decision-workflow-service | Controller sign-off, pushback, escalation, waiver, remediation. |
| audit-replay-service | Reconstructs decisions from immutable audit events. |
| signal-monitor-service | Continuous anomaly, SoD, flux, BSA drift, and access scanning. |
Source-system governance
| Layer | Read | Write |
|---|---|---|
| UDP / Databricks | Yes, preferred for populations and evidence context | Derived assurance outputs only. |
| SAP ECC / S/4 / CFIN | Via replicated data where possible | Only governed remediation or SoR update after approval. |
| BlackLine / Workiva / IRM | Evidence, control status, reconciliation status | Audit pack status, comments, evidence links. |
| Sphere DB | Runtime records and replay ledger | Cycles, evidence metadata, decisions, audit events. |
| Human workflow | Inbox, approvals, escalations | Sign-off, pushback, waiver, override rationale. |
| Agent memory | Prior decisions and outcomes | Lessons, false positives, sampling adjustments. |
Manual Journal Entry Review is the first real end-to-end control
Scoping Agent selects sample; Substantiation Agent pulls SAP / BlackLine evidence; Test Execution Agent runs deterministic checks; Validation Agent classifies procedural vs substantive; Audit Liaison Agent builds pack; Controller signs off; replay shows the full evidence chain.
$10.66 total compute · 82 SAP reads avoided · 2760599 cache hits
| Control | Cost | Tokens | SAP reads avoided | Effort avoided | ROI |
|---|---|---|---|---|---|
| SOX A&C-PEC-014 | $3.42 | 12,840 | 23 | 4.1 FTE-days | 193,000x |
| SOX A&C-BSA-029 | $5.18 | 18,120 | 41 | 380 hours | 1,145,000x |
| SOX P2P-018 | $2.06 | 7,420 | 18 | 6 FTE-days | 640,000x |
Inspect the proof from the workbench
Control policy operating model
Shows control objective, policy version, evidence minimums, materiality threshold, controller sign-off, override reason capture, and audit readiness obligation.
Controller action path
Sign off, push back to agents, escalate to controller, view in Audit Liaison, or inspect artifacts without leaving the workbench.
Agent Workflows
Agent workflows: Signal -> Scoping -> Substantiation -> Test Execution -> Validation -> Audit Liaison -> Orchestrator.
Scoping
Risk-weighted population and sample selection. Shows control population, sample basis, cycle, and coverage.
Substantiation
Evidence retrieval and artifact completeness. Shows JE record, approval log, SOD trail, user-session log, and source timestamps.
Test Execution
Deterministic control testing. Shows test points, pass/fail result, exception type, materiality, and source evidence.
Validation
Finding classification and controller verdict. Shows procedural versus substantive, policy result, and sign-off requirement.
Audit Liaison
PBC response preparation. Shows indexed pack, auditor narrative, IRM status, and controller sign-off queue.
Continuous HF Signal Monitoring
Always-on control signal detection across drift, SOD, late postings, threshold breaches, and missing evidence.
Orchestrator
Coordinates lifecycle, agent sequence, queue routing, human gates, replay, and audit pack handoff.