Continuous assuranceRead-only defaultHash-signed

Continuous Control Assurance

Controls Intelligence Mission · Controller-first mission surface: controls, exceptions, monitoring, evidence, audit, insights, and replay.

Controls Covered3,124SOX 1,005 + non-SOX 2,119 under continuous assurance
Auto Passed90%Clean tests archived to IRM with hash-signed evidence
Controller Review10%Exceptions, sign-offs, waivers, and judgment items
Exceptions Q184 procedural, 4 substantive findings
PBC SLA8 secEvidence pack served versus days of manual collection
Audit Readiness96%Packs complete, signed, replayable, and owner-ready
SOX Confidence97.4%Control effectiveness, evidence completeness, and controller sign-off posture
Audit Cost Saved38%PBC response automation, evidence reuse, and reduced manual sampling effort
Controls Command Center

Continuous assurance operating model

Signal → Control → Population → Evidence → Agent Test → Policy / Framework → Result → Human Signoff → Audit Pack → Replay → Value Impact.

Controller Inbox

Only judgment decisions reach humans

Sign off, push back to agents, request substantiation, create remediation, waive with reason, or escalate. Clean controls are archived automatically.

Control Cycle Runtime

One object backs dashboard, inbox, evidence, agent work products, and replay

2 active cycles · 1 controller-required · 8 evidence items · 2 audit packs · persistence=database · demo_mode=False

Production component model

Prototype concept converted into reusable modules

Prototype areaProduction componentRuntime contract
DashboardControlAssuranceDashboardSummaries are derived from control_cycle, test_result, exception, and audit_pack records.
Controller InboxControlDecisionInboxHuman-required rows are human_decision tasks generated from exceptions and external-release gates.
Auto-handled / Human-requiredAssuranceOutcomeExplorerOutcome split is computed from test_result and evidence completeness, not from menu state.
Control LibraryControlRegistryExplorerControls resolve to owner, risk, framework, policy, population, latest cycle, and evidence requirements.
HF Signal MonitorControlSignalMonitorSignals are control_signal_events that can trigger scoping or investigation cases.
Policy & FrameworkPolicyControlFrameworkPolicies and frameworks version every test and controller decision.
Agent detail pagesAgentWorkProductViewerClicking an agent opens work products, cases, evidence, and decisions before technical traces.
Agent Workflows modalAuditReplayViewerReplay is reconstructed from audit_log_events and agent_run records.
Control Library

Control workspace entry point

Each control opens definition, risk, latest test, evidence, agent findings, historical trend, audit history, and replay.

Auto-handled

Agent-resolved controls

Clean tests with complete evidence are auto-archived. Any missing evidence, exception, or material risk moves to Human-required.

Exceptions Workbench

What requires controller action?

Signal Intelligence Center

Continuous monitoring signals

Maker-checker driftSOD · 7 anomalous patterns · P2P and R2R
Late postingsClose · 18 journals after cut-off · R2R
Threshold breachPolicy · 4 journals above materiality · A&C
Missing evidenceEvidence · 3 open artifacts · Controls
Unexpected patternRisk · Vendor bank changes clustered · P2P
Evidence Intelligence

Evidence pack, lineage, hash chain, and audit readiness

Shared platform capability: artifacts, source systems, lineage, hash chain, source timestamps, controller approval, and replay ID.

Audit Command Center

PBC requests and Audit Liaison Agent

Auditor asks, agent assembles pack, hashes artifacts, prepares response narrative, stages portal update, and routes controller sign-off.

Control Knowledge Graph

Control → Policy → Risk → Evidence → Decision → Outcome

ControlPolicyRiskEvidenceExceptionTestControl OwnerAuditorSignoffMaterialityFrameworkControl ObjectiveOutcome

This ontology is reusable across P2P, O2C, R2R, audit, compliance, and close.

Audit Pack Runtime

Audit-ready pack structure

Cover PageControl, period, owner, result, confidence
Sample SelectionPopulation, why selected, risk factors, sample basis
EvidenceArtifacts, source systems, timestamps, hash chain
TestingTest procedures, pass/fail, deterministic rules, exceptions
ConclusionAgent recommendation, controller decision, sign-off state
SignaturesAgent, human, system, replay ID
External Auditor Portal

PBC Request Center

Request, response time, pack generated, evidence delivered, and controller approval are visible. PBC response moves from days to seconds when evidence is complete.

RequestControlSLAStatusPack
E&Y walkthroughSOX A&C-PEC-0146.4 secController approval pendingIRM-CTL-2026-Q1-PEC-014
Sample re-pullSOX P2P-0188.1 secDeliveredIRM-CTL-2026-Q1-P2P-018
BSA certification supportSOX A&C-BSA-0297.2 secDeliveredIRM-CTL-2026-Q1-BSA-029
Vendor bank change evidenceSOX P2P-VEN-021Awaiting evidenceBlocked by missing checker logIRM-CTL-2026-Q1-VEN-021
CFO Control Command Center

SOX readiness, audit readiness, control risk, evidence completeness, and audit cost savings

CFO view aggregates control health, open exceptions, risk exposure, audit cost saved, and continuous close confidence.

Agent Fabric

Agents visible only when needed

AgentAutonomyStatusPurpose
Orchestrator AgentAL2HealthyCoordinates control lifecycle, queues, human gates, and replay.
Monitoring AgentAL3HealthyDetects continuous control signals, anomalies, drift, and SOD issues.
Scoping AgentAL2HealthySelects sample or population scope based on control, risk, and cycle.
Evidence AgentAL2HealthyRetrieves artifacts, hashes evidence, links lineage, and builds packs.
Test AgentAL3HealthyExecutes deterministic control checks and records pass/fail results.
Validation AgentAL2ReviewClassifies findings, materiality, risk, and control effectiveness.
Audit AgentAL2HealthyPrepares PBC packs, response narrative, and auditor portal updates.
Remediation AgentAL1HealthyDrafts owner action plans and tracks closure evidence.
Learning AgentAL1ReviewLearns from overrides, audit findings, and false positives.
Impact AgentAL2HealthyAttributes effort avoided, audit cost avoided, and risk reduced.

Business work portfolio

Decision Replay

Signal to outcome trace

SignalManual JE test completed with two procedural exceptions
ContextControl definition, sample, journal population, maker-checker data, evidence history
AgentScoping, Test, Evidence, Validation, and Audit Liaison agents executed
PolicySOX Manual JE threshold policy v4.2 and controller sign-off rule
EvidenceSample file, journal export, approval matrix, reviewer notes, hash chain
DecisionEffective with exceptions; controller sign-off required
ActionPack staged in Controller Inbox and PBC response prepared
OutcomeAudit pack hash-signed, replayable, and queued for controller
LearningLate reviewer evidence issue added to close control improvement backlog
Control Agent Fabric

Seven specialized assurance agents

CapabilityInputsOutputsHuman Boundary
Scoping AgentWhat to test, risk level, population, sample sizeTest scope, sample selection, risk ratingHuman approval for scope override
Substantiation AgentSAP, S/4, BlackLine, Ariba, Concur, Workiva, ServiceNow, identity evidenceEvidence bundles, hash signatures, evidence lineageMissing evidence blocks sign-off
Test Execution AgentControl definition, population, sample, rulesPass, fail, exception, effectiveness resultMaterial exceptions route to controller
Validation AgentTest result, materiality, exception history, risk contextAudit narrative, risk level, control conclusionController confirms material findings
Audit Liaison AgentValidated result, evidence pack, audit requestPBC response, supporting documents, auditor-ready packAuditor release requires controller sign-off
Continuous Monitoring AgentJournals, vendor master, SoD, inventory, treasury, access eventsRisk signals, drift, anomalies, monitoring feedNo autonomous remediation without approval
Orchestrator AgentAgent state, SLA, capacity, queue, escalation rulesScheduled lifecycle, prioritization, replay, controller routingCannot bypass policy or human gates
Continuous Monitoring Runtime

Journals, vendor master, SoD, inventory, treasury, and access signals

Round-sum journals, weekend postings, threshold avoidance, duplicate entries, bank changes, maker-checker failures, privilege escalation, inventory count variance, and treasury cash anomalies are scanned continuously.

Controller decision actions

Non-bypassable human gates

ActionGovernanceOutcome
Sign offPermitted when evidence complete, exceptions classified, and materiality acceptedControl marked effective or effective with exceptions
Push backReturns pack to agent fabric with additional sample, evidence, or validation instructionCycle re-opens with expanded scope
Request substantiationBlocks external release until missing artifact or lineage is attachedEvidence Agent retrieves and hash-signs artifacts
Create remediationCreates owner action plan for substantive or repeat issueRemediation tracked with due date and evidence
Waive with reasonRequires controller note, policy citation, and audit-visible rationaleOverride captured in replay and learning queue
EscalateRoutes material issue to Head of Finance, GRC, or audit ownerEscalation and SLA are monitored
Replay flow library

Audit-log replay patterns

FlowControlTriggerAssurance pattern
BSA ReconciliationSOX A&C-BSA-029Calendar, HF Monitor drift, or E&Y PBCPopulation scan across 10,187 accounts with advisory findings
Manual JE ReviewSOX A&C-PEC-014Quarter close control cycleRisk-weighted sample of 60 JEs with outlier-priority selection
T&E Fraud Pattern DetectionCTL-FRA-T&E-007Hourly continuous monitoringNon-SOX pattern detection routed to investigators
Evidence hash verification

IRM-CTL-2026-Q1-PEC-014 · pass

5 artifacts · SHA-256 · bundle hash 16774cf0288e5bdb876244be

Artifact IDArtifactSourceHashVerification
ART-JE-44188JE record (BKPF/BSEG)SAP S/4HANA00e93c99af9e61990b971dc4verified
ART-APP-44188Approval workflow logSAP + Concur835b780d75aaf74d97c00c78verified
ART-SOD-44188SoD trailSAP GRC + identity558a1506581b33bb250b495everified
ART-BL-44291BlackLine support calcBlackLine6fded848b74edf1e00fe819averified
ART-IRM-PEC014IRM pack manifestServiceNow IRMc09ad1786ec739973f94e73fverified
Source freshness

operational · 4 reference sources · 0 live sources

SourceStatusCadenceLast refreshLatency
SAP S/4HANAreferenceReference cadence2026-03-31T14:08:44Zscenario
BlackLinereferenceReference cadence2026-03-31T14:08:45Zscenario
ServiceNow IRMreferenceReference cadence2026-03-31T14:08:49Zscenario
SAP GRC + identitycachedHourly2026-03-31T14:00:00Zcache
WorkivareferenceDaily2026-03-31T13:55:02Zscenario
Control quality and learning

Learning from false positives, false negatives, overrides, and auditor disagreements

MetricValueLearning action
False positives12 / quarterLearning Agent suppresses repeat low-risk drift patterns
False negativesestimated 2 / quarterAuditor findings and overrides feed recall tuning
Controller overrides3.1%Override reason required and visible in replay
Auditor disagreements1.2%Audit Liaison routes disputed packs to validation review
Precision / Recall0.83 / 0.89Published in model health for second-line oversight
Runtime Value + Learning · Value & FinOps

Impact and improvement loop

Manual effort avoided4.1 FTE-days today · Evidence collection, indexing, and PBC response
Audit cost avoided38% estimate · PBC SLA reduced from days to seconds
Risk reduced8 exceptions isolated · Human review focuses on material findings
Control failures prevented3 emerging issues · SOD, drift, and threshold breach intercepted
About Tech

Runtime contract

Read-only by default, deterministic evidence, policy-bound sign-off, hash-signed packs, and replay coverage are the control-plane contract.

Data domainSourceRefreshUsed by
Journal-entry detail (BKPF/BSEG)SAP S/4HANAReal-timeTest Execution, HF Monitor, Substantiation
Change documents (CDPOS)SAP S/4HANAReal-timeVendor bank changes, Test Execution
User-role matrixSAP GRC + identityHourlySoD checks, Validation Agent
BSA reconciliation statusBlackLineReal-timeTest Execution, drift forecast
Approval workflow logsSAP + ConcurReal-timeSubstantiation, Test Execution
DofA registerSAP GRCOn changeValidation Agent
Audit pack repositoryServiceNow IRMReal-time writeAudit Liaison, auditor portal
Master dataSAP MDGOn changeP2P, Customer, O2C controls
Payroll postingsWorkday to SAP HCMMonthlyPayroll control
Bank account balancesBank portals + SAP TRDailyTreasury liquidity controls
Runtime data model

Control Cycle schema

Runtime entityPurpose
controlSOX / non-SOX control master, owner, hub, category, risk, framework.
control_cyclePeriod run such as Q1-26 close, daily monitoring, or ad-hoc auditor request.
control_populationFull tested population: journals, vendors, BSAs, invoices, SoD pairs.
sample_selectionScoping Agent sample basis, outliers, seed, and risk uplift.
evidence_itemSource evidence metadata, source system, capture time, hash, and lineage.
test_resultPer-sample/per-check pass, fail, exception, and deterministic rule output.
exceptionProcedural, substantive, or advisory finding with risk and owner.
audit_packPack manifest, sections, hash chain, status, and external-release gate.
human_decisionSign off, pushback, escalation, waiver, substantiation request, or remediation.
agent_runAgent identity, inputs, outputs, cost, duration, confidence, and evidence refs.
audit_log_eventImmutable event stream used for decision replay and audit inspection.
Runtime architecture

Control assurance services

ServiceResponsibility
control-registry-serviceControl catalogue, SOX mapping, hub ownership, policy mapping.
control-cycle-serviceCreates and manages control test cycles.
population-serviceReads tested populations from UDP / Databricks and source replicas.
scoping-serviceRisk rating, sample sizing, outlier priority selection.
evidence-serviceEvidence capture, hashing, metadata, source-system lineage.
test-execution-serviceDeterministic control checks and result recording.
validation-serviceMateriality, classification, conclusion drafting.
audit-pack-servicePack manifest, sections, hash chain, and PBC readiness.
decision-workflow-serviceController sign-off, pushback, escalation, waiver, remediation.
audit-replay-serviceReconstructs decisions from immutable audit events.
signal-monitor-serviceContinuous anomaly, SoD, flux, BSA drift, and access scanning.
Read/write boundaries

Source-system governance

LayerReadWrite
UDP / DatabricksYes, preferred for populations and evidence contextDerived assurance outputs only.
SAP ECC / S/4 / CFINVia replicated data where possibleOnly governed remediation or SoR update after approval.
BlackLine / Workiva / IRMEvidence, control status, reconciliation statusAudit pack status, comments, evidence links.
Sphere DBRuntime records and replay ledgerCycles, evidence metadata, decisions, audit events.
Human workflowInbox, approvals, escalationsSign-off, pushback, waiver, override rationale.
Agent memoryPrior decisions and outcomesLessons, false positives, sampling adjustments.
Hero control

Manual Journal Entry Review is the first real end-to-end control

Scoping Agent selects sample; Substantiation Agent pulls SAP / BlackLine evidence; Test Execution Agent runs deterministic checks; Validation Agent classifies procedural vs substantive; Audit Liaison Agent builds pack; Controller signs off; replay shows the full evidence chain.

FinOps per control cycle

$10.66 total compute · 82 SAP reads avoided · 2760599 cache hits

ControlCostTokensSAP reads avoidedEffort avoidedROI
SOX A&C-PEC-014$3.4212,840234.1 FTE-days193,000x
SOX A&C-BSA-029$5.1818,12041380 hours1,145,000x
SOX P2P-018$2.067,420186 FTE-days640,000x
Clickable assurance paths

Inspect the proof from the workbench

Policy & Framework

Control policy operating model

Shows control objective, policy version, evidence minimums, materiality threshold, controller sign-off, override reason capture, and audit readiness obligation.

Controller center

Controller action path

Sign off, push back to agents, escalate to controller, view in Audit Liaison, or inspect artifacts without leaving the workbench.

Agents · 7 specialists

Agent Workflows

Agent workflows: Signal -> Scoping -> Substantiation -> Test Execution -> Validation -> Audit Liaison -> Orchestrator.

Agents · 7 specialists

Scoping

Risk-weighted population and sample selection. Shows control population, sample basis, cycle, and coverage.

Agents · 7 specialists

Substantiation

Evidence retrieval and artifact completeness. Shows JE record, approval log, SOD trail, user-session log, and source timestamps.

Agents · 7 specialists

Test Execution

Deterministic control testing. Shows test points, pass/fail result, exception type, materiality, and source evidence.

Agents · 7 specialists

Validation

Finding classification and controller verdict. Shows procedural versus substantive, policy result, and sign-off requirement.

Agents · 7 specialists

Audit Liaison

PBC response preparation. Shows indexed pack, auditor narrative, IRM status, and controller sign-off queue.

Agents · 7 specialists

Continuous HF Signal Monitoring

Always-on control signal detection across drift, SOD, late postings, threshold breaches, and missing evidence.

Agents · 7 specialists

Orchestrator

Coordinates lifecycle, agent sequence, queue routing, human gates, replay, and audit pack handoff.