TOUR WB-MOD-004 · Architecture ratified 2026-04-15 · Tour shipped 2026-04-16

Controls & Compliance

We built this for the auditors. Now we're giving it to the operators.

Controls & Compliance started as an internal module inside AuditForge, an audit firm operating system. When the control model proved useful beyond audit — SOX compliance, SOC 2 readiness, HIPAA — it was extracted to the WorkBench platform. The data migrated. The invariants held. The first module climbed from bundle to platform.

Tour Dataset: 23 of 106 source universe
Process Areas: 6 (Access Management, Financial Reporting, Change Management, Data Governance, Vendor Management, Governance & Oversight)
Frameworks: 3 (SOX · SOC 2 · HIPAA)
First Promoted Module: Extracted from AuditForge

Promoted from AuditForge
AuditForge is the audit firm operating system where this module originated. Promotion means the control schema, data, and invariants were extracted to the shared WorkBench platform — where any module can read them.
Section 2

The Control Universe

23 controls curated from a 106-control source universe. Each card shows the control as the platform sees it — type, owner, framework, severity.

Try this: scan the owner column to see Maya's controls.
CTRL-001 · HIGH · Active
Privileged Access Quarterly Review
Access to GitHub repositories is restricted to the operator and approved council seats via GitHub Team roles. Quarterly recertification performed against the active employee roster.
Detective · Manual · Quarterly
SOX · SOC 2
Access Management · Confidentiality · Effective
Owner: CSO

CTRL-002 · CRITICAL · Active
API Key and Secret Rotation
API keys and secrets are stored in Vercel Environment Variables or GitHub Secrets and never committed to source. Rotation schedule enforced quarterly with evidence of rotation logged.
Preventive · Automated · Quarterly
SOC 2
Access Management · Confidentiality · Effective
Owner: Priya Shankar EMP-003

CTRL-003 · HIGH · Remediation
User Access Provisioning/Deprovisioning
Provisioning occurs within two business days after onboarding verification. Offboarding triggers automatic deprovisioning of all system access within 24 hours of departure date.
Preventive · IT-Dependent Manual · Ad Hoc
SOX · SOC 2 · HIPAA
Access Management · Availability · Ineffective
Owner: Priya Shankar EMP-003

CTRL-004 · CRITICAL · Active
Database Access Segregation
Production database access is restricted to service accounts with least-privilege roles. Human access requires break-glass procedure with mandatory logging and post-access review within 48 hours.
Preventive · Automated · Real-Time
SOC 2 · HIPAA
Access Management · Integrity · Effective
Owner: CTO

CTRL-005 · MEDIUM · Active
Multi-Factor Authentication Enforcement
All access to production systems, code repositories, and administrative consoles requires multi-factor authentication. MFA compliance is verified monthly via automated scan of authentication logs.
Preventive · Automated · Monthly
SOC 2 · HIPAA
Access Management · Confidentiality · Effective
Owner: Jordan Webb EMP-004

CTRL-006 · HIGH · Active
Revenue Recognition Monthly Review
All SaaS subscriptions are reviewed monthly against contract terms. Revenue is recognized ratably over the subscription period with cut-off testing at month-end.
Detective · Manual · Monthly
SOX
Financial Reporting · Accuracy · Partially Effective
Owner: CFO

CTRL-007 · MEDIUM · Active
Bank Reconciliation
Monthly bank statements are downloaded and reconciled to the Neon ledger within 5 business days of month-end. Outstanding items over 30 days are escalated.
Detective · Manual · Monthly
SOX
Financial Reporting · Completeness · Effective
Owner: Clara Nilsson EMP-005

CTRL-008 · MEDIUM · Under Review
Month-End Close Checklist
A standardized month-end close checklist is maintained covering reconciliations, revenue recognition, deferred calculations, and management review sign-offs.
Preventive · Manual · Monthly
SOX
Financial Reporting · Completeness · Partially Effective
Owner: Clara Nilsson EMP-005

CTRL-009 · LOW · Active
Deferred Revenue Reconciliation
Deferred revenue is calculated daily via a scheduled Prisma query that prorates active subscriptions. A monthly roll-forward reconciliation is reviewed and approved.
Corrective · Automated · Monthly
SOX
Financial Reporting · Accuracy · Effective
Owner: CFO

CTRL-010 · CRITICAL · Active
Schema Change Authorization
All database schema modifications for Neon PostgreSQL instances are executed strictly via Prisma migrations. Every migration requires PR approval before merge. Raw SQL against production prohibited.
Preventive · IT-Dependent Manual · Ad Hoc
SOC 2
Change Management · Integrity · Effective
Owner: Jordan Webb EMP-004

CTRL-011 · MEDIUM · Active
Infrastructure Change Approval
Vercel and Cloudflare configuration files are stored in GitHub with PR approvals required for changes. Infrastructure drift detected by weekly automated comparison.
Preventive · Automated · Ad Hoc
SOC 2
Change Management · Availability · Effective
Owner: CTO

CTRL-012 · LOW · Under Review
Rollback Procedure Verification
Every production deployment includes a documented rollback procedure. Rollback is tested in staging before any deployment affecting financial data or user-facing authentication.
Corrective · Manual · Ad Hoc
SOC 2
Change Management · Availability · Not Tested
Owner: Jordan Webb EMP-004

CTRL-013 · HIGH · Remediation
Emergency Change Protocol
Emergency changes bypass standard approval but require post-hoc review within 48 hours. Emergency change log is maintained with reason, approver, and time-to-review metric.
Corrective · Manual · Ad Hoc
SOC 2
Change Management · Integrity · Ineffective
Owner: CTO

CTRL-014 · HIGH · Active
Data Classification Standard
The Data Governance Standard defines data classification levels: Public, Internal, Confidential, Restricted. All ingestion sources tagged at ingest time. Classification drives access, retention, and encryption policy.
Preventive · Manual · Ad Hoc
SOC 2 · HIPAA
Data Governance · Confidentiality · Effective
Owner: CPO

CTRL-015 · MEDIUM · Active
Data Integrity Daemon
A nightly integrity daemon compares a random sample of 100 chunks against their source files. It verifies chunk text still matches the source. Mismatches trigger automated re-ingestion.
Detective · Automated · Daily
SOC 2
Data Governance · Integrity · Effective
Owner: Theo Grant EMP-009

CTRL-016 · HIGH · Active
Privacy Impact Assessment
Before any personal data is ingested, a Privacy Impact Assessment is documented and approved by the operator. The PIA specifies data elements, retention, access controls, and legal basis.
Preventive · Manual · Ad Hoc
HIPAA · SOC 2
Data Governance · Confidentiality · Partially Effective
Owner: Maya Okafor EMP-001

CTRL-017 · LOW · Under Review
Data Retention & Purge
A data governance standard defines retention periods by data classification. A quarterly purge script identifies chunks exceeding retention. Purge log maintained with reason and approver.
Corrective · Automated · Quarterly
HIPAA
Data Governance · Integrity · Partially Effective
Owner: Theo Grant EMP-009

CTRL-018 · MEDIUM · Active
Vendor Due Diligence
DDL maintains a governed vendor inventory listing all third parties providing hosting, databases, CI/CD, and AI services. New vendor onboarding requires security questionnaire and risk assessment.
Preventive · Manual · Annually
SOC 2
Vendor Management · Availability · Effective
Owner: Maya Okafor EMP-001

CTRL-019 · LOW · Active
Vendor SLA Monitoring
Cloudflare Status Page monitors auditforge.dev and blindspot.bet against 99.9% SLA. Vercel Analytics tracks performance. Monthly review of uptime and latency against contractual thresholds.
Detective · Automated · Monthly
SOC 2
Vendor Management · Availability · Effective
Owner: Hana Takeda EMP-007

CTRL-020 · MEDIUM · Under Review
Third-Party Patch Compliance
The operator subscribes to security bulletins, status feeds, and email alerts for core vendors including Vercel, Neon, GitHub, and Cloudflare. Critical patches applied within 72 hours of disclosure.
Corrective · Manual · Ad Hoc
SOC 2 · HIPAA
Vendor Management · Availability · Not Tested
Owner: Hana Takeda EMP-007

CTRL-021 · HIGH · Active
Council Decision Ratification
All significant architectural decisions require a formal council review with independent responses from a minimum of 5 of 9 seats. Ratification requires operator sign-off. Decisions are immutable once ratified.
Preventive · Manual · Ad Hoc
SOX · SOC 2
Governance & Oversight · Completeness · Effective
Owner: Maya Okafor EMP-001

CTRL-022 · MEDIUM · Active
Silent Fix Prevention (AuditTrail)
AuditForge middleware enforces Silent Fix Prevention: every mutation to Fact_Control and related tables writes a corresponding AuditTrail record with previous values, new values, userId, and rationale.
Detective · Automated · Real-Time
SOX · SOC 2
Governance & Oversight · Integrity · Partially Effective
Owner: CSO

CTRL-023 · MEDIUM · Remediation
Standards Registry Completeness Review
On a quarterly basis, the operator performs a completeness review of the standards registry verifying every active standard has an owner, review date, and version number.
Detective · Manual · Quarterly
SOX
Governance & Oversight · Completeness · Partially Effective
Owner: Clara Nilsson EMP-005
Section 3

Framework Coverage

Coverage computed from the 24-control tour dataset. Source universe may have additional controls.

Try this: compare SOX vs SOC 2 coverage patterns.
SOX v2002
9 controls · 44% effective

Sarbanes-Oxley Act — internal controls over financial reporting

Completeness: 4
Existence: 0 (gap)
Availability: 1
Confidentiality: 1
Accuracy: 2
Integrity: 1
Coverage gaps in this tour dataset. Source universe may have additional controls.
SOC 2 v2017
17 controls · 65% effective

Service Organization Controls — Trust Services Criteria

Completeness: 1
Existence: 0 (gap)
Availability: 6
Confidentiality: 5
Accuracy: 0 (gap)
Integrity: 5
HIPAA v2013
7 controls · 43% effective

Health Insurance Portability and Accountability Act — Security Rule

Completeness: 0 (gap)
Existence: 0 (gap)
Availability: 2
Confidentiality: 3
Accuracy: 0 (gap)
Integrity: 2
Section 4

Status & Lifecycle

How controls move through states. Updates create new rows — the original is never mutated.

Try this: click “View history” to see how updates create new rows instead of overwriting.
Active: 16 · Under Review: 4 · Remediation: 3 · Inactive: 0

Status Timeline · CTRL-019 — Vendor SLA Monitoring
Initial: Active · 6/1/2025 · Hana Takeda · EMP-007
  SLA monitoring established for core vendors
Active → Under Review · 4/5/2026 · Hana Takeda · EMP-007
  Adding Anthropic API to monitored vendor list. Need to define SLA thresholds for AI provider uptime vs. traditional infra.
Under Review → Active · 4/10/2026 · Hana Takeda · EMP-007
  Anthropic SLA thresholds defined: 99.5% API availability, <2s p95 latency. Monitoring configured.

Supersede Chain · No Mutation (C4 + C9)
V1 (superseded): Revenue Recognition Monthly Review (Superseded) · Effective: 1/1/2025 · Ineffective
V2 (current): Revenue Recognition Monthly Review · Effective: 1/1/2026 · Partially Effective

The original row is preserved. The update created a new fact with previousFactId linking back. No data was overwritten.

Bridge · CTRL-001 · source: extraction · effectiveDate backfilled from legacy
Native · CTRL-012 · source: internal · effectiveDate is native bitemporal

Migrated dates are best-available from legacy data. New controls are fully bitemporal.

Section 5

Ownership & Sibling Proof

Controls reading Dim_Employee for the first time in a governance context. Same identity, different lens.

Try this: click Maya's name to see her across four modules.
Controls per Employee
Jordan Webb (Engineer): 3
Clara Nilsson (Senior Auditor): 3
Maya Okafor (Operator): 3
Priya Shankar (Senior Engineer): 2
Theo Grant (Operations Manager): 2
Hana Takeda (Junior Auditor): 2

Ownership Mutex (C2) · Same Process Area, Different Owner Type
Role-Owned · CTRL-001 — Privileged Access Review · Owner: CSO
  When the CSO changes, the control doesn't break. The role still owns it.
Person-Owned · CTRL-002 — API Key Rotation · Owner: Priya Shankar EMP-003
  Same employee as HR, Payroll, and T&A. Four modules, one identity, one substrate.

Both controls live in Access Management. One is owned by a role, the other by a person. The mutex ensures exactly one ownership type per control — never both, never neither. When Priya leaves, her person-owned controls need reassignment. The CSO's role-owned controls don't.

Section 6

The Governance Dashboard

Three derived views from the control substrate. Numbers computed from seed data, not hardcoded.

Try this: find the control with the most findings to see where governance pressure concentrates.
1. Control Effectiveness
Effective: 13 (57%) · Partially: 6 (26%) · Ineffective: 2 (9%) · Not Tested: 2 (9%)

2. Status × Severity
Status         Low  Medium  High  Critical
Active           2       6     5         3
Under Review     2       2     0         0
Remediation      0       1     2         0

3. Framework Coverage
SOX: 9 controls (39%) · SOC 2: 17 controls (74%) · HIPAA: 7 controls (30%)
Findings · Cross-Promoted Sibling
1 control has open findings. The Closed-Loop Governance Circuit is live.
HIGH · FND-T-001 · Stale user accounts in financial reporting system · OPEN
MEDIUM · FND-T-002 · Month-end close checklist incomplete for Q1 · CLOSED
MEDIUM · FND-T-003 · Emergency change log missing post-hoc review · ACCEPTED RISK
Section 7

Bundle vs Platform

Same row. Different lens. The toggle changes labels, not data.

Try this: toggle between views and watch the labels change while the data stays.
Platform Label      Audit Label          Value
Control ID          Workpaper Ref        CTRL-021
Control Title       Audit Procedure      Council Decision Ratification
Control Owner       Assigned Auditor     Maya Okafor
Control Objective   Financial Assertion  Completeness
Severity            Risk Level           High

Raw substrate row:
{
  "factId": "FC-021",
  "factType": "Fact_Control",
  "companyId": "CO-DDL",
  "controlId": "CTRL-021",
  "title": "Council Decision Ratification",
  "description": "All significant architectural decisions require a formal council review with independent responses from a minimum of 5 of 9 seats. Ratification requires operator sign-off. Decisions are immutable once ratified.",
  "controlTypeId": "ct_preventive",
  "frequency": "Ad Hoc",
  "classification": "Key",
  "nature": "Manual",
  "ownerRoleId": null,
  "ownerEmployeeId": "EMP-001",
  "processArea": "Governance & Oversight",
  "frameworkIds": [
    "fw_sox",
    "fw_soc2"
  ],
  "controlObjectiveId": "obj_completeness",
  "status": "Active",
  "statusDate": "2026-01-01",
  "severityId": "sev_high",
  "effectivenessRating": "Effective",
  "effectiveDate": "2025-06-01T00:00:00Z",
  "recordedDate": "2025-06-01T00:00:00Z",
  "previousFactId": null,
  "source": "extraction",
  "sourceRecordId": "CO-GOV-001"
}
Same row. Different lens.
Translation Map · Promotion involved normalization, not copy-paste
Audit View            Platform View
Financial Assertion   Control Objective
Risk Level            Severity
Workpaper Ref         Control ID
Assigned Auditor      Control Owner
Audit Procedure       Control Title
Section 8

Build Receipts

Council reviews, extraction history, and invariant verification.

CR-WB-CONTROLS-001 · Ratified 2026-04-15
Controls & Compliance — Architecture
Extraction ratification

Schema promotion from AuditForge bundle to WorkBench platform. Owner split, bitemporal bridge, assertion→objective rename, 4 migrations, 12/12 verify.

CR-WB-CONTROLS-TOUR-001 · Ratified 2026-04-16
Controls & Compliance — Tour
Tour specification

9/9 council convergence. Curated 24-control subset, Grey provenance vocabulary, Langford additions (bitemporal honesty, supersede chain, single-source toggle).

Invariant Checklist
C1 · controlId unique per company
C2 · Owner mutex — exactly one of role or employee
C3 · Every control maps to ≥1 framework
C4 · No mutation — updates create new facts
C6 · ownerEmployeeId resolves to Dim_Employee
C9 · Supersede chain integrity
F4 · All controls have non-null severityId
BT · All controls have effectiveDate + recordedDate
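The checklist above, applied as a standalone validator to rows in the Section 7 substrate shape; this is an added example, not WorkBench's own 12/12 verify step, and it also exercises the Section 4 supersede chain (C4 + C9) and the Section 5 owner mutex (C2). How each rule is evaluated, the reading of C1 as applying only to the current version of a control, the role id role_cfo and the FC-006-V1/V2 fact ids are assumptions.

```typescript
// Added example, not WorkBench code: fields follow the Section 7 row, rule numbers the Section 8 checklist; how each rule is evaluated is assumed.
interface FactControl {
  factId: string; companyId: string; controlId: string; previousFactId: string | null;
  ownerRoleId: string | null; ownerEmployeeId: string | null; frameworkIds: string[];
  severityId: string | null; effectiveDate: string | null; recordedDate: string | null;
}

// C4: an update never mutates. It returns a new fact linking back via previousFactId;
// recordedDate is when the platform learned of the change (the second bitemporal axis).
function supersede(prev: FactControl, change: Partial<FactControl>, factId: string, recordedDate: string): FactControl {
  return { ...prev, ...change, factId, previousFactId: prev.factId, recordedDate };
}

function checkInvariants(facts: FactControl[]): string[] {
  const errors: string[] = [];
  const byId: Record<string, FactControl> = {};
  const supersededBy: Record<string, string[]> = {};  // factId -> facts that point back at it
  const heads: Record<string, string> = {};           // companyId|controlId -> current factId
  for (const f of facts) {
    byId[f.factId] = f;
    if (f.previousFactId !== null) (supersededBy[f.previousFactId] = supersededBy[f.previousFactId] || []).push(f.factId);
  }
  for (const f of facts) {
    if ((f.ownerRoleId !== null) === (f.ownerEmployeeId !== null))
      errors.push(`${f.factId}: C2 owner mutex violated (exactly one of role or employee)`);
    if (f.frameworkIds.length === 0) errors.push(`${f.factId}: C3 maps to no framework`);
    if (f.severityId === null) errors.push(`${f.factId}: F4 null severityId`);
    if (!f.effectiveDate || !f.recordedDate) errors.push(`${f.factId}: BT missing effectiveDate or recordedDate`);
    const prev = f.previousFactId !== null ? byId[f.previousFactId] : undefined;
    if (f.previousFactId !== null && !prev) errors.push(`${f.factId}: C9 previousFactId ${f.previousFactId} does not resolve`);
    if (prev && (prev.controlId !== f.controlId || prev.companyId !== f.companyId))
      errors.push(`${f.factId}: C9 chain crosses a control boundary`);
    if ((supersededBy[f.factId] || []).length > 1) errors.push(`${f.factId}: C9 superseded by more than one fact (fork)`);
    if (!supersededBy[f.factId]) {  // C1 read as applying to current versions only (assumption)
      const key = `${f.companyId}|${f.controlId}`;
      if (heads[key]) errors.push(`${f.factId}: C1 duplicate current version of ${f.controlId}`);
      heads[key] = f.factId;
    }
  }
  return errors;
}

// Constructed sample: the FC-021 row from Section 7 (checked fields only) plus the Revenue Recognition V1/V2 pair from Section 4 with invented fact ids.
const fc021: FactControl = { factId: "FC-021", companyId: "CO-DDL", controlId: "CTRL-021", previousFactId: null,
  ownerRoleId: null, ownerEmployeeId: "EMP-001", frameworkIds: ["fw_sox", "fw_soc2"], severityId: "sev_high",
  effectiveDate: "2025-06-01T00:00:00Z", recordedDate: "2025-06-01T00:00:00Z" };
const v1: FactControl = { ...fc021, factId: "FC-006-V1", controlId: "CTRL-006", ownerRoleId: "role_cfo",
  ownerEmployeeId: null, frameworkIds: ["fw_sox"], effectiveDate: "2025-01-01T00:00:00Z", recordedDate: "2025-01-01T00:00:00Z" };
const v2 = supersede(v1, { effectiveDate: "2026-01-01T00:00:00Z" }, "FC-006-V2", "2026-01-01T00:00:00Z");
const sampleErrors = checkInvariants([fc021, v1, v2]);  // [] : every invariant holds
```

Running it against the full seed export would surface the same classes of violation the receipts say verification checks; each message names the fact and the rule so a finding can be opened against a specific row.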
Extraction Receipt
Migration 1 · Assertion → ControlObjective rename + legacy enum cleanup
Migration 2 · Owner split + bitemporal bridge
Migration 3 · Framework version + audit trail cleanup
Migration 4 · Backfill 25 null controlTypeId
Verification · 12/12 pass

First module promoted. Extraction verified. Tour shipped. The cathedral compounds.
