TOURWB-MOD-005 · Architecture ratified 2026-04-15 · Tour shipped 2026-04-16

Findings & Observations

A finding without a control is just a complaint. A control without a finding is just a theory.

Findings & Observations started as an internal module inside AuditForge, tracking what auditors found during engagements. When the concept proved universal — SOX deficiencies, SOC 2 exceptions, HIPAA violations, security vulnerabilities — it was extracted to the WorkBench platform. The finding record itself was promoted; the audit engagement workflow stayed in the bundle.

Total Findings: 13 (8 extracted · 5 extended)
Controls Cited: 12 (cross-promoted FK)
Closure Rate: 33% (excl. accepted risk)
Avg Days Open: 104 (closed findings)
Second module promoted · First cross-promoted sibling

Every finding cites a control. If you haven't seen the Controls tour, start there.
Finding = a control failure or deficiency. Observation = a note that something could be improved but is not broken.
Badges: Extracted = from AuditForge · Tour Extension = demo scenario
Section 2

The Finding Record

13 findings — 8 extracted from AuditForge, 5 tour extensions for scenario coverage.

Try this: click a cited control to see it in the Controls tour.
FND-001 · Extracted · Has Recurrence · MEDIUM · CLOSED
Stale user accounts in financial reporting system
Review of Oracle Fusion user access revealed 14 terminated employees retained active accounts up to 47 days post-departure. Deprovisioning SLA breached on all 14 accounts.
Recommendation: Automate deprovisioning trigger from HR status change event. Target: same-day deprovisioning on departure date.
Control: CTRL-003 · Owner: Priya Shankar (EMP-003) · Due: 4/30/2026 · Occurred: 12/15/2025

FND-002 · Extracted · MEDIUM · CLOSED
Journal entry segregation bypassed for month-end accruals
Two general ledger staff recorded self-approval of journal entries exceeding $50K materiality threshold during Q2 close. Segregation of duties control was bypassed.
Recommendation: Enforce dual-approval workflow in ERP for all entries above materiality threshold. Add automated alert for self-approved entries.
Control: CTRL-007 · Owner: CFO · Due: 3/31/2026 · Occurred: 9/30/2025

FND-003 · Extracted · LOW · CLOSED
Control narrative documentation incomplete for revenue recognition
Seven of the 23 revenue controls did not have updated narratives reflecting the ASC 606 transition completed in FY2024. Documentation gap, not a control failure.
Recommendation: Update all revenue control narratives to reference ASC 606. Add annual narrative review to close checklist.
Control: CTRL-006 · Owner: Clara Nilsson (EMP-005) · Due: 3/31/2026

FND-004 · Extracted · LOW · IN PROGRESS
Vendor master file data quality — duplicate entries
Identified 38 potential duplicate vendor records in Oracle Fusion (matched by tax ID, bank account, or address). No fraud indicators, but data quality risk.
Recommendation: Run deduplication utility. Establish ongoing duplicate detection rule in vendor onboarding workflow.
Control: CTRL-018 · Owner: Maya Okafor (EMP-001) · Due: 6/30/2026 · Occurred: 1/20/2026

FND-005 · Extracted · HIGH · REMEDIATED
Privileged access review not evidenced for Q1
Quarterly privileged user access review was performed for Q1 2025 but evidence of review (signed attestation, user list markup) was not retained in the control evidence vault.
Recommendation: Establish evidence upload requirement in quarterly review workflow. No review is complete without uploaded attestation.
Control: CTRL-001 · Owner: Priya Shankar (EMP-003) · Due: 3/31/2026 · Occurred: 6/30/2025

FND-006 · Extracted · HIGH · IN PROGRESS
Insufficient ITGC over database change management
Testing of 40 database schema changes to the financial reporting environment found 7 deployments (17.5%) lacked documented approval before execution.
Recommendation: Enforce PR approval gate on all migration files. Add CI check blocking deploy without approved PR.
Control: CTRL-011 · Owner: CTO · Due: 5/31/2026 · Occurred: 11/1/2025

FND-007 · Extracted · MEDIUM · OPEN
Bank reconciliation review lag on foreign subsidiary accounts
Four non-US subsidiary bank accounts showed reconciliations completed 31-47 days after month-end, versus the 15-day policy.
Recommendation: Assign dedicated international close resource. Add automated aging alert at day 10.
Control: CTRL-008 · Owner: Clara Nilsson (EMP-005) · Due: 6/30/2026 · Occurred: 1/31/2026

FND-008 · Extracted · MEDIUM · OPEN
Policy exception log not centralized
Policy exceptions were granted and tracked in six different locations (email, Teams, SharePoint, local spreadsheets). No single source of truth for exception governance.
Recommendation: Consolidate exception tracking into AuditForge. All exceptions require documented approval and expiration date.
Control: CTRL-023 · Owner: Theo Grant (EMP-009) · Due: 5/31/2026 · Occurred: 2/1/2026

FND-009 · Tour Extension · MEDIUM · ACCEPTED RISK
Emergency change log missing post-hoc review
Two emergency changes in Q4 2025 lacked the required 48-hour post-hoc review. CTO accepted the risk with a 90-day review commitment.
Recommendation: Add automated 48-hour reminder for post-hoc review. Acceptance requires approver sign-off.
Control: CTRL-013 · Owner: Jordan Webb (EMP-004) · Occurred: 12/15/2025

FND-010 · Tour Extension · HIGH · OPEN
MFA bypass for service accounts
Three service accounts used for automated deployments were configured without MFA. Initially remediated by adding MFA, but issue recurred when new service accounts were provisioned without it.
Recommendation: Enforce MFA policy at the identity provider level for all account types. Add automated compliance check to provisioning workflow.
Control: CTRL-005 · Owner: Jordan Webb (EMP-004) · Due: 5/15/2026 · Occurred: 9/1/2025

FND-011 · Tour Extension · Recurrence · MEDIUM · IN PROGRESS
Stale user accounts — recurrence Q1 2026
Despite FND-001 closure, Q1 2026 access review found 3 terminated employees with active accounts (6-12 days stale). Reduced from 14 in original finding, but pattern persists.
Recommendation: Escalate: automated deprovisioning trigger not fully implemented. Target zero stale accounts for Q2 review.
Control: CTRL-003 · Owner: Priya Shankar (EMP-003) · Due: 6/30/2026 · Occurred: 3/31/2026

FND-012 · Tour Extension · MEDIUM · CLOSED
Data classification labels missing on 12 ingestion sources
12 of 47 data ingestion sources did not have classification labels applied at ingest time. Sources included internal wikis and shared drives.
Recommendation: Apply retroactive classification. Add classification gate to ingestion pipeline.
Control: CTRL-014 · Owner: CPO · Due: 3/31/2026 · Occurred: 12/1/2025

FND-013 · Tour Extension · LOW · OPEN
Council review response times could improve timeliness
Average council review response time was 4.2 business days against a 5-day target. While within SLA, three reviews took 7+ days. This is an observation, not a control failure — the control is operating effectively.
Recommendation: Consider adding automated reminders at day 3. No remediation required — improvement opportunity only.
Control: CTRL-021 · Owner: Maya Okafor (EMP-001) · Occurred: 3/15/2026
Section 3 — Featured

The Closed-Loop Circuit

A finding identifies a gap. The status lifecycle tracks remediation. The control's effectiveness reflects the outcome. The circuit closes.

Try this: follow this finding from identification to closure — then check the control's current status.
Guided Exemplar · FND-001 → CTRL-003
1. Control: CTRL-003 — User Access Provisioning/Deprovisioning · Status: Remediation · Effectiveness: Ineffective
2. Finding Raised: FND-001 — Stale user accounts in financial reporting system · Severity: Medium · Owner: Priya Shankar
3. Status Timeline: 3 status transitions · — → OPEN · OPEN → IN_PROGRESS · IN_PROGRESS → CLOSED
4. Closure: Finding closed with documented remediation · Closed: 3/28/2026 · Automated deprovisioning implemented
5. Check Control: Control's current effectiveness reflects the remediation · CTRL-003 effectiveness: Ineffective
The circuit closes. Governance isn't linear — it's a loop. The finding drove remediation. The remediation improved the control. The control is stronger because the finding existed.
Referential Integrity (F1)
The substrate prevents orphans. You cannot retire a control while a finding relies on it. The controlId FK on every finding is ON DELETE RESTRICT — not SET NULL, not CASCADE.
Section 4

Status Lifecycle

Every status transition carries a reason. Re-opening is permitted. Acceptance requires an approver. Closure requires evidence.

Try this: find the re-opened finding and trace its full status history.
Status counts: OPEN 4 · IN PROGRESS 3 · REMEDIATED 1 · CLOSED 4 · ACCEPTED RISK 1
Re-Opened Finding (F9) · FND-010 — MFA bypass for service accounts
Initial: OPEN
Service account MFA bypass discovered during ITGC review
9/15/2025 · Jordan Webb · EMP-004
OPEN → IN_PROGRESS
MFA enforcement work started for 3 service accounts
10/1/2025 · Jordan Webb · EMP-004
IN_PROGRESS → REMEDIATED
MFA added to all 3 identified service accounts. Awaiting verification cycle.
11/15/2025 · Jordan Webb · EMP-004
REMEDIATED → CLOSED
Verification complete: all 3 accounts confirmed MFA-enabled.
12/1/2025 · Priya Shankar · EMP-003
CLOSED → OPEN (Re-Opened)
Re-opened: Q1 2026 review found 2 new service accounts provisioned without MFA. Root cause is provisioning workflow, not individual accounts.
3/15/2026 · Jordan Webb · EMP-004
Accepted Risk (F8) · FND-009
Emergency change log missing post-hoc review
CTO accepted risk: emergency changes are rare (2 in Q4) and post-hoc review process is being formalized. Acceptance expires 2026-07-15.
Approver: Jordan Webb · Expires: 7/15/2026 (89 days)
Closure Receipt · FND-012
Data classification labels missing on 12 ingestion sources
All 12 sources classified. Ingestion pipeline gate added. Classification audit confirms 100% coverage.
Evidence: EVD-DAI-CLASSIFICATION-AUDIT-2026Q1
Closure isn't a checkbox. The substrate records what evidence was reviewed.
Bitemporal bridge · FND-001 · source: extraction · effectiveDate backfilled from legacy
Native · FND-010 · source: tour-extension · effectiveDate is native bitemporal
Section 5

Ownership & Independence

The loop that turns an observation into an improvement. Finding ownership is independent from control ownership.

Try this: click Maya's name to see her across five modules.
Priya Shankar · Senior Engineer · 3 findings
Clara Nilsson · Senior Auditor · 2 findings
Maya Okafor · Operator · 2 findings
Jordan Webb · Engineer · 2 findings
Theo Grant · Operations Manager · 1 finding

Ownership Independence · Different people, same substrate
Control Owner: CTRL-013 — Emergency Change Protocol · Owner: CTO (role)
Finding Owner: FND-009 — Emergency change log missing post-hoc review · Owner: Jordan Webb EMP-004 (person)

The CTO role owns the emergency change control. Jordan owns the finding against it. Different owners, same substrate. Finding ownership is assigned independently — the UI may pre-fill from the control owner, but the assignment is a separate decision.

Section 6

Remediation Analytics

Three derived views. Numbers computed from seed data, labeled as tour dataset.

Try this: find the control with the highest finding density — that's where governance pressure concentrates.
1. Finding Status Summary
Total: 13 · Closure Rate: 33% · Avg Days to Close: 104d

2. Finding-to-Control Heat Map (tour dataset)
Control · Findings · Severity
CTRL-003 · 2 · MEDIUM, MEDIUM
CTRL-007 · 1 · MEDIUM
CTRL-006 · 1 · LOW
CTRL-018 · 1 · LOW
CTRL-001 · 1 · HIGH
CTRL-011 · 1 · HIGH
CTRL-008 · 1 · MEDIUM
CTRL-023 · 1 · MEDIUM
CTRL-013 · 1 · MEDIUM
CTRL-005 · 1 · HIGH
CTRL-014 · 1 · MEDIUM
CTRL-021 · 1 · LOW

3. Remediation Velocity by Severity
HIGH: no data · MEDIUM: 99d avg · LOW: 119d avg
Section 7

Bundle vs Platform

Same row. Different lens. The severity doesn't change — only the word for it does.

Try this: toggle between views and notice — the severity doesn't change. Only the word for it does.
Platform Label · Audit Label · Value
Finding ID · Workpaper Finding Ref · FND-006
Title · Observation Description · Insufficient ITGC over database change management
Control Citation · Audit Procedure Reference · CTRL-011
Severity · Risk Rating · High
Remediation Owner · Assigned Remediator · CTO
Control Objective · Financial Assertion · Integrity

Raw substrate row:
{
  "factId": "FF-006",
  "factType": "Fact_Finding",
  "companyId": "CO-DDL",
  "findingId": "FND-006",
  "title": "Insufficient ITGC over database change management",
  "description": "Testing of 40 database schema changes to the financial reporting environment found 7 deployments (17.5%) lacked documented approval before execution.",
  "controlId": "FC-011",
  "controlObjectiveId": "obj_integrity",
  "severityId": "sev_high",
  "status": "IN_PROGRESS",
  "ownerRoleId": "CTO",
  "ownerEmployeeId": null,
  "recommendation": "Enforce PR approval gate on all migration files. Add CI check blocking deploy without approved PR.",
  "dueDate": "2026-05-31T00:00:00Z",
  "closedDate": null,
  "occurrenceDate": "2025-11-01T00:00:00Z",
  "effectiveDate": "2025-12-01T00:00:00Z",
  "recordedDate": "2025-12-01T00:00:00Z",
  "previousFactId": null,
  "priorFindingId": null,
  "source": "extraction",
  "sourceRecordId": "FND-2025-006",
  "provenance": "extracted"
}
Translation Map
Audit View · Platform View
Observation · Finding
Risk Rating · Severity
Financial Assertion · Control Objective
Audit Procedure Reference · Control Citation
Assigned Remediator · Remediation Owner
Section 8

Build Receipts

Council reviews, extraction history, cross-promoted sibling proof.

CR-WB-FINDINGS-001 · Ratified 2026-04-15
Findings & Observations — Architecture
Extraction ratification

Schema promotion from AuditForge. Dim_Severity, owner split, bitemporal bridge, FindingStatusChange table, controlId NOT NULL (F1). 5 migrations, 13/13 verify.

CR-WB-FINDINGS-TOUR-001 · Ratified 2026-04-16
Findings & Observations — Tour
Tour specification

8/8 council convergence. 13 findings (8 extracted + 5 extended). Closed-loop circuit, F8/F9 demos, recurrence tracking, closure receipt.

Invariant Checklist
F1 · Every finding cites a Fact_Control (controlId NOT NULL)
F2 · Owner mutex — at most one of role or employee
F4 · Every finding has non-null severityId
F7 · Every finding has ≥1 status change event
F8 · ACCEPTED_RISK with approverEmployeeId
F9 · Re-opening permitted with documented reason
BT · All findings have effectiveDate + recordedDate
RC · Recurrence chain (priorFindingId) resolves
CE · Closure evidence reference present
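The Section 4 lifecycle rules (every transition carries a reason, acceptance needs an approver, closure needs evidence, re-opening is permitted) and the invariants F1, F2, F7, F8, F9 and RC above, enforced by a small validator. This is an added example, not WorkBench's own code: the field names follow the raw substrate row in Section 7, while the function names, the full transition table, the FC-005 controlId value and the EVD-PLACEHOLDER evidence reference are assumptions.

```python
# Added example, not WorkBench code: a validator for the finding lifecycle and
# invariants on this page; field names follow the Section 7 substrate row.
TRANSITIONS = {  # allowed lifecycle edges; CLOSED -> OPEN is the F9 re-open edge
    None: {"OPEN"}, "OPEN": {"IN_PROGRESS", "ACCEPTED_RISK"},
    "IN_PROGRESS": {"REMEDIATED", "ACCEPTED_RISK"},
    "REMEDIATED": {"CLOSED", "OPEN"}, "CLOSED": {"OPEN"}, "ACCEPTED_RISK": {"OPEN"},
}

def check_record(f, store):
    """Structural invariants F1, F2, F7 and RC on a stored finding row."""
    if not f.get("controlId"):
        raise ValueError("F1: controlId is NOT NULL")
    if f.get("ownerRoleId") and f.get("ownerEmployeeId"):
        raise ValueError("F2: owner mutex, at most one of role or employee")
    if not f.get("history"):
        raise ValueError("F7: every finding has at least one status change event")
    if (p := f.get("priorFindingId")) is not None and p not in store:
        raise ValueError(f"RC: priorFindingId {p} does not resolve")
    return True

def transition(f, new, reason, actor, on, approver=None, evidence=None):
    """Append one FindingStatusChange event, enforcing reason, F8, F9 and CE."""
    cur = f.get("status")
    if new not in TRANSITIONS.get(cur, set()):
        raise ValueError(f"{cur} -> {new} is not a lifecycle edge")
    if not reason:
        raise ValueError("every status transition carries a reason")
    if new == "ACCEPTED_RISK" and not approver:
        raise ValueError("F8: ACCEPTED_RISK requires approverEmployeeId")
    if new == "CLOSED" and not evidence:
        raise ValueError("CE: closure requires an evidence reference")
    f.setdefault("history", []).append({"from": cur, "to": new, "reason": reason,
        "actor": actor, "on": on, "approverEmployeeId": approver,
        "evidenceRef": evidence, "reopened": cur == "CLOSED"})  # F9 re-open flag
    f["status"] = new
    return f

def replay_fnd_010():
    """Replay FND-010's Section 4 timeline; the closure evidence ref is a placeholder."""
    f = {"findingId": "FND-010", "controlId": "FC-005", "severityId": "sev_high",
         "ownerRoleId": None, "ownerEmployeeId": "EMP-004", "priorFindingId": None}
    transition(f, "OPEN", "MFA bypass found during ITGC review", "EMP-004", "2025-09-15")
    transition(f, "IN_PROGRESS", "MFA enforcement work started", "EMP-004", "2025-10-01")
    transition(f, "REMEDIATED", "MFA added to all 3 accounts", "EMP-004", "2025-11-15")
    transition(f, "CLOSED", "Verification complete", "EMP-003", "2025-12-01",
               evidence="EVD-PLACEHOLDER")  # the page shows no evidence ref for FND-010
    transition(f, "OPEN", "2 new service accounts provisioned without MFA",
               "EMP-004", "2026-03-15")
    check_record(f, {"FND-010": f})
    return f
```

Running `replay_fnd_010()` yields five status change events with the last one flagged as a re-open, mirroring the F9 demo in Section 4.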
Extraction Receipt
Migration 1 · Dim_Severity + severity/owner/bitemporal (27affdc)
Migration 2 · FindingStatusChange table + seed (d0863b1)
Migration 3 · App code + verification script (7646dc2)
Migration 4 · Owner FK fix + controlId deferral (d756b3a)
Migration 5 · controlId backfill + F1 NOT NULL (a9cbfac)
Verification · 13/13 pass
Cross-Promoted Sibling Receipt
This module cites Controls & Compliance via controlId FK. The FK references the canonical Fact_Control row promoted in CR-WB-CONTROLS-001. Two modules, one substrate.

Second module promoted. First cross-promoted sibling shipped. The closed-loop circuit is live. The cathedral compounds.

Sibling tour · WB-MOD-004 · Controls & Compliance
The other half of the circuit. Every finding cites a control. See the controls these findings reference.