Controls & Evidence
Prove it. Audit it. Defend it.
The control layer—policies, approvals, exceptions, and audit trails that prove you're doing it right.
When to Pull This Lever
- Audit prep, SOX controls, or exception volume spikes
- New policies needed (clawback, windfall, termination)
The Consequences
What It Moves
Policy definition • approval workflow • evidence capture • audit trail • SOX controls
Blast Radius
Audit findings • SOX deficiencies • fraud exposure • liability • exception chaos
Scoreboard
Exception volume • approval compliance % • audit findings • control test results
Default Artifacts
Exception policy • approval matrix • audit trail • SOX control documentation
Common Failures
- Policies exist but aren't followed (or can't be proven)
- Exceptions approved without documentation
- No audit trail from request to payout
- Controls designed for audit, not operations
Fast Wins
- Document the top 5 exception types and approval requirements
- Add "evidence required" field to exception requests
- Build audit trail report from exception request to payout
- Review SOX controls for comp and close gaps
Score This Lever
If you can't answer "yes" with proof, you don't score above 2.
1. Exception approval policy exists and is followed
2. Evidence is captured for every exception
3. Audit trail exists from request to payout
4. SOX controls documented and tested
5. Policy exceptions tracked with rationale
Score: 0 (Missing) → 1 (Documented) → 2 (Repeatable) → 3 (Controlled) → 4 (Optimized)
Maturity Ladder
- Tribal: policies are verbal or ignored
- Written: policies exist but aren't enforced
- Followed: policies enforced with exceptions
- Evidenced: audit trail proves compliance
- Controlled: SOX-grade controls with testing
The Kit
Starter Artifacts
Exception policy • approval matrix • audit trail report • SOX control doc