Lab: The control matrix
Produce the module's artifact: a risk → control → evidence matrix for the AP pipeline and anomaly sweep, plus the one-page finance AI policy addendum.
This lab converts three modules of built workflows into the two documents an auditor, a controller, or a future you will actually ask for: the control matrix (what can go wrong → what stops or catches it → what proves the control ran) and the policy addendum. You're documenting things you already built — which is the point: notice how little new machinery good compliance requires when the workflows were designed right.
RISK CONTROL (P=preventive, EVIDENCE
D=detective)
wrong amount extracted D: independent line-sum vs pipeline log: computed-
from invoice stated-total check, every vs-stated column + route
invoice; mismatches routed taken, per invoice
to exception lane
duplicate invoice paid D: vendor+amount+date-window dup-check result logged
fuzzy-number screen, every per invoice; disposition
invoice, pre-payment log for holds
AI output posts P: no posting path exists approval log: named
unreviewed from pipeline; payment releaser + timestamp on
release requires named every payment above
human above $[threshold] auto-release tier;
threshold history doc- 1Complete the AP matrix (target ~10 rows). Risks to cover beyond the worked three: overbilling vs. contract (your rate-audit control), payment diversion (the out-of-band bank-change verification), unauthorized accessorials, extraction guessing (the UNREADABLE contract as a preventive control — interesting classification, defend it), config tampering (change control), and the pipeline being down during close (the degradation plan). For each: P or D, frequency (every-item / sampled / on-event), and the evidence location — a log that exists, not a log you intend.
- 2Add the anomaly-sweep rows (~6): splitting undetected (band-scan control), ghost vendor (creation dual-approval + employee-match screen + the sweep itself), duplicate vendor records fragmenting baselines (vendor-master hygiene — cite the problem-set experience), alert fatigue hollowing review (the disposition-time and noisiest-rule metrics as a control on the control), and the escalation handoff (the no-tipping-off procedure).
- 3Run the seeded-item design: for two detective controls of your choice, write the quarterly seed test — what known-bad item gets injected, who plants it (not the reviewer being tested), what 'caught' looks like, what a miss triggers. One paragraph each.
- 4Write the policy addendum (one page, four sections from the lesson): finance data classes with the five-second test, the approved-tool table as of today, the config change-control paragraph, the vendor/model management paragraph. Add owner and review date. Read it as the tired month-end analyst; cut anything they'd skim.
- 5Close with the walkthrough rehearsal: pick one number from the Module 3 forecast readout and trace it backward through your five-part evidence chain, timing yourself. Write down where you slowed — that's the thin part of your evidence design, and fixing it now is the lab's real deliverable.
You get a control matrix written by an enthusiastic consultant for the same AP pipeline: 23 rows, four controls that don't map to any real mechanism ('AI monitors for anomalies' — which? where's the evidence?), two evidence columns citing logs that can't exist, one control that violates SoD (the pipeline owner reviews their own config changes), and zero seeded tests. Red-pen it to the ~10 rows that are real. Compliance theater detection is a skill, and it's cheapest to learn on someone else's matrix.