Back to course overview
Module 5Controls & compliance 16 min

Lab: The control matrix

Produce the module's artifact: a risk → control → evidence matrix for the AP pipeline and anomaly sweep, plus the one-page finance AI policy addendum.

This lab converts three modules of built workflows into the two documents an auditor, a controller, or a future you will actually ask for: the control matrix (what can go wrong → what stops or catches it → what proves the control ran) and the policy addendum. You're documenting things you already built — which is the point: notice how little new machinery good compliance requires when the workflows were designed right.

control matrix — format + 3 worked rows (AP pipeline)text
RISK                    CONTROL (P=preventive,       EVIDENCE
                        D=detective)
wrong amount extracted  D: independent line-sum vs    pipeline log: computed-
from invoice            stated-total check, every     vs-stated column + route
                        invoice; mismatches routed    taken, per invoice
                        to exception lane
duplicate invoice paid  D: vendor+amount+date-window  dup-check result logged
                        fuzzy-number screen, every    per invoice; disposition
                        invoice, pre-payment          log for holds
AI output posts         P: no posting path exists     approval log: named
unreviewed              from pipeline; payment        releaser + timestamp on
                        release requires named        every payment above
                        human above $[threshold]      auto-release tier;
                                                      threshold history doc
  1. 1Complete the AP matrix (target ~10 rows). Risks to cover beyond the worked three: overbilling vs. contract (your rate-audit control), payment diversion (the out-of-band bank-change verification), unauthorized accessorials, extraction guessing (the UNREADABLE contract as a preventive control — interesting classification, defend it), config tampering (change control), and the pipeline being down during close (the degradation plan). For each: P or D, frequency (every-item / sampled / on-event), and the evidence location — a log that exists, not a log you intend.
  2. 2Add the anomaly-sweep rows (~6): splitting undetected (band-scan control), ghost vendor (creation dual-approval + employee-match screen + the sweep itself), duplicate vendor records fragmenting baselines (vendor-master hygiene — cite the problem-set experience), alert fatigue hollowing review (the disposition-time and noisiest-rule metrics as a control on the control), and the escalation handoff (the no-tipping-off procedure).
  3. 3Run the seeded-item design: for two detective controls of your choice, write the quarterly seed test — what known-bad item gets injected, who plants it (not the reviewer being tested), what 'caught' looks like, what a miss triggers. One paragraph each.
  4. 4Write the policy addendum (one page, four sections from the lesson): finance data classes with the five-second test, the approved-tool table as of today, the config change-control paragraph, the vendor/model management paragraph. Add owner and review date. Read it as the tired month-end analyst; cut anything they'd skim.
  5. 5Close with the walkthrough rehearsal: pick one number from the Module 3 forecast readout and trace it backward through your five-part evidence chain, timing yourself. Write down where you slowed — that's the thin part of your evidence design, and fixing it now is the lab's real deliverable.
Problem set 5

You get a control matrix written by an enthusiastic consultant for the same AP pipeline: 23 rows, four controls that don't map to any real mechanism ('AI monitors for anomalies' — which? where's the evidence?), two evidence columns citing logs that can't exist, one control that violates SoD (the pipeline owner reviews their own config changes), and zero seeded tests. Red-pen it to the ~10 rows that are real. Compliance theater detection is a skill, and it's cheapest to learn on someone else's matrix.