Governance

Controls & Evidence

Prove it. Audit it. Defend it.

The control layer—policies, approvals, exceptions, and audit trails that prove you're doing it right.

When to Pull This Lever

  • Audit prep, SOX controls, or exception volume spikes
  • New policies needed (clawback, windfall, termination)

The Consequences

What It Moves

Policy definition • approval workflow • evidence capture • audit trail • SOX controls

Blast Radius

Audit findings • SOX deficiencies • fraud exposure • liability • exception chaos

Scoreboard

Exception volume • approval compliance % • audit findings • control test results

Default Artifacts

Exception policy • approval matrix • audit trail • SOX control documentation

Common Failures

  • Policies exist but aren't followed (or can't be proven)
  • Exceptions approved without documentation
  • No audit trail from request to payout
  • Controls designed for audit, not operations

Fast Wins

  • Document the top 5 exception types and approval requirements
  • Add "evidence required" field to exception requests
  • Build audit trail report from exception request to payout
  • Review SOX controls for comp and close gaps

Score This Lever

If you can't answer "yes" with proof, you don't score above 2.

  • 1. Exception approval policy exists and is followed
  • 2. Evidence is captured for every exception
  • 3. Audit trail exists from request to payout
  • 4. SOX controls documented and tested
  • 5. Policy exceptions tracked with rationale

Score: 0 (Missing) → 1 (Documented) → 2 (Repeatable) → 3 (Controlled) → 4 (Optimized)

Maturity Ladder

1 Tribal: policies are verbal or ignored

2 Written: policies exist but aren't enforced

3 Followed: policies enforced, with exceptions

4 Evidenced: audit trail proves compliance

5 Controlled: SOX-grade controls with testing

The Kit

Starter Artifacts

Exception policy • approval matrix • audit trail report • SOX control doc