Skip to content

Commit d3b5984

Browse files
Add Devin for Group Audit demo kit (RACM ontology, playbooks, reporting templates)
Co-Authored-By: Alex Hammett <alex.hammett@windsurf.com>
1 parent 305826d commit d3b5984

13 files changed

Lines changed: 1055 additions & 0 deletions

audit/README.md

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
# Devin for Group Audit — Demo Kit
2+
3+
A self-contained demonstration of how Devin supports an **internal audit (third line of
4+
defence)** function: an **audit ontology** (Risk & Control Matrix), **control testing**
5+
(ITGC + application controls + code review as a continuous control), and **audit
6+
reporting** — all grounded in this banking application as the auditee.
7+
8+
> **Thesis.** Devin is the *execution & evidence layer* of internal audit. Under the
9+
> auditor's direction and sign-off, it plans testing from a machine-readable control
10+
> catalogue, executes the tests, re-performs key calculations, reviews code changes as a
11+
> continuous control, and drafts workpapers & findings with full traceability. It does
12+
> **not** replace the auditor's judgement, independence, or sign-off.
13+
14+
## What's in this kit
15+
16+
| Path | What it is |
17+
|---|---|
18+
| `racm.yaml` | **The audit ontology** — Risk & Control Matrix: entities, risks, 11 controls, regulations, test procedures, expected findings |
19+
| `ontology.md` | The ontology model explained (entity → risk → control → test → evidence → finding → action) |
20+
| `playbooks/01-audit-planning-coverage.md` | Coverage mapping + fieldwork test plan (read-only scoping) |
21+
| `playbooks/02-itgc-testing.md` | ITGC testing over the full population (change mgmt, access, SDLC, secrets, data, logging) |
22+
| `playbooks/03-application-control-reperformance.md` | Re-perform transaction/transfer/authorisation controls |
23+
| `playbooks/04-findings-and-reporting.md` | 5-Cs findings, roll-up reporting, remediation validation |
24+
| `templates/workpaper-template.md` | Per-control workpaper |
25+
| `templates/finding-5cs-template.md` | Finding (Condition / Criteria / Cause / Consequence / Recommendation) |
26+
| `templates/audit-committee-onepager.md` | Audit-committee roll-up |
27+
| `samples/example-workpaper-APP-TXN-01.md` | Worked example workpaper (what Devin produces) |
28+
| `samples/example-finding-FND-01.md` | Worked example finding |
29+
| `ccm/continuous-controls-monitoring.md` | Scheduled continuous-controls-monitoring spec |
30+
31+
## The demo flow (Ask Devin → Ask Devin → Devin session)
32+
33+
Follows the progressive narrative: two lightweight **Ask Devin** discovery/scoping prompts,
34+
then one **Devin session** that executes and reports.
35+
36+
**1. Ask Devin (discover):**
37+
> Here is our Cards platform repo and our Risk & Control Matrix at `audit/racm.yaml`. Map
38+
> each control to where it's implemented (or should be) in this codebase and tell me what's auditable.
39+
40+
**2. Ask Devin (scope the fieldwork):**
41+
> Using `@playbook:01-audit-planning-coverage`, produce the fieldwork test plan: for each
42+
> control, the test procedure, the population, and the sample. Prioritise the key controls.
43+
44+
**3. Devin session (execute + report):**
45+
> Run the audit fieldwork. Execute `@playbook:02-itgc-testing` and
46+
> `@playbook:03-application-control-reperformance`, then `@playbook:04-findings-and-reporting`.
47+
> Produce a workpaper per control, 5-Cs findings, and the audit-committee one-pager — every
48+
> result cited to `file:line`, commit/PR, or command output.
49+
50+
*(Replace the `@playbook:` names with the `@playbook:playbook-<id>` references once the
51+
Devin Playbooks are created in the workspace.)*
52+
53+
## Expected findings (so the demo is repeatable)
54+
55+
These exist naturally in the auditee code — Devin discovers real gaps, nothing is faked:
56+
57+
| Control | Result | The gap |
58+
|---|---|---|
59+
| APP-TXN-01 | **FAIL** | No positive-amount validation → negative transfer steals from recipient (`AccountService.java:51-135`) |
60+
| APP-TXN-02 | **FAIL** | `transferAmount` not `@Transactional` → partial failure destroys money (`AccountService.java:103-135`) |
61+
| APP-TXN-03 | **FAIL** | No limits, no maker-checker on transfers |
62+
| APP-ACC-04 | **FAIL** | Single hardcoded `"USER"` role, no SoD (`AccountService.java:99-101`) |
63+
| APP-SEC-05 | **FAIL** | CSRF disabled on state-changing endpoints (`SecurityConfig.java:30`) |
64+
| ITGC-SEC-06 | **FAIL** | DB credentials committed in `application.properties:4-5` |
65+
| ITGC-CM-07 | **FAIL** | No CODEOWNERS/branch protection; direct commits to `DevOps` |
66+
| ITGC-CM-08 | **FAIL** | Pipeline builds from a different upstream repo (`Jenkinsfile:26`) |
67+
| ITGC-SDLC-09 | **PARTIAL** | Trivy/OWASP/SonarQube present, but only test is `contextLoads()` |
68+
| ITGC-DATA-10 | **FAIL** | `ddl-auto=update` auto-mutates schema (`application.properties:9`) |
69+
| ITGC-LOG-11 | **FAIL** | No audit logging of financial events |
70+
71+
## Optional closing beats
72+
73+
- **Code review as a continuous control:** open a PR that subtly weakens a control (e.g.
74+
remove the insufficient-funds check in `withdraw`) and let Devin Review flag the control
75+
breach *before* merge. See "the weakening PR" in the demo notes below.
76+
- **Continuous Controls Monitoring:** schedule the CCM session (`ccm/`) to re-test nightly
77+
and escalate only on change.
78+
- **Remediation validation:** fix APP-TXN-01, then have Devin re-test that one control and
79+
close FND-01 with fresh evidence.
80+
81+
### The "weakening PR" (seed for the code-review beat)
82+
In `AccountService.withdraw`, delete the guard:
83+
```java
84+
if (account.getBalance().compareTo(amount) < 0) {
85+
throw new RuntimeException("Insufficient funds");
86+
}
87+
```
88+
Open it as a PR. Devin's review should flag that it removes a key transaction-integrity
89+
control (APP-TXN-01 family) and would allow overdrawn balances — caught pre-merge.
90+
91+
## Guardrails (why this is audit-appropriate)
92+
- **Independence / human-in-the-loop:** Devin proposes & drafts; the auditor concludes and signs off.
93+
- **Read-only assurance:** in audit mode Devin never changes the audited system.
94+
- **The auditor is auditable:** every session is logged, reproducible, and exportable.
95+
- **Least privilege & synthetic data:** scoped, read-only access; no real customer data.
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
# Continuous Controls Monitoring (CCM)
2+
3+
Point-in-time, sample-based testing is the traditional audit model. CCM uses a **scheduled
4+
Devin session** to re-run the automated control tests on a cadence, diff against the last
5+
run, and escalate **only on change** — moving toward continuous, full-population assurance.
6+
7+
## Scope (automatable controls only)
8+
The controls suitable for unattended re-testing each cycle:
9+
10+
| Control | What is re-checked each run |
11+
|---|---|
12+
| APP-TXN-01 | positive-amount validation still present on all monetary methods |
13+
| APP-TXN-02 | transfer still executes within a transaction boundary |
14+
| APP-ACC-04 | role/privilege model unchanged or improved |
15+
| APP-SEC-05 | CSRF protection state on state-changing endpoints |
16+
| ITGC-SEC-06 | no new secrets committed (secret scan over diff) |
17+
| ITGC-CM-07 | every new change to protected branch had an independent approval |
18+
| ITGC-SDLC-09 | scans + tests still gate; test coverage not regressed |
19+
| ITGC-DATA-10 | no uncontrolled runtime schema mutation reintroduced |
20+
| ITGC-LOG-11 | financial-event logging present |
21+
22+
## Schedule spec
23+
- **Cadence:** nightly (or per-merge trigger on the protected branch).
24+
- **Trigger:** scheduled Devin session (see the `managing-schedules` capability) or a CI/webhook trigger.
25+
- **Prompt (pinned):**
26+
> Using `audit/racm.yaml`, re-run the automated control tests for the controls flagged
27+
> CCM-eligible. Compare results to the previous run. Escalate ONLY controls whose status
28+
> changed (improved or regressed). Produce a short delta report and update open findings.
29+
- **Escalation:** post a delta report to the audit channel; open/refresh a finding for any
30+
regression; auto-close (pending auditor sign-off) any finding whose control now passes.
31+
32+
## Output each cycle
33+
- A **delta report**: controls changed since last run (regressions first), with citations.
34+
- Updated finding statuses (open / remediated / validated), each with fresh evidence.
35+
- The session transcript, retained as the audit trail for that monitoring cycle.
36+
37+
## Guardrails
38+
- Read-only against the auditee.
39+
- No-change runs produce a one-line "no exceptions; no change" entry — no noise.
40+
- Auditor signs off any status transition to "validated".

audit/ontology.md

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
# Audit Ontology
2+
3+
The ontology is the backbone of "Devin for Group Audit". It is the machine-readable
4+
vocabulary that lets Devin turn *"go audit this system"* into concrete, repeatable,
5+
attributable tests — and lets every result roll up to a risk and a regulation.
6+
7+
## The model
8+
9+
```
10+
Auditable Entity ──has──> Risk ──mitigated by──> Control ──tested by──> Test Procedure
11+
│ │ │ │
12+
(system/process) (what goes wrong) (preventive/detective/ (inquiry / observation /
13+
corrective; manual/auto; inspection / re-performance;
14+
key/non-key; owner) sample; pass/fail criteria)
15+
16+
mapped to Regulation
17+
(ICFR, PRA/FCA, SMCR, Consumer Duty,
18+
Op-Resilience/DORA, GDPR)
19+
20+
Test Procedure ──produces──> Evidence ──substantiates──> Result ──exception──> Finding
21+
22+
tracked to Action
23+
(remediation + re-test)
24+
```
25+
26+
## Entities in the ontology
27+
28+
| Concept | Meaning | Where it lives |
29+
|---|---|---|
30+
| **Auditable Entity** | A system or process in scope (the slice of the audit universe) | `racm.yaml: auditable_entities` |
31+
| **Risk** | What could go wrong if the control fails | `racm.yaml: risks` |
32+
| **Control** | The mechanism that mitigates the risk; typed by nature, automation, and whether it is *key* | `racm.yaml: controls` |
33+
| **Regulation** | The obligation the control supports | `racm.yaml: regulations` |
34+
| **Test Procedure** | How the control is tested (the four classic methods below) | `controls[].test_procedure` |
35+
| **Evidence** | Artifacts that substantiate a test result (must be a citation or re-runnable) | `controls[].evidence_required` |
36+
| **Finding / Issue** | An exception where the control failed, rated by severity | produced by Devin → `templates/finding-5cs-template.md` |
37+
| **Action** | Remediation, validated by a re-test | tracked via issue + re-test |
38+
39+
## Control attributes (the typing that drives testing)
40+
41+
- **Nature:** `preventive` (stops it happening) · `detective` (spots it after) · `corrective` (fixes it)
42+
- **Automation:** `automated` · `manual` · `hybrid`
43+
- **Key:** `true` if failure alone could lead to a material misstatement / significant risk
44+
- **Owner:** the accountable first-line owner (links to SMCR accountability)
45+
46+
## The four test methods (auditing standard)
47+
48+
1. **Inquiry** — ask the owner / read documentation (weakest alone).
49+
2. **Observation** — watch the control operate.
50+
3. **Inspection** — examine evidence (config, code, logs, PR metadata).
51+
4. **Re-performance** — independently execute the control and compare the result (strongest).
52+
53+
Devin's leverage is greatest on **inspection** and **re-performance**, executed over the
54+
**full population** rather than a sample — e.g. inspecting every merge for approval, or
55+
re-performing a transfer calculation against crafted inputs.
56+
57+
## Why this matters
58+
59+
Because every control row carries a `control_id`, a `risk`, a `regulation`, a
60+
`test_procedure`, `pass_criteria`, and `evidence_required`, Devin's output is:
61+
62+
- **Traceable** — each conclusion cites `file:line`, a PR/commit, or command output.
63+
- **Reproducible** — a reviewer or regulator can re-run the test.
64+
- **Roll-up-able** — results aggregate by risk, by regulation, and by key/non-key for the audit-committee view.
65+
- **Independent** — Devin tests and evidences; the auditor concludes and signs off.
Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# Playbook — Audit Planning & Coverage Mapping
2+
3+
## Overview
4+
Ingest the audit ontology (`audit/racm.yaml`) and the auditee codebase, then produce
5+
(a) a **coverage map** of where each control is implemented (or should be) in the code
6+
and (b) a **fieldwork test plan** with a procedure, population and sample per control.
7+
This is a read-only scoping activity — no findings are concluded here.
8+
9+
## What's Needed From User
10+
- Repository access for the auditee (Springboot-BankApp)
11+
- The RACM at `audit/racm.yaml` (loaded as Knowledge or read from the repo)
12+
- The in-scope audit period (for change-management population)
13+
14+
<phase name="Ontology & Scope Intake" id="1">
15+
## Phase 1 — Ontology & Scope Intake
16+
17+
1. Read `audit/racm.yaml`. Enumerate every control with its `control_id`, `auditable_entity`, `risk`, `regulation`, `test_procedure`, `population`, and `pass_criteria`.
18+
2. Read `audit/ontology.md` to confirm the entity/risk/control/test/evidence/finding model.
19+
3. Confirm the in-scope period and the protected branch for change-management population.
20+
21+
<verification>
22+
- Every control in `racm.yaml` is enumerated with its key attributes
23+
- Each control is mapped to its auditable entity and the regulation(s) it supports
24+
- The audit period and protected branch are recorded
25+
</verification>
26+
</phase>
27+
28+
<phase name="Coverage Mapping" id="2">
29+
## Phase 2 — Coverage Mapping
30+
31+
1. For each control, locate where it is (or should be) implemented in the codebase and record exact `file:line` references.
32+
2. Classify each control as: `implemented`, `partially implemented`, `not implemented`, or `not applicable` — with a one-line rationale and citation. Do NOT yet conclude pass/fail.
33+
3. Flag any control whose `auditable_entity.primary_source` does not exist or cannot be located.
34+
35+
<verification>
36+
- Every control has at least one code citation or an explicit "no implementation found" note
37+
- Coverage classification recorded per control with rationale
38+
- Gaps in locating sources are flagged
39+
</verification>
40+
</phase>
41+
42+
<phase name="Test Plan" id="3">
43+
## Phase 3 — Fieldwork Test Plan
44+
45+
1. For each control, restate the test procedure, the population, the sampling approach (full population vs sample size), and the pass criteria.
46+
2. Choose the strongest feasible test method (prefer inspection / re-performance over inquiry).
47+
3. Produce the plan as a table ordered by `key: true` first, then by severity, and save it as a workpaper-style artifact.
48+
49+
<verification>
50+
- Test plan covers 100% of controls in the RACM
51+
- Each control's population and sample are explicit and justified
52+
- Key controls are prioritised first
53+
- Output saved as a planning workpaper
54+
</verification>
55+
</phase>
56+
57+
## Specifications
58+
- Output: a coverage map + a fieldwork test plan, both fully cited.
59+
- Read-only. No code changes. No pass/fail conclusions in this playbook.
60+
61+
## Forbidden Actions
62+
- Do not modify the auditee codebase.
63+
- Do not conclude findings — that happens in the testing playbooks.
64+
- Do not rely on inquiry alone where inspection/re-performance is possible.

audit/playbooks/02-itgc-testing.md

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
# Playbook — ITGC Testing
2+
3+
## Overview
4+
Test the IT General Controls in the RACM (change management, logical access, secure
5+
SDLC, secrets/config, data/schema control, logging) by **inspection over the full
6+
population** of code, config, pipeline and repo history. Produce one workpaper per
7+
control with cited evidence and a pass/fail/partial result. Read-only.
8+
9+
## What's Needed From User
10+
- Auditee repository access (code + full git history; un-shallow if needed)
11+
- `audit/racm.yaml`
12+
- The in-scope period and protected branch
13+
14+
<phase name="Change Management & Pipeline Integrity" id="1">
15+
## Phase 1 — Change Management & Pipeline (ITGC-CM-07, ITGC-CM-08)
16+
17+
1. Check for `CODEOWNERS` and branch-protection evidence on the protected branch (design test).
18+
2. For the in-scope population of changes to the protected branch, build a per-change evidence table: commit/PR, author, approver (must differ from author), linked change record, CI status. Note any direct-to-branch pushes.
19+
3. Trace the CI/CD checkout source (`Jenkinsfile`) against the audited repository to test build provenance (ITGC-CM-08).
20+
21+
<verification>
22+
- Per-change evidence table produced for the population/sample
23+
- Author≠approver tested for each sampled change
24+
- Branch-protection / CODEOWNERS design state recorded
25+
- Pipeline source provenance traced and concluded
26+
</verification>
27+
</phase>
28+
29+
<phase name="Logical Access & Secrets" id="2">
30+
## Phase 2 — Logical Access & Secrets (APP-ACC-04, APP-SEC-05, ITGC-SEC-06)
31+
32+
1. Inspect the granted-authorities/role model and endpoint authorisation rules; assess least privilege and SoD (APP-ACC-04).
33+
2. Inspect security configuration for CSRF and protections on state-changing endpoints (APP-SEC-05).
34+
3. Scan all committed config and history for embedded secrets/credentials (ITGC-SEC-06). Cite exact `file:line`.
35+
36+
<verification>
37+
- Role/privilege model assessed with citations
38+
- CSRF / state-changing-endpoint protection concluded
39+
- Secret scan run over source + history with results cited
40+
</verification>
41+
</phase>
42+
43+
<phase name="SDLC, Data & Logging" id="3">
44+
## Phase 3 — Secure SDLC, Data & Logging (ITGC-SDLC-09, ITGC-DATA-10, ITGC-LOG-11)
45+
46+
1. Inspect the pipeline for SAST/SCA/filesystem scanning and a test-execution gate; inventory the test suite and assess business-logic coverage (ITGC-SDLC-09).
47+
2. Inspect persistence config for uncontrolled runtime schema mutation (ITGC-DATA-10).
48+
3. Inspect transaction code paths for audit logging of financial/security events (ITGC-LOG-11).
49+
50+
<verification>
51+
- Pipeline scanning + test gating concluded; test coverage inventoried
52+
- Schema/data change control concluded with citation
53+
- Financial-event logging concluded with citation
54+
</verification>
55+
</phase>
56+
57+
<phase name="Workpapers" id="4">
58+
## Phase 4 — Workpapers
59+
60+
1. For each ITGC tested, produce a workpaper using `audit/templates/workpaper-template.md`.
61+
2. Record result (pass/partial/fail), every piece of evidence as a citation, and any exceptions.
62+
3. Hand exceptions to the Findings & Reporting playbook.
63+
64+
<verification>
65+
- One workpaper per ITGC control tested
66+
- Every result backed by a citation (file:line / commit / command output)
67+
- Exceptions listed and ready for findings
68+
</verification>
69+
</phase>
70+
71+
## Specifications
72+
- Test the full population wherever feasible (e.g. all merges, all config).
73+
- Every conclusion must be reproducible from the cited evidence.
74+
75+
## Forbidden Actions
76+
- Do not modify the auditee codebase or its history.
77+
- Do not conclude a pass without inspecting actual evidence (no inquiry-only passes).
78+
- Do not print secret values — cite the location only.

0 commit comments

Comments
 (0)