|
| 1 | +# Devin for Group Audit — Demo Kit |
| 2 | + |
| 3 | +A self-contained demonstration of how Devin supports an **internal audit (third line of |
| 4 | +defence)** function: an **audit ontology** (Risk & Control Matrix), **control testing** |
| 5 | +(ITGC + application controls + code review as a continuous control), and **audit |
| 6 | +reporting** — all grounded in this banking application as the auditee. |
| 7 | + |
| 8 | +> **Thesis.** Devin is the *execution & evidence layer* of internal audit. Under the |
| 9 | +> auditor's direction and sign-off, it plans testing from a machine-readable control |
| 10 | +> catalogue, executes the tests, re-performs key calculations, reviews code changes as a |
| 11 | +> continuous control, and drafts workpapers & findings with full traceability. It does |
| 12 | +> **not** replace the auditor's judgement, independence, or sign-off. |
| 13 | +
|
| 14 | +## What's in this kit |
| 15 | + |
| 16 | +| Path | What it is | |
| 17 | +|---|---| |
| 18 | +| `racm.yaml` | **The audit ontology** — Risk & Control Matrix: entities, risks, 11 controls, regulations, test procedures, expected findings | |
| 19 | +| `ontology.md` | The ontology model explained (entity → risk → control → test → evidence → finding → action) | |
| 20 | +| `playbooks/01-audit-planning-coverage.md` | Coverage mapping + fieldwork test plan (read-only scoping) | |
| 21 | +| `playbooks/02-itgc-testing.md` | ITGC testing over the full population (change mgmt, access, SDLC, secrets, data, logging) | |
| 22 | +| `playbooks/03-application-control-reperformance.md` | Re-perform transaction/transfer/authorisation controls | |
| 23 | +| `playbooks/04-findings-and-reporting.md` | 5-Cs findings, roll-up reporting, remediation validation | |
| 24 | +| `templates/workpaper-template.md` | Per-control workpaper | |
| 25 | +| `templates/finding-5cs-template.md` | Finding (Condition / Criteria / Cause / Consequence / Recommendation) | |
| 26 | +| `templates/audit-committee-onepager.md` | Audit-committee roll-up | |
| 27 | +| `samples/example-workpaper-APP-TXN-01.md` | Worked example workpaper (what Devin produces) | |
| 28 | +| `samples/example-finding-FND-01.md` | Worked example finding | |
| 29 | +| `ccm/continuous-controls-monitoring.md` | Scheduled continuous-controls-monitoring spec | |
| 30 | + |
| 31 | +## The demo flow (Ask Devin → Ask Devin → Devin session) |
| 32 | + |
| 33 | +Follows the progressive narrative: two lightweight **Ask Devin** discovery/scoping prompts, |
| 34 | +then one **Devin session** that executes and reports. |
| 35 | + |
| 36 | +**1. Ask Devin (discover):** |
| 37 | +> Here is our Cards platform repo and our Risk & Control Matrix at `audit/racm.yaml`. Map |
| 38 | +> each control to where it's implemented (or should be) in this codebase and tell me what's auditable. |
| 39 | +
|
| 40 | +**2. Ask Devin (scope the fieldwork):** |
| 41 | +> Using `@playbook:01-audit-planning-coverage`, produce the fieldwork test plan: for each |
| 42 | +> control, the test procedure, the population, and the sample. Prioritise the key controls. |
| 43 | +
|
| 44 | +**3. Devin session (execute + report):** |
| 45 | +> Run the audit fieldwork. Execute `@playbook:02-itgc-testing` and |
| 46 | +> `@playbook:03-application-control-reperformance`, then `@playbook:04-findings-and-reporting`. |
| 47 | +> Produce a workpaper per control, 5-Cs findings, and the audit-committee one-pager — every |
| 48 | +> result cited to `file:line`, commit/PR, or command output. |
| 49 | +
|
| 50 | +*(Replace the `@playbook:` names with the `@playbook:playbook-<id>` references once the |
| 51 | +Devin Playbooks are created in the workspace.)* |
| 52 | + |
| 53 | +## Expected findings (so the demo is repeatable) |
| 54 | + |
| 55 | +These exist naturally in the auditee code — Devin discovers real gaps, nothing is faked: |
| 56 | + |
| 57 | +| Control | Result | The gap | |
| 58 | +|---|---|---| |
| 59 | +| APP-TXN-01 | **FAIL** | No positive-amount validation → negative transfer steals from recipient (`AccountService.java:51-135`) | |
| 60 | +| APP-TXN-02 | **FAIL** | `transferAmount` not `@Transactional` → partial failure destroys money (`AccountService.java:103-135`) | |
| 61 | +| APP-TXN-03 | **FAIL** | No limits, no maker-checker on transfers | |
| 62 | +| APP-ACC-04 | **FAIL** | Single hardcoded `"USER"` role, no SoD (`AccountService.java:99-101`) | |
| 63 | +| APP-SEC-05 | **FAIL** | CSRF disabled on state-changing endpoints (`SecurityConfig.java:30`) | |
| 64 | +| ITGC-SEC-06 | **FAIL** | DB credentials committed in `application.properties:4-5` | |
| 65 | +| ITGC-CM-07 | **FAIL** | No CODEOWNERS/branch protection; direct commits to `DevOps` | |
| 66 | +| ITGC-CM-08 | **FAIL** | Pipeline builds from a different upstream repo (`Jenkinsfile:26`) | |
| 67 | +| ITGC-SDLC-09 | **PARTIAL** | Trivy/OWASP/SonarQube present, but only test is `contextLoads()` | |
| 68 | +| ITGC-DATA-10 | **FAIL** | `ddl-auto=update` auto-mutates schema (`application.properties:9`) | |
| 69 | +| ITGC-LOG-11 | **FAIL** | No audit logging of financial events | |
| 70 | + |
| 71 | +## Optional closing beats |
| 72 | + |
| 73 | +- **Code review as a continuous control:** open a PR that subtly weakens a control (e.g. |
| 74 | + remove the insufficient-funds check in `withdraw`) and let Devin Review flag the control |
| 75 | + breach *before* merge. See "the weakening PR" in the demo notes below. |
| 76 | +- **Continuous Controls Monitoring:** schedule the CCM session (`ccm/`) to re-test nightly |
| 77 | + and escalate only on change. |
| 78 | +- **Remediation validation:** fix APP-TXN-01, then have Devin re-test that one control and |
| 79 | + close FND-01 with fresh evidence. |
| 80 | + |
| 81 | +### The "weakening PR" (seed for the code-review beat) |
| 82 | +In `AccountService.withdraw`, delete the guard: |
| 83 | +```java |
| 84 | +if (account.getBalance().compareTo(amount) < 0) { |
| 85 | + throw new RuntimeException("Insufficient funds"); |
| 86 | +} |
| 87 | +``` |
| 88 | +Open it as a PR. Devin's review should flag that it removes a key transaction-integrity |
| 89 | +control (APP-TXN-01 family) and would allow overdrawn balances — caught pre-merge. |
| 90 | + |
| 91 | +## Guardrails (why this is audit-appropriate) |
| 92 | +- **Independence / human-in-the-loop:** Devin proposes & drafts; the auditor concludes and signs off. |
| 93 | +- **Read-only assurance:** in audit mode Devin never changes the audited system. |
| 94 | +- **The auditor is auditable:** every session is logged, reproducible, and exportable. |
| 95 | +- **Least privilege & synthetic data:** scoped, read-only access; no real customer data. |
0 commit comments