Auditor Interrogation Q&A
Structured responses to common auditor questions about authority, accountability, change handling, evidence interpretation, and historical integrity.
This section is intended for: Technical Team, Auditor, Management. Unauthorised access is restricted.
1. Purpose
This document provides pre-prepared, structured responses to questions commonly asked during compliance audits. Each response references the specific platform capability, enforcement mechanism, or governance document that substantiates the answer.
These responses describe implemented platform behaviour, not aspirational goals. Each answer is traceable to enforcement code or governance documentation.
All responses in this document are governed by the declared Scope & Limitations. Auditors should review that document for the formal boundaries of platform assertions.
2. Authority Questions
Who has authority to make compliance decisions?
Authority is governed by the Governance Constitution. Five decision classes exist (INFORMATIONAL through BINDING_GOVERNANCE_DECISION). Each class defines which roles can initiate and approve decisions. Authority is enforced through the authority matrix and role-based middleware.
Reference: Governance Constitution, governanceConstitutionService.ts
Can a single person both prepare and approve a governance decision?
No. Separation of duties is enforced at the database level. The system rejects approval attempts where the approver matches the preparer. This is not a UI restriction — it is enforced in the service layer.
Reference: governanceDecisionService.ts
Who can modify workspace bindings?
Only users with the admin role. Binding modifications are logged with full provenance (actor identity, timestamp, IP address, user agent). Locked bindings cannot be modified without explicit unlock.
Reference: workspaceService.ts, binding_audit_log table
3. Accountability Questions
How do you track who did what?
Every governance action is logged to an immutable audit stream with blockchain-style hash chaining. Each entry includes: actor identity, timestamp, action type, affected resource, and a SHA-256 hash linking to the previous entry.
Reference: institutionalMemoryService.ts
Can audit log entries be modified or deleted?
No. The audit stream is append-only. Hash chaining means any modification to historical entries would break the chain and be detectable.
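The append-only, hash-chained audit stream described above, as an added TypeScript example that is not Govula's institutionalMemoryService.ts; the entry fields and the canonical serialisation are assumptions. The checker walks an exported copy of the chain and reports the first entry whose hash or link no longer matches, which is how an in-place edit, a re-hashed edit, or a deleted entry becomes detectable.

```typescript
import { createHash } from "crypto";

// Assumed entry shape; field names are illustrative, not Govula's schema.
export interface AuditEntry {
  seq: number;
  actor: string;
  timestamp: string;
  action: string;
  resource: string;
  prevHash: string; // hash of the preceding entry (GENESIS_HASH for the first)
  hash: string;     // SHA-256 over this entry's own fields plus prevHash
}

export const GENESIS_HASH = "0".repeat(64);

// Canonical serialisation with a fixed field order so the hash is reproducible.
export function entryHash(e: Omit<AuditEntry, "hash">): string {
  const canonical = JSON.stringify([e.seq, e.actor, e.timestamp, e.action, e.resource, e.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

export class AuditStream {
  private readonly entries: AuditEntry[] = [];

  // Append is the only mutating operation; the class has no update or delete.
  append(actor: string, action: string, resource: string, timestamp: string): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const body = { seq: this.entries.length, actor, timestamp, action, resource,
                   prevHash: prev ? prev.hash : GENESIS_HASH };
    const entry: AuditEntry = { ...body, hash: entryHash(body) };
    this.entries.push(entry);
    return entry;
  }

  // Export copies so callers holding an export cannot mutate the stream itself.
  export(): AuditEntry[] {
    return this.entries.map(e => ({ ...e }));
  }
}

// Walk an exported chain and return the index of the first entry that fails
// (wrong sequence, broken link to its predecessor, or hash mismatch); -1 if intact.
export function firstBrokenEntry(chain: AuditEntry[]): number {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const { hash, ...body } = chain[i];
    if (body.seq !== i || body.prevHash !== expectedPrev || entryHash(body) !== hash) return i;
    expectedPrev = hash;
  }
  return -1;
}
```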
Reference: Institutional Memory service
How is identity managed?
The platform supports enterprise SSO (SAML 2.0, OpenID Connect) and local authentication with MFA. All identity events are logged. Session tokens are JWT-based with configurable expiry.
Reference: identityService.ts
4. Change Handling Questions
What happens when a compliance decision is updated?
A new version is created. Previous versions are preserved and remain accessible. The new version references the previous version via a supersedes chain. Reports generated before the change remain locked to their original decision versions.
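One way to implement both the preparer/approver separation from section 2 and the supersedes chain described here, as an added TypeScript example that is not Govula's governanceDecisionService.ts; the in-memory store, the `<id>@<version>` key format and the error code are assumptions. A report that pins `D-1@1` keeps resolving to the same content after `D-1@2` is prepared.

```typescript
// Illustrative model of a versioned decision; not Govula's real service code.
export interface DecisionVersion {
  id: string;                 // stable decision identity
  version: number;            // 1, 2, 3 ... never reused
  supersedes: string | null;  // "<id>@<version>" of the version this one replaces
  preparedBy: string;
  approvedBy: string | null;
  content: string;
}

export class SeparationOfDutiesError extends Error { readonly code = "SEPARATION_OF_DUTIES"; }

export class GovernanceDecisionService {
  private readonly versions = new Map<string, DecisionVersion>(); // key "<id>@<version>"
  private readonly latest = new Map<string, number>();
  private key(id: string, version: number): string { return `${id}@${version}`; }

  // Updating a decision creates a new version; earlier versions are never overwritten.
  prepare(id: string, preparedBy: string, content: string): DecisionVersion {
    const prevVersion = this.latest.get(id) ?? 0;
    const v: DecisionVersion = { id, version: prevVersion + 1, preparedBy, approvedBy: null, content,
      supersedes: prevVersion ? this.key(id, prevVersion) : null };
    this.versions.set(this.key(id, v.version), v);
    this.latest.set(id, v.version);
    return v;
  }

  // Service-layer check: whoever prepared a version can never approve it.
  approve(id: string, version: number, approvedBy: string): DecisionVersion {
    const v = this.versions.get(this.key(id, version));
    if (!v) throw new Error(`unknown decision ${id}@${version}`);
    if (v.approvedBy) throw new Error(`${id}@${version} is approved and therefore immutable`);
    if (v.preparedBy === approvedBy)
      throw new SeparationOfDutiesError(`${approvedBy} prepared ${id}@${version} and cannot approve it`);
    const approved = { ...v, approvedBy };
    this.versions.set(this.key(id, version), approved);
    return approved;
  }

  // Reports pin "<id>@<version>"; this lookup is unaffected by later versions.
  get(id: string, version: number): DecisionVersion | undefined { return this.versions.get(this.key(id, version)); }

  // Follow the supersedes chain from a version back to version 1.
  lineage(id: string, version: number): string[] {
    const out: string[] = [];
    let cursor: string | null = this.key(id, version);
    while (cursor && this.versions.has(cursor)) { out.push(cursor); cursor = this.versions.get(cursor)!.supersedes; }
    return out;
  }
}
```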
Reference: governanceDecisionService.ts, Change & Versioning Semantics doc
Can reports be retroactively modified?
No. Reports are locked to the decision versions that existed at generation time. Each report includes a SHA-256 content hash for integrity verification. Cryptographic signing provides tamper evidence.
Reference: reportGovernanceService.ts
How are configuration changes tracked?
All workspace status transitions, binding changes, and entitlement modifications are logged with before/after state, actor identity, and timestamp.
Reference: binding_audit_log, governance_timeline tables
5. Evidence Interpretation Questions
How does the platform handle evidence quality?
Each evidence item is assigned an Evidence Quality Index (EQI) based on completeness, freshness, and relevance. Evidence freshness is tracked automatically with configurable thresholds. Stale evidence triggers alerts.
Reference: evidenceQualityService.ts
What happens when evidence is missing?
The absence of evidence is itself a signal. Controls without evidence are flagged. The platform does not infer compliance from missing evidence — it reports the gap explicitly.
Reference: Evidence Semantics doc
How is evidence versioning handled?
Evidence is append-only. New versions do not overwrite previous versions. Each version is timestamped and attributed to a specific actor. Evidence lineage is included in auditor reports.
Reference: evidenceService.ts
6. Governance Enforcement Questions
What prevents incomplete or misconfigured compliance artefacts from being generated?
Govula enforces governance correctness through deterministic pre-flight validation. Before a workspace can be activated or an authoritative report generated, the platform verifies that minimum governance conditions are satisfied — including framework applicability, control mapping, and ownership assignment. These checks exist to prevent the creation or publication of incomplete, misleading, or non-defensible compliance artefacts. They do not introduce interpretation, scoring, or automated judgement. If a pre-flight validation fails, no existing artefacts are altered. The system provides explicit remediation guidance, and governance authority remains unchanged until requirements are met. No automated judgement occurs at any stage of this process.
Reference: governanceGuardrailService.ts, governance.ts, reports.ts
Does the platform override human judgement or automate compliance decisions?
No. The platform enforces structural prerequisites (e.g., framework must be bound, controls must be mapped, ownership must be assigned) before governance operations can proceed. These are deterministic correctness checks, not interpretive judgements. All compliance decisions — including applicability determinations, risk assessments, and governance approvals — require explicit human authority. The platform does not score, rank, or infer compliance status. AI capabilities operate in an advisory capacity only and cannot approve, sign, or publish any artefact.
Reference: governanceGuardrailService.ts, Governance Constitution, AI Authority Boundary
7. Historical Integrity Questions
Can you reconstruct the compliance state at any point in time?
Yes. The platform maintains point-in-time snapshots, decision version chains, and an immutable audit stream. Historical reports remain locked to their original data.
Reference: institutionalMemoryService.ts, compliance_snapshots table
How do you prevent data tampering?
Multiple mechanisms: SHA-256 content hashing on all generated documents, blockchain-style hash chaining on the audit stream, cryptographic report signing, and immutability locks on approved decisions.
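The content-hash plus signature mechanism listed above (and described under Change Handling for reports), as an added TypeScript example that is not Govula's reportSigner.ts; the report envelope fields, the canonical serialisation and the choice of Ed25519 via Node's crypto module are assumptions. Verification distinguishes an edited body from a signature that does not belong to the stored hash.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "crypto";

// Illustrative report envelope; the fields and key algorithm are assumptions.
export interface SignedReport {
  reportId: string;
  decisionRefs: string[];  // "<id>@<version>" pins fixed at generation time
  generatedAt: string;
  generatedBy: string;
  body: string;
  contentHash: string;     // SHA-256 (hex) over the canonical payload
  signature: string;       // Ed25519 signature (base64) over contentHash
}
export type ReportPayload = Omit<SignedReport, "contentHash" | "signature">;

// Fixed field order so the same payload always hashes to the same value.
function canonical(p: ReportPayload): string {
  return JSON.stringify([p.reportId, p.decisionRefs, p.generatedAt, p.generatedBy, p.body]);
}

export function contentHash(p: ReportPayload): string {
  return createHash("sha256").update(canonical(p)).digest("hex");
}

export function newSigningKeys(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync("ed25519");
}

// Sign the hash rather than the body: the hash is what auditors compare, and it is short.
export function signReport(p: ReportPayload, privateKey: KeyObject): SignedReport {
  const hash = contentHash(p);
  const signature = sign(null, Buffer.from(hash, "hex"), privateKey).toString("base64");
  return { ...p, contentHash: hash, signature };
}

// Distinguishes an edited body (hash no longer matches) from a forged or wrong-key signature.
export function verifyReport(r: SignedReport, publicKey: KeyObject): "valid" | "content_modified" | "bad_signature" {
  const { contentHash: storedHash, signature, ...payload } = r;
  if (contentHash(payload) !== storedHash) return "content_modified";
  const ok = verify(null, Buffer.from(storedHash, "hex"), publicKey, Buffer.from(signature, "base64"));
  return ok ? "valid" : "bad_signature";
}
```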
Reference: reportSigner.ts, institutionalMemoryService.ts
Are generated documents legally defensible?
Generated documents include full provenance metadata: who generated them, when, from which data version, under which governance context. Legal export bundles include cryptographic signatures and complete audit trails.
Reference: documentStandardService.ts, Legal Export Bundle system
8. Document Control
This document is a governed artefact. Changes require BINDING_GOVERNANCE_DECISION class approval and are subject to the change and amendment rules defined in the Governance Constitution.