Audit Rule Engine Concepts

Applies audit controls to procurement exports and produces exception tables (ghost vendors, PO variance breaches, high-value flags) as timestamped CSV evidence.

Thresholds and toggles live in YAML. Policy updates change controls without code changes, reducing review surface and regression risk.

Audit thresholds change (variance %, high-value cutoffs, enable/disable checks). Keeping them in YAML makes approvals and change history straightforward.

Treat the YAML file like a control document: version it, review it, and align it to department tolerance (finance vs procurement vs compliance).

A ghost vendor is an invoice referencing a VendorID that does not exist in the vendor master. This is a strong data-integrity and control-failure signal.

Invoices LEFT JOIN vendor master; retain rows where the master lookup is missing. This produces a clean evidence table: InvoiceID, VendorID, VendorName.

VendorName can change over time or differ by source. A robust extension flags name mismatch separately (invoice name vs master name) instead of treating it as ghost.

Sometimes invoices are valid but the master list is outdated. That becomes a master data governance issue (version the master list and treat as control gap).

Variance breaches detect invoice inflation, missing change control, or data errors. This is a classic finance/procurement control.

Variance = abs(InvoiceAmount - PO_Amount) / PO_Amount and flag when Variance > max_po_variance.

Not a division error—an anomaly. Indicates PO was mis-entered, bypassed, or not properly linked. Treat as a separate evidence table (e.g., po_amount_zero.csv).

One PO may be paid across multiple invoices. A scalable enhancement groups by PO_ID and compares cumulative invoice totals to PO totals.

High-value invoices aren’t “bad” by default—they’re high-exposure. This control creates a review queue aligned to materiality.

Flags rows at/above the configured threshold and exports an evidence list (InvoiceID, VendorID, VendorName, InvoiceAmount).

Every run produces timestamped CSVs (ghost vendors, PO variance, high value). These behave like immutable evidence snapshots that can be attached to tickets or audits.

For many audit workflows, consistent timestamped evidence exports provide enough traceability without needing a full data warehouse or ticketing integration.

Joins, column math, and filtering are vectorized, making runs fast for typical ERP export sizes (thousands to millions of rows depending on hardware).

If exports exceed memory, swap the compute layer (DuckDB/Polars) while keeping YAML rules + evidence outputs unchanged.

Same input produces the same output every time. This is the baseline for audit defensibility.

Used only for unstructured Notes fields to surface risks. Treated as an exception list for review, not a verdict.

Command: python src/rule_engine.py (show printed findings + evidence exports)

Show the summary cards and the Export Evidence section producing CSVs in-browser.