GrytLabs Research Institute
Research Report · WMI Thesis Series
Audit, Compliance & RegTech
35 Years of Convergent Diagnosis — The Infrastructure Gap Beneath Audit Documentation Failure
Cameisha Smith, CIA
ORCID 0009-0002-8178-8380
RR-006  v1.0  ·  Research 2026-01-21  ·  Published 2026-07-06
CC-BY 4.0  ·  DOI 10.5281/zenodo.20185550
Abstract
AU-C Section 230 noncompliance remains the most common material deficiency in AICPA peer reviews despite five decades of increasingly comprehensive documentation standards, professional emphasis, and training programs. This report traces three independent evidence streams — professional standards evolution, the Vasarhelyi continuous auditing research program (1991–2022), and RegTech/GRC platform maturation — to a shared root cause: the absence of governance data infrastructure at the point of decision. The continuous auditing tradition has identified this same gap from successive angles across 35 years, while three generations of GRC platforms have built governance data consumption layers without solving the data production problem. The convergent diagnosis is architectural, not behavioral: current systems structurally separate documentation from decision-making, guaranteeing incomplete documentation under competing demands. The Deming quality principle — design quality in rather than inspect quality in — provides the theoretical frame for why quality management mandates remain insufficient without infrastructure that embeds documentation into the decision process itself.

"A series of auditors' reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter."

— CICA/AICPA (1999), *Research Report on Continuous Auditing*

Contents
§1Query Objective
§2Executive Summary
§3Literature Review
§4Scope + Limitations
§5Research Synthesis
§6Open Questions
§7Citations & Provenance
Cite As & Publication Notice

§1Query Objective

The Inquiry: What infrastructure gap explains the persistent failure of audit documentation requirements despite comprehensive professional standards, and what does the 30-year continuous auditing research tradition reveal about the conditions necessary for real-time governance assurance to become operational?

The audit profession has produced increasingly comprehensive documentation standards across five decades — from AU-C Section 230's "experienced auditor" test through the Yellow Book 2024's quality management paradigm and the EU AI Act's conformity assessment requirements. Yet AU-C 230 noncompliance remains the most common material deficiency in AICPA peer reviews, continuous auditing remains largely aspirational 35 years after Vasarhelyi & Halper's (1991) pioneering CPAS implementation at AT&T Bell Laboratories, and the shift from periodic to continuous assurance stalls at the boundary between conceptual frameworks and operational reality.

This sprint investigates whether these persistent failures share a common root cause — an infrastructure gap rather than a knowledge, training, or standards gap — and traces the continuous auditing tradition's identification of this gap across three decades of research.

Falsifiable formulation: If documentation failures are caused by training deficits rather than infrastructure absence, then training interventions should reduce AU-C 230 noncompliance rates. The persistent failure despite decades of professional emphasis, training programs, and peer review pressure refutes this alternative explanation.

§2Executive Summary

The substrate gap as convergent diagnosis. Three independent evidence streams converge on the same root cause. Stream 1 — professional standards: AU-C 230 noncompliance persists as the most common material deficiency (F1) despite the profession producing increasingly comprehensive documentation standards (F2, F3, F4, F5). The Yellow Book 2024's explicit shift from quality control to quality management (F3) acknowledges that reactive quality checking is insufficient — but the shift requires infrastructure the profession does not have. Stream 2 — continuous auditing research: Vasarhelyi's 35-year research program consistently identifies the same barrier: not technology, not theory, not demand, but the absence of infrastructure connecting audit systems to governance-relevant operational data (F11, F12, F13, F14). Brown et al.'s classification (F16) confirms "enabling technologies" as the weakest research stream despite mature development in all others. Stream 3 — RegTech/GRC evolution: Three generations of GRC platforms (F22) and three phases of RegTech evolution (F19) have developed the governance data consumption layer (monitoring, analytics, reporting) without solving the governance data production layer (capturing structured governance data from organizational processes).

The convergence is diagnostic: the problem is not what to monitor (standards specify this), not how to analyze (technology can do this), not why it matters (demand is established). The problem is generating the governance data in the first place — at the point of decision, with sufficient structure, in real time. This is the substrate gap.

Figure 1Three independent evidence streams converge on the same infrastructure diagnosis
Figure 1. Three independent evidence streams converge on the same infrastructure diagnosis.

Three simultaneous transformations. The audit landscape is undergoing convergent transformation. The temporal transformation moves from periodic to continuous assurance — driven by SAS 142's evidence modernization (F4), the Yellow Book 2024's quality management shift (F3), and IIA 2024's technology-as-obligation standard (F7). The scope transformation moves from financial auditing to enterprise governance assurance — driven by COBIT 2019's integrated governance model (F8), the EU AI Act's conformity assessment requirements (F10), and CAAI emergence (F15). The technology transformation moves from manual procedures to AI-enabled compliance — driven by RegTech evolution (F19), the hybrid intelligence model (F27), and SAS 142's recognition of automated evidence (F4).

All three transformations stall at the same boundary: the absence of governance data infrastructure. This is the unifying insight of Sprint 6.

Figure 2Comprehensive standards create demand for governance data infrastructure that does not exist
Figure 2. Comprehensive standards create demand for governance data infrastructure that does not exist.

The Vasarhelyi lineage. The continuous auditing research tradition traces a coherent arc: CPAS demonstrated feasibility (F11, 1991) → CICA/AICPA provided the definition (F12, 1999) → Brown et al. classified the field and identified the technology gap (F16, 2007) → Alles et al. documented practical barriers in pilot implementations (F14, 2008) → Chan & Vasarhelyi formalized the paradigm, revealing what this report terms the response gap (F13, 2011) → Bumgarner & Vasarhelyi updated for big data (F17, 2018) → Minkkinen et al. extended to AI systems and found no established CAAI literature (F15, 2022). At each stage, the same infrastructure gap is identified from a different angle. The research tradition has been pointing at the same missing piece for 35 years.

Figure 3The continuous auditing research tradition has identified the same infrastructure gap from successive angles across 35 years
Figure 3. The continuous auditing research tradition has identified the same infrastructure gap from successive angles across 35 years.

The AI audit frontier. The EU AI Act (F10) creates regulatory demand for AI audit infrastructure that Minkkinen et al. (F15) demonstrate does not exist even in conceptual form. Article 9's requirement for continuous risk management "throughout the entire lifecycle" cannot be satisfied by periodic assessment. Article 14's human oversight requirements — including authority to stop system operation — need infrastructure that captures human-AI decision interactions: who delegated authority, when AI recommendations were accepted or overridden, how oversight operated. Butler & O'Brien's (F21) finding that autonomous AI compliance decision-making remains aspirational reinforces the need: human judgment remains essential, but infrastructure to capture that judgment in the context of AI-assisted decisions does not exist.

The Deming parallel. The manufacturing quality revolution's central insight (F26) — "design quality in" rather than "inspect quality in" — maps precisely to the governance documentation problem. The audit profession has been trying to inspect documentation quality through periodic reviews (peer review, engagement quality review, quality control procedures). The Yellow Book 2024 (F3) acknowledges this is insufficient by shifting to quality management. But quality management without infrastructure that embeds documentation into the decision-making process is a mandate without a mechanism. Deming's insight applied to governance: documentation quality must be a structural property of the process, not a verification step after the process.

§3Literature Review

F1
AU-C 230 noncompliance is the most common material deficiency in AICPA peer reviews, with approximately one in four engagements under enhanced oversight materially nonconforming.
Type  empirical
Strength  institutional reporting (profession-wide data, enhanced oversight program since 2014)

Three persistent failure patterns identified: (a) oral reliance — auditors rely on verbal explanations rather than written documentation; (b) sign-off without evidence — program checkmarks treated as sufficient documentation without underlying workpapers demonstrating specific procedures; (c) missing procedure documentation — required procedures lack any documented evidence, with auditors asserting compliance from memory.

AU-C Section 230, paragraph .A7 permits oral explanations to clarify existing documentation but explicitly states they cannot substitute for documentation that should have been prepared.

Figure 4Three persistent audit documentation failure patterns share a single structural root cause — documentation separated from decision-making
Figure 4. Three persistent audit documentation failure patterns share a single structural root cause — documentation separated from decision-making.
F2
The "experienced auditor" test establishes a self-sufficiency standard for audit documentation that current organizational systems systematically fail to meet.
Type  empirical (professional standard)
Strength  institutional authority (AICPA)

The standard requires documentation sufficient for "an experienced auditor, having no previous connection with the audit, to understand" the nature, timing, extent, results, and evidence of procedures performed. Assembly deadline: 60 days after report release. Retention: minimum 5 years. Post-assembly modifications require specific documentation of reasons, timing, and authorship.

F3
The Yellow Book 2024 (GAO-24-106786) represents a philosophical shift from quality control to quality management — from detecting deficiencies after occurrence to proactively managing quality risks.
Type  empirical (major standards revision)
Strength  institutional authority (U.S. Government Accountability Office)

Chapter 5 retitled from "Quality Control and Peer Review" to "Quality Management, Engagement Quality Reviews, and Peer Review." The shift is substantive: quality management requires organizations to design, implement, and operate systems that proactively identify quality risks, not merely react to deficiencies found through periodic reviews. Implementation deadlines: quality management system designed and implemented by December 15, 2025; system evaluation completed by December 15, 2026. The revision also introduces optional engagement quality reviews and explicit scalability provisions for organizations of different sizes. New competence requirements include targeted CPE in cybersecurity, data analytics, and fraud detection.

F4
SAS 142 (effective December 2022) formally recognizes audit data analytics and automated tools and techniques as legitimate evidence-gathering methods, creating demand for evidence infrastructure without specifying the infrastructure.
Type  empirical (standards revision)
Strength  institutional authority (AICPA)

Key innovations: (a) audit data analytics ("ADA") established as formal procedure category; (b) evidence sources broadened to include internet data, social media content, and automated tool output; (c) dual-purpose procedures — ADA can simultaneously serve risk assessment and substantive testing; (d) principles-based evidence assessment framework applicable to any source. SAS 142 validates technology-enabled evidence without specifying the technology — creating infrastructure demand.

F5
SAS 145 (effective December 2023) enhances risk assessment with explicit IT controls assessment, inherent risk factors at assertion level, and a "stand-back" requirement to reassess risks after fieldwork.
Type  empirical (standards revision)
Strength  institutional authority (AICPA)

SAS 145 supersedes AU-C Section 315 and restructures risk assessment around three innovations: (a) a required separate assessment of inherent risk and control risk — previously often combined — with inherent risk factors evaluated at the assertion level; (b) an expanded, explicit evaluation of the entity's IT environment and general IT controls as a driver of risk; (c) a new "stand-back" requirement obligating the auditor to reassess identified risks after performing risk-assessment procedures, so material transaction classes are not overlooked. Like SAS 142 (F4), SAS 145 raises the evidentiary bar for understanding controls and IT systems without specifying infrastructure to capture that understanding — deepening the same infrastructure demand.

F6
The 2024 revision of 2 CFR Part 200 raises the single audit threshold to $1,000,000, adds cybersecurity requirements to internal controls, and restructures terminology from "non-federal entity" to "recipient/subrecipient."
Type  empirical (federal regulatory revision)
Strength  regulatory authority (OMB)

Section 200.303(e) adds requirement for "reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information." The 12 standard compliance requirement types structure federal program auditing. Federal Audit Clearinghouse (FAC) at fac.gov requires SF-SAC forms, 5 XLSX workbooks, PDF audit packages, and Login.gov authentication.

F7
The IIA 2024 Global Internal Audit Standards restructure internal auditing around five domains, shift technology from "consideration" to "obligation," and fully incorporate the Three Lines Model.
Type  empirical (comprehensive standards revision)
Strength  institutional authority (The Institute of Internal Auditors)

The 2017 Standards stated internal auditors "must consider" technology-based audit techniques. The 2024 Standards require the Chief Audit Executive to "strive to ensure that the internal audit function has the technology to support the internal audit process." This is a shift from technology as optional enhancement to technology as professional obligation. The Three Lines Model (replacing "Three Lines of Defense") reconceptualizes governance from defensive/protective to value-creation + protection. Domain V (Performing Internal Audit Services) explicitly addresses continuous auditing, data analytics, AI, and remote auditing.

F8
COBIT 2019 organizes IT governance into 40 objectives across five domains, with the MEA (Monitor, Evaluate, Assess) domain specifically addressing continuous compliance monitoring.
Type  theoretical (governance framework)
Strength  institutional authority (ISACA) + widespread industry adoption

MEA domain: MEA01 (conformance monitoring via KPIs and SLAs), MEA02 (internal control system audit), MEA03 (external compliance with regulations), MEA04 (managed assurance). Eleven design factors enable governance system customization — when organizational context changes, governance responses must be reassessed.

F9
SOX Section 302 creates personal executive certification liability; Section 404 requires ICFR assessment; Section 802 imposes up to 20 years imprisonment for document destruction — even for contemplated investigations.
Type  empirical (federal statute + regulatory standard)
Strength  legal authority

SOX §302: CEO/CFO must personally certify financial statement accuracy, ICFR effectiveness, and disclosure of control weaknesses — with criminal penalties for false certification. SOX §404: management must assess ICFR annually using a suitable framework; COSO 2013 (five components, 17 principles) is the predominant framework used in practice. PCAOB AS 2201 establishes graduated deficiency severity: control deficiency → significant deficiency → material weakness, with material weakness requiring adverse ICFR opinion. SOX §802: criminal penalties extend to contemplated investigations, not requiring actual notice — a response to Arthur Andersen document shredding during Enron.

F10
The EU AI Act (Regulation (EU) 2024/1689) creates the world's first comprehensive AI regulatory framework with risk-based classification, conformity assessment, continuous risk management, and human oversight requirements.
Type  empirical (EU regulation)
Strength  legal authority (EU regulation with enforcement mechanisms)

Article 9: Risk management must be an "ongoing iterative process planned and run throughout the entire lifecycle" with four steps: identify risks, estimate under intended use and foreseeable misuse, evaluate from post-market data, adopt targeted measures. Article 14: Human oversight must enable overseers to understand AI capabilities and limitations, detect issues, stop operation if necessary. For specified remote biometric identification uses under Annex III high-risk AI, no action may be taken on identification results unless verified by at least two natural persons. Article 72: Post-market monitoring with active systematic data collection. Full application for high-risk AI: August 2, 2026. The regulatory timeline creates acute infrastructure demand.

F11
Vasarhelyi & Halper's (1991) Continuous Process Auditing System (CPAS) at AT&T Bell Laboratories demonstrated operational continuous auditing 35 years ago — yet the paradigm has not propagated.
Type  empirical (documented implementation)
Strength  demonstrated implementation + 35-year evidence of non-adoption

CPAS implemented audit-by-exception: automatic monitoring against structured rule sets, with graduated alarm system for anomaly detection. The system was deployed for billing data monitoring at AT&T, detecting anomalies in billing and potentially fraudulent long-distance calling. The critical contribution: the shift from examining samples of past events to monitoring all current events. This was not a conceptual paper — it reported on an actual operational system. Yet the paradigm did not propagate to the broader audit profession.

F12
The CICA/AICPA (1999) Research Report provided the authoritative definition of continuous auditing as event-level, near-real-time assurance — defining three elements that remain unrealized.
Type  theoretical (authoritative institutional definition)
Strength  joint CICA/AICPA institutional authority

Three definitional elements: (a) "virtually simultaneously with, or a short period of time after" — temporal proximity; (b) "a series of auditors' reports" — ongoing assurance, not point-in-time opinion; (c) "events underlying the subject matter" — focus shifts from financial statements (outputs) to the events that generate them (inputs). This event-level focus implies decision-level governance — assurance attached to individual decisions rather than aggregate outcomes.

F13
Chan & Vasarhelyi (2011) formalized continuous auditing as a four-stage paradigm. What this report terms the "response gap" — building on Chan and Vasarhelyi's continuous-auditing paradigm — describes the structural absence of post-detection mechanisms.
Type  theoretical (paradigm formalization)
Strength  peer-reviewed journal, accepted framework in subsequent literature

Four stages: (1) automation of existing audit procedures; (2) data modeling and benchmark development; (3) data analytics for anomaly detection; (4) continuous reporting. Seven dimensions of innovation identified. The response gap: even well-implemented systems often lack structured mechanisms for what happens after anomaly detection — investigation, remediation, and escalation are not systematically captured.

F14
Alles, Kogan & Vasarhelyi (2008) identified data access — not technology or methodology — as the primary barrier preventing continuous auditing implementation.
Type  empirical (two pilot implementations)
Strength  detailed case study analysis of operational implementations

Key findings: (a) Continuous Control Monitoring (CCM) — monitoring whether controls are operating effectively — is more tractable than full continuous auditing; (b) enterprise systems were not designed to provide audit-relevant data in real time, creating integration challenges that dominated implementation effort; (c) data granularity is a double-edged sword — "unprecedented granularity" overwhelms without sophisticated analytics; (d) organizational resistance — business process owners perceived continuous monitoring as surveillance rather than quality assurance. A 2006 PricewaterhouseCoopers survey indicated half of responding firms used some CA techniques, with most of the rest planning adoption — yet the infrastructure barrier persisted.

F15
Minkkinen, Laine & Mäntymäki (2022) established that Continuous Auditing of Artificial Intelligence (CAAI) has no established literature stream despite regulatory demand.
Type  theoretical (field mapping + gap identification)
Strength  peer-reviewed journal (Digital Society, Springer)

CAAI defined as "a (nearly) real-time electronic support system for auditors that continuously and automatically audits an AI system to assess its consistency with relevant norms and standards." The paper connects continuous auditing research (Vasarhelyi lineage) with AI auditing research, identifying that no literature stream bridges them. Framework assessment evaluated existing AI auditing tools for CAAI suitability — finding significant gaps between what exists and what continuous AI auditing requires.

F16
Brown, Wong & Baldwin (2007) classified continuous auditing research into five streams and identified "enabling technologies" as the weakest link.
Type  theoretical (systematic literature classification)
Strength  comprehensive systematic review

Five research streams: (1) demand factors — why CA is needed; (2) theory and guidance — foundational concepts and standards; (3) enabling technologies — tools and systems supporting CA; (4) applications — practical implementations; (5) impacts — effectiveness measures. The demand, theory, and impact streams are well-developed. The enabling technology stream — the infrastructure connecting demand to impact — remains weakest. This diagnosis has held for nearly two decades.

F17
Bumgarner & Vasarhelyi (2018) updated the CA framework for big data, referencing the AICPA Audit Data Standards initiative as the profession's attempt to create data infrastructure.
Type  theoretical (framework update)
Strength  edited academic volume

The AICPA Audit Data Standards (2013) include Base Standard (common data elements), General Ledger Standard (standardized GL extract format), and Receivables Subledger Standard. These address data format but not data capture — the infrastructure that generates governance-relevant data at the point of decision remains unaddressed.

F18
Dai & Vasarhelyi (2017) proposed blockchain-based accounting through triple-entry accounting but identified scalability, integration costs, and what the broader blockchain literature terms the oracle problem as persistent barriers.
Type  theoretical (architectural proposal)
Strength  peer-reviewed journal (Journal of Information Systems)

Triple-entry accounting: beyond traditional debit/credit entries, a third cryptographically sealed entry on a shared ledger. The oracle problem is the specific technical gap: blockchain verifies that a transaction was recorded but not that it corresponds to a real-world event. This distinction matters for audit — recording integrity is necessary but not sufficient for governance integrity. Decision record integrity can be achieved through cryptographic signing and append-only logs without blockchain's distributed consensus overhead.

F19
Arner, Barberis & Buckley (2017) argue RegTech represents a fundamental reconceptualization of financial regulation, not merely a compliance tool. Building on Arner et al.'s reconceptualization, this report identifies three evolutionary phases.
Type  theoretical (foundational RegTech paper)
Strength  highly cited, published in top law review

Three phases: RegTech 1.0 (automation of existing compliance), RegTech 2.0 (analytics-driven compliance), RegTech 3.0 (AI-native compliance). The critical distinction: FinTech serves consumers and markets (technology applied to financial services delivery), while RegTech serves regulatory and compliance functions (technology applied to regulatory processes). This identifies the regulatory infrastructure layer as an underserved technology domain. Post-2008 regulatory complexity created massive compliance cost escalation, but regulatory infrastructure remained essentially manual.

F20
Zeranski & Sancak (2020) identified an asymmetric technology problem between regulated entities and supervisory agencies, creating regulatory blind spots.
Type  theoretical
Strength  peer-reviewed journal

SupTech defined as the counterpart to RegTech — technology adopted by supervisory agencies. The asymmetric technology problem: regulated entities use increasingly sophisticated technology (FinTech, AI, algorithmic trading), while supervisory infrastructure remains comparatively primitive. The May 6, 2010 flash crash is cited as evidence that even leading technology nations face systemic crises when supervisory technology cannot keep pace.

F21
Butler & O'Brien (2019) critically assessed AI for regulatory compliance, distinguishing achievable applications from aspirational ones.
Type  theoretical (critical assessment)
Strength  peer-reviewed journal

Financial institutions reportedly spend more on data than any other industry sector, yet are caught between regulatory complexity and data volume. Achievable AI applications: NLP for regulatory text interpretation, ML for transaction monitoring, automated regulatory reporting. Aspirational: fully autonomous compliance decision-making. The boundary between AI capability and governance requirement remains sharp — AI can assist but cannot yet reliably decide on governance matters autonomously.

F22
The GRC platform industry has evolved through three generations, all sharing a dependency on governance data they cannot generate.
Type  convergent
Strength  multi-source industry analysis

Generation 1 (2000s): compliance management — SOX-focused control documentation. Generation 2 (2010s): integrated risk management — operational, IT, third-party risk. Generation 3 (2020s): continuous compliance with AI. All three generations are consumption layers — they monitor, analyze, report, and visualize governance data, but depend on that data being captured elsewhere. The data capture gap is the infrastructure problem.

Figure 5Three generations of GRC platforms share the same dependency on governance data they cannot generate
Figure 5. Three generations of GRC platforms share the same dependency on governance data they cannot generate.
F23
Delegation of Authority (DoA) frameworks suffer from three structural problems: static documentation, enforcement gap, and audit archaeology.
Type  convergent
Strength  practice observation supported by framework analysis

Static documentation: DoA matrices in policy manuals may be outdated at decision time. Enforcement gap: no mechanism verifies that decisions conform to DoA requirements. Audit archaeology: auditors must retrospectively reconstruct which authority level applied to which decision.

F24
Federal grant compliance represents a high-value application domain due to explicit authority structures, high documentation requirements, and cross-organizational governance needs.
Type  convergent
Strength  regulatory analysis

Clear authority structure: 12 standard compliance requirement types (Activities Allowed/Unallowed through Reporting), major program determination using risk-based methodology, cross-organizational governance tracking (federal → pass-through → subrecipient), and structured FAC reporting amenable to automation.

F25
The persistence of AU-C 230 failures despite decades of emphasis, training, and peer review pressure indicates an architectural rather than behavioral root cause.
Type  convergent (multiple independent evidence streams)
Strength  pattern analysis across multi-decade professional data

If the cause were knowledge deficit → training would reduce incidence. If the cause were time pressure → workload management would help. If the cause were lack of emphasis → peer review visibility would help. All three interventions have been applied for decades. None has succeeded. The remaining explanation: current systems structurally separate documentation from decision-making, guaranteeing incomplete documentation under competing demands.

F26
The W. Edwards Deming quality principle — "design quality in" rather than "inspect quality in" — provides the theoretical frame for understanding why quality management (F3) is necessary but insufficient without infrastructure that embeds quality into the decision-making process itself.
Type  theoretical (cross-domain analogy from manufacturing quality)
Strength  established quality theory applied to governance domain

The manufacturing quality revolution's central insight — "design quality in" rather than "inspect quality in" — maps directly onto the governance documentation problem. The profession has tried to inspect documentation quality through periodic mechanisms (peer review, engagement quality review, quality control procedures); the Yellow Book 2024 shift to quality management (F3) concedes this is insufficient. But quality management without infrastructure that embeds documentation into the decision process is a mandate without a mechanism. Applied to governance, Deming's principle implies documentation quality must be a structural property of the process, not a verification step after it.

F27
The audit profession's emerging "hybrid intelligence" model — combining AI analytical capability with human professional judgment — creates demand for infrastructure capturing both components and their interactions.
Type  convergent
Strength  multi-source convergence

The hybrid intelligence model pairs AI analytical capability with human professional judgment, reflecting Butler & O'Brien's (F21) boundary — AI can assist but cannot yet reliably decide governance matters autonomously — alongside the IIA 2024 technology-as-obligation standard (F7) and the CAAI gap identified by Minkkinen et al. (F15). The model creates demand for infrastructure that captures both components and their interaction: which analysis the AI performed, what the human concluded, and where judgment accepted, overrode, or extended the machine's recommendation. No existing system captures this human-AI decision record at the infrastructure level.

§4Scope + Limitations

Included:
Excluded:
Known gaps:
Confidence:

§5Research Synthesis

C1
The audit profession's persistent documentation failures are an infrastructure problem, not a behavioral problem.
Confidence  strongly supported
Based on  F1, F2, F25, F26

The persistence of AU-C 230 noncompliance as the most common deficiency — despite decades of emphasis, training, and peer review — eliminates behavioral explanations. The root cause is architectural: current systems separate documentation from decision-making.

Figure 6Delegation of Authority frameworks create static documentation that cannot govern dynamic decisions — the enforcement mechanism is absent
Figure 6. Delegation of Authority frameworks create static documentation that cannot govern dynamic decisions — the enforcement mechanism is absent.
C2
Continuous auditing has remained largely aspirational for 35 years because it requires continuous governance data that organizational systems do not generate.
Confidence  strongly supported
Based on  F11, F12, F13, F14, F16

Every stage of the Vasarhelyi research program identifies the same infrastructure barrier.

C3
Three simultaneous transformations (temporal, scope, technology) converge to create acute demand for governance data infrastructure that no existing technology satisfies.
Confidence  strongly supported
Based on  F3, F4, F7, F8, F10, F15, F19, F22

The temporal transformation (periodic → continuous assurance — SAS 142 (F4), Yellow Book 2024 (F3), IIA 2024 (F7)), the scope transformation (financial audit → enterprise governance assurance — COBIT 2019 (F8), the EU AI Act (F10), CAAI emergence (F15)), and the technology transformation (manual procedures → AI-enabled compliance — RegTech evolution (F19), GRC maturation (F22)) all stall at the same boundary: the absence of governance data infrastructure. Their convergence on a single bottleneck is the unifying insight of the sprint.

C4
The Deming quality principle applies to governance documentation: quality documentation must be a structural property of the decision-making process, not a separate verification activity.
Confidence  strongly supported (by established cross-domain analogy)
Based on  F25, F26, F3

Quality cannot be inspected into documentation after the fact; the persistence of AU-C 230 failures under decades of inspection-style controls (F25) demonstrates the limit. The Yellow Book 2024's quality-management turn (F3) is necessary but insufficient without a mechanism that designs documentation into the decision itself. Quality documentation must therefore be a structural property of the decision-making process rather than a separate verification activity.

C5
Federal grant compliance is a high-value first application domain for governance infrastructure.
Confidence  suggested
Based on  F6, F24

Federal grant compliance combines the conditions that make governance infrastructure tractable to apply first: an explicit authority structure (the 12 standard compliance requirement types and federal → pass-through → subrecipient delegation), high and well-specified documentation requirements, cross-organizational governance needs, and structured FAC reporting amenable to automation. The 2024 revision of 2 CFR 200 (F6) further raises the single-audit threshold and adds cybersecurity controls. The domain is a strong first application, though — consistent with the "suggested" confidence — the claim is argued rather than empirically tested.

C6
AI governance auditing (CAAI) requires infrastructure for human-AI decision interactions — a need no existing system addresses at the infrastructure level.
Confidence  strongly supported
Based on  F10, F15, F27

The EU AI Act (F10) creates regulatory demand — Article 9's lifecycle-wide continuous risk management and Article 14's human-oversight requirements — for AI audit infrastructure that Minkkinen et al. (F15) show does not exist even in conceptual form (no established CAAI literature stream). Satisfying these requirements needs infrastructure that captures human-AI decision interactions: who delegated authority, when AI recommendations were accepted or overridden, and how oversight operated. Combined with the hybrid intelligence model (F27), CAAI's requirement is an infrastructure requirement that no existing system addresses at that level.

§6Open Questions

Questions carried forward to the open-question registry
1
Does a dedicated grants compliance domain paper warrant inclusion in the publication program?
2
What is the current state of blockchain-based audit implementations since Dai & Vasarhelyi (2017)?
3
How do ISA (International Standards on Auditing) converge with or diverge from the substrate gap thesis?
4
What specific PCAOB inspection report data quantifies AU-C 230 noncompliance rates beyond the peer review program?
5
How does AuditMAI (2024, arXiv:2406.14243) advance the CAAI infrastructure problem identified by Minkkinen et al.?
6
How does the IIA GTAG series extend the technology-enabled audit infrastructure analyzed in this sprint?

§7Citations & Provenance

Professional Standards:
1. [AUC230] AICPA. AU-C Section 230: Audit Documentation. American Institute of Certified Public Accountants.
2. [SAS142] AICPA. Statement on Auditing Standards No. 142: Audit Evidence. (2020). Effective December 15, 2022.
3. [SAS145] AICPA. Statement on Auditing Standards No. 145: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. (2021). Effective December 15, 2023.
4. [GAO2024] U.S. Government Accountability Office. Government Auditing Standards: 2024 Revision. GAO-24-106786. February 1, 2024. Effective December 15, 2025.
5. [iia-global-standards] The Institute of Internal Auditors. Global Internal Audit Standards. January 9, 2024. Effective January 9, 2025.
6. [COBIT2019] ISACA. COBIT 2019 Framework.
7. [COSO2013] Committee of Sponsoring Organizations of the Treadway Commission. Internal Control — Integrated Framework. (2013).
Legislation and Regulation:
8. [SOX2002] Sarbanes-Oxley Act of 2002. Public Law 107-204.
9. [PCAOBAS2201] PCAOB. Auditing Standard No. 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.
10. [2CFR200] OMB. 2 CFR Part 200: Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. 2024 revision. Effective October 1, 2024.
11. [EUAIACT2024] Regulation (EU) 2024/1689. EU AI Act. Entry into force: August 1, 2024. Full application: August 2, 2026.
Academic Literature:
12. [Vasarhelyi1991] Vasarhelyi, M.A. & Halper, F.B. (1991). "The Continuous Audit of Online Systems." Auditing: A Journal of Practice & Theory, 10(1):110–125.
13. [CICA1999] CICA/AICPA (1999). Research Report on Continuous Auditing. Toronto.
14. [Chan2011] Chan, D.Y. & Vasarhelyi, M.A. (2011). "Innovation and Practice of Continuous Auditing." International Journal of Accounting Information Systems, 12(2):152–160. DOI: 10.1016/j.accinf.2011.01.001
15. [Alles2008] Alles, M.G., Kogan, A., & Vasarhelyi, M.A. (2008). "Putting Continuous Auditing Theory into Practice: Lessons from Two Pilot Implementations." Journal of Information Systems, 22:195–214.
16. [Minkkinen2022] Minkkinen, M., Laine, J., & Mäntymäki, M. (2022). "Continuous Auditing of Artificial Intelligence: a Conceptualization and Assessment of Tools and Frameworks." Digital Society (Springer). DOI: 10.1007/s44206-022-00022-2
17. [arner2017regtech] Arner, D.W., Barberis, J.N., & Buckley, R.P. (2017). "FinTech, RegTech, and the Reconceptualization of Financial Regulation." Northwestern Journal of International Law & Business, 37(3):371–413.
18. [Brown2007] Brown, C.E., Wong, J.A., & Baldwin, A.A. (2007). "A Review and Analysis of the Existing Research Streams in Continuous Auditing." Journal of Emerging Technologies in Accounting, 4(1):1–28.
19. [Bumgarner2018] Bumgarner, N. & Vasarhelyi, M.A. (2018). "Continuous Auditing — A New View." In Continuous Auditing: Theory and Application. Emerald Publishing.
20. [Butler2019] Butler, T. & O'Brien, L. (2019). "Artificial Intelligence for Regulatory Compliance: Are We There Yet?" Journal of Financial Compliance, 3(1):44–59.
21. [Dai2017] Dai, J. & Vasarhelyi, M.A. (2017). "Toward Blockchain-Based Accounting and Assurance." Journal of Information Systems, 31(3):5–21.
22. [Zeranski2020] Zeranski, S. & Sancak, I.E. (2020). "Digitalisation of Financial Supervision with Supervisory Technology (SupTech)." Journal of International Banking Law and Regulation.
23. [deming1982crisis] Deming, W. E. (1982). Out of the Crisis. MIT Center for Advanced Engineering Study.
Industry and Institutional Reports:
24. [IIF2016] Institute of International Finance (2016). "RegTech in Financial Services: Technology Solutions for Compliance and Reporting."
25. [PCAOB_AQI2015] PCAOB (2015). Concept Release on Audit Quality Indicators.
26. [IAASB_AQF] IAASB. A Framework for Audit Quality: Key Elements that Create an Environment for Audit Quality.
Cite As

Smith, C. (2026). Audit, Compliance & RegTech (Research Report RR-006, WMI Thesis). GrytLabs Research Institute. https://doi.org/10.5281/zenodo.20185550

© 2026 GrytLabs Dynamics Inc. Licensed under CC-BY 4.0.

Research Ethics Statement

This research is conducted under the GrytLabs Research Code of Ethics, derived from the IIA Code of Ethics and the GAO Yellow Book ethical framework, adapted for a research-institute context.

Four principles govern all research activity:

Integrity — findings are reported as found, not as convenient. Unfavorable results are published with the same rigor as favorable ones.

Objectivity — research questions are framed to be falsifiable. Conflicts of interest (including the founder's dual role as researcher and patent holder) are disclosed, not resolved by assertion.

Confidentiality — disclosure levels (L0–L3) govern what appears in public research. Embargoed findings, IP-critical details, and pre-publication material are withheld per the Disclosure Discipline (GOV-PS-006), not suppressed.

Competency — claims are bounded by the evidence that supports them. Architectural claims cite spec sections. Empirical claims cite research artifacts. Claims that exceed available evidence are flagged as open questions, not presented as conclusions.

The Executive Director is a Certified Internal Auditor (CIA), Institute of Internal Auditors, personally bound by the IIA Code of Ethics as a condition of that credential. This is a personal attestation, not an institutional conformance claim — GrytLabs has not undergone an IIA Quality Assessment Review and does not claim IPPF conformance.

The governing traditions (IIA, GAO, AICPA, COSO) are formally mapped to the operating model in GOV-PS-001. This research applies the principles those traditions codify; it does not claim endorsement, review, or certification by any standards body.

Publication Notice

Disclaimer

This publication is provided for research and informational purposes. GrytLabs makes reasonable efforts to ensure accuracy but does not warrant that this publication is free of errors or omissions.

If you believe this publication contains errors, omissions, or misattributions, please contact the lab at research@grytlabs.ai. Corrections will be acknowledged in subsequent versions.

AI-Assisted Research Statement

This work was produced through AI-assistive collaboration under GrytLabs' AI-assistive collaboration disclosure protocol. Claude (Anthropic) participated in literature synthesis, cross-domain pattern identification, and argumentation structuring. OpenAI Codex participated in citation and accuracy verification. AI actors participate with delegated authority, never inherent authority. Responsibility for all findings, claims, and conclusions rests with the named author.

Provenance

Full workpaper with attestation and provenance chain available at research.grytlabs.ai/docs. DOI: 10.5281/zenodo.20185550