# US Market Compliance Research Prompts

- **Purpose:** Deep decomposition prompts for US regulatory compliance requirements
- **Target Audience:** Compliance architects, GRC engineers, security teams
- **CODITECT Application:** Compliance Automation Layer product development
## CMP-US-001: SOX 404 Financial Controls Automation

**Objective:** Design automated SOX 404 internal control framework for FP&A platform

**Research Scope:**

1. Control Framework Architecture
   - Map COSO 2013 framework components to FP&A workflows
   - Design control matrix covering all 5 COSO components:
     - Control Environment (tone at the top, ethics)
     - Risk Assessment (fraud risk, material misstatement)
     - Control Activities (policies, procedures, IT controls)
     - Information & Communication (financial reporting systems)
     - Monitoring Activities (ongoing and separate evaluations)
2. IT General Controls (ITGCs)
   - Access control automation requirements
     - Segregation of duties matrix for financial transactions
     - Privileged access management for system administrators
     - User access review automation (quarterly)
   - Change management controls
     - Code deployment approval workflows
     - Emergency change procedures with post-hoc review
     - Version control integration requirements
   - Operations controls
     - Job scheduling monitoring
     - Backup verification automation
     - Incident management logging
3. Application Controls
   - Input controls
     - Journal entry validation rules (balanced, authorized, dated)
     - Three-way matching automation for AP
     - Bank reconciliation exception handling
   - Processing controls
     - Calculation verification (depreciation, amortization, allocations)
     - Automated posting controls
     - Cut-off procedures enforcement
   - Output controls
     - Financial statement generation controls
     - Report distribution authorization
     - Data export logging
4. Evidence Collection Automation
   - Control testing evidence requirements
   - Continuous monitoring dashboard design
   - Exception management workflow
   - Remediation tracking system
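As an added example (not part of the original prompt set), a Python sketch of the application control test scripts listed under Deliverables: a journal entry input control (balanced, authorized by a separate approver, dated in an open period) and a segregation of duties check over user role assignments. The role names, conflict matrix, users and periods are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Duty pairs one person must not hold together (SOX segregation of duties).
# Constructed conflict matrix; the real one comes from the control design.
SOD_CONFLICTS = [frozenset({"je_create", "je_approve"}),
                 frozenset({"vendor_master_edit", "ap_payment_release"})]

@dataclass
class JournalEntry:
    entry_id: str
    posting_date: date
    prepared_by: str
    approved_by: str | None
    lines: list[tuple[str, Decimal, Decimal]]  # (account, debit, credit)

def sod_violations(user_roles: dict[str, set[str]]) -> dict[str, list[frozenset]]:
    """Detective ITGC test: users holding both halves of a conflicting duty pair."""
    hits = {}
    for user, roles in user_roles.items():
        conflicts = [c for c in SOD_CONFLICTS if c <= roles]
        if conflicts:
            hits[user] = conflicts
    return hits

def validate_journal_entry(je: JournalEntry, user_roles, open_periods) -> list[str]:
    """Input control test: balanced, authorized by a separate approver, dated in an open period."""
    failures = []
    debits = sum((d for _, d, _ in je.lines), Decimal("0"))
    credits = sum((c for _, _, c in je.lines), Decimal("0"))
    if debits != credits:
        failures.append(f"unbalanced: debits {debits} != credits {credits}")
    if je.approved_by is None:
        failures.append("unauthorized: no approver recorded")
    elif "je_approve" not in user_roles.get(je.approved_by, set()):
        failures.append(f"unauthorized: {je.approved_by} lacks je_approve")
    elif je.approved_by == je.prepared_by:
        failures.append("sod: preparer approved own entry")
    if not any(start <= je.posting_date <= end for start, end in open_periods):
        failures.append(f"out of period: {je.posting_date}")
    return failures

# Constructed sample data so the checks run offline.
USER_ROLES = {"alice": {"je_create"}, "bob": {"je_approve"},
              "carol": {"je_create", "je_approve"}}
OPEN_PERIODS = [(date(2026, 1, 1), date(2026, 1, 31))]

def sample_entry(prepared_by, approved_by, credit="100.00", posting=date(2026, 1, 15)):
    return JournalEntry("JE-1", posting, prepared_by, approved_by,
                        [("6000", Decimal("100.00"), Decimal("0")),
                         ("2000", Decimal("0"), Decimal(credit))])
```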
**Deliverables:**

- [ ] COSO-to-FP&A control mapping matrix (Excel)
- [ ] ITGC automation specification document
- [ ] Application control test scripts (Python)
- [ ] Evidence collection API specification
- [ ] SOX compliance dashboard wireframes
- [ ] OpenFGA policy for segregation of duties
- [ ] Audit workpaper templates (JSON schema)

**Technical Integration:**

- immudb for tamper-proof audit trails
- OpenFGA for access control policies
- Dagster for control testing automation
- PostgreSQL for evidence storage

**Estimated Effort:** 40 hours | **Priority:** P0 (Required for US enterprise market)
## CMP-US-002: SEC Financial Reporting Requirements

**Objective:** Automate SEC reporting compliance for public company clients

**Research Scope:**

1. XBRL/iXBRL Implementation
   - US GAAP Taxonomy integration
     - Required elements mapping
     - Extension taxonomy creation rules
     - Calculation linkbase validation
   - iXBRL tagging automation
     - Inline XBRL document generation
     - Block tagging for footnotes
     - Dimensional tagging for segments
   - Filing validation
     - EDGAR filing requirements
     - Pre-submission validation rules
     - Error correction procedures
2. Disclosure Management
   - MD&A generation assistance
     - Variance explanation templates
     - Forward-looking statement identification
     - Non-GAAP reconciliation automation
   - Footnote management
     - Significant accounting policies tracking
     - Related party transaction logging
     - Subsequent events monitoring
   - Cross-reference validation
     - Financial statement tie-outs
     - Footnote-to-schedule reconciliation
     - Supporting documentation links
3. Filing Calendar Automation
   - 10-K/10-Q deadline tracking
   - 8-K triggering event monitoring
   - Beneficial ownership filing (Forms 3, 4, 5)
   - Proxy statement coordination
4. Internal Certification Support
   - CEO/CFO certification evidence
   - Disclosure Committee workflow
   - Sub-certification cascade
   - Representation letter management

**Deliverables:**

- [ ] US GAAP taxonomy mapping document
- [ ] iXBRL generation service specification
- [ ] Filing validation rules engine (JSON)
- [ ] Disclosure management workflow diagrams
- [ ] SEC filing calendar automation (iCal integration)
- [ ] Certification evidence collection API

**Technical Integration:**

- Arelle for XBRL processing
- LangGraph for disclosure drafting assistance
- PostgreSQL for filing metadata
- Event-driven 8-K trigger monitoring

**Estimated Effort:** 32 hours | **Priority:** P1 (Public company expansion)
## CMP-US-003: US GAAP Compliance Engine

**Objective:** Build automated US GAAP compliance checking and guidance

**Research Scope:**

1. ASC Codification Integration
   - Topic mapping to chart of accounts
   - Recognition and measurement rules
   - Presentation requirements by topic
   - Disclosure checklist automation
2. Revenue Recognition (ASC 606)
   - Five-step model automation
     - Contract identification
     - Performance obligation separation
     - Transaction price determination
     - Allocation methodology
     - Revenue timing recognition
   - Variable consideration estimation
   - Contract modification handling
   - Disclosure requirements tracking
3. Lease Accounting (ASC 842)
   - Lease vs. non-lease component separation
   - Right-of-use asset calculation
   - Lease liability amortization
   - Short-term lease election tracking
   - Modification and reassessment triggers
   - Disclosure package generation
4. Credit Loss (ASC 326 CECL)
   - Expected credit loss modeling
   - Reasonable and supportable forecast period
   - Historical loss rate analysis
   - Qualitative factor adjustments
   - Vintage analysis reporting
5. Other Critical Standards
   - Fair value measurement (ASC 820)
   - Business combinations (ASC 805)
   - Consolidation (ASC 810)
   - Stock compensation (ASC 718)
   - Income taxes (ASC 740)

**Deliverables:**

- [ ] ASC topic-to-COA mapping matrix
- [ ] ASC 606 revenue recognition workflow engine
- [ ] ASC 842 lease calculator module
- [ ] CECL modeling framework
- [ ] GAAP compliance validation rules (JSON)
- [ ] AI-assisted journal entry suggestions
- [ ] Disclosure checklist generator

**Technical Integration:**

- NeuralProphet for CECL forecasting
- LangGraph for accounting guidance Q&A
- PostgreSQL JSONB for ASC codification storage
- Rule engine for compliance validation

**Estimated Effort:** 48 hours | **Priority:** P0 (Core platform requirement)
## CMP-US-004: SOC 2 Type II Certification

**Objective:** Build SOC 2 Type II compliant platform architecture and evidence collection

**Research Scope:**

1. Trust Services Criteria Mapping
   - Security (CC Series)
     - CC1: Control Environment
     - CC2: Communication and Information
     - CC3: Risk Assessment
     - CC4: Monitoring Activities
     - CC5: Control Activities
     - CC6: Logical and Physical Access Controls
     - CC7: System Operations
     - CC8: Change Management
     - CC9: Risk Mitigation
   - Availability
     - A1.1: System availability objectives
     - A1.2: Disaster recovery
     - A1.3: Backup and restoration
   - Processing Integrity
     - PI1.1: Processing authorization
     - PI1.2: Processing accuracy
     - PI1.3: Processing completeness
   - Confidentiality
     - C1.1: Confidential information protection
     - C1.2: Confidential information disposal
   - Privacy (optional but recommended)
     - P1-P8: Privacy criteria
2. Control Implementation
   - Access management
     - SSO integration (SAML/OIDC)
     - MFA enforcement
     - Role-based access control
     - Privileged access management
   - Network security
     - VPC configuration
     - WAF implementation
     - DDoS protection
     - Encryption in transit
   - Data protection
     - Encryption at rest
     - Key management
     - Data classification
     - Secure deletion
   - Operations
     - Vulnerability management
     - Penetration testing
     - Incident response
     - Business continuity
3. Evidence Automation
   - Continuous control monitoring
   - Automated evidence collection
   - Population and sample extraction
   - Exception tracking and remediation
   - Auditor portal design
4. Audit Preparation
   - Readiness assessment checklist
   - Gap remediation tracking
   - Type I to Type II transition
   - Auditor communication workflow

**Deliverables:**

- [ ] Trust Services Criteria control matrix
- [ ] Security architecture document
- [ ] Evidence collection automation framework
- [ ] Continuous monitoring dashboard specification
- [ ] Auditor portal API design
- [ ] Incident response playbooks
- [ ] Business continuity plan template
- [ ] Penetration testing scope document

**Technical Integration:**

- OpenFGA for access control
- immudb for tamper-proof evidence
- Prometheus/Grafana for monitoring
- PagerDuty integration for incidents
- Terraform for infrastructure documentation

**Estimated Effort:** 56 hours | **Priority:** P0 (Required for enterprise sales)
## CMP-US-005: HIPAA Technical Safeguards

**Objective:** Implement HIPAA-compliant architecture for healthcare FP&A clients

**Research Scope:**

1. Technical Safeguards (164.312)
   - Access Control (164.312(a)(1))
     - Unique user identification
     - Emergency access procedure
     - Automatic logoff
     - Encryption and decryption
   - Audit Controls (164.312(b))
     - Activity logging requirements
     - Log retention (6 years)
     - Log review procedures
     - Tamper-evident storage
   - Integrity Controls (164.312(c)(1))
     - Data integrity mechanisms
     - Electronic signature requirements
     - Transmission integrity
   - Authentication (164.312(d))
     - Entity authentication
     - Multi-factor requirements
     - Session management
   - Transmission Security (164.312(e)(1))
     - Integrity controls
     - Encryption requirements
2. Administrative Safeguards Impact
   - Security management process
   - Workforce security
   - Information access management
   - Security awareness training
   - Security incident procedures
   - Contingency plan
3. PHI Handling in FP&A Context
   - Revenue recognition for patient services
   - Accounts receivable aging with patient data
   - Cost allocation across departments
   - Financial reporting aggregation
   - Minimum necessary principle application
4. Business Associate Requirements
   - BAA template requirements
   - Subcontractor management
   - Breach notification procedures
   - PHI disposal procedures

**Deliverables:**

- [ ] HIPAA technical safeguards implementation guide
- [ ] PHI data flow diagrams
- [ ] Access control policy for healthcare module
- [ ] Audit log specification (HIPAA-compliant)
- [ ] Encryption implementation guide
- [ ] Business Associate Agreement template
- [ ] Breach response playbook
- [ ] Security risk assessment template

**Technical Integration:**

- Field-level encryption for PHI
- immudb for 6-year audit retention
- OpenFGA for minimum necessary access
- Dedicated PHI database schema

**Estimated Effort:** 40 hours | **Priority:** P1 (Healthcare vertical expansion)
## CMP-US-006: FDA 21 CFR Part 11 Compliance

**Objective:** Implement FDA-compliant electronic records and signatures for life sciences clients

**Research Scope:**

1. Electronic Records Requirements (11.10)
   - System validation
     - Installation Qualification (IQ)
     - Operational Qualification (OQ)
     - Performance Qualification (PQ)
     - Validation protocols and reports
   - Audit trail requirements
     - Computer-generated timestamps
     - Operator identification
     - Previous value retention
     - Reason for change capture
   - System access controls
     - Authority checks
     - Device checks
     - Sequential documentation
   - Data integrity (ALCOA+)
     - Attributable
     - Legible
     - Contemporaneous
     - Original
     - Accurate
     - Complete, Consistent, Enduring, Available
2. Electronic Signatures (11.50-11.200)
   - Signature manifestations
     - Printed name
     - Date and time
     - Meaning (reviewed, approved, etc.)
   - Signature/record linking
     - Cryptographic binding
     - Tamper-evident mechanisms
   - Signature components
     - Identification code (user ID)
     - Password requirements
     - Biometric alternatives
   - Signature controls
     - Unique to individual
     - Verified before establishment
     - Administered and certified
3. Open vs Closed Systems
   - Closed system requirements
     - System access controls
     - Operational controls
   - Open system requirements
     - Document encryption
     - Digital signatures
     - Additional security measures
4. Financial Records in Life Sciences
   - Cost accounting for clinical trials
   - R&D capitalization decisions
   - Revenue recognition for milestone payments
   - Inventory valuation for drug products
   - Lot traceability in financial records

**Deliverables:**

- [ ] 21 CFR Part 11 compliance matrix
- [ ] Validation protocol templates (IQ/OQ/PQ)
- [ ] Electronic signature service specification
- [ ] Audit trail technical specification
- [ ] ALCOA+ compliance checklist
- [ ] System validation master plan
- [ ] Computer system inventory template
- [ ] Periodic review procedures

**Technical Integration:**

- immudb for audit trail (Merkle tree verification)
- Digital signature service with timestamp authority
- PostgreSQL with complete audit triggers
- Validation documentation in version control

**Estimated Effort:** 48 hours | **Priority:** P1 (Life sciences vertical)
## Cross-Cutting US Compliance Architecture

### Unified Compliance Data Model

```sql
-- US Compliance Evidence Schema (PostgreSQL)
-- Assumes the platform's tenants(id) and users(id) tables already exist.
-- gen_random_uuid() is built in from PostgreSQL 13; older versions need pgcrypto.
CREATE TABLE compliance_frameworks (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    framework_code VARCHAR(20) NOT NULL,  -- SOX, SOC2, HIPAA, FDA21CFR11
    framework_name VARCHAR(255) NOT NULL,
    version VARCHAR(20),
    effective_date DATE,
    requirements JSONB NOT NULL
);

CREATE TABLE compliance_controls (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    framework_id UUID REFERENCES compliance_frameworks(id),
    control_id VARCHAR(50) NOT NULL,  -- CC6.1, 164.312(a)(1)
    control_name VARCHAR(255) NOT NULL,
    control_description TEXT,
    control_type VARCHAR(20) CHECK (control_type IN ('preventive', 'detective', 'corrective')),
    automation_status VARCHAR(20) CHECK (automation_status IN ('manual', 'semi-automated', 'fully-automated')),
    testing_frequency VARCHAR(20),  -- daily, weekly, monthly, quarterly, annual
    evidence_requirements JSONB
);

CREATE TABLE control_evidence (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    control_id UUID REFERENCES compliance_controls(id),
    tenant_id UUID REFERENCES tenants(id),
    evidence_date DATE NOT NULL,
    evidence_type VARCHAR(50),  -- screenshot, log_extract, report, attestation
    evidence_data JSONB,
    collected_at TIMESTAMPTZ DEFAULT NOW(),
    collected_by UUID REFERENCES users(id),
    immudb_reference VARCHAR(255),  -- Reference to tamper-proof storage
    status VARCHAR(20) CHECK (status IN ('pending', 'reviewed', 'approved', 'rejected'))
);

CREATE TABLE compliance_exceptions (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    control_id UUID REFERENCES compliance_controls(id),
    tenant_id UUID REFERENCES tenants(id),
    exception_date DATE NOT NULL,
    description TEXT NOT NULL,
    root_cause TEXT,
    remediation_plan TEXT,
    remediation_due_date DATE,
    status VARCHAR(20) CHECK (status IN ('open', 'remediated', 'accepted', 'escalated'))
);

-- Audit Log for Compliance
CREATE TABLE compliance_audit_log (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID REFERENCES tenants(id),
    user_id UUID REFERENCES users(id),
    action_type VARCHAR(50) NOT NULL,
    resource_type VARCHAR(50) NOT NULL,
    resource_id UUID,
    old_value JSONB,
    new_value JSONB,
    reason_for_change TEXT,  -- FDA 21 CFR Part 11 requirement
    ip_address INET,
    user_agent TEXT,
    created_at TIMESTAMPTZ DEFAULT NOW(),
    immudb_hash VARCHAR(64)  -- SHA-256 hash (hex) for verification
);

-- Electronic Signature Table (FDA 21 CFR Part 11)
CREATE TABLE electronic_signatures (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID REFERENCES tenants(id),
    signer_id UUID REFERENCES users(id),
    document_type VARCHAR(50) NOT NULL,
    document_id UUID NOT NULL,
    signature_meaning VARCHAR(50) NOT NULL,  -- 'approved', 'reviewed', 'authored'
    printed_name VARCHAR(255) NOT NULL,
    signature_timestamp TIMESTAMPTZ DEFAULT NOW(),
    signature_hash VARCHAR(64) NOT NULL,  -- Cryptographic binding
    verification_method VARCHAR(20) CHECK (verification_method IN ('password', 'mfa', 'biometric'))
);

CREATE INDEX idx_evidence_date ON control_evidence(evidence_date);
CREATE INDEX idx_audit_created ON compliance_audit_log(created_at);
CREATE INDEX idx_signature_doc ON electronic_signatures(document_type, document_id);
```
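As an added example (not the platform's own code), application-side logic for the compliance_audit_log rows above: each row's immudb_hash is a SHA-256 over the row plus the previous row's hash, so a later edit or deletion of history is detectable, previous values are retained, and reason_for_change is enforced as the Part 11 audit trail requires. It does not show immudb's own Merkle-tree proofs, which the schema's reference column points at; user ids, resource ids and timestamps are constructed.

```python
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded on the first entry of a chain

def canonical(record: dict) -> bytes:
    """Stable JSON encoding so identical rows always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), default=str).encode()

def append_audit_entry(log: list[dict], user_id: str, action_type: str, resource_type: str,
                       resource_id: str, old_value, new_value, reason_for_change: str,
                       created_at: datetime | None = None) -> dict:
    """Build a compliance_audit_log row whose SHA-256 covers the row and the previous hash."""
    if not reason_for_change:
        raise ValueError("reason_for_change is required for a Part 11 audit trail")
    entry = {
        "prev_hash": log[-1]["immudb_hash"] if log else GENESIS,
        "user_id": user_id, "action_type": action_type,
        "resource_type": resource_type, "resource_id": resource_id,
        "old_value": old_value, "new_value": new_value,  # previous value retained
        "reason_for_change": reason_for_change,
        "created_at": (created_at or datetime.now(timezone.utc)).isoformat(),
    }
    entry["immudb_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    log.append(entry)
    return entry

def verify_chain(log: list[dict]) -> int | None:
    """Detective control: index of the first row whose hash or link is broken, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "immudb_hash"}
        recomputed = hashlib.sha256(canonical(body)).hexdigest()
        if entry["prev_hash"] != prev or recomputed != entry["immudb_hash"]:
            return i
        prev = entry["immudb_hash"]
    return None

def build_sample_log() -> list[dict]:
    """Constructed sample: two changes to one journal entry, each with a reason for change."""
    log: list[dict] = []
    ts = datetime(2026, 2, 3, 9, 0, tzinfo=timezone.utc)
    append_audit_entry(log, "user-1", "update", "journal_entry", "je-42",
                       {"amount": "100.00"}, {"amount": "110.00"}, "accrual correction", ts)
    append_audit_entry(log, "user-2", "approve", "journal_entry", "je-42",
                       {"status": "draft"}, {"status": "approved"}, "month-end review", ts)
    return log
```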
### Compliance API Endpoints

```yaml
openapi: 3.1.0
info:
  title: FP&A Platform US Compliance API
  version: 1.0.0
paths:
  /compliance/frameworks:
    get:
      summary: List enabled compliance frameworks
      responses:
        '200':
          description: Framework list
  /compliance/controls:
    get:
      summary: Get control matrix for tenant
      parameters:
        - name: framework
          in: query
          schema:
            type: string
            enum: [SOX, SOC2, HIPAA, FDA21CFR11, GAAP]
      responses:
        '200':
          description: Control matrix for the requested framework
  /compliance/evidence:
    post:
      summary: Submit control evidence
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EvidenceSubmission'
      responses:
        '201':
          description: Evidence record created
    get:
      summary: Retrieve evidence for audit period
      responses:
        '200':
          description: Evidence records for the audit period
  /compliance/exceptions:
    get:
      summary: List open exceptions
      responses:
        '200':
          description: Open exceptions
    post:
      summary: Log new exception
      responses:
        '201':
          description: Exception logged
  /compliance/signatures:
    post:
      summary: Apply electronic signature
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SignatureRequest'
      responses:
        '201':
          description: Signature applied
    get:
      summary: Get signature history for document
      responses:
        '200':
          description: Signature history
  /compliance/reports/soc2:
    get:
      summary: Generate SOC 2 evidence package
      responses:
        '200':
          description: SOC 2 evidence package
  /compliance/reports/sox:
    get:
      summary: Generate SOX testing workpapers
      responses:
        '200':
          description: SOX testing workpapers
# Request schemas referenced above; fields mirror the control_evidence and
# electronic_signatures tables in the data model.
components:
  schemas:
    EvidenceSubmission:
      type: object
      required: [control_id, evidence_date, evidence_type]
      properties:
        control_id: {type: string, format: uuid}
        evidence_date: {type: string, format: date}
        evidence_type: {type: string}
        evidence_data: {type: object}
    SignatureRequest:
      type: object
      required: [document_type, document_id, signature_meaning, verification_method]
      properties:
        document_type: {type: string}
        document_id: {type: string, format: uuid}
        signature_meaning: {type: string}
        verification_method:
          type: string
          enum: [password, mfa, biometric]
```
## Research Execution Priority

| Prompt ID | Title | Effort | Dependencies | Quarter |
|---|---|---|---|---|
| CMP-US-004 | SOC 2 Type II | 56h | None | Q2 2026 |
| CMP-US-001 | SOX 404 | 40h | CMP-US-004 | Q2 2026 |
| CMP-US-003 | US GAAP | 48h | None | Q2 2026 |
| CMP-US-002 | SEC Reporting | 32h | CMP-US-003 | Q3 2026 |
| CMP-US-005 | HIPAA | 40h | CMP-US-004 | Q3 2026 |
| CMP-US-006 | FDA 21 CFR 11 | 48h | CMP-US-004, CMP-US-005 | Q4 2026 |

**Total Estimated Effort:** 264 hours
## CODITECT Product Integration

### Compliance Automation Pack Features

- **Pre-built Control Library:** 200+ controls mapped to SOX, SOC2, HIPAA, FDA
- **Continuous Monitoring Dashboard:** Real-time control effectiveness
- **Evidence Collection Automation:** API-driven evidence gathering
- **Exception Management Workflow:** From identification to remediation
- **Auditor Portal:** Self-service evidence access for external auditors
- **Electronic Signature Module:** FDA 21 CFR Part 11 compliant e-signatures

### Pricing Tier Recommendations

- **Standard:** SOC 2 controls, basic evidence collection - $500/month
- **Professional:** + SOX 404, US GAAP compliance - $1,500/month
- **Enterprise:** + HIPAA, FDA 21 CFR Part 11 - $3,500/month
- **Regulated Industries:** Custom SLA, dedicated compliance analyst - $7,500+/month

Generated for CODITECT FP&A Platform Development

Version: 1.0 | Date: 2026-02-03