Memeroot · Compliance Audit Trail

Phase 1

Set up the canvas

Open canvas/MR-CANVAS-v0.8.html in a browser.

Drop everything in features/ onto the canvas.

show detail ▾

New tabs appear: Streams, Identities, Sign, Transforms, Endpoints, Compose, Schemas, Console, Bundle.

Phase 2

Load the tour

Identities → IMPORT → paste identity/identity-tour-author.json.

Drop the three tone stylesheets and xsl-audit-packet.xml from stylesheets/.

Drop stream/stream-compliance-audit-trail.xml and all six chunk-audit-*.xml files.

Open Streams. Confirm "compliance-audit-trail — 6 chunks · all verified ✓".

Phase 3

Declare the control (chunks 1-2)

Read chunk 1. Optional: open in xsl:tone-public for friendly version, xsl:tone-annotated for the commercial case against GRC platforms.

Read chunk 2. Drop examples/control-example.xml onto the canvas.

show detail ▾

Default content: a revenue-recognition cutoff control (REV-001) with owner, frequency, type, and full description. Customize via text editor + re-paste for your real control.

Tree → click the control source → pick reader xsl:audit-packet. Confirm it renders as a styled audit document.

Phase 4

Test of design + sign as control owner (chunk 3)

Read chunk 3. Author tod-rev-001.xml: number TOD-1, title "Test of design — REV-001", paragraphs for procedure / evidence / conclusion.

show detail ▾

source id: tod-rev-001.xml
number:    TOD-1
title:     Test of design — REV-001
register:  lay
paragraphs:
  - procedure: what was tested
  - evidence: documents/walkthroughs inspected
  - conclusion: design adequate? Yes/no with reasoning

Identities → CREATE the control-owner identity (e.g. "Sarah Chen, VP Finance").

Sign → pick tod-rev-001.xml → SIGN. TOD now carries control-owner attribution.

Phase 5

Test of operating effectiveness + sign as tester (chunk 4)

Read chunk 4. Author toe-rev-001.xml: sample-selection, procedures-performed, sample-results, exceptions, conclusion.

Identities → CREATE the tester identity (separate from control owner — this is the separation-of-duties principle).

Sign → pick toe-rev-001.xml → SIGN. Two independently-verifiable attestations now exist.

Phase 6

Reviewer counter-sign + findings (chunk 5)

Read chunk 5. Identities → CREATE a reviewer identity (internal audit / manager / board committee).

Switch to reviewer identity. Sign → pick the control source → SIGN. The control now carries multiple signatures.

Optional: if TOE found exceptions, author finding-rev-001-01.xml with severity / description / remediation plan / target date, signed by control owner.

Phase 7

Bundle and ship (chunk 6)

Read chunk 6. Open Bundle. Click EXPORT BUNDLE HTML.

You now have one HTML file containing: control, TOD, TOE, sign-offs, findings, tour chain, all public keys for verification.

Open the exported bundle.html in a new browser tab to verify the recipient experience. Pick xsl:audit-packet on the control; click signatures; ✓ verified.

show detail ▾

This is what an external auditor would see. They don't need a GRC platform account, an SDK, an integration, or your IT department's help. They open the file. They verify.

Audit packet as cryptographic content, not platform records.

Set up the canvas

Load the tour

Declare the control (chunks 1-2)

Test of design + sign as control owner (chunk 3)

Test of operating effectiveness + sign as tester (chunk 4)

Reviewer counter-sign + findings (chunk 5)

Bundle and ship (chunk 6)

Audit packet shipped.