# Memeroot · Compliance Audit Trail

**Start here:** open `GUIDE.html` in a browser.

A working demonstration of regulated-audit-trail documentation as cryptographic content rather than GRC-platform records. Walk through producing a SOX-style internal-control audit packet with multi-party sign-offs, bundled as one HTML file an external auditor opens in any browser.

## The commercial claim being staked

Existing GRC platforms (Workiva, AuditBoard, ServiceNow GRC, MetricStream, Diligent, LogicGate) centralize the audit trail in their own databases. The external auditor needs a platform account; exports lose attribution; lineage breaks at vendor boundaries; the audit trail itself becomes a vendor lock-in artifact.

Memeroot inverts this. Each control declaration, each test record, each sign-off carries its author's cryptographic signature (ECDSA-P256). The sequence is hash-chained. The whole assembly bundles into one self-contained HTML file. The external auditor opens the file in any browser; WebCrypto verifies every signature locally; no platform account required on either side.

The parts of the platform model that retain value (workflow routing, notifications, ERP integration) are left unchanged. What gets replaced is specifically the audit-trail layer, the part where the platform records "who attested to what and when." That layer becomes cryptographic content rather than platform records.

## What this stream demonstrates

Six chunks teaching one regulated-decision workflow end-to-end:

1. **Orientation** — the cryptographic-audit-packet vs platform-bound GRC case
2. **Declare the control** — drop a structured control declaration, render it as a formatted audit document
3. **Test of design + control owner signature** — document the test of design, sign as control owner
4. **Test of operating effectiveness + tester signature** — document sample testing, sign as a separate identity (separation of duties)
5. **Reviewer counter-sign + findings** — multi-party attestation on the same control; document any exceptions
6. **Bundle as one HTML file** — ship to external auditor; they verify in any browser

The pattern generalizes to FDA 21 CFR Part 11 records, IRB protocols, defense procurement chains, drug-development documentation, KYC/AML decisions, mortgage underwriting files — anywhere a regulated decision must be auditable and the auditor's tools are out of your control.

## What's in this zip

```
memeroot-compliance-audit-trail/
├── GUIDE.html                ← open this first
├── README.md                 ← you are here
├── canvas/MR-CANVAS-v0.8.html
├── features/                 ← ten feature XMLs
├── identity/identity-tour-author.json
├── stylesheets/
│   ├── xsl-tone-{terse,public,annotated}.xml
│   └── xsl-audit-packet.xml   ← renders <control> as formatted audit doc
├── examples/
│   └── control-example.xml    ← revenue-recognition cutoff control template
└── stream/
    ├── stream-compliance-audit-trail.xml
    └── chunk-audit-1.xml … chunk-audit-6.xml
```

## Practical engagement path

For a real customer engagement: pick one regulated decision flow that an organization already documents (SOX 404 control, FDA submission, IRB protocol, defense contract clause, drug GMP record). Build streams parallel to this one — control declaration, evidence capture, multi-party attestation, packet bundling. Demonstrate that the resulting bundle is auditable by the regulator's auditor with no platform access required.

Revenue models: per-engagement setup fee; per-bundle micro-fee for ongoing audit packets; per-seat for the authoring environment.
