[
  {
    "finding_id": "F-1",
    "finding_name": "Wrong Approver \u2014 Incorrect Reviewer Assignment by Portal",
    "description": "One or more vendor engagement approvals were provided by an employee who is NOT the requestor's direct supervisor per the Organizational Chart. Root cause traces to untimely intra-year updates to the Portal's Table of Employee Supervisors.",
    "affected_sample_ids": [
      2
    ],
    "affected_control_ids": [
      "C3",
      "C7"
    ],
    "severity": "High",
    "root_cause": "Intra-year personnel reassignments are not reflected in the Portal in a timely manner. The HR-to-IT update process for non-annual changes is not formally documented and there is no compensating reconciliation between the live Org Chart and the Portal table.",
    "recommended_remediation": "(1) Document the intra-year update process with named owners and a service-level commitment. (2) Implement a quarterly reconciliation control between HR's authoritative Org Chart and the Portal's Table of Employee Supervisors. (3) For higher-risk approvals, add a system-level flag when the assigned reviewer's supervisory assignment is less than 30 days old."
  },
  {
    "finding_id": "F-2",
    "finding_name": "Retroactive Approval \u2014 Vendor Engaged Before Required Approval",
    "description": "One or more vendor engagements were submitted to the vendor BEFORE the required Portal approval was obtained. Policy prohibits retroactive approvals.",
    "affected_sample_ids": [
      5
    ],
    "affected_control_ids": [
      "C6"
    ],
    "severity": "High",
    "root_cause": "The pre-engagement approval timing control is detective/policy-based \u2014 operated solely through training, attestation, and individual employee compliance. No system-level (preventive) or downstream (AP/PO matching) control exists to detect or prevent vendor engagement before Portal approval. Policy also lacks an emergency/expedited approval workflow.",
    "recommended_remediation": "(1) Implement AP-side matching that flags any invoice without a corresponding pre-dated Portal approval. (2) Add an expedited approval workflow to the Policy with defined trigger criteria. (3) Report timing exceptions to the Audit Committee annually as part of compliance reporting."
  },
  {
    "finding_id": "F-3",
    "finding_name": "Absent Control \u2014 No Approved Vendor Listing / Independent Vendor Vetting",
    "description": "No formal Approved Vendor Listing exists. Vendor appropriateness is assessed solely as part of the supervisor's review of each individual engagement request. Reliance on a single individual's point-in-time judgment introduces inconsistency and increases the risk of inappropriate vendors being engaged.",
    "affected_sample_ids": [],
    "affected_control_ids": [
      "(design gap \u2014 absent control)"
    ],
    "severity": "Medium",
    "root_cause": "A preventive vendor-vetting control was not designed into the workflow. The workflow relies on a single individual's point-in-time judgment at the moment of approval. No independent vendor onboarding, vetting, or related-party review is performed prior to a vendor's first transaction.",
    "recommended_remediation": "(1) Stand up an Approved Vendor Listing with periodic review by Procurement. (2) Introduce a vendor onboarding due-diligence questionnaire (TPRM intake) covering related-party, sanctions, and security posture screening. (3) Add a Portal control that restricts requests to listed vendors, with a defined exception path."
  }
]