# L3 M7.4: Audit Trail & Document Provenance

**Module:** Finance AI - Financial Data Ingestion & Compliance  
**Level:** L3 (Domain-Specific RAG Engineering)  
**Duration:** 45-60 minutes

---

## Learning Arc

By the end of this notebook, you will be able to:

1. **Understand audit trail requirements** - Learn why financial RAG systems need SOX-compliant logging
2. **Implement hash-chained immutable logging** - Build blockchain-inspired audit trails with SHA-256 integrity
3. **Track document provenance** - Trace the complete lineage from SEC filing → chunks → embeddings → answers
4. **Build chain-of-custody** - Document every transformation in the data pipeline
5. **Generate SOX-compliant audit reports** - Create compliance-ready reports for regulatory reviews
6. **Configure 7-year retention policies** - Meet regulatory requirements for long-term data storage

---

## Prerequisites

- **Generic CCC M1-M6:** Production-Grade RAG fundamentals
- **Finance AI M7.1-M7.3:** Document types, PII detection, parsing strategies
- **PostgreSQL basics:** SQL queries, database administration
- **Python proficiency:** Classes, error handling, type hints

---

## What You'll Build

A production-ready audit trail system that:
- Logs ALL RAG operations with cryptographic integrity
- Provides tamper detection via hash chain verification
- Tracks complete provenance from source documents to answers
- Generates compliance reports for SEC audits
- Meets SOX Section 404 requirements (7-year retention, immutability)

In [None]:
# Database Configuration Check
# This module uses PostgreSQL database only (no external APIs)

import os
import sys

# Add src to path for imports
sys.path.insert(0, os.path.abspath('..'))

from src.l3_m7_financial_data_ingestion_compliance import FinancialAuditTrail

# Database configuration
DATABASE_URL = os.getenv(
    "DATABASE_URL",
    "postgresql://user:password@localhost:5432/audit_db"
)

print("✅ L3 M7.4: Audit Trail & Document Provenance")
print("")
print("Database Configuration:")
print(f"  - PostgreSQL database (local or managed)")
print(f"  - No external API services required")
print("")
print("Note: For demo purposes, we'll use SQLite in-memory database")
print("      (Production should use PostgreSQL with immutability rules)")

---

## Section 1: Introduction & Hook

### The $100 Million Question

Imagine you're a CFO at a public company. An analyst uses your RAG system to answer:

> **"What was our Q4 revenue?"**

The RAG system responds:

> **"Q4 revenue was $94.9B, up 6% year-over-year."**

Everything seems fine... until the SEC auditor asks:

> **"Prove to me which source document this number came from. Show me the audit trail."**

If you **can't answer this question**, you have a SOX Section 404 violation. Penalties:

- **Civil fines:** $1M-$10M USD (₹8-80 crores)
- **Criminal liability:** CEO/CFO face up to **20 years prison** (SOX Section 302)
- **Stock delisting:** Loss of public market access

---

### Why This Matters

**Generic RAG logging is NOT enough for financial services.**

Standard logging:
- ❌ No provenance (which chunks influenced the answer?)
- ❌ No immutability (logs can be modified/deleted)
- ❌ No tamper detection (hash verification missing)
- ❌ No 7-year retention (compliance requirement)

**Financial RAG requires audit trails with:**
- ✅ Complete provenance (SEC filing → chunks → embeddings → answer)
- ✅ Immutable storage (append-only, no deletions)
- ✅ Hash-chained integrity (blockchain-like tamper detection)
- ✅ 7+ year retention (SOX mandates)
- ✅ Regulatory reports (quarterly compliance audits)

---

### What You'll Learn Today

In this module, we'll build a **production-grade audit trail** that:

1. Logs every RAG operation (ingestion, processing, query, retrieval, generation)
2. Forms a cryptographic hash chain (tamper detection)
3. Tracks complete document provenance (source → answer)
4. Generates compliance reports for SEC audits
5. Meets SOX Section 404 requirements

**By the end, you'll know how to avoid the $100M fine.**

In [None]:
# Example: The Difference Between Generic Logging and Audit Trails

print("Generic Application Logging:")
print("  - INFO: User queried 'What was Q4 revenue?'")
print("  - INFO: Retrieved 3 chunks")
print("  - INFO: Generated answer")
print("")
print("Problems:")
print("  ❌ Which 3 chunks? (no chunk IDs)")
print("  ❌ Which source document? (no provenance)")
print("  ❌ Can logs be modified? (no integrity check)")
print("  ❌ How long retained? (no policy)")
print("")
print("---")
print("")
print("Financial Audit Trail:")
print("  - Event 1: document_ingested (aapl_10k_2024, hash: abc123...)")
print("  - Event 2: query_executed (Q4 revenue?, hash: def456...)")
print("  - Event 3: retrieval_completed (chunks: [127, 128, 45], hash: ghi789...)")
print("  - Event 4: generation_completed (answer + citations, hash: jkl012...)")
print("")
print("Benefits:")
print("  ✅ Complete provenance chain")
print("  ✅ Tamper detection via hash chain")
print("  ✅ Immutable (cannot delete/modify)")
print("  ✅ 7-year retention policy")

---

## Section 2: Theory & Conceptual Foundation

### What is an Audit Trail?

An **audit trail** is an **immutable, chronological record** of ALL events in a system.

**Key Properties:**

1. **Immutability** - Events cannot be modified or deleted after creation
2. **Chronological** - Events are ordered by timestamp (UTC)
3. **Complete** - EVERY operation is logged (no gaps)
4. **Tamper-Evident** - Hash chain detects unauthorized changes
5. **Attributable** - Every event has a user_id (who did what)

---

### What Gets Logged?

For a **financial RAG system**, we log:

1. **Ingestion Events**
   - Document downloaded from SEC EDGAR
   - Filing date, document type (10-K, 10-Q, 8-K)
   - Source URL (for verification)

2. **Processing Events**
   - Parsing completed (PDF → text)
   - Chunking completed (text → 512-token chunks)
   - Embedding created (chunks → vectors)
   - Processing time (performance monitoring)

3. **Query Events**
   - User executed query (natural language question)
   - Query timestamp (for pre-announcement access audits)
   - User ID (analyst, executive, etc.)

4. **Retrieval Events (CRITICAL for Provenance)**
   - Which chunks were retrieved (chunk IDs)
   - Similarity scores (how relevant?)
   - Page numbers (for citation)
   - Text previews (for auditor review)

5. **Generation Events**
   - LLM-generated answer
   - Citations (source documents + page numbers)
   - Model used (GPT-4, Claude, etc.)

---

### Hash Chains (Blockchain-Inspired Integrity)

A **hash chain** links events cryptographically:

```
Event 1: data="doc_ingested", hash=H(data),              previous_hash=null
Event 2: data="doc_processed", hash=H(data + H1),        previous_hash=H1
Event 3: data="query_executed", hash=H(data + H2),       previous_hash=H2
```

**How it works:**
1. Compute hash of event data: `H(data)` using SHA-256
2. Include previous event's hash: `H(data + previous_hash)`
3. Store both in database: `hash` and `previous_hash` columns

**Tamper Detection:**
- If Event 2 is modified, `H2` changes
- Event 3's `previous_hash` no longer matches `H2` → chain broken
- Verification: recompute all hashes and compare

---

### SOX Compliance Requirements

**Sarbanes-Oxley Act (SOX) Section 404:**
- Public companies must maintain **internal controls** over financial reporting
- CFO/CEO must **certify** these controls (Section 302)
- False certification = **criminal offense** (up to 20 years prison)

**Audit Trail Requirements:**
- ✅ **7-year minimum retention** (often 10 years in practice)
- ✅ **Immutable storage** (no deletions/modifications)
- ✅ **Tamper detection** (hash verification)
- ✅ **Access controls** (who can view audit logs?)
- ✅ **Quarterly reviews** (compliance officers check integrity)

---

### Document Provenance Example

**Question:** "What was Apple's Q4 2024 revenue?"

**Provenance Chain:**

```
1. SEC Filing Ingested
   - document_id: aapl_10k_2024
   - source_url: https://sec.gov/.../aapl-20240930.htm
   - filing_date: 2024-03-15

2. Document Processed
   - chunks_created: 487
   - embeddings_created: 487

3. Query Executed
   - query_id: q_001
   - query_text: "What was Apple's Q4 revenue?"
   - user_id: analyst@company.com

4. Retrieval Completed
   - chunks_retrieved: [127, 128, 45]
   - chunk_127: page 28, score 0.87, "Revenue for Q4..."

5. Generation Completed
   - answer: "According to the 10-K, Q4 revenue was $94.9B..."
   - citations: ["[1] AAPL 10-K FY2024, p.28"]
```

**Result:** Auditor can trace answer back to original SEC filing.


In [None]:
# Example: Hash Chain Demonstration

import hashlib
import json

def compute_hash(data, previous_hash=None):
    """Compute SHA-256 hash of event data."""
    data_str = json.dumps(data, sort_keys=True)
    if previous_hash:
        combined = f"{data_str}|{previous_hash}"
    else:
        combined = data_str
    return hashlib.sha256(combined.encode('utf-8')).hexdigest()

# Create a simple hash chain
event1_data = {"type": "document_ingested", "doc_id": "aapl_10k_2024"}
event1_hash = compute_hash(event1_data)

event2_data = {"type": "query_executed", "query": "What was revenue?"}
event2_hash = compute_hash(event2_data, previous_hash=event1_hash)

print("Hash Chain Example:")
print(f"Event 1: hash={event1_hash[:16]}..., previous_hash=None")
print(f"Event 2: hash={event2_hash[:16]}..., previous_hash={event1_hash[:16]}...")
print("")
print("✅ Chain formed - Event 2's hash includes Event 1's hash")

# Expected: Different hashes for each event

---

## Section 3: Technology Stack & Setup

### Technology Choices

**Database:** PostgreSQL 14+
- **Why:** JSONB support for flexible event schemas
- **Why:** Immutability rules (`CREATE RULE no_update/no_delete`)
- **Why:** High availability options (RDS, Aurora)
- **Why:** 7+ year proven reliability

**Hash Algorithm:** SHA-256
- **Why:** Cryptographically secure (vs MD5, SHA-1)
- **Why:** Standard library support (no dependencies)
- **Why:** 64-character hex digest (collision-resistant)

**Logging:** structlog 24.1+
- **Why:** Structured JSON logging (machine-readable)
- **Why:** Context binding (add user_id, request_id automatically)
- **Why:** Performance (async logging support)

**ORM:** SQLAlchemy 2.0+
- **Why:** Type-safe database access
- **Why:** Migration support (Alembic)
- **Why:** Connection pooling (performance)

**NO External API Dependencies:**
- ❌ No OpenAI/Anthropic (this module is the logger, not the LLM consumer)
- ❌ No Pinecone/Qdrant (vector storage is separate module)
- ❌ No EDGAR API (data ingestion is M7.1-M7.3)
- ✅ Only PostgreSQL database + Python stdlib


In [None]:
# Setup: Initialize Audit Trail

from src.l3_m7_financial_data_ingestion_compliance import FinancialAuditTrail

# For demo, use SQLite in-memory (production should use PostgreSQL)
DATABASE_URL = "sqlite:///:memory:"

# Initialize audit trail
audit_trail = FinancialAuditTrail(DATABASE_URL)

print("✅ FinancialAuditTrail initialized")
print(f"   Database: {DATABASE_URL}")
print(f"   Total events: {audit_trail.get_event_count()}")

# Expected: 0 events in fresh database

---

## Section 4: Core Implementation

### Database Schema

```sql
CREATE TABLE audit_events (
  id BIGSERIAL PRIMARY KEY,
  timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
  event_type VARCHAR(50) NOT NULL,
  event_data JSONB NOT NULL,
  previous_hash VARCHAR(64),
  hash VARCHAR(64) NOT NULL UNIQUE,
  user_id VARCHAR(255),
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX idx_timestamp ON audit_events(timestamp);
CREATE INDEX idx_event_type ON audit_events(event_type);
CREATE INDEX idx_hash ON audit_events(hash);

-- Immutability (CRITICAL for SOX)
CREATE RULE no_update AS ON UPDATE TO audit_events DO INSTEAD NOTHING;
CREATE RULE no_delete AS ON DELETE TO audit_events DO INSTEAD NOTHING;
```

---

### Logging Events

**Core Method:** `log_event(event_type, event_data, user_id)`

**Process:**
1. Get last event's hash (for chaining)
2. Create event payload (timestamp + type + data)
3. Compute hash (data + previous_hash)
4. Insert into database
5. Return hash (for verification)

**Specialized Methods:**
- `log_document_ingested()` - SEC filing downloaded
- `log_document_processed()` - Parsing/chunking completed
- `log_query()` - User query executed
- `log_retrieval()` - Chunks retrieved (provenance)
- `log_generation()` - Answer generated with citations


In [None]:
# Example 1: Log Document Ingestion

event_hash = audit_trail.log_document_ingested(
    document_id="aapl_10k_2024",
    source_url="https://www.sec.gov/Archives/edgar/data/320193/...",
    filing_date="2024-03-15",
    document_type="10-K",
    user_id="data_pipeline@company.com"
)

print(f"✅ Logged document ingestion: {event_hash[:16]}...")
print(f"   Total events: {audit_trail.get_event_count()}")

# Expected: 1 event logged

In [None]:
# Example 2: Log Query Execution

event_hash = audit_trail.log_query(
    query_text="What was Apple's revenue in Q4 2024?",
    query_id="q_20241115_001",
    user_id="analyst@company.com"
)

print(f"✅ Logged query: {event_hash[:16]}...")
print(f"   Total events: {audit_trail.get_event_count()}")

# Expected: 2 events total

In [None]:
# Example 3: Log Retrieval (Provenance Tracking)

chunks_retrieved = [
    {
        "chunk_id": "aapl_10k_2024#chunk_127",
        "page_num": 28,
        "score": 0.87,
        "text_preview": "Revenue for Q4 2024 was $94.9B..."
    },
    {
        "chunk_id": "aapl_10k_2024#chunk_128",
        "page_num": 28,
        "score": 0.84,
        "text_preview": "iPhone revenue contributed $46.2B..."
    }
]

event_hash = audit_trail.log_retrieval(
    query_id="q_20241115_001",
    chunks_retrieved=chunks_retrieved,
    user_id="analyst@company.com"
)

print(f"✅ Logged retrieval: {event_hash[:16]}...")
print(f"   Chunks: {len(chunks_retrieved)}")
print(f"   Total events: {audit_trail.get_event_count()}")

# Expected: 3 events total

In [None]:
# Example 4: Verify Hash Chain Integrity

is_valid, broken_events = audit_trail.verify_integrity()

print(f"Hash Chain Verification:")
print(f"  - Valid: {is_valid}")
print(f"  - Broken events: {len(broken_events)}")
print(f"  - Total events verified: {audit_trail.get_event_count()}")

if is_valid:
    print("\n✅ Hash chain intact - no tampering detected")
else:
    print("\n❌ Hash chain compromised:")
    for event in broken_events:
        print(f"   - {event}")

# Expected: Valid chain with 0 broken events

---

## Section 5: Reality Check - Production Considerations

### Performance Considerations

**Write Latency:**
- Hash computation: ~0.5ms (SHA-256 is fast)
- Database write: 5-20ms (depends on connection)
- **Total:** 10-25ms per event

**At Scale (500K queries/month):**
- 500K queries × 5 events each = **2.5M events/month**
- Storage: 2.5M × 5KB = **12.5GB/month**
- 7-year retention: 12.5GB × 84 months = **1TB total**

**Solutions:**
- Connection pooling (reuse DB connections)
- Async writes (don't block request)
- Partition tables by month (faster queries)
- Archive to S3 Glacier after 1 year

---

### Storage Growth Management

**Problem:** Audit trail grows forever (7+ years)

**Strategy:**
1. **Active (0-12 months):** PostgreSQL, SSD storage
2. **Warm (1-3 years):** S3 Standard, slower queries
3. **Cold (3-7 years):** S3 Glacier Deep Archive, compliance-only

**Cost Comparison:**
- PostgreSQL SSD: $0.10/GB/month
- S3 Standard: $0.023/GB/month (4× cheaper)
- Glacier Deep Archive: $0.00099/GB/month (100× cheaper)

---

### Security Considerations

**Access Control:**
- Audit logs should be **read-only** for most users
- Only compliance officers can query full logs
- Auditors get temporary read-only access

**Meta-Logging:**
- Log who accessed audit logs (audit the auditors)
- Alert on unusual access patterns

**Encryption:**
- Encrypt database at rest (AES-256)
- Encrypt backups (S3 server-side encryption)
- TLS for database connections

---

### Failure Modes to Avoid

See Section 8 for detailed failure modes and solutions.

**Preview:**
- Timezone bugs (use UTC always)
- Non-deterministic JSON hashing (sort keys)
- Lost provenance (log chunk IDs, not just counts)
- Storage exhaustion (implement retention policy)
- Race conditions (use database locking)


In [None]:
# Example: Generate Compliance Report

from datetime import datetime, timezone

# Generate report for all events
start_date = datetime(2024, 1, 1, tzinfo=timezone.utc)
end_date = datetime(2024, 12, 31, tzinfo=timezone.utc)

report = audit_trail.generate_compliance_report(start_date, end_date)

print("Compliance Report:")
print(f"  Period: {report['report_period']['start_date'][:10]} to {report['report_period']['end_date'][:10]}")
print(f"  Total events: {report['total_events']}")
print(f"  Unique users: {report['unique_users']}")
print(f"  Chain valid: {report['chain_valid']}")
print("")
print("Event breakdown:")
for event_type, count in report['event_breakdown'].items():
    print(f"  - {event_type}: {count}")

# Expected: Summary of all events logged so far

---

## Section 6: Alternative Approaches

### Approach 1: Application Logs Only

**What:** Use existing logging (CloudWatch, DataDog, Splunk)

**Pros:**
- ✅ No additional infrastructure
- ✅ Already integrated

**Cons:**
- ❌ Not immutable (logs can be rotated/deleted)
- ❌ No hash chain (tamper detection missing)
- ❌ No provenance tracking
- ❌ **Does NOT meet SOX requirements**

**Verdict:** ❌ Insufficient for financial compliance

---

### Approach 2: Blockchain (Hyperledger, Ethereum)

**What:** Store audit events on a blockchain

**Pros:**
- ✅ Maximum immutability (distributed ledger)
- ✅ Hash chaining built-in

**Cons:**
- ❌ Expensive (gas fees on public chains)
- ❌ Complex infrastructure (node management)
- ❌ Slow writes (10-60 seconds per transaction)
- ❌ Privacy concerns (public data)

**Verdict:** ❌ Overkill for most use cases

---

### Approach 3: PostgreSQL + Hash Chain (This Module)

**What:** Database with hash-chained events and immutability rules

**Pros:**
- ✅ Fast writes (10-20ms)
- ✅ Cost-effective ($25-750/month)
- ✅ Immutability via SQL rules
- ✅ Hash chain tamper detection
- ✅ Meets SOX requirements

**Cons:**
- ⚠️ Requires database management
- ⚠️ Not as "bulletproof" as blockchain (but sufficient for SOX)

**Verdict:** ✅ Recommended for financial RAG

---

### Approach 4: AWS CloudTrail

**What:** AWS managed audit logging service

**Pros:**
- ✅ Managed service (no infrastructure)
- ✅ AWS API calls logged automatically

**Cons:**
- ❌ Only logs AWS API calls (not RAG operations)
- ❌ No provenance tracking for documents
- ❌ No hash chaining

**Verdict:** ⚠️ Useful supplement, but NOT sufficient alone


---

## Section 7: When NOT to Use This Module

### Skip This Module If:

1. **Non-Financial Domain**
   - E-commerce, social media, general content
   - No regulatory requirements
   - Example: Blog recommendation system

2. **Early-Stage Startup**
   - < $10M ARR, no regulatory oversight
   - Limited resources (engineers, budget)
   - Example: MVP RAG chatbot

3. **Performance-Critical Applications**
   - High-frequency trading (need <1ms logging)
   - Real-time analytics (cannot tolerate 20ms write latency)
   - Example: Trading algorithm execution logs

4. **No Compliance Team**
   - No CFO/CCO to certify controls
   - No quarterly audit reviews
   - Example: Side project, internal tool

5. **Budget Constraints**
   - Cannot afford $500+/month for PostgreSQL + storage
   - No 7-year retention budget
   - Example: Bootstrapped startup

---

### What to Use Instead

**For Non-Regulated Use Cases:**
- CloudWatch Logs (simple, cheap)
- DataDog APM (observability)
- Lightweight logging (Python logging module)

**For Performance-Critical:**
- Async logging with buffering
- Sampling (log 1% of events)
- In-memory logging with periodic flush

**For Startups:**
- Start simple (application logs)
- Add audit trail when:
  - Raising Series A+ ($10M+ funding)
  - Entering regulated market
  - Getting first enterprise customer with compliance requirements


---

## Section 8: Common Failure Modes

### Failure 1: Timezone Bugs

**Symptom:** Events logged with local time instead of UTC

**Cause:** Using `datetime.now()` instead of `datetime.now(timezone.utc)`

**Impact:** Auditor confusion during DST transitions

**Fix:**
```python
# ✅ Correct
timestamp = datetime.now(timezone.utc)

# ❌ Wrong
timestamp = datetime.now()
```

---

### Failure 2: Non-Deterministic JSON Hashing

**Symptom:** Same event produces different hashes

**Cause:** Dictionary key ordering varies between runs

**Impact:** Hash chain verification fails

**Fix:**
```python
# ✅ Deterministic
json.dumps(data, sort_keys=True)

# ❌ Non-deterministic
json.dumps(data)
```

---

### Failure 3: Lost Provenance

**Symptom:** Cannot trace answer to source document

**Cause:** Incomplete `event_data` (missing chunk IDs, page numbers)

**Impact:** Fails SOX audit (cannot prove data lineage)

**Fix:**
```python
# ✅ Complete provenance
log_retrieval(
    query_id="q_001",
    chunks_retrieved=[
        {
            "chunk_id": "doc#chunk_127",  # Required
            "page_num": 28,               # Required
            "score": 0.87,                # Recommended
            "text_preview": "..."         # Recommended
        }
    ]
)

# ❌ Incomplete
log_retrieval(
    query_id="q_001",
    chunks_retrieved=[{"score": 0.87}]  # Missing chunk_id, page_num
)
```

---

### Failure 4: Storage Exhaustion

**Symptom:** Disk full after 6 months

**Cause:** No retention policy, storing full responses (10KB each)

**Impact:** Database crashes, events lost

**Fix:**
- Partition by month
- Store text_preview (500 chars max)
- Archive to S3 Glacier after 1 year

---

### Failure 5: Race Conditions in Hash Chain

**Symptom:** Duplicate `previous_hash` values

**Cause:** Concurrent writes not serialized

**Impact:** Hash chain breaks

**Fix:**
```python
# Use database-level locking
last_event = session.query(AuditEvent).with_for_update().order_by(AuditEvent.id.desc()).first()
```


In [None]:
# Example: Demonstrating Deterministic Hashing

import json
import hashlib

# Same data, different key order
data1 = {"b": 2, "a": 1}
data2 = {"a": 1, "b": 2}

# Without sort_keys (non-deterministic)
hash1 = hashlib.sha256(json.dumps(data1).encode()).hexdigest()
hash2 = hashlib.sha256(json.dumps(data2).encode()).hexdigest()

print("Without sort_keys:")
print(f"  Hash 1: {hash1[:16]}...")
print(f"  Hash 2: {hash2[:16]}...")
print(f"  Match: {hash1 == hash2}")
print("")

# With sort_keys (deterministic)
hash1_sorted = hashlib.sha256(json.dumps(data1, sort_keys=True).encode()).hexdigest()
hash2_sorted = hashlib.sha256(json.dumps(data2, sort_keys=True).encode()).hexdigest()

print("With sort_keys=True:")
print(f"  Hash 1: {hash1_sorted[:16]}...")
print(f"  Hash 2: {hash2_sorted[:16]}...")
print(f"  Match: {hash1_sorted == hash2_sorted}")
print("")
print("✅ Always use sort_keys=True for deterministic hashing")

# Expected: Hashes match when sort_keys=True

---

## Section 9: Finance AI Domain Considerations

### Insider Trading Prevention

**Scenario:** Analyst accesses Q4 earnings data 2 days before public announcement.

**Audit Trail Query:**
```sql
SELECT user_id, timestamp, event_data
FROM audit_events
WHERE event_data->>'document_id' LIKE '%_10q_2024_q4'
  AND timestamp < '2024-10-20T16:00:00Z'  -- Before earnings call
ORDER BY timestamp;
```

**Action:** Flag for compliance review, potential SEC investigation.

---

### Material Event Disclosure (8-K Filings)

**Scenario:** Company must disclose material events within 4 business days.

**Audit Trail Use:**
- Prove when event was discovered (timestamp)
- Show chain-of-custody for disclosure decision
- Demonstrate timely processing

**SOX Requirement:** If RAG system influences disclosure timing, full audit trail required.

---

### Executive Certifications (SOX Section 302)

**CFO/CEO Must Certify:**
> "We have established and maintained internal controls over financial reporting, including adequate audit trails for all data systems influencing financial statements."

**If Audit Trail is Incomplete:**
- ❌ False certification = **criminal offense** (up to 20 years prison)
- ❌ SEC enforcement action
- ❌ Personal liability (cannot be indemnified)

**This Module Helps:**
- ✅ Provides certifiable audit trail
- ✅ Quarterly compliance reports
- ✅ Tamper detection via hash chain

---

### Quarterly Audit Reviews

**Process:**
1. Generate compliance report (last quarter)
2. Verify hash chain integrity
3. Review unusual access patterns
4. Export for external auditors
5. CFO/CCO sign off

**Frequency:** At minimum, quarterly (often monthly in practice)


---

## Section 10: Decision Card & Cost Analysis

### Use This Module When:

✅ **Processing financial data** (10-K, 10-Q, 8-K filings)  
✅ **Subject to SOX compliance** (public companies, regulated firms)  
✅ **Need to prove provenance** ("Which document influenced this answer?")  
✅ **Executive liability** (CEO/CFO certifications required)  
✅ **7+ year retention mandated**  
✅ **Multi-million dollar fines** if audit trail incomplete  

### Do NOT Use When:

❌ **Early-stage startup** (< $10M ARR, no oversight)  
❌ **Non-financial domain** (e-commerce, social media)  
❌ **No SOX requirements**  
❌ **Performance > compliance** (high-frequency trading)  
❌ **Budget limited** (< $500/month infrastructure)  

---

### Cost Analysis

**Small (5K queries/month):**
- PostgreSQL: ₹2,000/mo ($25)
- Storage: ₹150/mo ($2)
- **Total: ₹2,150/mo ($27)**

**Medium (50K queries/month):**
- PostgreSQL HA: ₹8,000/mo ($100)
- Storage: ₹1,500/mo ($20)
- Backup: ₹800/mo ($10)
- **Total: ₹10,300/mo ($130)**

**Large (500K queries/month):**
- PostgreSQL HA: ₹32,000/mo ($400)
- Storage (1TB): ₹15,000/mo ($200)
- Archival: ₹8,000/mo ($100)
- Monitoring: ₹4,000/mo ($50)
- **Total: ₹59,000/mo ($750)**

**Trade-offs:**
- Storage grows linearly (5KB/event)
- 7-year retention = 7× storage cost
- Hash verification adds 10-20ms/write
- **BUT prevents ₹5-66 crore fines** (SOX violations)


In [None]:
# Example: Cost Calculator

def estimate_monthly_cost(queries_per_month, events_per_query=5, retention_years=7):
    """Estimate monthly cost for audit trail system."""
    
    # Calculate events
    monthly_events = queries_per_month * events_per_query
    monthly_storage_gb = monthly_events * 5 / 1024 / 1024  # 5KB per event
    total_storage_gb = monthly_storage_gb * (retention_years * 12)
    
    # Cost estimates (USD)
    if queries_per_month < 10000:
        db_cost = 25
    elif queries_per_month < 100000:
        db_cost = 100
    else:
        db_cost = 400
    
    storage_cost = total_storage_gb * 0.10  # PostgreSQL SSD
    
    total_cost = db_cost + storage_cost
    
    return {
        "queries_per_month": queries_per_month,
        "monthly_events": monthly_events,
        "monthly_storage_gb": round(monthly_storage_gb, 2),
        "total_storage_gb": round(total_storage_gb, 2),
        "db_cost_usd": db_cost,
        "storage_cost_usd": round(storage_cost, 2),
        "total_cost_usd": round(total_cost, 2)
    }

# Example scenarios
scenarios = [5000, 50000, 500000]

for queries in scenarios:
    cost = estimate_monthly_cost(queries)
    print(f"Scenario: {queries:,} queries/month")
    print(f"  - Events: {cost['monthly_events']:,}/month")
    print(f"  - Storage (7 years): {cost['total_storage_gb']} GB")
    print(f"  - Total cost: ${cost['total_cost_usd']}/month")
    print("")

# Expected: Costs scale with query volume

---

## Section 11: PractaThon Mission

### Your Challenge

Build a **complete provenance chain** for a financial RAG query.

**Requirements:**

1. ✅ Log document ingestion (use any public 10-K/10-Q)
2. ✅ Log document processing (simulated chunks/embeddings)
3. ✅ Log user query (financial question)
4. ✅ Log retrieval with chunk IDs and page numbers
5. ✅ Log generation with citations
6. ✅ Verify hash chain integrity
7. ✅ Generate compliance report

**Bonus:**
- Simulate tamper detection (modify an event, show verification fails)
- Calculate storage costs for your organization's scale
- Write SQL query to find pre-announcement access

**Deliverable:**
- Working notebook demonstrating full provenance chain
- Compliance report (JSON/CSV)
- Hash chain verification results


In [None]:
# PractaThon: Complete this implementation

# TODO: Initialize your audit trail
# audit_trail = FinancialAuditTrail("sqlite:///:memory:")

# TODO: Log document ingestion
# event1_hash = audit_trail.log_document_ingested(...)

# TODO: Log document processing
# event2_hash = audit_trail.log_document_processed(...)

# TODO: Log query
# event3_hash = audit_trail.log_query(...)

# TODO: Log retrieval (with chunk IDs!)
# event4_hash = audit_trail.log_retrieval(...)

# TODO: Log generation (with citations!)
# event5_hash = audit_trail.log_generation(...)

# TODO: Verify integrity
# is_valid, broken = audit_trail.verify_integrity()

# TODO: Generate compliance report
# report = audit_trail.generate_compliance_report(...)

print("✅ Complete the PractaThon mission above!")

---

## Section 12: Conclusion & Next Steps

### What You've Learned

In this module, you learned how to:

1. ✅ **Design SOX-compliant audit trails** with immutability and hash chaining
2. ✅ **Track complete document provenance** from SEC filing to RAG answer
3. ✅ **Implement hash-chained integrity** for tamper detection
4. ✅ **Generate compliance reports** for regulatory audits
5. ✅ **Configure 7-year retention** to meet SOX requirements
6. ✅ **Avoid common failure modes** (timezone bugs, lost provenance, etc.)

---

### Production Readiness Checklist

Before deploying to production:

**Infrastructure:**
- [ ] PostgreSQL database configured (not SQLite)
- [ ] Immutability rules applied (`CREATE RULE no_update/no_delete`)
- [ ] Connection pooling enabled
- [ ] Backups configured (daily minimum)

**Security:**
- [ ] Database encryption at rest (AES-256)
- [ ] TLS for database connections
- [ ] Access controls (read-only for most users)
- [ ] Meta-logging (audit the auditors)

**Compliance:**
- [ ] CFO/CCO reviewed implementation
- [ ] Legal counsel signed off
- [ ] 7-year retention policy documented
- [ ] Quarterly review process established

**Monitoring:**
- [ ] Hash verification runs daily
- [ ] Storage growth monitored
- [ ] Alert on integrity failures
- [ ] Performance metrics tracked

---

### Next Steps

1. **Complete the PractaThon Mission** (Section 11)
2. **Integrate with your RAG pipeline** (call log_* methods)
3. **Set up PostgreSQL production database**
4. **Configure retention policy** (7+ years)
5. **Schedule quarterly compliance reviews**

---

### Additional Resources

**Documentation:**
- SOX Section 404: https://www.sec.gov/spotlight/sarbanes-oxley.htm
- PostgreSQL JSONB: https://www.postgresql.org/docs/current/datatype-json.html
- SQLAlchemy ORM: https://docs.sqlalchemy.org/

**Community:**
- TechVoyageHub Discord
- Course Forum
- GitHub Issues

---

### Key Takeaways

1. **Generic logging ≠ Audit trail** - Financial RAG needs provenance + immutability
2. **Hash chains prevent tampering** - Blockchain-inspired, database-friendly
3. **Provenance is critical** - Log chunk IDs, page numbers, citations
4. **SOX compliance is serious** - $1M-$10M fines, 20 years prison for violations
5. **Cost scales with usage** - Budget for 7× storage (retention)

---

**Thank you for completing L3 M7.4: Audit Trail & Document Provenance!**

**Next Module:** M8 - Advanced RAG Optimization Techniques
