Kognita.Blog
Finance and Legal Teams Shouldn't Need an Engineer to Answer Compliance Questions
10 min read
“Audit prep took three weeks this year. Most of that time was not doing the audit — it was waiting for engineering to tell us where specific data types live, how they are transmitted, who has access to them, and whether the log retention we promised auditors was actually in place.”
This is not a compliance process failure. It is an access problem. Finance and legal teams are asking questions that the system can answer directly. They have no path to the system.
The dependency on engineering for compliance questions is accepted as default in most software companies. It should not be. The questions that slow audit prep — where data lives, who has access to it, what retention policies are actually implemented, which third parties receive regulated data — are not engineering judgment calls. They are factual questions about a system that already has concrete answers. The answers are in the codebase, in configuration files, in service definitions. Finance and legal cannot see them. Engineering is the only route to the system, and that route is expensive for everyone.
The questions that should not route through engineering
The questions finance and legal teams ask at audit time are not ambiguous. They are specific, factual, and answerable from the codebase without any engineering interpretation required.
“Where is customer payment data stored?” That is a question with a specific answer — a database table, a service, a third-party system — defined in code. “Which third-party services receive PII?” That is an integration question answerable by tracing what data each external API call sends. “What does the log retention look like for user activity?” That is a configuration question: there is a cleanup job, it has a schedule, it has a retention window, and that window is either what was promised or it is not. “Which services have access to our financial transaction records?” That is an access control question with a definitive list as its answer.
“Are there any automated processes that touch regulated data without human review?” That one requires reading code logic rather than just configuration — but it still has a concrete answer, and that answer does not require engineering judgment to interpret. It requires engineering access to read.
None of these should require an engineering ticket. All of them currently do.
Why this dependency compounds at audit time
When auditors arrive, they come with a list of questions. Finance and legal have to gather answers to that list. In organizations where those answers route through engineering, every question becomes a dependency. Not one dependency — a queue of dependencies, each waiting on an engineering response.
Engineering is not sitting idle during audit prep. The sprint continues. Production incidents still happen. Engineering has its own workload and the audit questions arrive on top of it. Response times slow. The queue backs up. Finance and legal wait. Auditors wait. Three weeks of prep time is the outcome — and most of that time is queue time, not analysis time.
The compounding effect is that each engineering response usually generates a follow-up question. “The payment data is in the user_payments table” prompts “which services write to that table?” which prompts “does admin-service have write access, and is it logged?” Each follow-up restarts the queue. A single audit line item that should take twenty minutes to answer can span two days of ticket threading.
This is not a compliance dysfunction. This is what happens when the people responsible for answering compliance questions have no direct path to the system that holds the answers. Non-technical teams spending hours waiting on engineering for answers that the system could give directly is a structural problem, and audit season is when it becomes expensive enough to be visible.
What finance teams specifically need to know about the system
Finance teams have a specific set of system questions that recur across audits, due diligence processes, and regulatory reviews. They cluster around four areas.
Data flows for financial information
Where does financial data go? Which services touch it, in what order, with what permissions? Which third-party vendors receive financial transaction data, and what specifically do they receive? These questions define the scope of PCI compliance, data processing agreements, and vendor risk assessments. Finance cannot conduct those assessments without the answers, and the answers live in the integration layer of the codebase.
Retention policy implementation
What the company committed to auditors — “we retain user activity logs for twelve months” — and what is actually implemented in code are two things that should match. Finance needs to verify that they do. The implementation is a cleanup job with a schedule and a retention window. Whether that window matches the commitment is a factual question. Answering it currently requires asking engineering to look at the job configuration, which is a ticket.
Transaction audit trails
What events are logged for financial transactions? Where are those logs stored? How accessible are they for auditor review or forensic inquiry? If an auditor asks for a complete record of all changes to a specific customer account's billing status over the past year, can that record be produced, and from where? These are audit readiness questions that require knowing the logging architecture — which is in code.
Exposure analysis
If a specific service is compromised, what financial data is at risk? This requires understanding which services have access to which data stores, what data flows where, and what a breach perimeter would look like. Finance and security both need this for breach notification readiness and insurance documentation. It is an architecture question with a codebase answer.
What legal and compliance teams need to know
Legal and compliance have a parallel set of system questions that are distinct from finance's but equally grounded in the codebase.
Privacy law compliance verification
Where does PII live? How does it flow between services? What is stored versus processed versus transmitted to third parties? GDPR and CCPA compliance verification requires mapping PII flows accurately. Legal cannot verify compliance against what is actually implemented — they can only verify compliance against what engineering has told them is implemented. If those two things diverge, the discrepancy is invisible until an audit or incident reveals it.
Consent mechanism implementation
The privacy policy describes consent mechanisms. The codebase either implements them as described or it does not. Legal needs to verify that the implementation matches the description. That verification currently requires engineering to confirm it — which means legal is relying on the same team that built the implementation to verify that it is correct. Direct system access changes who is verifying what.
Third-party data sharing
Which integrations send which data to which vendors? What specifically does each third-party service receive? Data processing agreements require knowing this. Legal cannot negotiate or maintain those agreements accurately without a true picture of what data leaves the system and where it goes. That picture is in the integration layer of the codebase.
Contractual commitment verification
Enterprise contracts often include data handling commitments: “customer data will not be shared with third parties without consent,” “data will be stored in EU-region infrastructure,” “audit logs will be retained for X years.” Legal needs to verify that the system was actually built to honor those commitments. That is a system verification question, and it requires either engineering confirmation or direct system access.
The cost of the bottleneck at critical moments
The engineering dependency for compliance questions has material cost at the moments when it matters most. Those moments are not routine — they are due diligence, audits, regulatory inquiries, and security incidents. Each one carries a consequence for delay.
During M&A due diligence, the acquiring party asks detailed questions about data architecture, compliance posture, and system behavior. Those questions have to be answered accurately and quickly. Every day of delay in due diligence is a day of deal risk. When finance and legal are routing every system question through engineering, and engineering is simultaneously trying to maintain normal operations, due diligence prep stretches from weeks to months. Non-technical leaders assessing system risk without direct visibility are forced to rely on engineering intermediaries at exactly the moment when accuracy and speed both matter.
During compliance audits, auditors bill by the hour. When finance and legal cannot answer questions directly — when every answer requires a ticket, a wait, and a follow-up — the audit extends. Auditors wait. The meter runs. This is not a hypothetical cost; it is a line item.
During regulatory inquiries and security incidents, response windows are real. A data breach notification requirement under GDPR has a 72-hour window. Identifying the scope of affected records — which requires knowing which services had access to what data — in 72 hours while simultaneously managing the incident is not achievable if every system question routes through an engineering team that is also managing the incident response.
What direct system visibility changes
When finance and legal can query the system directly in plain language, the audit prep process changes fundamentally. Not because the questions change — they are the same questions — but because the answer latency drops from hours and days to minutes, and the answers come from the system itself rather than from engineering's recollection of it.
“Which services write to the user_payments table?” becomes a query, not a ticket. The answer comes back immediately: billing-service, subscription-service, refund-service, and admin-service, with access scope and audit logging status for each. “What third-party services does our billing module communicate with?” returns a complete list with what each service sends and receives — derivable from the actual integration code, not from someone's memory of the architecture.
Follow-up questions work the same way. The entire thread of audit questions that currently spans days of ticket-and-response cycles becomes a self-directed query session that finance or legal can run independently. Engineering is not removed from the process for questions that require engineering judgment — actual code defects, architectural changes, incident remediation. Engineering is removed from the process for the factual system questions that should never have required engineering in the first place.
Operations managers face the same bottleneck for process questions — the pattern of non-technical teams being held accountable for things they cannot independently verify applies across the organization, and the solution is the same in each case: plain-language access to system answers.
What Kognita gives finance and legal teams
Kognita provides a plain-language dashboard designed for non-technical users. Finance and legal can ask system behavior questions — about data flows, service access, retention policies, integration data sharing — and receive answers derived from the actual codebase. No code reading required. No engineering ticket. No wait.
The Jira integration means finance and legal can also see what has changed in recent sprints and verify it against prior commitments. If a sprint introduced a change to the data retention configuration, that is visible. If a new integration was added that sends customer data to a third party, that is visible. Compliance drift — the gap between what was documented and what is currently implemented — becomes detectable without waiting for an audit to surface it.
Automatic re-indexing means answers reflect current system state. When the billing service adds a new third-party integration, the answer to “which external services does billing communicate with” changes to include it. When a retention job configuration is updated, the retention policy answer reflects the update. Finance and legal are not relying on documentation that was accurate six months ago — they are querying the live system.
The practical outcome during audit prep is that finance and legal can work through an auditor checklist independently, verify answers against the system directly, and identify discrepancies before the auditors do. That is the correct workflow. It is what the workflow should always have been — the only thing missing was the access layer.
Final take
Finance and legal teams are being held responsible for system compliance they cannot independently verify. That is not a process problem. It is an access problem, and the system already has all the answers.
The three-week audit prep cycle is not three weeks of compliance work. It is mostly queue time — waiting for engineering to answer questions that have concrete, factual answers in the codebase. Each answer generates follow-up questions. Each follow-up resets the queue. The audit extends. Auditors wait. Due diligence drags. Regulatory windows close.
None of this is necessary. The questions finance and legal are asking — where data lives, who has access to it, what retention policies are actually implemented, which third parties receive what — are system questions with system answers. The bottleneck is access, not capability, and it is removable.
Questions finance currently routes through engineering — with wait time:
Data storage and access:
-> "Where is customer payment data stored?"
Typical wait: 2–4 hours (engineering ticket or Slack ping)
Why it matters: auditor checklist item, PCI scope determination
-> "Which third-party services receive PII?"
Typical wait: 4–8 hours (requires someone to trace integrations)
Why it matters: data processing agreements, vendor compliance review
-> "Which services have access to our financial transaction records?"
Typical wait: 1–2 days (requires architecture-level understanding)
Why it matters: SOC 2 access control requirements
Log retention:
-> "What does the log retention look like for user activity?"
Typical wait: 2–4 hours
Why it matters: we committed to 12-month retention in our audit response
-> "Are there any automated processes that touch regulated data
without human review?"
Typical wait: 1–3 days (requires reading code logic, not just config)
Why it matters: financial controls documentation, SOX considerations
Exposure analysis:
-> "If the billing service has a breach, what financial data is at risk?"
Typical wait: 2–5 days (cross-service analysis required)
Why it matters: breach notification scope, insurance, regulatory reporting
All of the above have concrete answers in the codebase.
None of them should require an engineering ticket.Legal and compliance questions by category:
──────────────────────────────────────────────────────────────────────
Category What they need to know Current source
──────────────────────────────────────────────────────────────────────
Privacy law Where does PII live? Engineering ticket
compliance How does it flow between (2–5 day wait)
services? What is stored vs.
processed vs. transmitted?
Consent Are consent mechanisms Engineering review
mechanisms actually implemented as of frontend and
described in the privacy backend (1–3 days)
policy?
Third-party Which integrations send Architecture
data sharing what data where? What walkthrough with
does each vendor receive? engineering lead
Incident Can we identify affected Unknown — requires
response records quickly if a code audit under
readiness service is compromised? incident pressure
Contractual Did we build what we Engineering
commitments agreed to build? Does the confirmation
implementation match the required
agreed data handling spec?
──────────────────────────────────────────────────────────────────────What direct system access enables — example queries and answers:
Finance query: "Which services write to the user_payments table?"
System answer:
billing-service: writes on successful charge (stripe webhook handler)
subscription-service: writes on plan change, proration adjustment
refund-service: writes on full/partial refund events
admin-service: writes on manual adjustment (requires 2FA, audit logged)
Read-only access: reporting-service, finance-export-service
No other services have write access to user_payments.
──────────────────────────────────────────────────────────────────────
Legal query: "What third-party services does our billing module
communicate with?"
System answer:
Stripe: payment processing, webhook delivery
-> sends: card data (tokenized), amount, customer_id, metadata
-> receives: payment intent status, dispute notifications
Avalara: tax calculation
-> sends: transaction amount, billing address, product type
-> receives: tax breakdown, jurisdiction
SendGrid: billing email delivery
-> sends: customer email, invoice PDF (generated in-app), amount
-> receives: delivery status
No other external services called by billing-service.
──────────────────────────────────────────────────────────────────────
Finance query: "What is our log retention for user activity events?"
System answer:
User activity events: written to activity_log table (PostgreSQL)
Retention policy: 365 days, enforced by cleanup job
(jobs/activity-log-cleanup.ts, cron: 0 3 * * *, deletes rows
older than NOW() - INTERVAL '365 days')
Audit-flagged events: retained indefinitely (separate table:
activity_log_audit, no deletion job present)
Last verified: cleanup job ran successfully 14 hours ago