orion/.audit-rules/_main.yaml
Samir Boulahtit 92434c8971 feat: add audit validation rules and script
Import audit rules from scaffold project covering:
- Access control validation
- Audit trail requirements
- Change management policies
- Compliance checks
- Data governance rules
- Documentation requirements
- Third-party dependency checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 09:21:03 +01:00


---
# IT Internal Audit Rules
# ========================
# Rule set consumed by the audit validation script. It backs independent
# verification of controls for:
#   - SOX compliance (financial systems)
#   - GDPR/CCPA compliance (data privacy)
#   - Internal governance policies
#   - Risk management frameworks

# Schema version of this rule file. Quoted on purpose: an unquoted 1.0 would
# be parsed as a float and 1.10 would later collapse to 1.1.
version: '1.0'
name: 'IT Internal Audit Rules'

# Scoring categories. Each weight is that category's share of the overall
# score; the seven weights below add up to 100.
# NOTE(review): whether the consuming script requires the weights to sum to
# exactly 100 (or renormalises them) is not visible from this file - confirm
# before adding a category or adjusting a weight.
categories:
  audit_trail:
    weight: 25
    description: 'Logging, traceability, and audit log integrity'
  access_control:
    weight: 20
    description: 'Authentication, authorization, and least privilege'
  data_governance:
    weight: 20
    description: 'PII handling, data classification, and retention'
  compliance:
    weight: 15
    description: 'Regulatory and policy compliance'
  change_management:
    weight: 10
    description: 'Version control, approvals, and rollback'
  third_party:
    weight: 5
    description: 'Dependency management and license compliance'
  documentation:
    weight: 5
    description: 'Required documentation and traceability'

# Lowest overall score (percentage, 0-100) that counts as a pass.
minimum_score: 80

# Paths the audit never inspects. Anything listed here produces no findings,
# so keep the list to build artefacts and caches only. Trailing slashes mark
# directories; how the script matches an entry (prefix, glob, or anywhere in
# the tree) is not defined here - check the script before adding entries.
excluded_paths:
  - '.venv/'
  - '__pycache__/'
  - '.git/'
  - 'node_modules/'
  - '.pytest_cache/'
  - 'htmlcov/'
  - 'site/'
  - '.mypy_cache/'

# Severity labels a finding can carry, most to least urgent, with the
# remediation expectation attached to each.
severity_levels:
  critical: 'Must be fixed immediately - audit finding'
  high: 'Must be fixed before next audit cycle'
  medium: 'Should be addressed in remediation plan'
  low: 'Recommendation for improvement'
  info: 'Informational observation'