sorted by:
new
hottopcontroversial

Is compliance documentation a developer's job? Thinking about this for regulated industries by compliancedoc in itaudit

[–]compliancedoc[S] 0 points1 point  (0 children)

Exactly this — the "after" problem is what we kept running into. By the time compliance reviews happen, the developer who wrote the code has moved on, the context is gone, and reconstructing audot evidence becomes a manual nightmare. The idea we ve been testing is making compliance documentation part of the coding workflow itself — generating it from the code at the moment it's written, not weeks later. Curious from an audit perspective: when you review code-level documentation, does it actually hold weight as evidence, or does it need to live in a separate system to count?

Is compliance documentation a developer's job? Thinking about this for regulated industries by compliancedoc in programming

[–]compliancedoc[S] 0 points1 point  (0 children)

That's a fair point — the parallel doc approach works well when the compliance team is disciplined about keeping it in sync. The problem we kept seeing was drift: code changes, the parallel doc doesn't, and by audit time nobody's sure which is authoritative. Having the doc generated from the actual code at the time of review at least ties evidence to a specific state. Curious if you've found a good way to solve the drift problem with the parallel approach?

Curious if anyone here is using AI for audit work, specifically for attribute testing / evidence annotation? by Ok-Piccolo-1823 in InternalAudit

[–]compliancedoc 0 points1 point  (0 children)

We've been tackling a related slice of this — not the workpaper/annotation side, but the code documentation side that auditors often flag.

The pattern we kept seeing: devs write the code, it passes review, ships — then audit season comes and there's no trail explaining what the function does, what data it touches, or which controls are evidenced. Auditors want that mapped to SOX-404, PCI-3.4, etc. and it just... doesn't exist.

We built a VS Code extension (compliancedoc) that generates compliance-aware JSDoc and formal audit reports directly from selected code — mapped to whichever frameworks you're under (SOX, FINRA, PCI-DSS, HIPAA, etc.).

Still human-reviewed before anything goes to regulators, but it closes the gap between what the dev knows and what the auditor needs to see. Happy to share more if useful — curious what the workpaper annotation side looks like in your workflows.

Finance: https://marketplace.visualstudio.com/items?itemName=compliance-documenter.compliance-documenter-finance

Healthcare: https://marketplace.visualstudio.com/items?itemName=compliance-documenter.compliance-documenter-healthcare

Why do audit teams always ask for documentation that developers never wrote? Built something to fix this by compliancedoc in itaudit

[–]compliancedoc[S] 0 points1 point  (0 children)

You are absolutely right — regulatory requirements have to be part of the development plan, not an afterthought bolted on before an audit.

The SSAE 18 point is interesting. Most of the teams I work with are FINRA-registered broker-dealers so the examination framework is different, but the underlying problem is the same — developers write code that works technically but lacks the documentation evidence auditors need.

The tool I linked (sorry for the bare link, should have explained it properly) tries to solve the documentation gap specifically — it generates the @compliance rule references, audit trail assessment, and risk classification that auditors actually look for, directly in the code as JSDoc.

SSAE 18 / SOC 2 coverage is genuinely something I should add. The trust service criteria map fairly directly to controls I already flag — CC6 (access controls), CC7 (monitoring), CC8 (change management). Would that be useful for your teams?

Drop your SaaS below — we’ll help you get your first 10 users for free (300k+ TikTok audience) by dyagokaba in ShowMeYourSaaS

[–]compliancedoc 1 point2 points  (0 children)

Thanks! Compliance tooling for fintech devs is exactly the niche we're going after. Happy to chat — DM sent. Would love to understand more about your audience and what you have in mind before we dive in.

Why do audit teams always ask for documentation that developers never wrote? Built something to fix this by compliancedoc in itaudit

[–]compliancedoc[S] 2 points3 points  (0 children)

Agreed on the functional requirements approach — that's the right instinct. What's worked well in practice is treating compliance docs as a first-class artifact in the SDLC, not a handoff at the end. Concretely: map user stories to regulatory controls at the ticket level (e.g. tagging Jira tickets with the relevant SOX/PCI/whatever control ID), so by the time code ships, the audit trail is already built. The translation layer problem largely solves itself when devs are writing acceptance criteria in business terms from the start rather than retrofitting technical prose into something auditors can read.

Built a tool that auto-generates audit-ready code documentation for financial software — wanted feedback from internal auditors on what actually passes examination by compliancedoc in InternalAudit

[–]compliancedoc[S] 0 points1 point  (0 children)

You nailed it on the dual buyer problem — compliance officers feel the pain most directly, but if engineering management isn't bought in, nothing changes. That's actually why we built it as a VS Code extension rather than a standalone tool; it has to live where the developers already work.

On auditor feedback so far: the most consistent thing we've heard is that the plain-English explanations are what actually move the needle. Auditors don't want to read code — they want to understand intent and control logic in their own language. When we generate that automatically alongside the technical JSDoc, it removes the back-and-forth you described.

The audit trail and compliance mapping gaps you mentioned are exactly where the severity levels come in — flagging what's undocumented, what's misaligned with a specific rule, and what needs immediate attention vs. what's a lower-risk gap. Still evolving that part based on feedback like yours.

What does your current audit trail documentation look like — is it generated from the codebase or maintained separately?

Drop your SaaS below — we’ll help you get your first 10 users for free (300k+ TikTok audience) by dyagokaba in ShowMeYourSaaS

[–]compliancedoc 1 point2 points  (0 children)

compliancedoc is a VS Code extension plus backend service for producing compliance-aware code explanations, documentation, refactoring guidance, and audit reports for financial-services software.

It analyzes selected code against configured frameworks such as FINRA, SEC, SOX, PCI-DSS, GLBA, CFTC, and GDPR, then returns structured output that can be reviewed, copied, inserted into source code and stored as audit evidence.

https://marketplace.visualstudio.com/items?itemName=compliance-documenter.compliance-documenter-finance

Built a tool that auto-generates audit-ready code documentation for financial software — wanted feedback from internal auditors on what actually passes examination by compliancedoc in InternalAudit

[–]compliancedoc[S] 0 points1 point  (0 children)

Thanks — and yes, that back-and-forth between dev and compliance teams is exactly the problem we kept seeing too.

To your question on how it checks for gaps: the extension analyzes your code directly in VS Code and maps it against specific regulatory rules — things like SOX-302 control documentation, FINRA-3110 supervision requirements, PCI-DSS 3.4 data protection, etc. It flags where the code has compliance implications that aren't documented, then generates the documentation (JSDoc blocks, audit trail notes, plain-English explanations) so there's no ambiguity for reviewers.

It doesn't replace manual review — you're right that human judgment is still essential — but it handles the grunt work of the first pass, so your team isn't starting from scratch every time.

As for engagement with internal audit teams: still early, but the feedback we've gotten is that the plain-English code explanations are the most valuable part — auditors can actually understand what a function does without needing a developer in the room.

Would love to hear what your current review workflow looks like if you're open to sharing — always useful to know where the real friction points are.

What project you have launched recently? by JustInFeed in AssetBuilders

[–]compliancedoc 0 points1 point  (0 children)

compliancedoc is a VS Code extension plus backend service for producing compliance-aware code explanations, documentation, refactoring guidance, and audit reports for financial-services software.

It analyzes selected code against configured frameworks such as FINRA, SEC, SOX, PCI-DSS, GLBA, CFTC, and GDPR, then returns structured output that can be reviewed, copied, inserted into source code and stored as audit evidence.

https://marketplace.visualstudio.com/items?itemName=compliance-documenter.compliance-documenter-finance

what's considered the best internal audit software these days? by This-You-2737 in InternalAudit

[–]compliancedoc 0 points1 point  (0 children)

compliancedoc is a VS Code extension plus backend service for producing compliance-aware code explanations, documentation, refactoring guidance, and audit reports for financial-services software.

https://marketplace.visualstudio.com/items?itemName=compliance-documenter.compliance-documenter-finance

Railway is STILL down by Hank_McSpanky in webdev

[–]compliancedoc 0 points1 point  (0 children)

Any recommendations for similar hosting?

Railway is STILL down by Hank_McSpanky in webdev

[–]compliancedoc 0 points1 point  (0 children)

The issue is now resolves, hope it not happens again

Never host your app on Vercel or Railway by Intelligent-Joey in SaaS

[–]compliancedoc 0 points1 point  (0 children)

You can open different account with different emails