Compliance & FCA Evidence
SGD turns governance data into audit-ready evidence. Instead of spending weeks assembling compliance packs from scattered tools, you configure scheduled reports that generate themselves — complete with traceability chains, approval records, and trend analysis.
Scheduled reports
SGD ships with four report types, each designed for a specific compliance need:
| Report | Frequency | Contents | Audience |
|---|---|---|---|
| Quarterly Governance | Every 90 days | All changes across governed repos, governance check results, full traceability chains, coherence score trends, remediation actions taken | CTO, Head of Engineering, Compliance Officer |
| Monthly Coherence | Every 30 days | Coherence score trends per capability, spec coverage changes, governance check pass/fail rates, coverage gaps identified | Engineering Leads, Architects |
| Annual AI Governance | Every 12 months | AI tools used across the organisation, provenance metadata, AI-authored code quality metrics, policy compliance per tool | CTO, Risk Committee, AI Governance Board |
| Ad Hoc Audit | On demand | Focused on a specific capability, time range, repository, or change type. Configurable filters for targeted investigation | Auditors, Compliance Officers, Regulators |
Report contents in detail
Quarterly Governance Report includes:
- Total PRs merged, segmented by governance check result (pass / warn / fail)
- Full traceability chains for every merged PR (spec → PR → check → deploy)
- Coherence score trends with dimension breakdowns
- List of governance check failures and their resolution status
- Remediation actions taken (automated PRs, manual fixes)
- Exception log — PRs that were merged despite governance warnings, with justification
Monthly Coherence Report includes:
- Coherence score movement per capability (improving / stable / worsening)
- Spec coverage delta — which capabilities gained or lost spec coverage
- Top 5 governance check failure reasons (helps teams focus improvement effort)
- Repositories with the largest coherence score changes (positive and negative)
Annual AI Governance Report includes:
- AI tools detected across the organisation (Claude Code, Copilot, Cursor, etc.)
- Code volume attributed to each tool (PRs, lines changed, files modified)
- Quality comparison per tool: rework rate, test coverage, first-time approval rate
- Policy compliance — which repos/capabilities restrict AI tool usage and whether restrictions were honoured
- Provenance chain completeness for AI-authored changes
Ad Hoc Audit Report is fully configurable:
- Filter by: capability, repository, time range, author, AI tool, governance check result
- Includes full traceability chains for matching changes
- Exportable as PDF (formatted evidence pack) or CSV (raw data for external analysis)
Time saved
Assembling a quarterly governance report manually — pulling data from GitHub, Jira, CI/CD logs, and incident trackers — typically takes 40+ person-hours per quarter. SGD generates the same report on a configurable schedule. Set it once, receive it automatically.
FCA Consumer Duty compliance
For organisations regulated by the FCA, SGD provides evidence for key Consumer Duty requirements. The platform does not replace your compliance framework — it provides the raw evidence that your framework needs.
Change governance
Every change to a governed repository passes through the SGD governance pipeline:
| Requirement | How SGD provides evidence |
|---|---|
| Changes are intentional | Feature specs document the business intent before code is written. PRs reference specs. |
| Changes are reviewed | Governance checks verify spec traceability, design system compliance, and coherence. Results recorded. |
| Changes are approved | PR merge requires passing governance checks, or a recorded governance override with a written justification. Approval chain and any override recorded in the audit trail. |
| Changes are traceable | Full chain from business intent (Jira) to production deployment, with every link timestamped. |
Approval chains
SGD records the complete approval chain for every change:
- Spec approval — Who approved the feature spec, when, and which version
- PR approval — GitHub reviewers, governance check results, merge actor
- Deployment approval — Pipeline execution, environment, deployment timestamp
Each approval is stored with the actor, timestamp, and the state of the artefact at the time of approval. This is not reconstructed — it is recorded as it happens.
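A practitioner receiving these reports will want to check the chains rather than take the "full traceability" claim on trust: for every merged PR, is each link (approved spec, PR-to-spec link, governance check, merge, deployment) actually present, and was any merge after a warn or fail backed by a recorded override? The following is an added, illustrative check written for this page; it is not SGD code, and the event shape (`type`, `pr`, `spec`, `result`, `ts` fields) and the sample events are assumptions constructed to mirror the event types the page lists.

```python
from collections import defaultdict
from typing import Optional

# Constructed audit events for two PRs (illustrative, not records exported from SGD).
# PR 118 has a complete chain. PR 119 was merged after a failed check with no
# override, was never linked to a spec, and never reached production.
EVENTS = [
    {"type": "spec.approved", "spec": "SPEC-42", "actor": "alice", "ts": "2024-03-01T10:00:00Z"},
    {"type": "pr.linked", "pr": 118, "spec": "SPEC-42", "actor": "bob", "ts": "2024-03-02T09:12:00Z"},
    {"type": "check.executed", "pr": 118, "result": "pass", "actor": "sgd", "ts": "2024-03-02T09:13:00Z"},
    {"type": "pr.merged", "pr": 118, "actor": "carol", "ts": "2024-03-02T11:41:00Z"},
    {"type": "deploy.recorded", "pr": 118, "env": "production", "actor": "ci", "ts": "2024-03-02T14:05:00Z"},
    {"type": "check.executed", "pr": 119, "result": "fail", "actor": "sgd", "ts": "2024-03-03T08:00:00Z"},
    {"type": "pr.merged", "pr": 119, "actor": "dave", "ts": "2024-03-03T08:30:00Z"},
]

# The links that make up the chain spec -> PR -> check -> merge -> deploy (assumed names).
REQUIRED_LINKS = ("spec.approved", "pr.linked", "check.executed", "pr.merged", "deploy.recorded")


def audit_chains(events: list, since: Optional[str] = None, until: Optional[str] = None) -> dict:
    """Group events per PR and report missing links and unjustified merges.

    `since`/`until` are ISO-8601 strings and act like the ad hoc report's
    time-range filter (string comparison is safe for same-format UTC stamps).
    """
    in_range = [
        e for e in events
        if (since is None or e["ts"] >= since) and (until is None or e["ts"] <= until)
    ]
    approved_specs = {e["spec"] for e in in_range if e["type"] == "spec.approved"}

    by_pr = defaultdict(list)
    for e in in_range:
        if "pr" in e:
            by_pr[e["pr"]].append(e)

    report = {}
    for pr, evs in sorted(by_pr.items()):
        evs.sort(key=lambda e: e["ts"])
        types = {e["type"] for e in evs}

        # The spec link is satisfied only if the linked spec has an approval event.
        spec = next((e["spec"] for e in evs if e["type"] == "pr.linked"), None)
        if spec in approved_specs:
            types.add("spec.approved")

        missing = [link for link in REQUIRED_LINKS if link not in types]

        findings = []
        last_check = next((e["result"] for e in reversed(evs) if e["type"] == "check.executed"), None)
        if "pr.merged" in types and last_check in ("warn", "fail") and "pr.override" not in types:
            findings.append(f"merged after '{last_check}' check with no recorded override")

        report[pr] = {
            "spec": spec,
            "missing": missing,
            "findings": findings,
            "complete": not missing and not findings,
        }
    return report


if __name__ == "__main__":
    for pr, result in audit_chains(EVENTS).items():
        status = "OK" if result["complete"] else "GAP"
        print(f"PR {pr}: {status} spec={result['spec']} missing={result['missing']} findings={result['findings']}")
```

Run against a real export, the `missing` list for each PR is the gap the auditor will ask about; a non-empty `findings` entry on a merged PR is exactly the exception the quarterly report's exception log should already contain, so the two should agree.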
Audit trail
The SGD audit trail captures every significant event:
- Spec created, updated, approved, deprecated
- Governance check executed (with full rule-by-rule results)
- PR linked to spec, PR merged, PR governance override (with justification)
- Deployment recorded, deployment rolled back
- Coherence score changes, remediation actions triggered
- AI tool usage detected, AI policy evaluated
The audit trail is append-only and tamper-evident. Events cannot be edited or deleted through the application. Note that this guarantee is an application-layer one: tamper-evidence means alteration is detectable, not prevented, so direct access to the underlying storage should still be restricted and monitored separately.
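To make "tamper-evident" concrete, here is an added example of the standard technique for it, a hash chain over the event stream, written for this page rather than taken from SGD (the page does not say how SGD implements the property, so this is not a description of its mechanism). Every entry's hash commits to its sequence number, the previous entry's hash and the event body, so editing, reordering or removing any entry in the middle breaks the chain. Removing entries from the end does not, which is why the latest hash must be held outside the log (for example published in each evidence pack) and compared on verification. Event fields and the sample events are constructed assumptions.

```python
import copy
import hashlib
import json
from typing import Optional, Tuple

# Constructed sample events modelled on the event types listed above (not SGD data).
SAMPLE_EVENTS = [
    {"type": "spec.approved", "spec": "SPEC-42", "version": 3, "actor": "alice", "ts": "2024-03-01T10:00:00Z"},
    {"type": "pr.linked", "pr": 118, "spec": "SPEC-42", "actor": "bob", "ts": "2024-03-02T09:12:00Z"},
    {"type": "check.executed", "pr": 118, "result": "warn", "actor": "sgd", "ts": "2024-03-02T09:13:00Z"},
    {"type": "pr.override", "pr": 118, "justification": "copy change only", "actor": "carol", "ts": "2024-03-02T11:40:00Z"},
    {"type": "pr.merged", "pr": 118, "actor": "carol", "ts": "2024-03-02T11:41:00Z"},
    {"type": "deploy.recorded", "pr": 118, "env": "production", "actor": "ci", "ts": "2024-03-02T14:05:00Z"},
]

GENESIS = "0" * 64  # prev-hash of the first entry


def canonical(obj: dict) -> bytes:
    # Deterministic JSON so the same event always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, prev: str, event: dict) -> str:
    # Commits to position (seq), history (prev) and content (event).
    return hashlib.sha256(prev.encode() + canonical({"seq": seq, "event": event})).hexdigest()


def append(log: list, event: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "event": event, "hash": entry_hash(seq, prev, event)}
    log.append(entry)
    return entry


def verify(log: list, head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Detects any edited, reordered or mid-chain deleted entry. Truncation at the
    end is only detectable when `head`, an externally held copy of the latest
    hash, is supplied; then the index returned is the length of the short log.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != entry_hash(i, prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    if head is not None and prev != head:
        return False, len(log)
    return True, None


def build_log(events=SAMPLE_EVENTS) -> list:
    log = []
    for ev in events:
        append(log, ev)
    return log


def edited_copy(log: list) -> list:
    # Simulate someone with storage access rewording an override justification.
    bad = copy.deepcopy(log)
    bad[3]["event"]["justification"] = "approved by risk committee"
    return bad


def truncated_copy(log: list) -> list:
    # Simulate dropping the most recent event (the deployment record).
    return copy.deepcopy(log[:-1])


if __name__ == "__main__":
    log = build_log()
    head = log[-1]["hash"]  # the value to publish with each evidence pack
    print("intact:              ", verify(log, head))
    print("edited entry:        ", verify(edited_copy(log), head))
    print("truncated, no head:  ", verify(truncated_copy(log)))
    print("truncated, with head:", verify(truncated_copy(log), head))
```

The third call shows the limit of a bare hash chain: a log with its last event removed still verifies unless the verifier also knows what the head hash should be. A signed, externally stored checkpoint (or the head hash printed in every scheduled report) closes that gap; without it, "append-only" protects against edits but not against silent truncation.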
Evidence packs
When an auditor needs evidence for a specific change, capability, or time period, SGD generates an evidence pack — a self-contained PDF that includes:
- The traceability chain for every change in scope
- Governance check results with individual rule outcomes
- Approval records with actor and timestamp
- Coherence score context (before and after the change)
- AI provenance data (if the change involved AI tooling)
Evidence packs can be generated on demand or included in scheduled reports.
Report configuration
Reports are configured in the SGD dashboard under Settings > Compliance Reports.
| Setting | Options | Default |
|---|---|---|
| Schedule | Weekly, Monthly, Quarterly, Annually, Custom cron | Per report type |
| Recipients | Email addresses, Slack channels, webhook URLs | Organisation admins |
| Format | PDF, CSV, or both | |
| Scope | All capabilities, specific capabilities, specific repos | All capabilities |
| Retention | 1 year, 3 years, 7 years, indefinite | 3 years |
Reports are versioned. If you regenerate a report for the same period, the original is preserved alongside the new version.