Tensor AnalyticsTM
AI in operationsCourse moduleIntermediate

Module 8: Audit, compliance, and the board pack

Kislay S·8 Jul 2026·13 min

Self-assessment answers from Module 7

One. The five categories are: forecast generation (running models and presenting the baseline), exception triage (scanning for anomalies and ranking by severity), supply netting (running the deterministic computation and surfacing gaps), scenario generation (proposing what-if scenarios based on detected patterns), and board pack generation (assembling cycle performance reports).

Two. The principle means the AI can read data, run computations, and propose actions, but cannot execute write actions without human approval. It exists for three reasons: accountability (a human must be able to explain what happened), judgment (the AI lacks business context that the human has), and regulatory compliance (EU AI Act, DPDP Act, and CCPA/CPRA all require human oversight of automated decisions).

Three. The four properties are: the AI proposes never executes (every write action requires human approval), the proposal includes a rationale (enough information for the human to form an independent judgment), the human can reject with a reason (captured in the audit trail), and the human can modify (the modified action is what gets executed, with the modification captured).

Four. The three tests are: median time between proposal and human action (under 10 seconds means no review), modification rate (under 1% means no judgment exercised, genuine is 5-15%), and rejection rate (under 0.1% means rubber-stamping, genuine is 1-5%).

Five. A genuine audit trail entry contains: the AI proposed X at time T1 with rationale R. The human (actor A) reviewed at time T2, modified to X-prime with reason M (or approved or rejected). The system executed the action at time T3. The trail shows the full chain from proposal to execution with actor, timestamp, and rationale at each step.

If you got all five, continue.

What this module covers

This is the final module of the Planning Foundations course. It covers how to close the planning cycle with a defensible record. The module has three parts: the audit trail (what to log, how to store it, how long to keep it), regulatory compliance (what DPDP, CCPA, and the EU AI Act require), and the board pack (the artifact that communicates the cycle's results to leadership).

The audit trail

The audit trail is the record of every decision made in the planning cycle. It is not a log file. It is a structured, queryable record that answers the question "who decided what, when, and why?" for any planning decision.

Every create, update, delete, and approve action in the planning system should produce an audit trail entry. The entry contains: the action type (create, update, delete, approve, reject, modify), the resource affected (SKU, location, period, plan version), the actor (human user or AI agent), the timestamp, the previous value (for updates), the new value, and the reason (for overrides, rejections, and modifications).

The audit trail must be append-only. No entry can be edited or deleted. This is a system property, not a policy. The database must enforce immutability, either through database constraints or through a write-once storage layer. If the audit trail can be edited, it is not an audit trail. It is a log that someone can tamper with.

The audit trail must be queryable. You must be able to query by actor (what did this planner do last month), by resource (what happened to SKU-4471), by time period (all decisions in the July cycle), and by action type (all overrides). Without queryability, the audit trail is useless for investigation because you cannot find the relevant entries.

What to log

At minimum, log the following events:

Forecast changes. Every override to the statistical baseline, with the baseline value, the override value, the actor, and the reason.

Approval decisions. Every S&OP gate approval or rejection, with the gate, the approver, the timestamp, and meeting notes if applicable.

Plan publications. Every cycle lock, with the plan version, the approver, and the timestamp.

Supply actions. Every planned order creation, modification, or cancellation, with the actor and reason.

AI proposals. Every AI-proposed action, with the rationale, the human response (approved, modified, rejected), and the modification if applicable.

Configuration changes. Every change to safety stock parameters, reorder points, exception thresholds, or model settings, with the actor and the reason.

Retention

Retain audit trail data for 36 months at minimum. This covers the DPDP Act's purpose-limitation principle (with a reasonable ceiling), CCPA's 24-month consumer request retention requirement, and the EU AI Act's "appropriate period" for high-risk system logs. Beyond 36 months, delete unless a specific legal hold applies.

Separation from the operational system

The audit trail should not be in the same database as the planning system. If the planning system is compromised or corrupted, the audit trail must survive. At minimum, the audit trail should be in a separate database with separate access controls. Ideally, the audit trail should be in a write-once-read-many storage layer that cannot be modified even by database administrators.

Regulatory compliance

Three regulatory frameworks require audit trails for AI-influenced operational decisions. The requirements overlap but are not identical.

DPDP Act (India)

The Digital Personal Data Protection Act, 2023 requires Data Fiduciaries to maintain records of processing activities. For AI systems that process personal data, this means a record of what data was input, what the system produced, and what action was taken. The DPDP Rules, notified in 2025, require a grievance redressal mechanism where a Data Principal can ask what the AI system did with their data, and you must be able to answer.

The DPDP compliance deadline is phased through 2026 and 2027 depending on the classification of the Data Fiduciary. The audit trail must be in place before the deadline applies to your organization.

CCPA/CPRA (California)

The CCPA, as amended by the CPRA, gives California residents the right to know about automated decision-making. The implementing regulations require businesses to disclose, upon request, the categories of personal information used, the system's output, and the rationale. This is not possible without an audit trail.

CCPA also requires risk assessments for automated decision-making technology that presents significant risk. The risk assessment must document the system's logic, the data used, the outputs, and the human oversight measures. The audit trail is the operational evidence that the documented oversight is actually occurring.

EU AI Act

The EU AI Act, in force from August 2024 with phased application through 2026 and 2027, classifies AI systems by risk level. Operational AI in manufacturing that affects resource allocation is likely to be classified as high-risk under Annex III. High-risk systems are subject to Article 12, which requires automatic logging of events during operation.

Article 12 specifically requires logs that ensure traceability appropriate to the intended purpose. The logs must allow monitoring of the system's operation and must be kept for a period appropriate to the system's purpose. For operational planning AI, this means logging every forecast, every exception, every override, and every approval.

The single design that satisfies all three

A single audit trail design satisfies all three frameworks. Log every AI-influenced decision with input, output, human action, actor, and timestamp. Make it append-only. Make it queryable. Retain for 36 months. Separate it from the operational database. This design is covered in detail in the dedicated article on audit trails for AI.

The board pack

The board pack is the artifact that communicates the planning cycle's results to leadership. It is the output of the cycle, not a byproduct. A well-constructed board pack enables leadership to understand the plan, the risks, and the tradeoffs in 15 minutes. A poorly constructed board pack buries the signal in data and wastes the executive review.

The board pack should contain six sections.

Cycle summary. One page. What cycle is this (monthly S&OP, quarterly IBP), what period does it cover, what is the status (draft, in review, approved, locked), who approved it and when.

Forecast accuracy. One page. MAPE and WMAPE for the most recent cycle, compared to the previous 3 cycles and to the naive baseline. Bias. FVA. A chart showing the accuracy trend. The key question this answers: is our forecast getting better, worse, or staying the same?

Demand plan highlights. One page. Top 5 demand changes from the previous cycle (biggest increases and decreases), with reasons. New product launches in the horizon. Promotional assumptions. The key question: what is different from last month, and why?

Supply position. One page. Total supply gap (if any), number of SKUs with gaps, top 5 critical gaps by impact. Inventory projection versus target. Working capital projection. The key question: where are we exposed, and what are we doing about it?

Exception summary. One page. Number of open exceptions by severity. Top 5 exceptions by impact. Aging of exceptions (how long have they been open). The key question: what needs attention that has not been resolved yet?

Risk and scenario summary. One page. Top 3 risks to the plan (demand, supply, external). Active scenarios and their impact. The key question: what could go wrong, and how prepared are we?

The board pack should be auto-generated from the planning system's data, not manually assembled in PowerPoint. Manual assembly introduces errors, takes time, and produces a document that is out of date the moment a number changes. Auto-generation means the board pack is always current, always consistent with the system, and always reproducible.

Closing the course

This is the final module of the Planning Foundations for Manufacturing course. Over eight modules, we covered:

  1. Foundations of demand planning (vocabulary, stakeholders, what good looks like)
  2. Statistical forecasting models (ETS, ARIMA, decomposition)
  3. Forecast accuracy metrics (MAPE, WMAPE, bias, FVA)
  4. The S&OP cycle and sequential gates (demand review, supply review, exec S&OP, cycle lock)
  5. Supply netting and inventory policy (netting, safety stock, reorder points, gap analysis)
  6. Scenario planning and what-ifs (overlays, comparison, promotion)
  7. AI agents and human-in-loop (agent proposes, planner disposes, the rubber-stamp test)
  8. Audit, compliance, and the board pack (append-only trails, DPDP/CCPA/EU AI Act, the six-section board pack)

The course is designed to be taken in order, but each module is self-contained enough to reference independently. If you completed all eight modules and answered the self-assessment questions, you have the foundation to evaluate any planning tool, run an S&OP cycle, or diagnose a planning failure.

The next step is practice. Pick one thing from this course that your organization does not do well today. Implement it. Measure the result. Then pick the next thing. Planning is a craft, and crafts improve through deliberate practice, not through reading more modules.

Final self-assessment

One. What are the six events that must be logged in the audit trail at minimum?

Two. Why must the audit trail be append-only and separated from the operational database?

Three. What is the 36-month retention rationale, and which three regulatory frameworks does it satisfy?

Four. What are the six sections of a well-constructed board pack, and what question does each answer?

Five. Why should the board pack be auto-generated rather than manually assembled?

Answers: there are no more modules to put answers in. If you can answer all five without looking back, you have completed the course.

Course completion

If you have read all eight modules and can answer the self-assessment questions, you have completed Planning Foundations for Manufacturing. The course is free, open, and indexed by search. Share it with colleagues who plan, forecast, or manage supply chain operations. The more practitioners who understand these foundations, the better the industry gets.

Learning trackFoundationsAudit trailComplianceBoard packCourse
Written by Kislay S