datasynth-core 2.4.0

Core domain models, traits, and distributions for synthetic enterprise data generation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371

//! Combined Risk Assessment (CRA) models per ISA 315.
//!
//! The CRA is the cornerstone of a risk-based audit.  For each account area and
//! financial statement assertion the auditor combines inherent risk (IR) and
//! control risk (CR) into a single CRA level that drives the nature, extent,
//! and timing of planned audit procedures.
//!
//! References:
//! - ISA 315 (Revised 2019) — Identifying and Assessing Risks of Material Misstatement
//! - ISA 315.28 — Significant risks require special audit consideration
//! - ISA 240 — Revenue occurrence is always presumed a significant fraud risk

use serde::{Deserialize, Serialize};

// ---------------------------------------------------------------------------
// Core enums
// ---------------------------------------------------------------------------

/// Financial statement assertion being assessed (ISA 315.A129).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuditAssertion {
    // ---- Transaction-level assertions (ISA 315.A129a) ----
    /// Recorded transactions and events have occurred and pertain to the entity.
    Occurrence,
    /// All transactions and events that should have been recorded have been.
    Completeness,
    /// Amounts and other data have been recorded appropriately.
    Accuracy,
    /// Transactions have been recorded in the correct accounting period.
    Cutoff,
    /// Transactions have been recorded in the proper accounts.
    Classification,
    // ---- Account-balance assertions (ISA 315.A129b) ----
    /// Assets, liabilities and equity interests exist at the period end.
    Existence,
    /// The entity holds or controls the rights to assets; liabilities are obligations.
    RightsAndObligations,
    /// All assets, liabilities and equity interests that should have been recorded are.
    CompletenessBalance,
    /// Assets, liabilities and equity interests are included at appropriate amounts.
    ValuationAndAllocation,
    // ---- Presentation assertions (ISA 315.A129c) ----
    /// All disclosures are appropriately described, disclosed and presented.
    PresentationAndDisclosure,
}

impl std::fmt::Display for AuditAssertion {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let s = match self {
            Self::Occurrence => "Occurrence",
            Self::Completeness => "Completeness",
            Self::Accuracy => "Accuracy",
            Self::Cutoff => "Cutoff",
            Self::Classification => "Classification",
            Self::Existence => "Existence",
            Self::RightsAndObligations => "Rights & Obligations",
            Self::CompletenessBalance => "Completeness (Balance)",
            Self::ValuationAndAllocation => "Valuation & Allocation",
            Self::PresentationAndDisclosure => "Presentation & Disclosure",
        };
        write!(f, "{s}")
    }
}

/// Individual risk rating — used separately for inherent risk and control risk.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum RiskRating {
    /// Well below the acceptable threshold.
    Low,
    /// Moderate — some risk present but not pervasive.
    Medium,
    /// Elevated — significant susceptibility to misstatement.
    High,
}

impl std::fmt::Display for RiskRating {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let s = match self {
            Self::Low => "Low",
            Self::Medium => "Medium",
            Self::High => "High",
        };
        write!(f, "{s}")
    }
}

/// Combined Risk Assessment level — derived from the IR × CR matrix.
///
/// | IR \ CR  | Low      | Medium   | High  |
/// |----------|----------|----------|-------|
/// | Low      | Minimal  | Low      | Moderate |
/// | Medium   | Low      | Moderate | High  |
/// | High     | Moderate | High     | High  |
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum CraLevel {
    /// Low IR + Low CR.
    Minimal,
    /// Low IR + Medium CR, or Medium IR + Low CR.
    Low,
    /// Medium IR + Medium CR, or High IR + Low CR.
    Moderate,
    /// High IR + Medium CR, or High IR + High CR, or Medium IR + High CR.
    High,
}

impl CraLevel {
    /// Compute the CRA level from individual IR and CR ratings.
    ///
    /// | IR \ CR  | Low     | Medium   | High     |
    /// |----------|---------|----------|----------|
    /// | Low      | Minimal | Low      | Moderate |
    /// | Medium   | Low     | Moderate | High     |
    /// | High     | Moderate| High     | High     |
    pub fn from_ratings(ir: RiskRating, cr: RiskRating) -> Self {
        match (ir, cr) {
            (RiskRating::Low, RiskRating::Low) => Self::Minimal,
            (RiskRating::Low, RiskRating::Medium) | (RiskRating::Medium, RiskRating::Low) => {
                Self::Low
            }
            (RiskRating::Medium, RiskRating::Medium)
            | (RiskRating::High, RiskRating::Low)
            | (RiskRating::Low, RiskRating::High) => Self::Moderate,
            _ => Self::High,
        }
    }
}

impl std::fmt::Display for CraLevel {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let s = match self {
            Self::Minimal => "Minimal",
            Self::Low => "Low",
            Self::Moderate => "Moderate",
            Self::High => "High",
        };
        write!(f, "{s}")
    }
}

// ---------------------------------------------------------------------------
// Planned response
// ---------------------------------------------------------------------------

/// Nature of planned audit procedures in response to the CRA.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ProcedureNature {
    /// Substantive procedures only — no reliance on controls.
    SubstantiveOnly,
    /// Combined approach — tests of controls plus reduced substantive procedures.
    Combined,
    /// Controls reliance — extensive controls testing with minimal substantive.
    ControlsReliance,
}

/// Planned extent of substantive testing (maps to relative sample sizes).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum SamplingExtent {
    /// Below-standard sample sizes applicable to low-risk areas.
    Reduced,
    /// Standard sample sizes.
    Standard,
    /// Above-standard sample sizes for high-risk or significant-risk areas.
    Extended,
}

/// Timing of planned procedures relative to the period end.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ProcedureTiming {
    /// Procedures performed at an interim date only.
    Interim,
    /// Procedures performed at or after the period end only.
    YearEnd,
    /// Procedures at both interim and year-end (roll-forward required).
    Both,
}

/// Planned response design driven by the CRA level.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CraPlannedResponse {
    /// Nature: substantive only, combined, or controls reliance.
    pub nature: ProcedureNature,
    /// Extent: reduced, standard, or extended.
    pub extent: SamplingExtent,
    /// Timing: interim, year-end, or both.
    pub timing: ProcedureTiming,
}

impl CraPlannedResponse {
    /// Derive a planned response from the CRA level per ISA 330 guidance.
    ///
    /// | CRA level | Nature           | Extent   | Timing   |
    /// |-----------|------------------|----------|----------|
    /// | Minimal   | SubstantiveOnly  | Reduced  | YearEnd  |
    /// | Low       | SubstantiveOnly  | Reduced  | YearEnd  |
    /// | Moderate  | Combined         | Standard | YearEnd  |
    /// | High      | SubstantiveOnly  | Extended | Both     |
    pub fn from_cra_level(level: CraLevel) -> Self {
        match level {
            CraLevel::Minimal | CraLevel::Low => Self {
                nature: ProcedureNature::SubstantiveOnly,
                extent: SamplingExtent::Reduced,
                timing: ProcedureTiming::YearEnd,
            },
            CraLevel::Moderate => Self {
                nature: ProcedureNature::Combined,
                extent: SamplingExtent::Standard,
                timing: ProcedureTiming::YearEnd,
            },
            CraLevel::High => Self {
                nature: ProcedureNature::SubstantiveOnly,
                extent: SamplingExtent::Extended,
                timing: ProcedureTiming::Both,
            },
        }
    }
}

// ---------------------------------------------------------------------------
// Main struct
// ---------------------------------------------------------------------------

/// Combined Risk Assessment for a single account area / assertion pair.
///
/// One `CombinedRiskAssessment` is generated for each (account area, assertion)
/// combination that the auditor scopes into the engagement.  The CRA drives the
/// design of audit procedures (ISA 330) and the allocation of materiality.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CombinedRiskAssessment {
    /// Unique identifier (deterministic slug).
    pub id: String,
    /// Entity / company code the assessment belongs to.
    pub entity_code: String,
    /// Audit scope this assessment belongs to (FK → AuditScope.id).
    #[serde(default)]
    pub scope_id: Option<String>,
    /// Account area (e.g. "Revenue", "Trade Receivables", "Inventory").
    pub account_area: String,
    /// The specific assertion being assessed.
    pub assertion: AuditAssertion,
    /// Inherent risk rating.
    pub inherent_risk: RiskRating,
    /// Control risk rating (effectiveness of related internal controls).
    pub control_risk: RiskRating,
    /// Combined risk level derived from the IR × CR matrix.
    pub combined_risk: CraLevel,
    /// Whether this is a significant risk per ISA 315.28 requiring special consideration.
    pub significant_risk: bool,
    /// Descriptive risk factors supporting the assessment.
    pub risk_factors: Vec<String>,
    /// Planned audit response designed for this CRA.
    pub planned_response: CraPlannedResponse,
}

impl CombinedRiskAssessment {
    /// Build a `CombinedRiskAssessment` and derive the CRA level and response.
    pub fn new(
        entity_code: &str,
        account_area: &str,
        assertion: AuditAssertion,
        inherent_risk: RiskRating,
        control_risk: RiskRating,
        significant_risk: bool,
        risk_factors: Vec<String>,
    ) -> Self {
        let combined_risk = CraLevel::from_ratings(inherent_risk, control_risk);
        let planned_response = CraPlannedResponse::from_cra_level(combined_risk);
        let id = format!(
            "CRA-{}-{}-{}",
            entity_code,
            account_area.replace(' ', "_").to_uppercase(),
            format!("{assertion:?}").to_uppercase(),
        );

        Self {
            id,
            entity_code: entity_code.to_string(),
            scope_id: None,
            account_area: account_area.to_string(),
            assertion,
            inherent_risk,
            control_risk,
            combined_risk,
            significant_risk,
            risk_factors,
            planned_response,
        }
    }
}

// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;

    #[test]
    fn cra_matrix_low_low_is_minimal() {
        let level = CraLevel::from_ratings(RiskRating::Low, RiskRating::Low);
        assert_eq!(level, CraLevel::Minimal);
    }

    #[test]
    fn cra_matrix_high_high_is_high() {
        let level = CraLevel::from_ratings(RiskRating::High, RiskRating::High);
        assert_eq!(level, CraLevel::High);
    }

    #[test]
    fn cra_matrix_medium_medium_is_moderate() {
        let level = CraLevel::from_ratings(RiskRating::Medium, RiskRating::Medium);
        assert_eq!(level, CraLevel::Moderate);
    }

    #[test]
    fn cra_matrix_high_low_is_moderate() {
        let level = CraLevel::from_ratings(RiskRating::High, RiskRating::Low);
        assert_eq!(level, CraLevel::Moderate);
    }

    #[test]
    fn cra_matrix_low_high_is_moderate() {
        // Low IR caps the combined level even when controls provide no assurance.
        let level = CraLevel::from_ratings(RiskRating::Low, RiskRating::High);
        assert_eq!(level, CraLevel::Moderate);
    }

    #[test]
    fn cra_matrix_medium_high_is_high() {
        let level = CraLevel::from_ratings(RiskRating::Medium, RiskRating::High);
        assert_eq!(level, CraLevel::High);
    }

    #[test]
    fn planned_response_high_cra_is_extended_both() {
        let resp = CraPlannedResponse::from_cra_level(CraLevel::High);
        assert_eq!(resp.extent, SamplingExtent::Extended);
        assert_eq!(resp.timing, ProcedureTiming::Both);
        assert_eq!(resp.nature, ProcedureNature::SubstantiveOnly);
    }

    #[test]
    fn planned_response_moderate_cra_is_combined_standard() {
        let resp = CraPlannedResponse::from_cra_level(CraLevel::Moderate);
        assert_eq!(resp.nature, ProcedureNature::Combined);
        assert_eq!(resp.extent, SamplingExtent::Standard);
    }

    #[test]
    fn cra_new_derives_combined_risk() {
        let cra = CombinedRiskAssessment::new(
            "C001",
            "Revenue",
            AuditAssertion::Occurrence,
            RiskRating::High,
            RiskRating::Medium,
            true,
            vec!["Presumed fraud risk per ISA 240".into()],
        );
        assert_eq!(cra.combined_risk, CraLevel::High);
        assert!(cra.significant_risk);
    }
}