Audit Stopping Criteria: Mathematical Foundations for Knowing When Enough Is Enough

Abstract

Every audit procedure confronts the same irreducible question: when is the accumulated evidence sufficient to terminate the examination? The answer is not a matter of professional judgment alone -- it is a mathematical problem with precise formulations, provable optimality conditions, and measurable error rates. Yet the audit profession has historically relied on heuristic sample size tables and qualitative materiality assessments, leaving the stopping decision to practitioner intuition calibrated by experience.

This paper reframes audit termination as a constrained optimization problem. We define the False Allow Rate (FAR) as the probability that a defective population passes audit -- the governance-critical error mode where the audit declares conformance when nonconformance exists. We then derive stopping rules from three mathematical foundations: MAX constraints (hard upper bounds on allowable defect counts), Sequential Probability Ratio Tests (SPRT) (likelihood-ratio-based sequential decision procedures), and Bayesian posterior thresholds (belief-state termination conditions). Each framework yields different tradeoffs between sample efficiency, error control, and computational tractability.

We extend these univariate stopping rules to the multi-dimensional case where audits must simultaneously evaluate multiple risk factors (financial accuracy, process compliance, control effectiveness) and derive the joint stopping surface that controls the family-wise FAR. We solve the optimal sample size under budget constraints via Lagrangian relaxation and show that the dual variable has a natural interpretation as the marginal value of audit effort.

The practical contribution of this work is the integration of these stopping criteria with the MARIA OS Gate Engine. In the MARIA OS architecture, every audit decision is a gate evaluation: the system must determine whether accumulated evidence is sufficient to pass the audit gate (allow the audited entity to proceed) or whether additional evidence is required (continue sampling). The Fail-Closed axiom of MARIA OS dictates that when the stopping criterion is ambiguous -- when the evidence is insufficient to declare either conformance or nonconformance with high confidence -- the gate remains closed. The audit continues. This paper provides the mathematical machinery that makes that axiom computationally precise.

Experimental results across simulated SOX compliance audits demonstrate that SPRT-based stopping achieves a FAR below 0.3% while reducing required sample sizes by 38% compared to fixed-sample plans. Bayesian stopping with conjugate priors achieves comparable FAR with smoother convergence properties. The multi-dimensional extension controls family-wise FAR at 1% across five simultaneous risk dimensions. Integration with the MARIA OS Gate Engine adds less than 12ms p99 latency per audit decision evaluation.

1. The Audit Termination Problem

An audit is a sequential evidence-gathering process. At each step, the auditor examines one or more items from the population under review, observes their conformance or nonconformance with the audit criteria, and updates their belief about the population's overall compliance state. The termination decision -- when to stop gathering evidence and issue a finding -- determines both the reliability of the audit conclusion and the resources consumed by the process.

1.1 The Sequential Observation Model

Let the audit population consist of N items. Define the population defect rate as theta -- the true proportion of items that are nonconforming. The auditor does not know theta; it is the quantity they are trying to estimate. At each step t = 1, 2, ..., the auditor draws an item (with or without replacement) and observes a binary outcome:

After n observations, the auditor has the sequence X_1, X_2, ..., X_n and the cumulative defect count D_n = sum of X_t for t from 1 to n. The sample defect rate is p-hat_n = D_n / n.

The auditor must choose a stopping time tau -- a random variable that depends only on the observations collected so far (X_1, ..., X_tau) and not on future unobserved items. Formally, tau is a stopping time with respect to the natural filtration F_n = sigma(X_1, ..., X_n). At time tau, the auditor issues one of two verdicts:

• Accept (Allow): The population is declared conforming. The audited entity passes the audit gate and proceeds.
• Reject (Deny): The population is declared nonconforming. The audited entity is flagged for remediation, escalation, or further investigation.

1.2 The Two Error Modes

The stopping rule can produce two types of errors:

False Allow (Type II error for the audit). The auditor declares the population conforming when the true defect rate theta exceeds the maximum tolerable defect rate theta_max. This is the governance-critical error. A false allow means the audit has failed its primary purpose: it has certified a nonconforming population as conforming. In financial auditing, this corresponds to issuing a clean opinion on materially misstated financial statements. In compliance auditing, this means certifying a process that violates regulatory requirements.

False Deny (Type I error for the audit). The auditor declares the population nonconforming when the true defect rate theta is below the acceptable quality level theta_0. This is the efficiency error. A false deny wastes resources on remediation that is not needed, delays operations, and erodes trust in the audit function. It is costly but not catastrophic -- the underlying population was actually conforming.

The asymmetry between these errors is fundamental. A false allow can have irreversible consequences: regulatory penalties, financial restatements, safety incidents. A false deny is reversible: the entity can be re-examined, the finding can be overturned. This asymmetry motivates the MARIA OS Fail-Closed design: when in doubt, deny. It is better to over-audit than to under-audit.

1.3 The Indifference Zone

Between theta_0 (the acceptable quality level) and theta_max (the maximum tolerable defect rate) lies the indifference zone [theta_0, theta_max]. When the true defect rate falls in this zone, neither a false allow nor a false deny is clearly incorrect. The audit design must specify behavior in this zone -- most frameworks allow both error probabilities to be relaxed here, concentrating statistical power on distinguishing clearly conforming (theta < theta_0) from clearly nonconforming (theta > theta_max) populations.

where alpha and beta are the specified error tolerances. The FAR constraint (beta) is the binding constraint in governance applications. We typically set beta << alpha -- for example, beta = 0.005 and alpha = 0.05 -- reflecting the asymmetric cost structure.

1.4 Why Fixed-Sample Plans Are Suboptimal

Traditional audit sampling standards (ISA 530, AICPA AU-C 530, PCAOB AS 2315) prescribe fixed sample sizes computed from confidence level and tolerable deviation rate. The auditor determines n before the audit begins, examines exactly n items, and issues a verdict based on the observed defect count.

Fixed-sample plans are suboptimal for two reasons. First, they cannot incorporate early evidence. If the first 20 of a planned 150-item sample reveal 15 defects, the conclusion is obvious -- but the plan requires examining all 150 items. Second, they cannot adapt to the difficulty of the audit. When the population is clearly conforming or clearly nonconforming, fewer samples suffice. When the population is in the indifference zone, more samples are needed. Fixed plans allocate the same resources regardless of difficulty.

Sequential stopping rules address both deficiencies. They examine one item at a time (or in batches), update the evidence state, and terminate as soon as the evidence is sufficient for a confident verdict. The expected sample size under sequential rules is strictly less than the fixed sample size at every point in the parameter space, with the savings most pronounced when the population is far from the indifference zone.

2. False Allow Rate: Formal Definition

The False Allow Rate is the central quantity that audit stopping criteria must control. We provide a rigorous definition and examine its properties.

2.1 Pointwise FAR

This is the probability that the audit issues an Accept verdict when the true population defect rate is theta. For a well-designed audit, FAR(theta) should be close to 1 when theta is small (we want to accept conforming populations) and close to 0 when theta is large (we want to reject nonconforming populations).

2.2 Operating Characteristic Curve

The function theta -> FAR(theta) is the Operating Characteristic (OC) curve of the audit plan. The OC curve fully characterizes the discriminating power of the stopping rule. Key properties:

• FAR(0) = 1 -- a perfectly conforming population is always accepted.
• FAR(1) = 0 -- a fully defective population is always rejected (assuming n >= 1).
• FAR is monotonically decreasing in theta -- higher defect rates yield lower acceptance probabilities.
• The steepness of the OC curve determines the audit's resolving power. A steep curve means the audit can sharply distinguish conforming from nonconforming populations.

2.3 Maximum FAR and the Governance Constraint

The governance constraint is expressed as a bound on the maximum FAR over the nonconforming region:

This is the worst-case probability that a nonconforming population passes the audit. In the MARIA OS context, this is the probability that the audit gate opens for an entity that should have been blocked. The Fail-Closed axiom requires beta to be small -- typically 0.005 or less for high-criticality audit gates.

Proposition 2.1. For the binomial sampling model with fixed sample size n and acceptance number c (accept if D_n <= c), the maximum FAR is:

This is the CDF of the binomial distribution evaluated at c with parameters n and theta_max. Controlling FAR_max <= beta requires selecting n and c such that this sum is bounded.

2.4 Average FAR Under a Prior

When a prior distribution pi(theta) over the defect rate is available (from historical audit data, industry benchmarks, or expert elicitation), the average FAR is:

The average FAR is a Bayesian analog of the maximum FAR. It is less conservative (it averages over nonconforming rates rather than taking the worst case) but requires a defensible prior. In MARIA OS, the prior is constructed from the entity's audit history stored in the evidence ledger.

2.5 FAR Decomposition by Risk Tier

In practice, audit populations are stratified by risk tier. Let the population be partitioned into K risk strata with population sizes N_1, ..., N_K and defect rates theta_1, ..., theta_K. The overall FAR decomposes as:

where FAR_k is the stratum-specific False Allow Rate. This decomposition shows that the total FAR is dominated by the stratum with the highest FAR -- a single weak audit stratum can undermine the entire audit. The MARIA OS multi-tier gate architecture addresses this by enforcing stratum-specific FAR constraints, ensuring that no single risk tier can inflate the system-wide FAR.

3. MAX Constraint Stopping Rule

The simplest stopping rule with formal FAR guarantees is the MAX constraint: specify an absolute upper bound on the number of defects observed, and terminate the audit immediately when the bound is reached.

3.1 Definition

• At each step t, observe X_t and update D_t = D_{t-1} + X_t.
• If D_t > c, stop and reject. The defect count has exceeded the maximum allowable.
• If t = n_max and D_t <= c, stop and accept. The maximum sample size has been reached without exceeding the defect bound.
• Otherwise, continue sampling.

The stopping time is:

3.2 FAR Analysis

Under the MAX(c, n_max) rule, a false allow occurs only when D_{n_max} <= c despite theta >= theta_max. The FAR at theta is:

To satisfy FAR(theta_max) <= beta, we need to choose (c, n_max) such that the incomplete beta function I_{1-theta_max}(n_max - c, c + 1) >= 1 - beta. This relationship provides the fundamental constraint linking sample size, acceptance number, and FAR.

Theorem 3.1 (MAX Constraint FAR Bound). For the MAX(c, n_max) stopping rule with population defect rate theta >= theta_max:

where D_KL(p || q) = p ln(p/q) + (1-p) ln((1-p)/(1-q)) is the Kullback-Leibler divergence. This exponential bound shows that FAR decreases exponentially with sample size at a rate determined by the KL divergence between the empirical defect rate and the true defect rate.

Corollary 3.2 (Minimum Sample Size). To achieve FAR <= beta at theta_max with acceptance number c, the minimum required sample size is:

This implicit equation is solved iteratively. For c = 0 (zero-defect acceptance), it simplifies to:

For example, with theta_max = 0.05 and beta = 0.005: n_max >= ln(200) / -ln(0.95) = 5.298 / 0.0513 = 103.3, so n_max = 104 items.

3.3 Optimal Acceptance Number Selection

The choice of acceptance number c involves a tradeoff. Setting c = 0 (zero-defect plan) maximizes the ability to detect nonconformance but requires large samples even when a few defects are tolerable. Setting c > 0 allows some defects and reduces the required sample size for conforming populations but increases the risk of false allows.

Proposition 3.3. The optimal acceptance number c* that minimizes E[tau] subject to FAR(theta_max) <= beta and FDR(theta_0) <= alpha is the largest integer c such that:

where n*(c) is the minimum sample size satisfying both error constraints at acceptance number c. The optimization scans over candidate c values and selects the one yielding the smallest E[tau] under the assumed prior on theta.

3.4 Truncated MAX Rule with Early Stopping

The basic MAX rule permits early rejection (stop as soon as D_t > c) but not early acceptance. We can add an early acceptance condition by defining a lower boundary:

• If D_t > c, stop and reject.
• If D_t <= a_t and t >= n_min, stop and accept.
• If t = n_max and D_t <= c, stop and accept.
• Otherwise, continue.

The acceptance boundary a_t is chosen to maintain the FAR constraint. A common choice is the Poisson approximation: a_t = floor(t theta_0 - z_alpha sqrt(t theta_0 (1 - theta_0))), where z_alpha is the standard normal quantile. This allows early acceptance when the observed defect rate is substantially below the acceptable quality level.

The truncated MAX rule achieves expected sample sizes 20-40% lower than the basic MAX rule when the population is clearly conforming (theta << theta_0), with negligible impact on FAR when the population is nonconforming.

4. Sequential Probability Ratio Test for Audit

The Sequential Probability Ratio Test (SPRT), introduced by Abraham Wald in 1945, is the optimal sequential test for deciding between two simple hypotheses. Applied to audit stopping, it provides the minimum expected sample size among all tests with given error probabilities.

4.1 Formulation

The SPRT tests the null hypothesis H_0: theta = theta_0 (the population is conforming at the acceptable quality level) against the alternative H_1: theta = theta_max (the population is nonconforming at the maximum tolerable level).

After n observations, the likelihood ratio is:

The log-likelihood ratio is:

4.2 Decision Boundaries

The SPRT defines two boundaries A and B (with A < 0 < B) and operates as follows:

• If lambda_n >= B, stop and reject (evidence favors nonconformance).
• If lambda_n <= A, stop and accept (evidence favors conformance).
• If A < lambda_n < B, continue sampling.

Wald's fundamental identity gives the boundary values:

where alpha is the false deny probability and beta is the false allow probability (FAR). For alpha = 0.05 and beta = 0.005:

4.3 Optimality of SPRT

Theorem 4.1 (Wald-Wolfowitz). Among all sequential tests with error probabilities at most alpha (false deny at theta_0) and at most beta (false allow at theta_max), the SPRT minimizes the expected sample size E[tau | theta] simultaneously at both theta = theta_0 and theta = theta_max.

This is a remarkably strong result. It means the SPRT is not merely a good sequential test -- it is the best possible sequential test for the two-point audit stopping problem. No other sequential procedure can achieve the same error guarantees with a smaller expected sample size.

4.4 Expected Sample Size

The expected sample size of the SPRT is given by Wald's equation:

More precisely, using the Wald identity for the operating characteristic function, the expected sample sizes at the two hypotheses are:

The denominator in both expressions is the KL divergence D_KL(theta_0 || theta_max) or D_KL(theta_max || theta_0), respectively. Larger KL divergence (more separated hypotheses) yields smaller expected sample sizes -- the test terminates faster when the two hypotheses are easy to distinguish.

Numerical example. With theta_0 = 0.02, theta_max = 0.05, alpha = 0.05, beta = 0.005:

D_KL(theta_0 || theta_max) = 0.02 ln(0.02/0.05) + 0.98 ln(0.98/0.95) = 0.02(-0.916) + 0.98(0.0311) = -0.01832 + 0.03048 = 0.01216

E[tau | theta_0] = ((0.95)(-5.247) + (0.05)(2.990)) / 0.01216 = (-4.985 + 0.1495) / 0.01216 = -4.835 / 0.01216. Taking absolute value (the Wald approximation uses the convention that the denominator matches sign): E[tau | theta_0] approximately equals 398 items.

Compare this to the fixed-sample size under the same error constraints, which requires approximately 642 items. The SPRT achieves a 38% reduction in expected sample size under the null hypothesis.

4.5 Truncated SPRT for Budget Compliance

The pure SPRT has an unbounded maximum sample size -- in theory, if the true theta falls exactly between theta_0 and theta_max, the test can continue indefinitely. For practical audit applications, we truncate the SPRT at a maximum sample size n_max:

• If lambda_{n_max} >= 0, reject.
• If lambda_{n_max} < 0, accept.

Proposition 4.2. The truncated SPRT with n_max >= 2 * E[tau | theta_max] maintains FAR within 10% of the nominal beta for theta in the nonconforming region. For tighter FAR control, adjusted boundaries A' and B' can be computed via Monte Carlo simulation or the method of Armitage (1957).

The truncation point n_max serves as the budget ceiling for the audit. In the MARIA OS framework, this maps directly to the resource allocation parameter of the audit gate: the gate specifies not only the required confidence level but also the maximum evidence-gathering budget.

4.6 SPRT with Composite Hypotheses

The basic SPRT tests two simple hypotheses. In audit practice, we rarely know the exact defect rate under conformance or nonconformance -- we specify regions rather than points. The generalized SPRT (GSPRT) handles composite hypotheses by using the generalized likelihood ratio:

where L(theta; X_1, ..., X_n) is the likelihood function. Under the binomial model, the suprema are achieved at theta = max(p-hat_n, theta_max) and theta = min(p-hat_n, theta_0), yielding a computationally tractable test statistic.

The GSPRT does not achieve the exact optimality of the simple SPRT (Wald-Wolfowitz does not extend to composite hypotheses), but simulation studies show that it achieves within 5-15% of the optimal expected sample size across the parameter space, making it a practical choice for audit applications.

5. Bayesian Stopping Criteria

The Bayesian approach to audit stopping replaces the frequentist error constraints with a decision-theoretic framework. Instead of controlling worst-case error rates over a parameter space, the Bayesian auditor maintains a posterior distribution over the defect rate and terminates when the posterior provides sufficient confidence for a verdict.

5.1 Prior Specification

The natural conjugate prior for the binomial defect model is the Beta distribution:

where alpha_0 and beta_0 are the prior hyperparameters. The prior mean is alpha_0 / (alpha_0 + beta_0) and the prior variance is alpha_0 beta_0 / ((alpha_0 + beta_0)^2 (alpha_0 + beta_0 + 1)). Common choices:

• Non-informative prior: alpha_0 = beta_0 = 1 (uniform on [0,1]). This encodes no prior knowledge about the defect rate.
• Jeffreys prior: alpha_0 = beta_0 = 0.5. This is invariant under reparameterization and is often considered the "least informative" proper prior.
• Historical prior: alpha_0 and beta_0 chosen to match historical audit data. If previous audits of similar populations found d defects in m items, set alpha_0 = d + 1 and beta_0 = m - d + 1. In MARIA OS, these parameters are automatically computed from the entity's evidence ledger.
• Skeptical prior: alpha_0 >> beta_0, encoding a prior belief that defect rates are high. This is appropriate for Fail-Closed audit gates where the default assumption is nonconformance.

5.2 Posterior Update

After observing D_n defects in n items, the posterior distribution is:

The posterior mean is (alpha_0 + D_n) / (alpha_0 + beta_0 + n) and the posterior variance decreases as O(1/n). The conjugate update is computationally trivial -- it requires only incrementing two counters -- making it suitable for real-time audit gate evaluation in the MARIA OS pipeline.

5.3 Bayesian Stopping Rule

where epsilon is the posterior uncertainty tolerance. The first condition triggers rejection (strong evidence of nonconformance). The second triggers acceptance (strong evidence of conformance).

The posterior exceedance probability is:

where I_x(a, b) is the regularized incomplete beta function. This can be computed numerically in O(1) time using standard library functions.

5.4 Loss-Based Stopping

A more principled Bayesian stopping criterion minimizes the expected posterior loss. Define the loss function:

where c_FA is the cost of a false allow and c_FD is the cost of a false deny. The expected posterior loss of accepting is:

The expected posterior loss of rejecting is:

The cost of continuing (sampling one more item) is the per-sample audit cost c_s. The optimal stopping rule is:

Stop and accept if R_A(tau) < R_R(tau); stop and reject otherwise. This dynamic programming formulation can be solved via backward induction on a discretized state space (n, D_n), making it computationally feasible for audit populations of practical size.

5.5 Bayesian vs. Frequentist FAR Control

A natural concern is whether the Bayesian stopping rule provides valid frequentist FAR control. The answer depends on the prior.

Proposition 5.1. If the prior pi(theta) satisfies pi(theta) > 0 for all theta in [theta_max, 1], then the Bayesian posterior threshold stopping rule with tolerance epsilon achieves pointwise FAR(theta) -> 0 as epsilon -> 0 for all theta > theta_max.

However, the rate of convergence depends on the prior. A prior that places little mass near theta_max may require many observations before the posterior concentrates sufficiently. In practice, we calibrate epsilon to achieve a target FAR_max via simulation: for a grid of theta values in [theta_max, 1], simulate the Bayesian stopping rule and compute the empirical FAR. Adjust epsilon until the maximum empirical FAR is below beta.

This calibration is performed offline when configuring the MARIA OS audit gate and stored as a gate parameter. At runtime, the gate evaluates only the posterior threshold condition, which is computationally instantaneous.

5.6 Empirical Bayes for Repeated Audits

In enterprise settings, the same entity is audited repeatedly over time. The Empirical Bayes approach uses the outcomes of previous audits to construct the prior for the current audit:

where gamma in (0, 1] is a discount factor that controls how much weight is given to historical audits. Setting gamma = 1 gives full weight to all historical data; gamma < 1 downweights older audits. This creates an adaptive stopping rule that becomes more efficient over time as the system accumulates audit history.

In MARIA OS, gamma is a configurable parameter per audit gate. Entities with stable compliance histories get tighter priors and faster audit termination. Entities with volatile histories get wider priors and more thorough auditing. This is graduated autonomy applied to the audit function itself: trustworthy entities earn faster audits.

6. Multi-dimensional Stopping: Multiple Risk Factors

Real-world audits rarely evaluate a single dimension. A SOX compliance audit simultaneously assesses financial accuracy, internal control effectiveness, process adherence, data integrity, and disclosure completeness. Each dimension has its own defect rate, tolerance, and cost structure. The stopping criterion must account for all dimensions jointly.

6.1 Problem Formulation

Let the audit evaluate K risk dimensions indexed by k = 1, ..., K. For each dimension k, define:

• theta_k: the true defect rate in dimension k
• theta_{max,k}: the maximum tolerable defect rate in dimension k
• D_{n,k}: the cumulative defect count in dimension k after n items
• beta_k: the FAR tolerance for dimension k

An item may be defective in multiple dimensions simultaneously. Let X_{t,k} be the indicator that item t is defective in dimension k. The observation at step t is the vector X_t = (X_{t,1}, ..., X_{t,K}).

6.2 Family-wise FAR Control

The family-wise FAR is the probability that any nonconforming dimension passes the audit:

By the union bound:

where FAR_k is the dimension-specific FAR. To control FAR_FW <= beta, the Bonferroni correction allocates beta_k = beta / K to each dimension. This is conservative but simple.

6.3 Holm-Bonferroni Improvement

The Holm-Bonferroni procedure improves on straight Bonferroni by using ordered p-values. At each step, compute the p-value for each dimension's current evidence:

Order the p-values: p_{(1)} <= p_{(2)} <= ... <= p_{(K)}. For the dimension with the smallest p-value, apply threshold beta / K. For the second smallest, apply beta / (K-1). And so on. This step-down procedure controls the family-wise FAR at beta while being strictly more powerful than Bonferroni.

6.4 Joint Stopping Surface

The multi-dimensional stopping rule defines a stopping surface in the K-dimensional evidence space. Let the evidence state at step n be the vector s_n = (D_{n,1}/n, ..., D_{n,K}/n) of dimension-specific sample defect rates. The stopping surface partitions the evidence space into three regions:

• Accept region A: All dimensions have sufficient evidence of conformance. The audit terminates with an Accept verdict on all dimensions.
• Reject region R: At least one dimension has sufficient evidence of nonconformance. The audit terminates with a Reject verdict.
• Continue region C: At least one dimension has insufficient evidence. The audit continues.

The shape of the stopping surface is determined by the dimension-specific thresholds and the correlation structure among the defect indicators. When defects are positively correlated across dimensions (a common pattern in practice -- entities that fail on financial accuracy often also fail on process adherence), the stopping surface is more compact and the audit terminates faster.

6.5 Formal Joint Stopping Criterion

The joint stopping criterion that controls FAR_FW <= beta is:

In words: stop and accept when all dimensions are individually confident of conformance at the Bonferroni-adjusted level, or stop and reject when any dimension is individually confident of nonconformance.

Theorem 6.1 (Family-wise FAR guarantee). The joint stopping criterion above satisfies FAR_FW <= beta for any correlation structure among the K dimensions.

The proof follows directly from the union bound and the dimension-specific posterior threshold guarantees. The conservative nature of the Bonferroni correction means the actual FAR_FW is typically well below beta, especially when K is moderate (K <= 10 in most audit applications).

6.6 Dimension Prioritization

In practice, not all risk dimensions are equally important. Financial accuracy may carry 10x the consequence of process documentation completeness. We extend the stopping criterion with dimension weights w_k > 0 (summing to 1):

The weighted family-wise FAR allocates more FAR budget to lower-consequence dimensions and less to higher-consequence dimensions. This is achieved by setting beta_k = beta * w_k / w_{max} where w_{max} = max_k w_k, ensuring that the most consequential dimension receives the tightest FAR control.

In MARIA OS, dimension weights are configured per audit gate and stored in the gate's evidence requirements specification. The Gate Engine evaluates all dimensions in parallel and applies the weighted stopping criterion at each evidence update.

7. Optimal Sample Size Under Budget Constraints

Every audit operates under resource constraints: time, personnel, budget, and access to the audited population. The optimization problem is to allocate limited audit resources across risk strata and dimensions to minimize the total FAR subject to a budget ceiling.

7.1 The Audit Budget Model

Let the total audit budget be B (measured in cost units). The cost of examining item j in stratum k is c_{j,k}. For simplicity, assume homogeneous costs within each stratum: c_{j,k} = c_k for all j. The budget constraint is:

where n_k is the number of items sampled from stratum k. The total FAR is a function of the sample allocation (n_1, ..., n_K):

7.2 Lagrangian Relaxation

The optimization problem is:

The Lagrangian is:

Taking the derivative with respect to n_k and setting it to zero:

Using the chain rule on the product form of FAR_total:

The first-order condition becomes:

7.3 Interpretation of the Dual Variable

The Lagrange multiplier mu has a natural interpretation: it is the marginal value of audit budget. Specifically, mu = -dFAR_total/dB at the optimum. If mu is large, additional audit budget would significantly reduce FAR, indicating that the audit is budget-constrained. If mu is small, additional budget would have little impact, indicating that the audit has reached diminishing returns.

Proposition 7.1. At the optimal allocation, the marginal FAR reduction per unit cost is equalized across all strata:

This is the audit analog of the equimarginal principle in economics: resources should be allocated such that the last dollar spent on any stratum produces the same marginal FAR reduction. Strata with high per-item FAR sensitivity (high-risk strata where each additional sample significantly reduces uncertainty) receive more samples. Strata with low sensitivity (low-risk strata where the population is clearly conforming) receive fewer samples.

7.4 Closed-Form Solution Under Exponential FAR Model

When the stratum-specific FAR follows the exponential decay model FAR_k(n_k) = exp(-r_k * n_k) for some rate parameter r_k > 0, the optimization has a closed-form solution.

The first-order condition gives:

For well-separated strata where FAR_k << 1 (large n_k), the product term is approximately 1, and the condition simplifies to:

Solving for n_k:

Substituting into the budget constraint sum_k n_k* c_k = B and solving for mu gives the optimal allocation. The solution allocates more samples to strata with higher FAR sensitivity (larger r_k) and lower per-item cost (smaller c_k), as expected.

7.5 Dynamic Budget Reallocation

In sequential auditing, the budget allocation can be updated dynamically as evidence accumulates. At each step, the remaining budget B_remaining = B - sum_k n_k c_k is reallocated across strata based on the current posterior uncertainty:

Strata with high posterior variance (high remaining uncertainty) receive a larger share of the remaining budget. Strata where the posterior has already concentrated (either clearly conforming or clearly nonconforming) receive less. This adaptive allocation is the Bayesian analog of Neyman allocation in stratified sampling.

In MARIA OS, dynamic budget reallocation is performed by the Gate Engine at each evidence update event. The gate's resource allocator redistributes the remaining audit budget across open dimensions, ensuring that evidence-gathering effort is concentrated where it has the most impact on the stopping decision.

8. Integration with MARIA OS Gate Engine

The mathematical stopping criteria derived in the preceding sections are implemented within the MARIA OS Gate Engine as audit-type gates. This section describes the architecture, the gate evaluation pipeline for audit decisions, and the connection to the Fail-Closed axiom.

8.1 Audit Gates as Gate Evaluators

In the MARIA OS architecture, every decision that requires audit verification passes through a gate evaluator. The gate evaluator for audit decisions implements the stopping criteria as follows:

The gate maintains an audit state for each active audit, consisting of:

• The accumulated evidence vector (D_{n,1}, ..., D_{n,K}) across K risk dimensions
• The sample count n
• The prior hyperparameters (alpha_{0,k}, beta_{0,k}) for each dimension
• The posterior parameters (alpha_{0,k} + D_{n,k}, beta_{0,k} + n - D_{n,k}) for each dimension
• The stopping criterion configuration: (theta_{max,k}, beta_k, epsilon_k) for each dimension
• The remaining budget B_remaining
• The chosen stopping method (MAX, SPRT, Bayesian, or hybrid)

8.2 Gate Evaluation Pipeline

When a new evidence item arrives at the audit gate, the evaluation pipeline proceeds:

Step 1: Evidence Ingestion. The evidence item is received and validated. Each item produces a K-dimensional binary vector (X_{t,1}, ..., X_{t,K}) indicating conformance or nonconformance in each risk dimension. The cumulative defect counts are updated: D_{n+1,k} = D_{n,k} + X_{t+1,k}.

Step 2: Posterior Update. For Bayesian stopping, the posterior parameters are updated: alpha_k <- alpha_k + X_{t+1,k}, beta_k <- beta_k + (1 - X_{t+1,k}). For SPRT, the log-likelihood ratio is updated: lambda_{n+1,k} = lambda_{n,k} + X_{t+1,k} ln(theta_{max,k}/theta_{0,k}) + (1 - X_{t+1,k}) ln((1-theta_{max,k})/(1-theta_{0,k})).

Step 3: Stopping Criterion Evaluation. The chosen stopping criterion is evaluated against the updated evidence state. If the criterion is met (either accept or reject), the gate transitions to a terminal state. If not, the gate remains open.

Step 4: Budget Check. If the remaining budget is exhausted (B_remaining <= 0) and the stopping criterion has not been met, the gate invokes the Fail-Closed rule: the audit result is Reject. This ensures that budget exhaustion never produces a false allow -- if we cannot afford to gather sufficient evidence, we default to the conservative verdict.

Step 5: Resource Reallocation. If the gate remains open, the resource allocator redistributes the remaining budget across dimensions based on the current posterior variance structure.

8.3 The Fail-Closed Axiom in Audit Context

The MARIA OS Fail-Closed axiom has three specific manifestations in the audit context:

Axiom 1: Default Deny on Insufficient Evidence. If the stopping criterion has not been met and no more evidence can be gathered (budget exhaustion, time limit, access restriction), the gate issues a Reject verdict. The audited entity does not pass. This is the audit-specific instantiation of the general Fail-Closed principle: when the gate cannot determine that an action is safe, it denies the action.

Axiom 2: Default Deny on Criterion Ambiguity. If the stopping criterion produces an ambiguous result (the evidence is in the indifference zone where neither acceptance nor rejection is clear), the gate issues a Reject verdict. In the SPRT framework, this means: if lambda_n is in the continue region (A < lambda_n < B) and the audit must terminate, the verdict is Reject. In the Bayesian framework: if neither P(theta <= theta_max | D_n) nor P(theta > theta_max | D_n) exceeds 1 - epsilon, the verdict is Reject.

Axiom 3: Default Deny on System Failure. If the Gate Engine encounters a runtime error during stopping criterion evaluation (numerical overflow, database unavailability, corrupted evidence state), the gate issues a Reject verdict. The audit does not pass by default when the evaluation machinery fails. This is the infrastructure-level Fail-Closed guarantee.

8.4 Audit Gate Configuration Schema

Each audit gate in MARIA OS is configured with the following parameters, stored in the gate_configurations table:

{
  gate_id: "audit-sox-financial-accuracy",
  gate_type: "audit",
  stopping_method: "bayesian_posterior_threshold",
  dimensions: [
    {
      name: "financial_accuracy",
      theta_max: 0.05,
      weight: 0.35,
      prior_alpha: 1.0,
      prior_beta: 19.0
    },
    {
      name: "control_effectiveness",
      theta_max: 0.03,
      weight: 0.30,
      prior_alpha: 1.0,
      prior_beta: 32.0
    },
    {
      name: "process_adherence",
      theta_max: 0.08,
      weight: 0.20,
      prior_alpha: 1.0,
      prior_beta: 11.5
    },
    {
      name: "data_integrity",
      theta_max: 0.02,
      weight: 0.10,
      prior_alpha: 1.0,
      prior_beta: 49.0
    },
    {
      name: "disclosure_completeness",
      theta_max: 0.10,
      weight: 0.05,
      prior_alpha: 1.0,
      prior_beta: 9.0
    }
  ],
  far_target: 0.005,
  budget_max: 500,
  n_max: 300,
  empirical_bayes_discount: 0.85,
  fail_closed: true
}

The fail_closed: true flag is mandatory for audit gates. The MARIA OS Gate Engine rejects gate configurations where fail_closed is set to false for audit-type gates, enforcing the Fail-Closed axiom at the configuration level.

8.5 Real-time Stopping Criterion Dashboard

The MARIA OS dashboard exposes the audit stopping state in real time. For each active audit gate, the dashboard displays:

• The current evidence state: sample count n, defect counts D_{n,k} per dimension, sample defect rates p-hat_{n,k}
• The posterior distributions: Beta(alpha_k + D_{n,k}, beta_k + n - D_{n,k}) visualized as density curves
• The stopping boundaries: SPRT boundaries (A, B) or Bayesian threshold (1 - epsilon) overlaid on the evidence trajectory
• The remaining budget and projected termination point
• The current verdict if the audit were forced to terminate now (the Fail-Closed default)

This transparency ensures that human auditors can monitor the automated stopping criterion and intervene if necessary -- the system does not make the final determination in a black box. Every intermediate state is visible, every threshold is explicit, and the Fail-Closed default is always shown.

9. Case Study: SOX Compliance Audit

We apply the mathematical stopping criteria to a simulated SOX (Sarbanes-Oxley) compliance audit to demonstrate practical performance. SOX Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting. The external auditor must independently evaluate these controls and issue an opinion on their effectiveness.

9.1 Scenario Setup

The audit targets a mid-size financial services firm with the following characteristics:

• Population: 12,400 financial transactions processed in Q4 2025
• Risk dimensions: 5 (financial accuracy, control effectiveness, process adherence, data integrity, disclosure completeness)
• Materiality threshold: $500K (transactions above this threshold receive 100% examination)
• Tolerable deviation rates: theta_max = (0.05, 0.03, 0.08, 0.02, 0.10) across the 5 dimensions
• Acceptable quality levels: theta_0 = (0.01, 0.005, 0.02, 0.005, 0.03) across the 5 dimensions
• Target FAR_FW: 0.01 (1% family-wise False Allow Rate)
• Audit budget: 500 items (the maximum number of transactions the audit team can examine within the engagement timeline)
• Per-item costs: c_k = (1.0, 1.5, 0.8, 1.2, 0.6) cost units across dimensions (reflecting the varying complexity of evaluating each dimension)

9.2 Stopping Method Configuration

We configure three stopping methods and compare their performance:

Method A: Fixed-Sample Plan. Traditional audit sampling per PCAOB AS 2315. Sample size computed using AICPA sample size tables: n = 156 for financial accuracy (theta_max = 0.05, confidence = 95%), n = 195 for control effectiveness (theta_max = 0.03), etc. Total fixed sample: 156 + 195 + 93 + 240 + 65 = 749 items. This exceeds the budget of 500 items, so the fixed plan must either reduce confidence or limit the number of dimensions tested.

Method B: SPRT-Based Stopping. Truncated SPRT for each dimension with boundaries computed from alpha_k = 0.05 and beta_k = 0.01/5 = 0.002 (Bonferroni correction). Expected sample sizes under H_0: E[tau_1] = 98, E[tau_2] = 145, E[tau_3] = 62, E[tau_4] = 178, E[tau_5] = 45. Total expected: 528 items. This is slightly above budget but feasible with the sequential nature (many dimensions will terminate early).

Method C: Bayesian Posterior Stopping. Beta priors from historical audit data (3 prior years). Posterior threshold epsilon_k calibrated via Monte Carlo to achieve per-dimension FAR_k <= 0.002. Dynamic budget reallocation across dimensions.

9.3 Simulation Results

We simulate 10,000 audit engagements for each method under three scenarios:

Scenario 1: Fully conforming population (theta_k = theta_{0,k} for all k).

Under the conforming scenario, both sequential methods achieve approximately 38-43% sample reduction vs. the budget-capped fixed plan. The SPRT achieves the lowest FAR (0.18%) while the Bayesian method achieves the lowest false deny rate (3.9%).

Scenario 2: One nonconforming dimension (theta_3 = 0.12, all others at theta_{0,k}).

When one dimension is nonconforming, the sequential methods terminate even faster (the nonconforming dimension triggers early rejection) and achieve higher correct rejection rates. The SPRT is particularly efficient here, using only 198 items on average to identify the nonconforming dimension with 99.2% correct rejection.

Scenario 3: Borderline population (theta_k approximately equal to theta_{max,k} for all k).

The borderline scenario is the most challenging. The fixed-sample plan produces an alarmingly high FAR of 12.3% -- one in eight nonconforming populations would pass the audit. Both sequential methods maintain FAR well below 1% by using nearly the full budget but applying it adaptively. The tradeoff is a higher false deny rate (12-14%), which is acceptable given the asymmetric cost structure.

9.4 Key Findings

The case study demonstrates three critical results:

Finding 1: Sequential methods are strictly superior for FAR control. Across all scenarios, both SPRT and Bayesian stopping achieve FAR at least 5x lower than the fixed-sample plan, while using 30-60% fewer samples. The improvement is most dramatic in the borderline scenario, where the fixed plan's FAR (12.3%) is unacceptable for governance purposes.

Finding 2: Budget constraints make fixed plans dangerous. When the audit budget is insufficient for the full fixed-sample plan, the fixed plan must compromise on confidence or coverage. In our simulation, the budget-capped fixed plan could not examine all dimensions at the required confidence level, leading to the high FAR in the borderline scenario. Sequential methods adapt naturally to budget constraints because they allocate resources dynamically.

Finding 3: The Fail-Closed axiom prevents catastrophic FAR. In the 2.1% of SPRT simulation runs and 2.8% of Bayesian runs where the budget was exhausted before the stopping criterion was met, the Fail-Closed default (Reject) prevented every potential false allow. Without the Fail-Closed axiom, these budget-exhaustion cases would have been resolved by forced acceptance, increasing the FAR by an estimated 1.5-2.0 percentage points.

10. Comparison with Traditional Audit Sampling Standards

The mathematical stopping criteria presented in this paper depart significantly from the heuristic methods prescribed by traditional audit sampling standards. This section compares the two approaches across several dimensions.

10.1 ISA 530 and AICPA AU-C 530

The International Standard on Auditing 530 (ISA 530) and its US equivalent (AU-C 530) establish the framework for audit sampling in financial audits. Key characteristics of the traditional approach:

• Fixed sample sizes determined from tables based on confidence level, tolerable deviation rate, and expected deviation rate. The auditor selects these parameters based on professional judgment.
• No sequential updating. The sample size is determined before the audit begins and is not adjusted based on interim results (except in rare cases where the auditor exercises professional judgment to extend sampling).
• Qualitative tolerable deviation rates. The standards describe tolerable deviation rates in terms like "low," "moderate," and "high" rather than precise numerical thresholds.
• Professional judgment for stopping. The standards state that the auditor should "consider whether the results of the sample provide a reasonable basis for conclusions" -- a subjective evaluation with no mathematical formalization.

10.2 PCAOB AS 2315

The PCAOB's Auditing Standard 2315 (Audit Sampling) provides more specific guidance for US public company audits but retains the fundamental limitations:

• Sample sizes are based on tables that assume a fixed confidence level (typically 90% or 95%).
• The standard acknowledges that "the auditor should consider the qualitative aspects of misstatements" but does not formalize how these considerations affect the stopping decision.
• There is no explicit FAR calculation. The standard's sample size tables implicitly target a certain FAR but do not expose this parameter to the auditor.

10.3 Comparative Analysis

10.4 The Reproducibility Argument

Perhaps the most consequential difference is reproducibility. Under traditional standards, two auditors examining the same population with the same risk assessment may reach different stopping decisions because the stopping criterion depends on professional judgment. Under the mathematical framework, two audit systems with the same configuration will make identical stopping decisions on the same evidence sequence. This reproducibility is essential for governance: it ensures that audit quality does not depend on individual auditor calibration.

The MARIA OS implementation enforces reproducibility by design. The stopping criterion is a deterministic function of the evidence state and the gate configuration. The gate configuration is version-controlled and auditable. The evidence state is maintained in an immutable ledger. Together, these properties ensure that any audit decision can be exactly reproduced from the recorded inputs.

10.5 Backward Compatibility

The mathematical framework does not invalidate traditional audit standards -- it subsumes them. A fixed-sample plan is a special case of the sequential framework where the stopping criterion is tau = n_max (always sample exactly n_max items). The traditional sample size tables can be derived from the FAR constraint by setting beta to the implicit confidence level and solving for n_max. Organizations that require compliance with ISA 530 or AS 2315 can configure MARIA OS audit gates to emulate the traditional fixed-sample behavior while still benefiting from the Fail-Closed axiom and multi-dimensional tracking.

11. Benchmarks

We report quantitative benchmarks from the simulation study and the MARIA OS Gate Engine integration tests.

11.1 FAR Performance Across Stopping Methods

Across 50,000 simulated audit populations with theta drawn from a mixture distribution (70% conforming at theta_0, 20% borderline at theta_max, 10% clearly nonconforming at 2*theta_max):

The hybrid method (use SPRT for rejection, Bayesian for acceptance) achieves the best overall performance: lowest mean FAR (0.15%) and lowest mean sample size (165.2 items).

11.2 Sample Efficiency Gains

Compared to the fixed-sample plan (MAX(0, 104) as baseline):

• SPRT achieves 38% reduction in expected sample size under H_0 (conforming population)
• Bayesian achieves 42% reduction in expected sample size under H_0
• Under H_1 (nonconforming population), SPRT achieves 67% reduction and Bayesian 61% reduction
• The efficiency gains are largest when the population is far from the indifference zone, as predicted by theory

11.3 Multi-dimensional Performance

For the 5-dimensional SOX audit configuration with FAR_FW target of 1%:

The Bayesian method with dynamic budget reallocation achieves the highest budget utilization (94.2%) by concentrating remaining audit effort on the dimensions with the most remaining uncertainty. The Holm-Bonferroni SPRT uses the fewest total samples but achieves lower budget utilization because it allocates samples uniformly rather than adaptively.

11.4 Gate Engine Latency

Measured on the MARIA OS Gate Engine processing audit evidence updates:

The total end-to-end latency of 12.1ms at p99 is well within the MARIA OS Gate Engine's SLA of 50ms per gate evaluation. The stopping criterion evaluation is computationally lightweight; the majority of the latency is in evidence ingestion (database write) and budget reallocation (optimization computation).

12. Future Directions

The mathematical framework presented in this paper opens several avenues for future research and engineering development.

12.1 Non-stationary Defect Rates

The current framework assumes that the defect rate theta is constant throughout the audit. In practice, defect rates may change over time -- for example, a system that was nonconforming at the start of the audit period may have been remediated partway through, or a conforming system may have degraded. Extending the stopping criteria to handle non-stationary defect rates requires either change-point detection (identifying when theta shifts) or time-weighted models (discounting older observations). The CUSUM (Cumulative Sum) control chart provides a natural starting point for change-point detection within the sequential audit framework.

12.2 Correlated Defects

The current multi-dimensional stopping criterion assumes conditional independence across risk dimensions given the defect rates. When defects are correlated (e.g., a transaction with a financial accuracy defect is more likely to also have a control effectiveness defect), the joint stopping surface should account for this correlation structure. Copula models or multivariate Bayesian updating with conjugate priors (Dirichlet-Multinomial) can capture these dependencies and potentially reduce the required sample size by exploiting cross-dimensional information.

12.3 Adversarial Populations

The standard audit model assumes that the population is fixed and the auditor samples randomly. In adversarial settings (e.g., fraud detection), the auditee may manipulate the population to evade detection -- for example, by concentrating defects in rarely-sampled strata. Game-theoretic stopping criteria that account for strategic adversaries would extend the framework to forensic and fraud audit applications. Minimax stopping rules provide FAR guarantees under worst-case adversarial behavior but may be overly conservative for routine compliance audits.

12.4 Continuous Monitoring Integration

As enterprises move from periodic audits to continuous monitoring, the audit stopping problem transforms from a batch decision (examine N items, issue verdict) to a streaming decision (continuously ingest evidence, maintain a running verdict). The Bayesian framework is naturally suited to this extension: the posterior is updated continuously, and the stopping criterion is evaluated in real time. The MARIA OS Gate Engine already supports streaming evidence ingestion, making continuous audit monitoring a near-term engineering goal.

12.5 Causal Stopping Criteria

The current stopping criteria are correlational: they estimate the defect rate from observed data without modeling the causal mechanisms that produce defects. Causal stopping criteria would incorporate a structural model of defect generation and terminate the audit when the causal model is identified with sufficient confidence. This would enable not only pass/fail verdicts but also root cause identification -- the audit would terminate when it has gathered enough evidence to explain why defects occur, not merely how many there are.

12.6 Human-in-the-Loop Stopping

The framework currently treats the stopping decision as fully automated (the criterion is evaluated by the Gate Engine). A hybrid approach would allow human auditors to influence the stopping decision -- for example, by providing soft evidence (expert opinions, contextual knowledge) that updates the posterior but does not count as a formal sample. This requires extending the Bayesian model to accommodate heterogeneous evidence types with varying reliability.

12.7 Regulatory Adoption Path

For mathematical stopping criteria to gain adoption in regulated audit environments, they must be validated against existing standards bodies' requirements. We envision a three-stage adoption path: (1) use mathematical criteria as a supplementary decision aid alongside traditional sampling, (2) demonstrate equivalence or superiority in controlled comparison studies, (3) propose amendments to ISA 530 / AS 2315 that formally permit sequential and Bayesian stopping methods. The MARIA OS audit gate implementation serves as a reference architecture for stage (1), and the simulation results in this paper provide evidence for stage (2).

13. Conclusion

The audit stopping problem is a mathematical problem. It has been treated as a judgment problem for decades -- auditors decide when they have "seen enough" based on experience, intuition, and qualitative guidelines from auditing standards. This paper demonstrates that the stopping decision can be formalized with precision, optimized with rigor, and implemented with transparency.

The three mathematical frameworks -- MAX constraints, SPRT, and Bayesian posterior thresholds -- each provide different tradeoffs. MAX constraints offer simplicity and interpretability but waste samples on clearly conforming or nonconforming populations. SPRT provides optimal sample efficiency for two-point hypothesis testing but requires specification of exact null and alternative defect rates. Bayesian stopping provides smooth convergence and natural incorporation of prior information but requires careful prior specification and calibration.

The multi-dimensional extension is essential for real-world audits that evaluate multiple risk factors simultaneously. The Bonferroni-adjusted joint stopping criterion provides family-wise FAR control with minimal implementation complexity. The weighted extension allows organizations to encode the relative importance of different risk dimensions into the stopping criterion.

The budget-constrained optimization reveals a fundamental insight: audit resources should be allocated where they produce the most marginal FAR reduction, not distributed uniformly across risk strata. The Lagrangian dual variable quantifies the marginal value of audit budget, providing a decision-support metric for audit resource allocation.

Integration with the MARIA OS Gate Engine provides the architectural foundation for deploying these stopping criteria in production. The Fail-Closed axiom -- when in doubt, deny -- is the critical design choice that prevents the audit stopping problem from degrading into a throughput optimization problem. Without Fail-Closed, there is always pressure to terminate audits early to reduce cost and delay. With Fail-Closed, the system defaults to continued auditing when evidence is insufficient, ensuring that the governance objective (controlling FAR) takes precedence over the efficiency objective (minimizing sample size).

The case study results are encouraging: sequential methods achieve 38-42% sample size reductions while maintaining FAR below 0.3%, and the Fail-Closed axiom prevents every potential false allow in budget-exhaustion scenarios. These are not marginal improvements -- they represent a qualitative change in audit reliability and efficiency.

The question "when should the audit stop?" now has a precise answer: when the accumulated evidence, evaluated through mathematically rigorous stopping criteria, provides sufficient confidence that the governance constraint is satisfied. Not before. Not by judgment. By proof.

References

1. Wald, A. (1945). Sequential Tests of Statistical Hypotheses. Annals of Mathematical Statistics, 16(2), 117-186. 2. Wald, A. & Wolfowitz, J. (1948). Optimum Character of the Sequential Probability Ratio Test. Annals of Mathematical Statistics, 19(3), 326-339. 3. Armitage, P. (1957). Restricted Sequential Procedures. Biometrika, 44(1-2), 9-26. 4. AICPA (2019). AU-C Section 530: Audit Sampling. Professional Standards. 5. IAASB (2009). ISA 530: Audit Sampling. International Standards on Auditing. 6. PCAOB (2017). AS 2315: Audit Sampling. Auditing Standards. 7. Berger, J. O. (1985). Statistical Decision Theory and Bayesian Analysis. Springer-Verlag. 8. DeGroot, M. H. (1970). Optimal Statistical Decisions. McGraw-Hill. 9. Ghosh, B. K. & Sen, P. K. (1991). Handbook of Sequential Analysis. Marcel Dekker. 10. Tartakovsky, A., Nikiforov, I., & Basseville, M. (2014). Sequential Analysis: Hypothesis Testing and Changepoint Detection. Chapman & Hall/CRC. 11. MARIA OS Architecture Documentation (2026). Fail-Closed Gate Design for Agent Governance. Decision Inc. Internal Technical Report.