ACI · TN-005 · Technical Note
Domain D-3 · D-4 · Version 1.0 · 2026
Open Working Draft
Subject to revision
aethercontinuity.org

Tier A System Audit Questionnaire

Ten Questions for Demonstrating Operative H-4b Compliance in Decision-Critical Public Sector Systems

Tier A System Audit Questionnaire: ten questions for demonstrating operative H-4b compliance in decision-critical public sector systems

Cite as — Aether Continuity Institute (ACI). (2026). Tier A System Audit Questionnaire. ACI Technical Note No. 005, v1.0. Available at: https://aethercontinuity.org
Purpose — This questionnaire is submitted by the system owner of a TN-004 Tier A classified system to the designated oversight authority (RKOM or equivalent). Each question requires documented evidence, not declarations. Unsupported Yes answers are treated as No for audit purposes.
Cross-references — TN-003 (D1–D4 Architectural Audit Metrics) · TN-004 (Decision-Critical System Scoping Tool) · WP-003 · WP-006 · WP-011
§ 01

How to Use This Questionnaire

Instructions for system owners

This questionnaire is completed by the accountable system owner for each TN-004 Tier A classified system. It is submitted to the designated oversight body before procurement approval for new systems, and on an annual cycle for existing Tier A systems.

Each question requires a Yes or No answer accompanied by documented evidence. "Evidence" means a verifiable, auditable record — a test log, a configuration specification, a procurement contract clause, or an independent audit report. A declaration of intent, a vendor SLA, or a verbal assurance does not constitute evidence for the purposes of this questionnaire.

A No answer, or a Yes answer without supporting evidence, is recorded as Fail for that dimension. A partial answer — where the property exists for some functions but not others — is recorded as Partial, which triggers a scoping review to determine whether the covered functions include all TC-1, TC-2, and TC-3 relevant operations.

The questionnaire tests whether operative H-4b exists — whether non-compliance with D1–D4 architectural requirements produces present, attributable, and proportionate institutional cost. A system that passes all ten questions has demonstrated operative H-4b for its scope. A system that fails any question in the D-1 or D-3 dimension is presumptively non-compliant regardless of NIS2 or CER status.

§ 02

System Identity

Completed by system owner prior to questionnaire submission.

Tier A System — Audit Record
System name: ______________________________
Owning authority: ______________________________
TN-004 terminal condition(s): TC-1 / TC-2 / TC-3 (circle applicable)
Named accountable authority: ______________________________
Audit date: ______________________________
Previous audit result: Pass / Partial / Fail / First audit
§ 03

D-1 Power Endurance Questions

AQ-1 · D-1 · Power endurance · Local generation · Ref. TN-003 §03 D-1
Can this system sustain full operational function for 72 hours or more using only locally available power, without dependency on external grid availability or real-time fuel procurement?
This question tests whether the system's power supply is duration-capable in the TN-003 sense — not merely whether a UPS or generator exists, but whether the energy source is physically on-site or in jurisdiction-controlled reserve, and whether the rated duration covers the compound stress reference window. Cloud-hosted systems that depend on the provider's datacenter power infrastructure do not satisfy this question regardless of the provider's own continuity certifications.
Required evidence
Local power system specification with rated duration under operational load · Fuel or energy reserve inventory and replenishment independence documentation · Provider contract clauses specifying local-power capability if applicable
Pass — 72h+ demonstrated with evidence
Partial — covered for some functions
Fail — no local power capability or <72h
AQ-2 · D-1 · Power endurance · Test record · Ref. TN-003 §03 D-1
Has this system been operated on local power without external grid input within the past 12 months, for a minimum of 8 hours under normal operational load, with results documented?
A power endurance specification that has never been tested is an architectural claim, not a demonstrated property. The 8-hour test is a minimum verification exercise — it confirms that the local power system functions as specified under real operational load, not just in a standby configuration. The test log must record: start time, end time, load level, any anomalies observed, and the name of the officer responsible for the test.
Required evidence
Dated test log signed by responsible officer · Load measurement during test period · Anomaly record (including nil-anomaly declaration)
Pass — test conducted, documented, within 12 months
Partial — test conducted but underdocumented
Fail — no test record in past 12 months
§ 04

D-2 Data Endurance Question

AQ-3 · D-2 · Data endurance · Local sovereignty · Ref. TN-003 §03 D-2
Are the decision-critical registers and operational data required by this system's TC functions held in jurisdiction-controlled storage, physically accessible without external network connectivity?
This question targets the primary data sovereignty condition. "Jurisdiction-controlled" means the storage infrastructure is owned, leased, or contractually controlled by the jurisdiction — not by a third-party cloud provider. "Physically accessible without external network connectivity" means that during a network separation event (loss of internet, degraded WAN, provider unavailability), the data can be read, written, and used by authorised system operators without requiring connection to external infrastructure.
Required evidence
Storage infrastructure ownership or lease documentation · Network topology diagram showing access paths under degraded connectivity · Data sovereignty declaration specifying which data sets are held locally
Pass — local sovereignty documented for all TC-relevant data
Partial — some TC-relevant data held externally
Fail — primary data held in external cloud without local copy
AQ-4 · D-2 · Data endurance · Offline mode test · Ref. TN-003 §03 D-2
Has this system's offline operational mode been tested within the past 12 months — demonstrating that TC functions can be executed for at least 72 hours using only locally held data, without external data access?
As with AQ-2, an untested offline capability is an architectural claim. The test must cover the specific TC functions identified in §02 (TC-1, TC-2, TC-3 as applicable) — not just general system availability. A test that shows the system boots offline but cannot process authenticated decisions does not satisfy AQ-4 for a TC-1 system. The test must be conducted against realistic operational scenarios, not synthetic load.
Required evidence
Dated offline test log specifying TC functions tested · Confirmation that all tested TC functions executed successfully · Duration of offline operation achieved
Pass — 72h offline test completed for all TC functions
Partial — offline mode works but TC functions incomplete
Fail — no offline test or offline mode not functional
§ 05

D-3 Identity Endurance Questions

AQ-5 · D-3 · Identity endurance · Local authority · Ref. TN-003 §03 D-3 · WP-003
Can the authentication and authorisation functions required for this system's TC operations proceed without dependency on any external identity provider, PKI authority, or internet-connected service?
This is the TN-004 Q-3 cascade dependency question in audit form. Identity failure is frequently the first failure mode in compound stress — not because the decision system itself fails, but because the authentication layer fails first and takes all downstream systems with it. A system whose local identity authority depends on an external cloud SSO, a geographically remote certificate authority, or a provider-managed token service does not satisfy AQ-5 even if the primary system is locally hosted. The question traces the identity chain to its root.
Required evidence
Local identity authority technical specification · Identity provider dependency map showing all external dependencies in the authentication chain · Confirmation that no external network call is required to authenticate a decision-authorised user
Pass — local identity authority operational, no external dependency
Partial — local fallback exists but not primary
Fail — authentication chain has external dependency with no local fallback
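The chain-tracing exercise AQ-5 describes can be made mechanical: record every component in the authentication path, mark whether it is jurisdiction-controlled and reachable without an external network call, and walk the dependencies to their roots. The following Go program is an added example, not part of the note or of any ACI tooling; the component names, the `Local`/`DependsOn`/`Fallback` fields and the sample chain are constructed for illustration. It reports Pass when every component on the primary path is local, Partial when the primary path has an external root but a usable local fallback exists (the AQ-5 Partial condition), and Fail otherwise, and it collects the external dependencies as the dependency map the question requires as evidence.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is one element of the authentication chain (constructed model).
// Local is true when the component is jurisdiction-controlled and usable
// without an external network call. DependsOn lists what it needs to function;
// Fallback names an optional alternative used when the component is unavailable.
type Component struct {
	Name      string
	Local     bool
	DependsOn []string
	Fallback  string
}

// Verdict follows the AQ-5 scale. The ordering matters: the weakest link on a
// dependency path decides the verdict for that path.
type Verdict int

const (
	Fail Verdict = iota
	Partial
	Pass
)

func (v Verdict) String() string { return [...]string{"Fail", "Partial", "Pass"}[v] }

// evaluate walks the chain from name down to its roots. Every non-local or
// undeclared component encountered is recorded in externals, which becomes the
// dependency map AQ-5 asks for. Cycles are treated as unresolvable (Fail).
func evaluate(chain map[string]Component, name string, visiting, externals map[string]bool) Verdict {
	c, ok := chain[name]
	if !ok {
		externals[name+" (undeclared)"] = true
		return Fail
	}
	if visiting[name] {
		return Fail
	}
	visiting[name] = true
	defer delete(visiting, name)

	primary := Pass
	if !c.Local {
		externals[name] = true
		primary = Fail
	}
	for _, dep := range c.DependsOn {
		if v := evaluate(chain, dep, visiting, externals); v < primary {
			primary = v
		}
	}
	if primary == Pass {
		return Pass
	}
	// Primary path is not fully local: a usable local fallback yields Partial.
	if c.Fallback != "" && evaluate(chain, c.Fallback, visiting, externals) != Fail {
		return Partial
	}
	return primary
}

// AssessAQ5 evaluates the chain from the decision system's entry point and
// returns the verdict with the sorted list of external dependencies found.
func AssessAQ5(chain map[string]Component, entry string) (Verdict, []string) {
	externals := map[string]bool{}
	v := evaluate(chain, entry, map[string]bool{}, externals)
	names := make([]string, 0, len(externals))
	for n := range externals {
		names = append(names, n)
	}
	sort.Strings(names)
	return v, names
}

// SampleChain is a constructed chain: a locally hosted decision system whose
// primary login goes through a cloud SSO, with a local IdP and CA as fallback.
func SampleChain() map[string]Component {
	return map[string]Component{
		"decision-system": {Name: "decision-system", Local: true, DependsOn: []string{"cloud-sso"}},
		"cloud-sso":       {Name: "cloud-sso", Local: false, Fallback: "local-idp"},
		"local-idp":       {Name: "local-idp", Local: true, DependsOn: []string{"local-ca"}},
		"local-ca":        {Name: "local-ca", Local: true},
	}
}

func main() {
	v, ext := AssessAQ5(SampleChain(), "decision-system")
	fmt.Printf("AQ-5 verdict: %s; external dependencies: %v\n", v, ext)

	// Remove the fallback: the primary path still ends at an external root, so Fail.
	noFallback := SampleChain()
	c := noFallback["cloud-sso"]
	c.Fallback = ""
	noFallback["cloud-sso"] = c
	v, ext = AssessAQ5(noFallback, "decision-system")
	fmt.Printf("Without fallback: %s; external dependencies: %v\n", v, ext)
}
```

The point of running this against a real inventory rather than reading a topology diagram is the one the question makes: a locally hosted primary system with a cloud SSO in front of it scores Partial at best, and the verdict is decided by the weakest component on the path, not by where the decision system itself runs.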
AQ-6 · D-3 · Identity endurance · Stress credentials · Ref. TN-003 §03 D-3
Is there a documented, tested procedure for activating fallback credentials for TC functions under compound stress conditions — specifying who holds the credentials, under what conditions they are activated, and how their integrity is cryptographically secured?
Normal-operation authentication procedures frequently depend on infrastructure that fails under compound stress — networked HSMs, cloud-hosted credential stores, email-based MFA. A stress credential procedure addresses the specific condition where normal authentication infrastructure is unavailable. The procedure must be written, not improvised. The credentials must be physically secured and jurisdiction-controlled. The activation conditions must be explicit — ambiguity about when fallback credentials may be used creates governance risk independent of technical capability.
Required evidence
Written stress credential procedure document · Physical security record for credential storage · Test record showing procedure was exercised within 12 months
Pass — procedure documented, credentials secured, tested
Partial — procedure exists but untested or credentials not physically secured
Fail — no documented stress credential procedure
§ 06

D-4 Audit Endurance Questions

AQ-7 · D-4 · Audit endurance · Physical separation · Ref. TN-003 §03 D-4
Are the decision audit logs for this system's TC functions held in jurisdiction-controlled storage that is physically separated from the primary system and cannot be accessed, modified, or deleted by primary system administrators?
Audit log integrity depends on the log being held by a system that is independent of the system being audited. A log held in the same cloud environment as the primary system is accessible to anyone with administrative access to that environment — provider staff, compromised administrators, or an attacker who has reached the primary system. Physical separation is a structural requirement: the audit system and the primary system must have different access control surfaces, different administrative domains, and ideally different physical locations.
Required evidence
Audit log storage architecture documentation showing physical separation · Access control specification confirming different administrative domain · Ownership documentation for audit storage infrastructure
Pass — physically separated, different admin domain, jurisdiction-controlled
Partial — separated but same provider or partially shared admin
Fail — audit logs in same environment as primary system
AQ-8 · D-4 · Audit endurance · Cryptographic integrity · Ref. TN-003 §03 D-4 · TN-002 §03
Can the completeness and authenticity of the decision audit trail be verified independently of primary system availability — through a cryptographic hash chain or equivalent mechanism that does not require access to the primary system?
A log that can only be verified through the primary system provides no accountability in the scenario where the primary system has failed, been compromised, or is under dispute. Independent verifiability requires that the log's integrity is cryptographically sealed at the time of writing — each entry references its predecessor, and the chain can be verified by any party holding the public verification key without requiring access to the primary system. This is the standard established in TN-002 §03 for audit endurance in edge intelligence nodes.
Required evidence
Cryptographic integrity mechanism specification (hash chain algorithm, key management) · Independent verification test record — log verified without primary system access · Key custody documentation
Pass — cryptographic chain verifiable independently, tested
Partial — integrity mechanism exists but verification requires partial system access
Fail — no independent integrity verification mechanism
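The mechanism AQ-8 describes, a chain in which each entry references its predecessor and any holder of the public verification key can check the whole log, is shown below as an added Go example. It is not part of the note and does not reproduce the TN-002 §03 specification; in particular it uses Ed25519 as a stand-in signature scheme where TN-002 references post-quantum attestation, and the record layout, field names and sample decisions are constructed for illustration. The writer seals each entry at write time; the verifier uses only the log and the public key, so it runs with no access to the primary system. The `Head()` value is included because a hash chain alone cannot reveal that its tail was cut off: the latest hash must be witnessed or published off-system, which is why AQ-8 evidence includes key custody and an independent verification record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one sealed decision-audit record (constructed layout). PrevHash
// links it to its predecessor, Hash covers (Seq, PrevHash, Payload), and Sig is
// the writer's Ed25519 signature over Hash.
type Entry struct {
	Seq      uint64
	PrevHash [32]byte
	Payload  string
	Hash     [32]byte
	Sig      []byte
}

// Writer lives on the separated audit system and seals entries at write time.
// Only the writer holds the private key; verifiers hold the public key.
type Writer struct {
	priv ed25519.PrivateKey
	last [32]byte // hash of the latest entry; all zeros before the first entry
	seq  uint64
	Log  []Entry
}

func NewWriter(priv ed25519.PrivateKey) *Writer { return &Writer{priv: priv} }

// entryHash binds sequence number, predecessor hash and payload together, so
// reordering, substituting or altering any of them changes the hash.
func entryHash(seq uint64, prev [32]byte, payload string) [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|", seq)
	h.Write(prev[:])
	h.Write([]byte("|"))
	h.Write([]byte(payload))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append seals a new decision record onto the chain.
func (w *Writer) Append(payload string) Entry {
	e := Entry{Seq: w.seq, PrevHash: w.last, Payload: payload}
	e.Hash = entryHash(e.Seq, e.PrevHash, e.Payload)
	e.Sig = ed25519.Sign(w.priv, e.Hash[:])
	w.last, w.seq = e.Hash, w.seq+1
	w.Log = append(w.Log, e)
	return e
}

// Head returns the latest chain hash for off-system witnessing; without such an
// anchor a verifier cannot tell that trailing entries were removed.
func (w *Writer) Head() string { return hex.EncodeToString(w.last[:]) }

// Verify checks sequence continuity, predecessor links, content hashes and
// signatures using only the log and the public key. It reports the first
// failing entry and needs no access to the primary system or the writer.
func Verify(pub ed25519.PublicKey, log []Entry) error {
	var prev [32]byte
	for i, e := range log {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence number %d out of order", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: predecessor link broken", i)
		}
		if entryHash(e.Seq, e.PrevHash, e.Payload) != e.Hash {
			return fmt.Errorf("entry %d: content does not match recorded hash", i)
		}
		if !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return fmt.Errorf("entry %d: signature invalid", i)
		}
		prev = e.Hash
	}
	return nil
}

// SampleLog builds a constructed three-entry log and returns the public key a
// verifier would hold together with the sealed entries.
func SampleLog() (ed25519.PublicKey, []Entry) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	w := NewWriter(priv)
	for _, p := range []string{
		"decision=benefit-approved;case=C-1001;officer=op-17",
		"decision=benefit-denied;case=C-1002;officer=op-17",
		"decision=permit-issued;case=C-1003;officer=op-22",
	} {
		w.Append(p)
	}
	fmt.Println("chain head to witness off-system:", w.Head())
	return pub, w.Log
}

func main() {
	pub, log := SampleLog()
	fmt.Println("intact log:", Verify(pub, log))
	tampered := append([]Entry(nil), log...)
	tampered[1].Payload = "decision=benefit-approved;case=C-1002;officer=op-17"
	fmt.Println("altered entry:", Verify(pub, tampered))
}
```

Verification detects an altered payload, a removed or reordered entry, and a forged signature; a log cut short at the tail still verifies as a valid prefix, which is the gap the witnessed head value closes.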
§ 07

Systemic Endurance Questions

These questions address properties that span multiple D-dimensions and concern the system's behaviour under compound stress as a whole.

AQ-9 · Cross-dimensional · Compound stress integration test · Ref. TN-003 §04 · WP-006
Has this system been tested under simultaneous D-1, D-2, and D-3 stress conditions — simulating grid unavailability, external network separation, and external identity provider unavailability — with all TC functions demonstrated as operational for the 72-hour reference window?
D1, D2, and D3 properties tested individually may each pass while failing in combination — if, for example, the offline data access relies on authentication infrastructure that also fails under network separation. The compound stress integration test is the only verification that all four endurance properties work together under the conditions they are actually designed to address. This test is more demanding than the individual dimension tests in AQ-2 and AQ-4 and should be conducted at least annually for all Tier A systems.
Required evidence
Compound stress test scenario specification · Test execution log covering all three simultaneous stress conditions · Confirmation of TC function availability throughout 72-hour window · Named responsible officer for test
Pass — compound test conducted, all TC functions operational for 72h
Partial — test conducted but TC functions degraded during test window
Fail — no compound stress test conducted
AQ-10 · Labour Continuity Reserve · DA-006 intersection · Ref. DA-006 · TN-004 §07 Q-4
Is there documented evidence that the personnel required to operate this system's TC functions under compound stress conditions are available, trained, and able to perform those functions without external support — including senior staff, not only junior operators?
TN-004 §07 Q-4 identifies the unresolved intersection between technical D1–D4 compliance and the DA-006 Labour Continuity Reserve finding. A technically compliant system may fail if the operators required to run it under stress are unavailable — through attrition, the +55 cohort atrophy mechanism documented in DA-006, or external dependency on vendor support staff. This question directly operationalises the DA-006/TN-004 intersection. "Senior staff" is explicit: compound stress scenarios frequently require judgment and authority beyond what junior operators can provide. The question is not satisfied by a staffing chart; it requires evidence of training exercises under stress conditions and a succession plan for key roles.
Required evidence
Stress scenario training records for TC-relevant staff within 12 months · Succession documentation for each TC-critical operator role · Confirmation that TC functions can be performed without vendor or external contractor presence
Pass — trained staff documented, succession plan in place, vendor-independent
Partial — training incomplete or succession gaps identified
Fail — TC functions require external support or training not documented
§ 08

Audit Summary and Verdict

Question   Dimension                                  Result            Evidence ref.
AQ-1       D-1 Power — local generation               ______________    ______________
AQ-2       D-1 Power — test record                    ______________    ______________
AQ-3       D-2 Data — local sovereignty               ______________    ______________
AQ-4       D-2 Data — offline mode test               ______________    ______________
AQ-5       D-3 Identity — local authority             ______________    ______________
AQ-6       D-3 Identity — stress credentials          ______________    ______________
AQ-7       D-4 Audit — physical separation            ______________    ______________
AQ-8       D-4 Audit — cryptographic integrity        ______________    ______________
AQ-9       Compound stress integration test           ______________    ______________
AQ-10      Labour continuity reserve                  ______________    ______________
Audit verdict — select one
Pass — operative H-4b confirmed

All ten questions answered Yes with documented evidence. System is compliant with TN-003 D1–D4 requirements. Procurement proceeds or annual certification renewed.

Fail — operative H-4b not demonstrated

One or more questions answered No or without supporting evidence. Procurement is blocked pending remediation. Override requires named accountable authority, documented risk acceptance, and time-bounded remediation plan per TN-004 §06.

Partial — elevated review required

One or more questions answered Partial. The system owner and oversight authority must jointly determine whether the partial coverage includes or excludes the specific TC functions that triggered Tier A classification. If TC functions are within the uncovered scope, the system is treated as Fail for procurement purposes. If TC functions are demonstrably within the covered scope, a time-bounded plan to close the partial coverage is required as a condition of approval.

AQ-10 note — not a blocking condition in isolation

AQ-10 (Labour Continuity Reserve) is the only question that does not map directly to a TN-003 D1–D4 dimension. A Fail on AQ-10 does not automatically block procurement or trigger the TN-004 override mechanism — it triggers a mandatory workforce continuity review. The review determines whether the identified gap constitutes an operational risk sufficient to affect the audit verdict. This distinction is necessary because AQ-10 addresses a structural labour market condition (DA-006 L-4 segmentation) that a single system owner cannot resolve through procurement alone.

References

Cross-references

TN-003
D1–D4 Architectural Audit Metrics. Defines the properties each AQ question tests. TN-005 is the evidence-based questionnaire form for TN-003 §03 compliance demonstration.
TN-004
Decision-Critical System Scoping Tool. Determines which systems are subject to TN-005. A system must be TN-004 Tier A classified before TN-005 applies. The TN-004 override mechanism is activated by a Fail verdict in TN-005.
WP-003
Institutional Termination Time. AQ-5 and AQ-6 (identity endurance) connect directly to the ITT mechanism: identity layer failure is the most common first event in an ITT sequence.
TN-002
Duration-Capable Edge Intelligence Node. AQ-8 cryptographic integrity criterion references TN-002 §03 post-quantum attestation specification.
DA-006
Labour Market Allocation Diagnostic. AQ-10 directly operationalises the DA-006/TN-004 §07 Q-4 intersection: the Labour Continuity Reserve finding applied to the specific human operators required for Tier A system TC functions.
WP-011
The TN-005 audit verdict mechanism is the operative H-4b enforcement point WP-011 §08 identifies as the missing link. A Pass verdict confirms operative H-4b for the scoped system. A Fail verdict with override confirms nominal H-4b with named political accountability — the H-4a fallback in WP-011 §04.