In financial services, engineering metrics aren't just about velocity and productivity—they're about demonstrating compliance with regulatory requirements like SOC 2, PCI-DSS, and internal audit frameworks. This guide explains how to use GitHub analytics to maintain audit trails, enforce separation of duties, and report engineering controls to boards and auditors.
Whether you're preparing for your first SOC 2 audit or responding to regulatory inquiries about your software development lifecycle, having verifiable engineering metrics is no longer optional.
Regulatory Context: Why Fintech Needs Engineering Metrics
The Compliance Landscape
Financial services organizations operate under intense regulatory scrutiny. When auditors examine your technology controls, they're looking for evidence that your software development process includes appropriate safeguards:
- SOC 2: Requires documented change management processes, including code review and approval workflows
- PCI-DSS: Mandates separation of duties for changes to cardholder data environments
- FFIEC Guidelines: Expect risk-based controls for software changes, including peer review and testing
- ISO 27001: Requires controlled change management procedures with documented approvals
What Auditors Want to See
During compliance audits, expect questions like:
- "How do you ensure all code changes are reviewed before production?"
- "Can you prove that no developer deploys their own code without review?"
- "Show me the approval trail for this specific production change."
- "What percentage of changes bypass your review process?"
- "How do you detect when separation of duties is violated?"
Without engineering metrics and audit trails from your GitHub activity, answering these questions requires manual investigation of individual pull requests—a process that's both time-consuming and error-prone.
The Cost of Non-Compliance
Inadequate engineering controls can lead to:
- Failed audits: SOC 2 qualifications or PCI-DSS deficiencies that delay customer deals
- Regulatory fines: Particularly for publicly traded fintechs under SEC oversight
- Customer churn: Enterprise customers require clean audit reports
- Insurance issues: Cyber insurance may be denied or premiums increased
- Reputational damage: Public disclosure of control weaknesses
Separation of Duties: Tracking Review Compliance
The "Maker-Checker" Principle in Code
Separation of duties—the principle that no single person should control all aspects of a critical transaction—is fundamental to financial services. In engineering, this translates to: no developer should merge their own code to production without independent review and approval.
Key Metrics for Separation of Duties
CodePulse tracks two critical metrics that demonstrate separation of duties compliance:
1. Review Coverage
Review Coverage
This metric shows what percentage of code changes received any review before merging. For regulated environments, anything less than 100% represents a control gap.
Interpretation:
2. Merge Without Approval Rate
Merge Without Approval Rate
This is your smoking gun metric. For SOC 2 and PCI-DSS compliance, auditors want to see this at or near 0%.
Interpretation:
This metric catches:
- PRs reviewed but never formally approved
- Admin bypasses of branch protection
- Self-merged changes
- Hotfixes that skip approval workflow
📊How to See This in CodePulse
Your separation of duties metrics are visible in multiple places:
- Dashboard: Visit /dashboard to see Review Coverage and Merge Without Approval cards with current percentages and trends
- Alerts: Set up automatic alerts at /alerts to notify you immediately when merge without approval rate exceeds your threshold
- Historical data: CodePulse stores complete PR history including all review timestamps and approval events—essential for audit trail requirements
- Export capability: Export metrics to CSV for audit documentation or board presentations
Enforcing Separation of Duties with GitHub
Metrics show you violations, but prevention is better. Enforce separation of duties technically using GitHub branch protection:
GitHub Branch Protection for Production
Required Settings
- Require a pull request before merging
- Require approvals: 1 (minimum)
- Dismiss stale pull request approvals when new commits are pushed
- Require review from Code Owners (for critical paths)
- Do not allow bypassing the above settings (critical!)
Additional Recommended
- Require status checks to pass before merging
- Require branches to be up to date before merging
- Require conversation resolution before merging
For PCI-DSS Environments (Cardholder Data)
- Require 2 approvals (not just 1)
- Restrict who can push to production branches
Even with perfect GitHub settings, track metrics to detect when protection rules are bypassed by admins or when developers find workarounds.
Common Compliance Violations to Watch For
| Violation | How to Detect | Risk Level |
|---|---|---|
| Self-merged PRs | Author = Merger with no approvals | High |
| Hotfix bypasses | Merge without approval spike on weekends/nights | High |
| Stale approvals | Approval timestamp before last commit timestamp | Medium |
| Rubber stamp reviews | Approval within seconds of PR creation | Medium |
| Admin bypass | Force push or branch protection override | Critical |
Audit Trails for Code Changes
What Constitutes an Adequate Audit Trail?
For compliance purposes, an audit trail for code changes must demonstrate the "who, what, when, and why" of every production change. Specifically, auditors expect:
- Who: Identity of the developer who made the change AND the reviewer(s) who approved it
- What: Description of the change and its scope (files modified, lines changed)
- When: Timestamps for PR creation, review, approval, and merge
- Why: Justification for the change (linked issues, tickets, or business requirements)
- Testing: Evidence that changes were tested (CI/CD status checks)
Complete PR History: The Foundation of Audit Trails
CodePulse stores complete pull request history including:
- PR creation timestamp and author
- All review timestamps and reviewer identities
- Approval events with explicit approval states
- Merge timestamp and merge author
- Status check results (CI/CD pass/fail)
- Changes in PR state (draft, ready for review, merged, closed)
This data provides an immutable record of your development process—critical when auditors ask "prove that this specific change was reviewed and approved."
Audit Trail Requirements by Framework
| Framework | Specific Requirements |
|---|---|
| SOC 2 (CC8.1) | Changes authorized, tested, approved, and documented. Must demonstrate access restrictions for code deployment. |
| PCI-DSS (6.3) | Separation of duties between development and production. Changes to cardholder data environments must be approved by separate individuals. |
| ISO 27001 (A.12.1.2) | Change control procedures including documentation of changes, testing, and approval prior to implementation. |
| FFIEC | Risk-based change management with documentation of approvals, testing results, and rollback procedures. |
Responding to Audit Requests
When auditors request evidence of your change management controls, you need to produce:
- Policy documentation: Written policies describing your code review and approval process
- Configuration evidence: Screenshots or exports of GitHub branch protection settings
- Population data: Metrics showing review coverage and approval rates across all changes in the audit period
- Sample testing: Detailed audit trails for 15-25 randomly selected PRs showing proper review and approval
- Exception analysis: List of any violations with root cause analysis and remediation
CodePulse streamlines this process by providing both aggregate metrics (population data) and the ability to drill down into individual PRs (sample testing). For more on audit requirements, see our Security & Compliance for GitHub Analytics guide.
Setting Up Compliance Alerts
Real-Time Compliance Monitoring
Don't wait for audits to discover control violations. Set up alerts to catch compliance issues immediately when they occur.
Recommended Alert Configuration for Fintech
Compliance Alert Configuration
Alert 1: Merge Without Approval - Critical
- Metric: merge_without_approval_rate_percent
- Operator: > | Threshold: 0
- Severity: critical
- Notification: Slack + Email to VP Engineering + Compliance Officer
- Rationale: In regulated environments, ANY merge without approval is a control violation that requires immediate investigation
Alert 2: Review Coverage Warning
- Metric: review_coverage_percent
- Operator: < | Threshold: 100
- Severity: warning
- Notification: Slack to Engineering Leadership
- Rationale: Leading indicator that separation of duties may be at risk
Alert 3: Test Failure Rate Critical
- Metric: test_failure_rate_percent
- Operator: > | Threshold: 5
- Severity: critical
- Notification: Email to CTO
- Rationale: High test failure rate suggests testing controls are not preventing defects from reaching production
Alert Response Procedures
Having alerts is only useful if you have clear response procedures. For fintech compliance alerts:
- Immediate acknowledgment: Designated responder confirms alert within 15 minutes
- Investigation: Identify the specific PR(s) that triggered the alert and determine root cause
- Remediation: If it's a true violation, determine if code needs to be reverted or if post-facto review is acceptable
- Documentation: Log the incident, root cause, and remediation in your incident tracking system
- Prevention: Update processes or GitHub settings to prevent recurrence
For detailed alert setup, see our Alert Rules Guide.
Security Considerations for Regulated Industries
Data Security for Engineering Analytics
When evaluating CodePulse or any engineering analytics platform, fintech security teams should ask:
1. GitHub OAuth Scopes
CodePulse uses read-only scopes: read:org, read:user, and repo (read-only for metadata—does not modify code).
Crucially, CodePulse does NOT request admin:repo_hook or write permissions, meaning the platform cannot modify your code, change settings, or alter your repositories.
2. Code Content Access
CodePulse accesses metadata (PR titles, commit messages, review activity, timestamps) but does NOT read or store the actual source code files. This minimizes exposure of proprietary algorithms or security vulnerabilities.
3. Data Retention
Understand how long your engineering data is retained and what happens when you terminate the service. For compliance purposes, you may need to retain audit trails even after canceling.
4. Access Controls
Within CodePulse, implement role-based access control (RBAC) so that only authorized personnel can view engineering metrics and audit trails. Consider:
- Engineering leaders: Full access to all metrics
- Compliance officers: Read-only access to audit trail reports
- External auditors: Temporary read-only access with time-limited credentials
Vendor Risk Management
For regulated financial institutions, any third-party vendor (including CodePulse) should go through your vendor risk management process:
- Request SOC 2 Type II report (if required by your policy)
- Review data processing agreement (DPA) for GDPR compliance
- Confirm data residency meets your geographic requirements
- Verify incident response and breach notification procedures
- Assess vendor's cybersecurity insurance coverage
For a comprehensive vendor security checklist, see our Security & Compliance Guide.
Board Reporting for Fintech Engineering
What Boards Want to Know
For fintech companies, board members (especially those on audit or risk committees) care deeply about engineering controls. They want assurance that:
- Software development follows documented, auditable processes
- Separation of duties is enforced consistently
- Quality gates prevent defects from reaching production
- The company can demonstrate compliance during audits
Engineering Metrics for Board Presentations
When presenting to the board or audit committee, focus on metrics that demonstrate control effectiveness:
| Metric | What It Demonstrates | Board-Level Target |
|---|---|---|
| Review Coverage | All code changes receive oversight | 100% |
| Merge Without Approval | Separation of duties compliance | 0% |
| Test Failure Rate | Quality gate effectiveness | < 5% |
| Mean Time to Recovery | Incident response capability | < 1 hour |
| Deployment Frequency | Release process maturity | Daily (or as appropriate) |
Framing Engineering Metrics as Risk Indicators
Board members think in terms of risk. Frame engineering metrics accordingly:
Operational Risk - Code Review Controls
Board Presentation ExampleQuarterly Board Materials Checklist
For fintech companies preparing board materials on engineering controls:
- Trend charts: Show review coverage and merge without approval rate over last 4 quarters
- Comparison to targets: Highlight where metrics meet or exceed board-approved targets
- Exception analysis: Explain any control violations and remediation taken
- Audit readiness statement: Confirm team is prepared for upcoming audits
- Process improvements: Highlight any enhancements to engineering controls
CodePulse's export functionality makes it easy to generate board-ready reports and charts. For more on board reporting, see our Board-Ready Engineering Metrics Guide.
The Bottom Line
In fintech, engineering metrics are as much about compliance and risk management as they are about developer productivity. By tracking separation of duties metrics, maintaining complete audit trails, and setting up real-time compliance alerts, you demonstrate to auditors, regulators, and board members that your engineering organization operates with appropriate controls.
More importantly, these metrics help you prevent compliance violations before they occur— turning engineering analytics from a reporting tool into a proactive risk management system.
See these insights for your team
CodePulse connects to your GitHub and shows you actionable engineering metrics in minutes. No complex setup required.
Free tier available. No credit card required.
Related Guides
The SOC 2 Question That Eliminates 80% of Analytics Vendors
Everything you need to know about data security, SOC 2 compliance, and privacy when evaluating engineering analytics platforms.
100% Review Coverage Is a Lie (Here's What Actually Matters)
Why 100% review coverage matters, how to track it, and practical steps to build a consistent code review culture across your team.
The Alert Rules That Actually Get Action (Not Ignored)
A practical guide to configuring engineering metric alerts that catch problems early without causing alert fatigue.