LLM-Assisted Forensic and Compliance Auditing for Public Sector Organizations
DOI:
https://doi.org/10.34190/eccws.25.1.4707
Keywords:
Large Language Models, Log-based Anomaly Detection, Digital Forensics, Regulatory Compliance, Model Context Protocol, Retrieval-Augmented Generation
Abstract
From an IT perspective, modern organizations often exhibit a dichotomy between day-to-day operational practice and formal policy enforcement for security, quality, and regulatory compliance. Reconciling these dimensions remains challenging, particularly in large-scale infrastructures that generate high-volume, heterogeneous, and unstructured data, while relevant policies and standards are typically expressed in natural language and therefore difficult to translate into actionable rules and automated compliance checks. This paper presents FOCUS-PA, a project that develops methods and tools to strengthen digital forensics and continuous auditing for compliance management in the Public Administration (PA) sector. FOCUS-PA delivers a Forensic and Compliance Auditing (FCA) platform tailored to public-sector environments, explicitly accounting for the specific characteristics of administrative information systems, their data sources, workflows, and domain-driven legal and privacy constraints. The platform is designed for the continuous ingestion and analysis of operational data, enabling both ongoing compliance monitoring and the forensic investigation of security incidents. To address these requirements, FOCUS-PA introduces an agentic framework that leverages Large Language Models (LLMs) via a Retrieval-Augmented Generation (RAG) approach. By adopting the Model Context Protocol (MCP), the platform provides a unified mechanism to connect natural-language policy documents with structured operational logs, supporting consistent interpretation, correlation, and evidence-driven auditing. A central contribution of FOCUS-PA is reducing the cost of security policy engineering in compliance-auditing solutions. Today, experts must translate regulatory texts and internal procedures into machine-readable specifications - a process that is slow, expensive, and quickly becomes outdated as policies and regulations evolve. 
We investigate how LLMs can help extract and structure policy specifications from unstructured documents (e.g., procedure manuals) and observed operational data, facilitating their conversion into machine-verifiable rules (“Policy as Code”). This approach aims to accelerate policy onboarding and maintenance and to enable the timely adoption of emerging regulations and standards (e.g., NIS2) by streamlining the translation of high-level requirements into actionable compliance checks. We detail requirements for PA deployments and LLM-assisted policy engineering, describe the platform architecture and implementation, and discuss integration aspects, demonstrating how FOCUS-PA can improve compliance governance and accelerate incident investigation through scalable analytics and expert-supervised automation.
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.