Peveka.
InsightsForensic Methodology
Forensic Methodology

Bayesian Forensics for Project Controls: From Probability Theory to Continuous Detection of Schedule Manipulation

A working framework for converting forensic project controls from a binary compliance exercise into a continuous probabilistic detection capability — with the math grounded in the existing federal compliance apparatus, not introduced as a parallel regime.

The Defense Contract Management Agency’s 14-Point Schedule Assessment evaluates each schedule against fourteen specific structural and integrity tests. Each test produces a pass-fail outcome against a numerical threshold. A schedule with 4% missing logic passes the missing-logic test, which has a 5% threshold; a schedule with 6% fails. The framework is binary, deterministic, and easy to audit — which is precisely its limitation.

Real schedule manipulation rarely fails any individual threshold. Float falsification, retroactive baseline modification, narrative-versus-data divergence, and mathematically implausible resource loading distribute their signature under the threshold of any single test. Each individual indicator looks unremarkable. The combination of indicators carries the manipulation signal.

This is the gap a probabilistic framework closes. Where threshold-based compliance asks if this metric exceeds its boundary, a Bayesian framework asks, given the joint pattern of observed indicators, what is the posterior probability that this schedule has been manipulated. The shift from threshold logic to posterior probability is not cosmetic. It is the mathematical apparatus that converts forensic project controls from a binary compliance exercise into a continuous detection capability.

This post walks the framework from probability theory through the operational mechanics: sequential updating across reporting periods, decision-theoretic action thresholds, and the calibrated likelihood ratios that ground the entire apparatus in real audit history. The objective is to give project controls professionals a working vocabulary for what continuous probabilistic detection requires, why it succeeds where threshold compliance fails, and which components of the framework are doing the load-bearing work.

A note on positioning before proceeding. The Forensic Intelligence Engine (FIE) currently operationalizes the deterministic substrate of this framework: the observable features that enter Bayesian inference as evidence. DCMA 14-Point metrics, BEI with strict baseline traceability, the four NDIA IEAC variants computed in a pre-parsing layer, calendar-aware schedule integrity checks, EIA-748 guideline mapping, and resource histogram flatness detection. Each detection result is finding-level traceable, and every flagged Activity ID carries the specific datum that triggered it. The Bayesian apparatus described in this post is the analytical layer this substrate composes into, and the direction the platform is being built. The math is presented here both as engineering reference and as the architectural argument for why deterministic features and probabilistic inference belong in the same system.

First Principles: Conditional Probability and Bayes’ Theorem

Begin with the most fundamental object in the framework: the conditional probability of one event given another. For two events AA and BB, the conditional probability of AA given BB is defined as:

P(AB)  =  P(AB)P(B)P(A \mid B) \;=\; \frac{P(A \cap B)}{P(B)}

By symmetry,

P(BA)  =  P(AB)P(A)P(B \mid A) \;=\; \frac{P(A \cap B)}{P(A)}

Rearranging and equating the shared joint probability produces Bayes’ theorem:

P(HD)  =  P(DH)P(H)P(D)P(H \mid D) \;=\; P(D \mid H) \cdot \frac{P(H)}{P(D)}

In words:

  • P(HD)P(H \mid D) is the posterior: the probability of hypothesis HH after observing data DD.
  • P(DH)P(D \mid H) is the likelihood: the probability of observing DD if HH were true.
  • P(H)P(H) is the prior: what we believed about HH before observing any data.
  • P(D)P(D) is the evidence: the probability of observing DD averaged across all hypotheses.

The denominator expands using the law of total probability. If HH and ¬H\neg H partition the hypothesis space:

P(D)  =  P(DH)P(H)  +  P(D¬H)P(¬H)P(D) \;=\; P(D \mid H) \cdot P(H) \;+\; P(D \mid \neg H) \cdot P(\neg H)

For forensic project controls, the natural choice of hypotheses is HH = schedule has been manipulated and ¬H\neg H = schedule reflects honest reporting. The data DD is the observable pattern of features extracted from the schedule and cost submission. The posterior P(HD)P(H \mid D) is the quantity a forensic system actually wants: the probability of manipulation given everything observed.

Likelihood Functions: Where the Real Moat Lives

The likelihood P(DH)P(D \mid H) is where domain knowledge enters the framework. It is a model of how observable features arise under each hypothesis. Building well-calibrated likelihood functions is the technical core of applied Bayesian forensics, and strategically, it is the component of the framework that is hardest to replicate.

Consider a single binary feature: the schedule’s total float distribution shows statistical clustering inconsistent with random network topology. Call this feature X1X_1. Under the manipulation hypothesis, the probability of observing this clustering signature is high — manipulated schedules concentrate float redistribution near critical-path activities to mask delay exposure. Under the honest hypothesis, the probability of observing the same signature is low, though not zero.

Encode this as a Bernoulli likelihood:

P(X1=1H)  =  p1P(X_1 = 1 \mid H) \;=\; p_1
(probability of clustering signal under manipulation)
P(X1=1¬H)  =  q1P(X_1 = 1 \mid \neg H) \;=\; q_1
(probability of clustering signal under honest reporting)

The ratio p1q1\dfrac{p_1}{q_1} is the likelihood ratio for this feature. It captures how strongly the feature distinguishes manipulation from honest reporting. A likelihood ratio of 5 means observing the clustering signal is five times more probable if the schedule has been manipulated than if it has not.

For continuous features — say the magnitude of retroactive baseline drift measured between consecutive reporting periods — a Gaussian likelihood is often appropriate:

P(X2=xH)    N(μH,  σH2)P(X_2 = x \mid H) \;\sim\; \mathcal{N}(\mu_H,\; \sigma^2_H)
P(X2=x¬H)    N(μ¬H,  σ¬H2)P(X_2 = x \mid \neg H) \;\sim\; \mathcal{N}(\mu_{\neg H},\; \sigma^2_{\neg H})

The manipulation distribution typically has a higher mean and possibly heavier tails than the honest distribution. The likelihood ratio for a specific observed value xx is then:

LR(x)  =  N(xμH,σH2)N(xμ¬H,σ¬H2)\mathrm{LR}(x) \;=\; \frac{\mathcal{N}(x \mid \mu_H,\, \sigma^2_H)}{\mathcal{N}(x \mid \mu_{\neg H},\, \sigma^2_{\neg H})}

The natural follow-up question is where pip_i and qiq_i actually come from. The answer is what makes this concept architecturally consequential rather than aspirational. The likelihood parameters are estimated, not declared. The estimation source is labeled historical audit data: projects with confirmed outcomes from DCMA surveillance findings, GAO audit reports, settled claims, formal compliance interventions, and externally validated forensic schedule analyses under AACE 29R-03. For each forensic feature, the estimation procedure measures the empirical frequency of the feature firing across the labeled-manipulation cohort and the labeled-honest cohort, producing maximum likelihood estimates of pip_i and qiq_i. Bayesian estimation with Beta conjugate priors stabilizes the estimates when either cohort is small. Periodic re-estimation keeps the likelihood parameters calibrated to the current population.

This is the strategic point: the platform that assembles the labeled corpus first has the structurally calibrated likelihoods, and that lead compounds. The math is in the public domain. The data is not. Federal contracts that settle, DCMA findings that close, GAO audits that publish, AACE forensic reports that get cited — these are the corpus that makes posterior probabilities defensible rather than declarative. Building this corpus is not an engineering problem. It is a sourcing and legal-release problem, and it pays off over years.

Priors: Encoding Base Rates and the Cost of Getting Them Wrong

The prior P(H)P(H) is the base rate of manipulation in the population being audited. This is where the framework either succeeds or quietly fails.

If 1 in 50 federal capital projects exhibits material schedule manipulation in a given reporting period — a defensible base rate consistent with what GAO findings and DCMA surveillance suggest — then the prior is P(H)=0.02P(H) = 0.02 and P(¬H)=0.98P(\neg H) = 0.98. Now consider a forensic feature with likelihood ratios pq=0.950.05=19\tfrac{p}{q} = \tfrac{0.95}{0.05} = 19. This sounds extremely diagnostic. Applying Bayes’ theorem with the prior:

P(HX=1)  =  (0.95)(0.02)(0.95)(0.02)+(0.05)(0.98)  =  0.0190.068    0.28P(H \mid X = 1) \;=\; \frac{(0.95)(0.02)}{(0.95)(0.02) + (0.05)(0.98)} \;=\; \frac{0.019}{0.068} \;\approx\; 0.28

A single very-diagnostic feature firing produces a posterior probability of manipulation of only 28%, because the base rate is so low that even strong evidence is largely absorbed by the prior. This is the base rate problem, and it is the dominant operational risk in forensic detection. Threshold-based compliance frameworks ignore it entirely.

The framework’s response is to combine multiple features and to elicit better priors from domain knowledge. For prior elicitation, a Beta distribution over the manipulation rate is the natural conjugate choice:

P(H)    Beta(α,β)whereαα+β=E[P(H)]P(H) \;\sim\; \mathrm{Beta}(\alpha,\, \beta) \quad \text{where} \quad \frac{\alpha}{\alpha + \beta} = \mathbb{E}[P(H)]

The shape parameters can be calibrated from program portfolio history: if 8 of 400 historical projects exhibited manipulation, a Beta(8,392)\mathrm{Beta}(8, 392) prior encodes that evidence with appropriate uncertainty. Empirical Bayes estimates priors from data and is the principled way to ground priors in observed base rates rather than declaring them arbitrarily.

The deeper point: in forensic detection, uninformative priors are not neutral. They are wrong. A Uniform(0,1)\mathrm{Uniform}(0, 1) prior over manipulation rates implies a 50% expected base rate, which is orders of magnitude higher than reality. Bad priors in low-base-rate problems produce systematically miscalibrated posteriors, and miscalibrated posteriors produce systematically wrong compliance decisions.

Bayesian Networks: Avoiding the Pile-On Failure Mode

Forensic features are not independent. Float distribution patterns correlate with baseline modification history. Narrative-data divergence correlates with both. Resource loading curves correlate with all three. Treating these features as conditionally independent overweights the evidence, and the same underlying manipulation signal gets counted multiple times across correlated features.

A Bayesian network is a directed acyclic graph that encodes the conditional independence structure of a joint distribution. Each node represents a variable; each directed edge represents a probabilistic dependency. The joint distribution factorizes according to the graph:

P(X1,X2,,Xn)  =  iP(Xiparents(Xi))P(X_1, X_2, \ldots, X_n) \;=\; \prod_i P\bigl(X_i \mid \mathrm{parents}(X_i)\bigr)

A representative network for federal capital project forensics:

H (manipulation hypothesis) │ ▼ B (baseline modification rate) ╱ ╲ ▼ ▼ F N (float redistribution, narrative-data divergence) ╲ ╱ ▼ R (resource loading anomalies)

The hypothesis HH is the unobservable root. The baseline modification rate BB is the latent intermediate variable that captures how aggressively the contractor is editing baselines across reporting periods. The three observable features depend on BB through distinct mechanisms. The factorization is:

P(H,B,F,N,R)  =  P(H)P(BH)P(FB)P(NB)P(RF,B)P(H, B, F, N, R) \;=\; P(H) \cdot P(B \mid H) \cdot P(F \mid B) \cdot P(N \mid B) \cdot P(R \mid F, B)

Inference computes the posterior P(HF,N,R)P(H \mid F, N, R) after observing the features, marginalizing over the unobserved BB. The structural insight is that the network forces explicit representation of how features depend on each other. Threshold compliance frameworks assume independence implicitly and overweight correlated evidence. Bayesian networks make the dependency structure auditable: every edge is a defensible claim about which forensic features share underlying causes.

This isn’t the most commercially differentiating component of the framework — most buyers won’t notice — but it is the technical defense when a DCMA evaluator asks why the system doesn’t double-count baseline drift through both float and narrative pathways.

Hierarchical Models: Portfolio-Level Inference

Federal capital project oversight does not see one project in isolation. It sees portfolios: DOE’s NNSA portfolio, DCMA’s surveillance cohort, an Office of Environmental Management contractor’s body of work. The projects within a portfolio share statistical structure. They use the same scheduling software, are subject to the same contracting framework, employ overlapping personnel, and respond to correlated incentives.

The Bayesian framework for this situation is the hierarchical model. Project-level parameters are themselves drawn from a portfolio-level distribution:

θip(θφ)for each project iφp(φ)portfolio-level hyperparametersXi,Dip(Dθi)observations on project i\begin{array}{rcll}\theta_i & \sim & p(\theta \mid \varphi) & \quad \textit{for each project } i \\[4pt]\varphi & \sim & p(\varphi) & \quad \textit{portfolio-level hyperparameters} \\[4pt]X_i,\, D_i & \sim & p(D \mid \theta_i) & \quad \textit{observations on project } i\end{array}

The portfolio-level hyperparameters φ\varphi are estimated jointly with all the project-level parameters. This produces partial pooling: each project’s inference is informed both by its own data and by the patterns of other projects in the portfolio.

Partial pooling has two operational consequences. First, it stabilizes inference on data-sparse projects — a new project with only two months of reporting data borrows strength from the rest of the portfolio. Second, it surfaces portfolio-level patterns single-project analysis cannot see. If a contractor’s projects systematically exhibit elevated retroactive baseline drift, the hierarchical posterior reflects that even when no single project breaks an individual threshold.

Hierarchical models also support partial exchangeability assumptions that match the actual structure of federal oversight: projects nested within contractors, contractors nested within agencies. This is the technical mechanism that unlocks portfolio-buyer use cases such as agency PMOs that need cross-project pattern detection, not just project-by-project analysis.

Bayesian Decision Theory: From Posterior to Action

A posterior probability of manipulation is necessary but not sufficient. A forensic system has to decide: flag this project for surveillance, hold for follow-up, or pass without action. Bayesian decision theory provides the framework for converting posterior probabilities into actions, and it is one of the two highest-leverage components of the framework for federal procurement contexts.

The framework requires a loss function L(δ,θ)L(\delta, \theta) that specifies the cost of taking action δ\delta when the true state is θ\theta. For a binary decision problem:

L(flag,H)L(\text{flag},\, H)
=  0=\;0
no cost for correctly flagging manipulation
L(pass,H)L(\text{pass},\, H)
=  cmm=\;c_{\text{mm}}
cost of missing manipulation (false negative)
L(flag,¬H)L(\text{flag},\, \neg H)
=  cff=\;c_{\text{ff}}
cost of falsely flagging an honest project
L(pass,¬H)L(\text{pass},\, \neg H)
=  0=\;0
no cost for correctly passing

The Bayes-optimal decision minimizes expected posterior loss:

δ(D)  =  argminδ  Eθ ⁣[L(δ,θ)D]\delta^{*}(D) \;=\; \arg\min_{\delta} \;\mathbb{E}_{\theta}\!\bigl[L(\delta, \theta) \mid D\bigr]

For binary states, this simplifies to a threshold on the posterior:

flag if P(HD)  >  cffcff+cmm\text{flag if } P(H \mid D) \;>\; \frac{c_{\text{ff}}}{\,c_{\text{ff}} + c_{\text{mm}}\,}

The threshold is determined by the ratio of costs. If missing a $4.8B manipulation costs 100 times more than falsely flagging an honest project for surveillance, the threshold for action is 11010.01\tfrac{1}{101} \approx 0.01 — much lower than the 50% that intuition suggests. The asymmetry of forensic costs is the structural reason why purely statistical thresholds (flag if P(HD)>0.5P(H \mid D) > 0.5) systematically under-detect manipulation.

This is the layer where compliance policy meets statistical inference. The loss function is a policy decision; the posterior is a statistical output; the optimal action follows mechanically. The framing matters for federal buyers specifically: program offices already think in terms of asymmetric costs and are accustomed to defending decision thresholds against oversight. Bayesian decision theory gives them an auditable artifact — here is our posterior, here is our loss function, here is the threshold that follows — rather than a black box.

Sequential Updating and the Mechanics of Continuous Detection

Federal capital projects produce monthly performance data over multi-year project lifetimes. The Bayesian update is recursive: the posterior at month tt becomes the prior at month t+1t+1. The math is the standard Bayesian formula applied sequentially. A concrete trajectory clarifies the operational shape:

Month  1
P(HD1)P(H \mid D_1)
= 0.02
(prior — base rate)
Month  3
P(HD1..D3)P(H \mid D_1..D_3)
= 0.03
(early data consistent with honest reporting)
Month  6
P(HD1..D6)P(H \mid D_1..D_6)
= 0.18
(baseline drift signal begins to register)
Month  9
P(HD1..D9)P(H \mid D_1..D_9)
= 0.42
(drift plus emerging narrative divergence)
Month 12
P(HD1..D12)P(H \mid D_1..D_{12})
= 0.71
(full pattern established; action threshold crossed)
Month 15
P(HD1..D15)P(H \mid D_1..D_{15})
= 0.89
(high-confidence manipulation posterior)
Month 18
P(HD1..D18)P(H \mid D_1..D_{18})
= 0.94
(continued accumulation tightens posterior)

The trajectory above is a synthetic illustration calibrated to the base rate and likelihood parameters described in preceding sections, not a posterior drawn from a specific project.

The biennial GAO audit cadence would not measure this project until month 24 at the earliest. The structural performance issues GAO will eventually document have been mathematically detectable since month 9. The corrective intervention available at month 9 is qualitatively different from the corrective intervention available at month 24 — different in scope, different in cost, different in the contractual mechanisms still available to the federal program office.

The decision threshold from the previous section determines when continuous detection actually triggers an action. If the cost-asymmetry-driven threshold is P(HD)>0.4P(H \mid D) > 0.4, this project crosses it at month 9 — fifteen months before the audit cadence would have surfaced it. If the threshold is 0.70.7, action triggers at month 12. The earlier the threshold is crossed, the more recovery optionality the federal owner retains.

Two operational properties follow. First, early detection is mathematically inevitable when the manipulation pattern produces persistent evidence and the framework is calibrated. The recursive update will surface the signal; the only question is which month the threshold is crossed. Second, continuous detection compounds with intervention. When the posterior crosses the action threshold and the federal owner responds, the response itself becomes evidence in subsequent updates. If the contractor corrects the underlying pattern, posteriors decline; if they do not, posteriors keep climbing. The system is closed-loop, not open-loop.

This is what the word continuous actually means in the framework. Not real-time monitoring of raw data. Recursive posterior updating against accumulating evidence, with the decision threshold determined by the cost asymmetry between false flags and missed manipulation. Of every concept in this post, sequential updating is the one that changes the commercial shape of the platform most decisively, converting forensic project controls from a snapshot exercise into a continuous monitoring discipline.

Calibration Discipline

Two calibration disciplines beyond the sequential-update mechanic translate the framework into operating systems.

Cross-validation against known manipulation cases. A forensic system’s posteriors should be validated against historical projects with confirmed outcomes: projects that experienced material adverse audit findings, formal compliance interventions, or settled claims related to schedule and cost manipulation. Posterior calibration plots are predicted probability versus empirical frequency, binned across the posterior range, and are the operational measure of model fitness. A model is calibrated if, among predictions assigned probability pp, the empirical frequency of the predicted outcome is also pp. A 70% posterior of manipulation should mean that, across the population of projects assigned 70% posteriors, roughly 70% should actually be manipulated.

The Forensic Intelligence Engine implements the engineering substrate for this discipline as an automated evaluation pipeline that validates every model response against deterministic ground truth, catching hallucinated Activity IDs, invalid EIA-748 guideline citations, and EV-index drift before they reach a federal customer. This is the apparatus that makes calibration claims auditable rather than aspirational. Extending the same discipline to posterior calibration plots is the next layer.

Hyperparameter accountability. Every prior, likelihood specification, and loss function in the framework is a defensible quantitative claim. Federal program offices and contractor compliance teams have the right to audit these claims. The framework’s transparency is its operational advantage: every component is named, every parameter is documented, every decision threshold is traceable to its policy justification.

How This Composes With the Existing Compliance Framework

The Bayesian framework described here does not replace the existing compliance apparatus. It composes with it.

The DCMA 14-Point metrics, the EIA-748 guidelines, the AACE 29R-03 forensic methodology, and the GAO Best Practices each contribute observable features that enter the framework as evidence. The deterministic substrate FIE implements today — DCMA threshold counts, BEI with strict baseline traceability, NDIA earned-value indices, calendar-aware working-day calculations, EIA-748 guideline mapping, resource histogram flatness detection — produces the very features X1,X2,,XnX_1, X_2, \ldots, X_n that the Bayesian apparatus then composes into a posterior.

This composition matters for federal auditability. A posterior probability of manipulation that decomposes back to specific deterministic features, each of which traces to source data, is more auditable than either component alone. The Bayesian layer adds inference; the deterministic substrate provides the evidentiary chain. Together they produce a system where every posterior can be defended both probabilistically (the math is correct) and forensically (the underlying features trace to source).

The architectural rule that follows: deterministic features remain the unit of evidence. Bayesian inference is the unit of decision. Neither layer is sacrificed to the other.

The Larger Frame

Threshold-based compliance frameworks were the right technology for a project controls profession that did not yet have continuous independent verification capability. Each DCMA 14-Point test, each EIA-748 guideline check, each DOE Order 413.3B procedure encodes a piece of forensic knowledge as a binary rule. They are necessary but no longer sufficient.

The Bayesian framework’s contribution is the calculus for combining these features probabilistically, the apparatus for accounting for prior base rates, the structure for portfolio-level inference, and the decision theory for translating posteriors into action. Sequential updating across reporting periods is the mechanism that turns the calculus into continuous detection. Calibrated likelihood ratios grounded in real audit history are the moat that makes posteriors defensible rather than declarative.

The mathematics is not new. Bayes published the theorem in 1763. Hierarchical Bayesian models date to the 1970s. Bayesian networks were developed in the 1980s. Bayesian decision theory has been a mature framework since the 1950s. What is new is the software architecture to apply these methods continuously, on the data formats federal capital programs actually produce, grounded in the existing compliance framework rather than introducing a parallel evaluation regime.

This is the analytical direction the Forensic Intelligence Engine is being built around. The deterministic detection substrate is shipping today; the probabilistic layer composes on top. The posterior probability of manipulation, conditioned on the joint observation of all features, with explicit uncertainty quantification and decision-theoretic action selection, is what continuous federal capital project oversight actually requires.

The threshold-compliance era of project controls produced what its mathematics could support. The Bayesian era will produce something different.

About This Analysis

Peveka Solutions Inc. is a Santa Barbara-based project controls AI company building tools to compress federal capital project oversight from biennial audit cadence to continuous detection. The Forensic Intelligence Engine is grounded in the full federal compliance framework governing Earned Value Management on capital programs — including OMB Circular A-11, FAR Part 34, DOE Order 413.3B, the DOE 413.3 family of Performance Baseline and Integrated Project Management guides, the DoD EVMIG, the DCMA EVMS Metrics framework and Business Practices, the NDIA IPMD Intent Guide and Surveillance Guide, the GAO Cost Estimating Guide (GAO-20-195G) and Schedule Assessment Guide (GAO-16-89G), the NDIA Planning & Scheduling Excellence Guide (PASEG), the NDIA Predictive Measures Guide, the AACE 29R-03 Forensic Schedule Analysis standard, and the IPMDAR Implementation and Tailoring Guide.

If you lead capital project oversight at a federal program office or a contractor compliance organization and want to discuss how continuous probabilistic detection would integrate with your existing surveillance workflow, reach out at jwilliams@pevekasolutions.com.

Joshua Hopkins is the Co-Founder & Chief AI Officer of Peveka Solutions Inc. He leads the architecture of the Forensic Intelligence Engine — the deterministic pre-parsing layer that produces the zero-hallucination guarantee and the analytical substrate the Bayesian framework described in this post composes into.