Alex Soe — CPA, CGA · Director of Finance

Most software gets built from the normal case outward.

You define the happy path. You ship it. Then edge cases arrive — from users, from support tickets, from the moment a real business tries to use the tool and does something you didn't anticipate. You handle them reactively, one at a time, as they appear.

That's a reasonable way to build consumer software. It's a dangerous way to build financial software.

I spent most of April 15 writing down edge cases. Not building code. Not designing screens. Just documenting every situation I could name where the financial logic needs to behave differently from the standard case.

I expected maybe fifteen.

I got to 52.

And I know the list isn't complete. It's the 52 I could see from where I'm standing today, with the context I have from three years of building financial models at a professional services firm, from studying ASPE and Canadian payroll regulations, from watching how founder-led businesses actually run their finances versus how textbooks say they should.

Some of them are obvious once you name them. EC-1: hiring lead time. If a business plans to hire someone in June, they're probably recruiting in April. The cost of that hiring process — recruiter fees, interview time, onboarding — precedes the headcount event it produces. A model that only counts costs from the start date misses everything that happened to get there.

Some of them are jurisdiction-specific. EC-23: CDOR was discontinued in June 2024, replaced by CORRA as the Canadian overnight risk-free rate. Any model that has a floating rate debt line referencing CDOR is now referencing a defunct benchmark. The model needs to know this.

Some of them are about trust. EC-52: operational root cause not documented in the source system. A finance lead flags a variance. The model can show the number changed. It cannot tell you why unless someone recorded the reason somewhere. If a variance exceeds threshold and no operational note is attached, the output gets a pending flag. Finance Lead has to clear it before period close. A number without a reason is an unauditable number.

EC-51 was the one that surprised me.

Prompt injection schema validation. If you're letting users define assumption structures — what fields exist, what types they are, what the validation rules are — a sufficiently motivated bad actor could embed instructions in a field value that the system then executes. The gate is schema validation at the point of ingestion: every user-defined structure gets parsed and validated against a strict schema before it touches any downstream process. Instructions masquerading as data get rejected at the door.

I didn't expect to be thinking about adversarial inputs in a financial planning tool. But if you're building a product where non-technical users can define their own assumption structures and those structures feed financial calculations that affect real decisions — you're building an attack surface whether you intended to or not.

Here's what 52 edge cases means in practice: the product has to be designed generically enough to handle all of them through configuration, not through 52 separate code paths.

New business type → new module registered in the manifest. Module activation mid-year → configuration change in the assumption table, not a feature request. Headcount reallocation between verticals → a new row in the staffing assumption table, not a rebuild. The architecture handles the generic shape; the edge case is an instance of that shape with specific parameters.

A financial product that handles the normal case elegantly is useful. A financial product that handles the normal case and the 52 edge cases through the same structural mechanism — that's a platform.

The 52nd edge case got documented before a single line of product code exists.

That's intentional. The blueprint has to be more detailed than the territory before you start building. Not because you'll implement every edge case on day one — you won't. But because the architecture you choose on day one has to be capable of handling them when you get there.

Finding EC-53 after the walls are already up is expensive. Finding it now is just a line in a document.