IT Regulatory Compliance Review

Data Privacy and Protection

    Pull a BitLocker (Windows) and FileVault (macOS) encryption report from Intune or Jamf. Flag devices reporting unencrypted volumes or recovery keys missing from escrow: both are findings against SOC 2 CC6.7 and HIPAA §164.312(a)(2)(iv), and an encrypted disk with no escrowed key is a data-loss incident waiting for the first forgotten PIN. Check the per-device report timestamp as well; a device that has not checked in for weeks is reporting its last known state, not its current one.

    Scan internal web apps, file shares, and admin consoles for TLS 1.0/1.1 listeners and expired or self-signed certificates (certificates issued by the internal CA are fine if that CA is in the trust store; self-signed leaf certificates are not). TLS 1.0 and 1.1 are formally deprecated (RFC 8996). Note any service still using SMBv1 or unencrypted LDAP: those need a documented remediation date, not a pass.
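A small probe for the TLS and certificate checks in this item, added here as an illustration and not part of the Manifestly template. It uses Python's standard ssl module to test whether a listener still negotiates TLS 1.0 or 1.1, and the third-party cryptography package (assumed installed) to decode the leaf certificate. The host names are placeholders and the 30-day expiry warning is an assumed threshold.

```python
import socket
import ssl
from datetime import datetime, timezone

# Added example. Host names used below are placeholders; point it at your own inventory.
LEGACY_VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}


def accepts_legacy_tls(host, port=443, timeout=3.0):
    """Return the legacy protocol names the listener still negotiates."""
    accepted = []
    for name, version in LEGACY_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # probing the protocol, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level, so the
            # probe lowers it for this context only; without this every host looks clean.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.append(name)        # handshake completed: listener accepts it
        except (ssl.SSLError, OSError, ValueError):
            pass
    return accepted


def fetch_leaf_der(host, port=443, timeout=3.0):
    """Fetch the leaf certificate as DER without validating it (a bad cert is the point)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_fields(der):
    """Subject, issuer and UTC expiry, decoded with the cryptography package (assumed installed)."""
    from cryptography import x509   # third-party; imported lazily so classify_cert runs without it
    cert = x509.load_der_x509_certificate(der)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:            # cryptography < 42 exposes a naive UTC datetime instead
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return cert.subject.rfc4514_string(), cert.issuer.rfc4514_string(), not_after


def as_utc(value):
    """Accept an aware datetime or an ISO-8601 string such as '2024-01-01T00:00:00Z'."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value.astimezone(timezone.utc)


def classify_cert(subject, issuer, not_after, now=None, warn_days=30):
    """Findings for one leaf certificate. Self-signed means subject == issuer: nothing in a
    chain vouches for it. An internal-CA certificate has a different issuer and is fine when
    that CA is trusted. The warn_days threshold is an assumption."""
    now = as_utc(now) if now else datetime.now(timezone.utc)
    not_after = as_utc(not_after)
    findings = []
    if subject == issuer:
        findings.append("self-signed")
    if not_after <= now:
        findings.append("expired")
    elif (not_after - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    return findings


def audit_listener(host, port=443):
    """Run both checks against one host:port and return the list of finding strings."""
    findings = [f"accepts {name}" for name in accepts_legacy_tls(host, port)]
    subject, issuer, not_after = cert_fields(fetch_leaf_der(host, port))
    return findings + classify_cert(subject, issuer, not_after)


if __name__ == "__main__":
    for target in ("intranet.corp.example", "fileshare.corp.example"):   # placeholders
        print(target, audit_listener(target) or "clean")
```

Hosts that only listen on SMB or LDAP need a different probe (a TLS handshake on 445 or 389 proves nothing); this block is for the HTTPS-style listeners the item lists.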

    Export membership of privileged roles (Global Administrator, Privileged Role Administrator, Exchange Administrator) and high-impact security groups, including PIM eligible assignments and not only active ones, and expand nested groups. Look for the classic gotchas: stale members from prior projects, and "Domain Users" (directly or through a nested group) granted access to sensitive file shares.

    Confirm DLP rules for PII, PHI, and cardholder data are in enforce mode (not test mode) across Exchange Online, SharePoint, OneDrive, and Teams. Pull the last 90 days of policy match reports for the audit binder; a policy with zero matches in 90 days deserves a test message, since that usually means the rule does not fire rather than that the data is absent.

    Spot-check Confidential and Highly Confidential sensitivity labels on the top file repositories. Mislabeled or unlabeled folders containing regulated data are the most common audit finding here.

User Authentication and Access

    Verify the Entra ID conditional access policies require MFA for all users including admins, and that legacy authentication (IMAP, POP, SMTP basic auth, ActiveSync basic) is blocked org-wide. Legacy protocols cannot complete an MFA challenge, so a password spray against a legacy endpoint succeeds with the password alone; this is the most common MFA bypass seen in the wild. Exchange Online retired basic auth for most protocols in 2022, but SMTP AUTH can still be enabled per mailbox, and the conditional access block is the tenant-wide control the auditor will ask to see.

    Build the Block Legacy Auth conditional access policy in report-only mode first. Review sign-in logs for at least 48 hours (longer if month-end batch jobs are in scope) to identify any legitimate service account, scan-to-email device, or line-of-business app still on basic auth, migrate them to modern auth (OAuth), then flip the policy to enforce. Do not migrate them to app passwords: app passwords only work over legacy auth and are blocked by the same policy.
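The review of report-only results described in the two items above, as an added example that is not part of the Manifestly template. It defines the policy in the JSON shape that Microsoft Graph's identity/conditionalAccess/policies endpoint accepts and then summarises an exported batch of sign-in records. The sign-in records are constructed here, the break-glass group id is a placeholder, and the spray threshold is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

POLICY_NAME = "Block legacy authentication"

# Policy body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
# Same shape as Microsoft's own template: client apps Exchange ActiveSync + Other clients,
# grant = block. It starts in report-only; change "state" to "enabled" once the review is clean.
BLOCK_LEGACY_AUTH_POLICY = {
    "displayName": POLICY_NAME,
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeGroups": ["00000000-0000-0000-0000-000000000000"],  # placeholder: break-glass group
        },
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# The Entra sign-in log reports only these two clientAppUsed values as modern auth;
# everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def is_legacy(record):
    return record.get("clientAppUsed", "") not in MODERN_CLIENTS


def review_legacy_auth(records, now, window_hours=48, spray_threshold=10):
    """Summarise legacy-auth sign-ins from an exported batch of Graph signIn objects."""
    cutoff = now - timedelta(hours=window_hours)
    migrate = Counter()        # (user, client, app) -> successful legacy sign-ins to migrate
    failed_by_ip = Counter()   # failed legacy attempts per source address
    would_block = 0            # sign-ins the report-only policy would have blocked
    for r in records:
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        if ts < cutoff or not is_legacy(r):
            continue
        for p in r.get("appliedConditionalAccessPolicies", []):
            if p["displayName"] == POLICY_NAME and p["result"] == "reportOnlyFailure":
                would_block += 1
        if r["status"]["errorCode"] == 0:
            migrate[(r["userPrincipalName"], r["clientAppUsed"], r["appDisplayName"])] += 1
        else:
            # Conditional access is evaluated only after a correct password, so a spray
            # that fails on the password never shows up as reportOnlyFailure; count it here.
            failed_by_ip[r["ipAddress"]] += 1
    return {
        "migrate": dict(migrate),
        "would_block": would_block,
        "spray_sources": {ip: n for ip, n in failed_by_ip.items() if n >= spray_threshold},
    }


# Constructed sample sign-ins (not real log data), relative to a fixed "now".
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def stamp(hours_ago):
    return (NOW - timedelta(hours=hours_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


def signin(upn, client, app, hours_ago, error=0, ip="198.51.100.10", ca_result=None):
    return {
        "createdDateTime": stamp(hours_ago),
        "userPrincipalName": upn,
        "appDisplayName": app,
        "clientAppUsed": client,
        "ipAddress": ip,
        "status": {"errorCode": error},
        "appliedConditionalAccessPolicies": (
            [{"displayName": POLICY_NAME, "result": ca_result}] if ca_result else []
        ),
    }


SAMPLE_SIGNINS = [
    signin("svc-scanner@corp.example", "Authenticated SMTP", "Office 365 Exchange Online", 1,
           ca_result="reportOnlyFailure"),                         # scan-to-email device: migrate
    signin("alice@corp.example", "Browser", "Office 365 SharePoint Online", 2,
           ca_result="reportOnlyNotApplied"),                      # modern auth: ignored
    signin("bob@corp.example", "Exchange ActiveSync", "Office 365 Exchange Online", 72,
           ca_result="reportOnlyFailure"),                         # outside the 48 h window
] + [
    signin(f"user{i}@corp.example", "IMAP4", "Office 365 Exchange Online", 5,
           error=50126, ip="203.0.113.5")                          # 12 bad passwords, one source
    for i in range(12)
]


def review_sample():
    return review_legacy_auth(SAMPLE_SIGNINS, NOW)


if __name__ == "__main__":
    print(review_sample())
```

The "migrate" entries are the accounts that need an OAuth-capable client before the policy goes to enforce; "spray_sources" is why the policy is worth enforcing.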

    Reconcile CyberArk, BeyondTrust, or Delinea vault contents against the current admin roster. Rotate any credential past its policy age, and flag service accounts that have been "temporary" for more than two quarters — the classic six-year-old domain admin service account lives here.
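One way to script the two reconciliations described under "Export membership of privileged roles" and in the item above (privileged-role export against the admin roster, and vault contents against rotation policy), added here as an example and not code from the Manifestly template or any of the vault products named. The exports, the roster, the 90-day staleness cut-off, the rotation ages and the 180-day "temporary" limit are all constructed assumptions; real inputs come from the Entra ID role-member export with last sign-in, and from the vault's account report.

```python
from datetime import datetime, timezone

# Assumed policy values; adjust to the written password policy.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
STALE_DAYS = 90                                   # privileged account with no sign-in this long
ROTATION_POLICY_DAYS = {"personal": 90, "service": 180}
TEMPORARY_MAX_DAYS = 180                          # "two quarters"


def days_since(day, now):
    """Age in days of an ISO date string (None stays None)."""
    if day is None:
        return None
    return (now - datetime.fromisoformat(day).replace(tzinfo=timezone.utc)).days


def review_roles(assignments, approved, now=NOW):
    """Findings for each role assignment: not on the roster, or stale."""
    findings = []
    for a in assignments:
        who = f"{a['upn']} ({a['assignmentType']} {a['role']})"
        if (a["upn"], a["role"]) not in approved:
            findings.append((who, "not on approved admin roster"))
        age = days_since(a.get("lastSignIn"), now)
        if age is None:
            findings.append((who, "never signed in"))
        elif age > STALE_DAYS:
            findings.append((who, f"no sign-in for {age} days"))
    return findings


def review_vault(accounts, now=NOW):
    """Findings for each vaulted credential: past rotation age, or 'temporary' for too long."""
    findings = []
    for acct in accounts:
        limit = ROTATION_POLICY_DAYS[acct["type"]]
        age = days_since(acct["lastRotated"], now)
        if age > limit:
            findings.append((acct["account"], f"credential {age} days old, policy {limit}"))
        if "temporary" in acct.get("tags", []):
            lived = days_since(acct["created"], now)
            if lived > TEMPORARY_MAX_DAYS:
                findings.append((acct["account"], f"tagged temporary for {lived} days"))
    return findings


# Constructed inputs. APPROVED is the roster: (user, role) pairs someone signed off on.
APPROVED = {
    ("alice@corp.example", "Global Administrator"),
    ("carol@corp.example", "Exchange Administrator"),
}
ROLE_EXPORT = [
    {"upn": "alice@corp.example", "role": "Global Administrator",
     "assignmentType": "Eligible", "lastSignIn": "2024-02-28"},
    {"upn": "carol@corp.example", "role": "Exchange Administrator",
     "assignmentType": "Active", "lastSignIn": "2023-10-01"},
    {"upn": "dave-contractor@corp.example", "role": "Global Administrator",
     "assignmentType": "Active", "lastSignIn": None},
]
VAULT_EXPORT = [
    {"account": "CORP\\svc-backup", "type": "service", "lastRotated": "2023-01-15",
     "created": "2018-03-01", "tags": ["temporary"]},
    {"account": "CORP\\alice-adm", "type": "personal", "lastRotated": "2024-01-20",
     "created": "2022-06-01", "tags": []},
]

if __name__ == "__main__":
    for subject, finding in review_roles(ROLE_EXPORT, APPROVED) + review_vault(VAULT_EXPORT):
        print(f"{subject}: {finding}")
```

Eligible assignments are reviewed exactly like active ones: an eligible Global Administrator is still a Global Administrator once they activate.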

    Schedule reviewers (managers + system owners) on Entra ID Access Reviews for privileged roles, app assignments, and group memberships. Enable "Auto apply results to resource" and set "If reviewers don't respond" to "Remove access"; the default for non-response is "No change", which silently keeps everyone a reviewer ignored. With both set, unreviewed users are removed at review close, which catches offboarding gaps.

    Cross-check the Okta or Entra ID app catalog against finance's SaaS spend report. Apps with per-seat licenses that are not federated through SSO are shadow IT: inventory them with a remediation owner and target date.

Security Monitoring and Incident Response

    Confirm Splunk, Sentinel, or Sumo Logic is receiving events from domain controllers, firewalls, EDR, and the M365 unified audit log within the last 24 hours. Check against an expected-source inventory rather than a summary of what arrived: a query grouped by source only lists sources that sent something, so a silent source is absent from it, not flagged. Silent log sources are a SOC 2 CC7.2 finding and a real blind spot during incident response.

    Run Tenable or Qualys with credentialed scans against servers and endpoints. Unauthenticated scans miss most patch-level findings, so check the per-host authentication status in the results: a scan whose credentials failed falls back to unauthenticated and looks clean. Tag the scan as the quarterly evidence run for the audit binder.

    Open an emergency RFC in ConnectWise PSA or Jira Service Management, attach the CVSS scores, whether the CVE is on the CISA Known Exploited Vulnerabilities list, and the affected hosts, and route to the CAB lead for expedited approval. Document a tested rollback plan: emergency does not mean unreviewed.

    Triage open detections in CrowdStrike Falcon, SentinelOne, or Defender for Endpoint that are older than 7 days. Each one needs a closure reason — false positive, contained, or escalated to IR — not just a stale queue.

    Walk IT, security, leadership, and legal through a scenario where production file shares are encrypted and the Veeam repository is also hit. The exercise should surface whether the immutable backup tier (object lock, air-gapped tape, or separate cloud account) is actually isolated from the production attack path, and whether the backup service and console credentials are separate from domain admin; if a domain admin token can delete or expire backups, the tier is not isolated.

    Pull the patch compliance dashboard from NinjaOne, Datto RMM, or Intune. Target is at least 95% of endpoints within 30 days of the last Patch Tuesday, with offline devices counted in the denominator; a dashboard that excludes them overstates compliance. Investigate any device offline more than 14 days: those are usually shipped-out laptops or decommissioned-but-not-retired assets.
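Added example (not part of the Manifestly template or any RMM vendor's code) of computing that target from an RMM export: it works out which Patch Tuesday cycle's 30-day window has already closed, treats that release as the baseline every endpoint must have, and keeps offline devices in the denominator. The device records and their field names are constructed assumptions.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30      # deadline after each Patch Tuesday
OFFLINE_DAYS = 14     # check-in gap after which a device counts as offline
TARGET = 0.95


def as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def last_patch_tuesday(today):
    """Most recent second Tuesday of a month on or before `today`."""
    today = as_date(today)
    year, month = today.year, today.month
    for _ in range(2):                       # this month, else the previous one
        first = date(year, month, 1)
        # weekday(): Monday=0, Tuesday=1; first Tuesday + 7 days is the second Tuesday
        second_tuesday = first + timedelta(days=(1 - first.weekday()) % 7 + 7)
        if second_tuesday <= today:
            return second_tuesday
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)


def required_cycle(today, window_days=WINDOW_DAYS):
    """Latest Patch Tuesday whose window has already closed: the release every endpoint
    must have by `today`. Early in a month that is two cycles back, not one."""
    today = as_date(today)
    cycle = last_patch_tuesday(today)
    while cycle + timedelta(days=window_days) > today:
        cycle = last_patch_tuesday(cycle - timedelta(days=1))
    return cycle


def patch_compliance(devices, today, window_days=WINDOW_DAYS,
                     offline_days=OFFLINE_DAYS, target=TARGET):
    """Compliance ratio over ALL devices. Offline ones stay in the denominator and are
    never counted compliant: an unseen laptop is unknown, not patched."""
    today = as_date(today)
    cycle = required_cycle(today, window_days)
    compliant, noncompliant, offline = 0, [], []
    for d in devices:
        offline_for = (today - as_date(d["lastCheckIn"])).days
        if offline_for > offline_days:
            offline.append(d["name"])
        has_cycle = d["lastPatched"] is not None and as_date(d["lastPatched"]) >= cycle
        if has_cycle and offline_for <= offline_days:
            compliant += 1
        else:
            noncompliant.append(d["name"])
    total = len(devices)
    ratio = compliant / total if total else 0.0
    return {
        "required_cycle": cycle.isoformat(),
        "compliant": compliant,
        "total": total,
        "ratio": round(ratio, 3),
        "meets_target": ratio >= target,
        "offline": offline,
        "noncompliant": noncompliant,
    }


# Constructed RMM export; the field names are assumptions.
SAMPLE_DEVICES = [
    {"name": "LT-001", "lastPatched": "2024-03-15", "lastCheckIn": "2024-03-19"},
    {"name": "LT-002", "lastPatched": "2024-02-20", "lastCheckIn": "2024-03-18"},
    {"name": "LT-003", "lastPatched": "2024-01-12", "lastCheckIn": "2024-03-19"},
    {"name": "LT-004", "lastPatched": "2024-02-14", "lastCheckIn": "2024-02-28"},  # offline 21 days
    {"name": "SRV-01", "lastPatched": None, "lastCheckIn": "2024-03-20"},
]


def sample_report(today="2024-03-20"):
    return patch_compliance(SAMPLE_DEVICES, today)


if __name__ == "__main__":
    print(sample_report())
```

On 20 March 2024 the required baseline is the February cycle (13 February), because March's 30-day window is still open; the "noncompliant" list is what goes to the investigation queue, with the offline entries flagged separately.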

Compliance Documentation and Reporting

    Attach this quarter's screenshots, exports, and reports to each SOC 2 / HIPAA / PCI control entry. Auditors look for evidence dated within the audit period — last quarter's screenshot reused does not pass sampling.

    Reconcile Microsoft, VMware, Adobe, and Veeam license counts against deployed instances from the RMM and vCenter inventories. A surprise vendor audit on an 80-VM overage is a six-figure problem; a quarterly reconciliation is a 30-minute one.

    The internal auditor (or vCIO for MSP engagements) samples 10–15 controls and re-tests them independent of the IT team's evidence. Document any deviations with owner, root cause, and remediation date — that exception log is what the external auditor will ask for first.

    Push the next KnowBe4, Hoxhunt, or Proofpoint module and a fresh phishing simulation. Pull the repeat-clicker list and route to managers for targeted remediation — generic org-wide reminders do not move that number.

    The IT Manager or vCIO signs the quarterly attestation summarizing controls tested, exceptions, and remediation status. This is the artifact leadership and the external auditor see — the work upstream only counts if it's reflected here accurately.

Use this template in Manifestly

Start a Free 14 Day Trial
Use Slack? Start your trial with one click

Related Systems Administration Checklists
Related Compliance Checklists

Ready to take control of your recurring tasks?

Start Free 14-Day Trial


Use Slack? Sign up with one click

With Slack