Compliance Audit Checklist

Lock the framework list before evidence collection starts. SOC 2 Type II, HIPAA, PCI DSS, and CMMC each pull a different evidence set — running an audit against the wrong control catalog burns a week of the engineer's time.

Pull the system inventory from the CMDB or RMM (ConnectWise, NinjaOne, Datto). Flag systems that store PHI, cardholder data, or CUI — those carry stricter evidence requirements. Flat networks that haven't been segmented usually expand PCI scope; note it now rather than at fieldwork.

Pull active users from Entra ID (or Okta / JumpCloud) and reconcile against the HRIS active-employee list. Names that appear in IdP but not HRIS are the orphaned-account finding auditors look for first.

Confirm Conditional Access enforces MFA for all users, including admins, and that legacy basic-auth (IMAP, POP, SMTP, ActiveSync basic) is blocked org-wide. MFA-enabled-but-legacy-allowed is the most common finding that gets a SOC 2 control marked exception.

Send role-based access listings to each system owner for attestation. SOX, SOC 2, and HIPAA all require evidence that managers reviewed and approved each user's access — a signed attestation or ticket close-out is the artifact.

List every Domain Admin, Global Admin, root, and service account. Confirm each has a documented owner, a rotation schedule, and a business justification. "Temporary" service accounts running as Domain Admin for 6 years are the textbook pass-the-hash finding.

Sample 10–15% of terminations and walk the offboarding ticket end to end: Entra ID disabled, sessions revoked, mailbox forwarding cleared, SaaS apps deactivated, device returned. Mailbox-forwarded-to-personal-Gmail is the exfiltration finding auditors flag.

Pull BitLocker / FileVault compliance from Intune or JAMF and confirm 100% of in-scope endpoints are encrypted with recovery keys escrowed. For servers, verify volume encryption (BitLocker, LUKS) and that the cloud-stored copies use KMS-managed keys.

Run SSL Labs (or internal equivalent) against every internet-facing service. PCI DSS requires TLS 1.2 minimum; weak ciphers and expired certs are common findings. Confirm ACME automation is renewing certs before the 30-day mark.

Pick a representative system (file server, database, or M365 mailbox) and restore into an isolated environment from Veeam, Datto, or the cloud backup service. "Backups green for 18 months, restore fails" is the canonical finding — the drill is the only evidence backups are actually usable.

Verify the 3-2-1 chain: at least one copy is immutable (object lock, hardened repository, write-once tape) and isolated from production credentials. Backups writable from production are the ransomware-day finding nobody recovers from.

Export the running config from FortiGate, Palo Alto, or Meraki. Flag any-any rules, expired temporary rules, and rules with no hits in 90 days. Document the business justification or remove.

Tenable, Qualys, or Rapid7 against the in-scope network with credentialed scanning enabled. Unauthenticated scans miss most of what auditors care about. PCI DSS also requires a clean ASV external scan from an approved vendor.

Pull patch compliance from Intune, SCCM, or Automox. Confirm critical CVEs are remediated within the SLA defined in policy (commonly 30 days for criticals). Flag servers excluded from auto-patching with no documented exception.

Test that the cardholder-data VLAN cannot reach corporate user VLANs and vice versa. PCI DSS scope reduction depends on this; segmentation failures pull the entire corporate network back into PCI scope.

Walk the IR plan against reality: PagerDuty rotation, on-call escalation, MDR vendor contact, cyber insurance hotline, legal counsel. Plans referencing tools the team replaced two years ago are a common SOC 2 finding.

Pick a scenario likely for this org — ransomware on a file server, BEC on a finance lead, or vendor-supply-chain compromise. Document who said what, where the playbook broke down, and the action items. SOC 2 expects an exercise per audit period.

Pull every P1/P2 ticket from ServiceNow, Jira Service Management, or the PSA. Confirm root cause, containment time, and post-incident review for each. Auditors trace incidents end-to-end; missing post-mortems are a soft finding that hardens fast.

Each policy — acceptable use, access control, change management, incident response, BCP/DR, vendor management — needs a review date within the last 12 months and an approver of record. Policies dated 2019 are an automatic finding.

Pull KnowBe4 / Hoxhunt / Proofpoint completion reports. Confirm 100% completion for in-scope staff and that repeat phishing-simulation clickers had remediation training. Auditors sample names from the HR roster against the training report.

One row per finding: control reference, severity, owner, target remediation date, evidence link. Auditors expect this register at fieldwork — having it ready signals a mature control environment.

If critical or high findings cannot be remediated before the assessor arrives, escalate now. A documented compensating control with an executive sign-off lands far better than a finding discovered during fieldwork.

Brief the CIO / CISO and the audit committee on residual risk, compensating controls, and target remediation dates. Capture written acknowledgement so the finding has documented executive ownership.