Compliance Audit Checklist
Audit Scoping & Kickoff
Lock the framework list before evidence collection starts. SOC 2 Type II, HIPAA, PCI DSS, and CMMC each pull a different evidence set — running an audit against the wrong control catalog burns a week of the engineer's time.
Pull the system inventory from the CMDB or RMM (ConnectWise, NinjaOne, Datto). Flag systems that store PHI, cardholder data, or CUI — those carry stricter evidence requirements. Flat networks that haven't been segmented usually expand PCI scope; note it now rather than at fieldwork.
Send the evidence-request matrix to identity, network, endpoint, and backup owners with deadlines. Most evidence gaps trace back to a control owner who didn't see the request — confirm receipt in writing.
Access Control Review
Pull active users from Entra ID (or Okta / JumpCloud) and reconcile against the HRIS active-employee list. Names that appear in IdP but not HRIS are the orphaned-account finding auditors look for first.
Confirm Conditional Access enforces MFA for all users, including admins, and that legacy basic-auth (IMAP, POP, SMTP, ActiveSync basic) is blocked org-wide. MFA enabled but legacy auth still allowed is the most common finding that gets a SOC 2 control marked as an exception.
Send role-based access listings to each system owner for attestation. SOX, SOC 2, and HIPAA all require evidence that managers reviewed and approved each user's access — a signed attestation or ticket close-out is the artifact.
List every Domain Admin, Global Admin, root, and service account. Confirm each has a documented owner, a rotation schedule, and a business justification. "Temporary" service accounts running as Domain Admin for 6 years are the textbook pass-the-hash finding.
Sample 10–15% of terminations and walk the offboarding ticket end to end: Entra ID disabled, sessions revoked, mailbox forwarding cleared, SaaS apps deactivated, device returned. Mailbox-forwarded-to-personal-Gmail is the exfiltration finding auditors flag.
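The IdP-versus-HRIS reconciliation and the termination walk above are easy to script once both exports are in hand. The following is an added example, not part of the original checklist; the column names, the sample rows and the 90-day stale threshold are constructed assumptions, not any vendor's export format.

```python
"""Reconcile an IdP user export against the HRIS roster (added example).

Sample rows are constructed for this example; real exports would come from
Entra ID / Okta and the HRIS, with the column names assumed here.
"""
from datetime import date

AS_OF = date(2024, 6, 30)       # end of the audit period (constructed)
STALE_DAYS = 90                 # no sign-in for this long -> stale account
TERM_GRACE_DAYS = 1             # a terminated user must be disabled within a day

# Constructed IdP export: UPN, enabled flag, last interactive sign-in.
IDP_USERS = [
    {"upn": "alice@example.com", "enabled": True,  "last_sign_in": date(2024, 6, 28)},
    {"upn": "bob@example.com",   "enabled": True,  "last_sign_in": date(2024, 2, 1)},
    {"upn": "carol@example.com", "enabled": True,  "last_sign_in": date(2024, 6, 29)},
    {"upn": "dave@example.com",  "enabled": False, "last_sign_in": date(2023, 11, 3)},
    {"upn": "svc-backup@example.com", "enabled": True, "last_sign_in": date(2024, 6, 30)},
]

# Constructed HRIS roster: email (mixed case on purpose), status, termination date.
HRIS_ROSTER = [
    {"email": "Alice@Example.com", "status": "active",     "term_date": None},
    {"email": "bob@example.com",   "status": "terminated", "term_date": date(2024, 5, 15)},
    {"email": "dave@example.com",  "status": "terminated", "term_date": date(2023, 11, 1)},
]

# Service accounts are reviewed under the privileged-account item, not here.
SERVICE_PREFIXES = ("svc-",)


def reconcile(idp_users, hris_roster, as_of=AS_OF):
    """Return audit findings as (upn, finding) pairs, sorted for stable output."""
    roster = {r["email"].lower(): r for r in hris_roster}   # normalise case
    findings = []
    for u in idp_users:
        upn = u["upn"].lower()
        if upn.startswith(SERVICE_PREFIXES) or not u["enabled"]:
            continue                     # disabled or out of scope for this check
        person = roster.get(upn)
        if person is None:
            findings.append((upn, "orphaned: enabled in IdP, absent from HRIS"))
        elif person["status"] == "terminated" and person["term_date"] is not None:
            overdue = (as_of - person["term_date"]).days > TERM_GRACE_DAYS
            note = " (overdue)" if overdue else " (within grace period)"
            findings.append((upn, "terminated but still enabled" + note))
        if (as_of - u["last_sign_in"]).days > STALE_DAYS:
            findings.append((upn, f"stale: no sign-in for >{STALE_DAYS} days"))
    return sorted(findings)
```

Each returned pair maps directly to a row in the findings register; the orphaned and overdue-termination entries are the ones to remediate first.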
Disable orphaned accounts, force MFA on exceptions, revoke residual mailbox forwarding, and rotate service account credentials. Document each fix in the ticket so the auditor sees remediation trail, not just the original finding.
Data Protection & Backup
Pull BitLocker / FileVault compliance from Intune or JAMF and confirm 100% of in-scope endpoints are encrypted with recovery keys escrowed. For servers, verify volume encryption (BitLocker, LUKS) and that the cloud-stored copies use KMS-managed keys.
Run SSL Labs (or internal equivalent) against every internet-facing service. PCI DSS requires TLS 1.2 minimum; weak ciphers and expired certs are common findings. Confirm ACME automation is renewing certs before the 30-day mark.
Pick a representative system (file server, database, or M365 mailbox) and restore into an isolated environment from Veeam, Datto, or the cloud backup service. "Backups green for 18 months, restore fails" is the canonical finding — the drill is the only evidence backups are actually usable.
Verify the 3-2-1 chain: at least one copy is immutable (object lock, hardened repository, write-once tape) and isolated from production credentials. Backups writable from production are the ransomware-day finding nobody recovers from.
Pull DLP hits from Defender / Purview (or third-party DLP) for the audit period and confirm each was triaged. Verify retention policies actually purge data on schedule — auditors check that deletion happens, not just that policy exists.
Network Security & Vulnerability Management
Export the running config from FortiGate, Palo Alto, or Meraki. Flag any-any rules, expired temporary rules, and rules with no hits in 90 days. Document the business justification or remove.
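Once the export is normalised into a rule list, the three checks in the item above (any-any allows, expired temporary rules, rules with no hits in 90 days) can be run mechanically. This is an added example, not the checklist author's tooling; the field names, the "TEMP until YYYY-MM-DD" comment convention and the sample rules are constructed assumptions, and the vendor-specific loader that produces this list is not shown.

```python
"""Flag firewall rules an auditor will question (added example).

Operates on a normalised rule list; the fields assumed here (name, src, dst,
service, action, last_hit, comment) would be filled by a vendor-specific
loader for the FortiGate / Palo Alto / Meraki export, which is not included.
"""
import re
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)   # end of the audit period (constructed)
UNUSED_DAYS = 90
# Assumed convention for temporary rules: a comment such as "TEMP until 2024-02-01".
TEMP_RE = re.compile(r"\b(?:temp|temporary)\b.*?\buntil\s+(\d{4}-\d{2}-\d{2})", re.I)

# Constructed rule export; last_hit is None when the hit counter never incremented.
RULES = [
    {"name": "allow-web-out", "src": "users", "dst": "any", "service": "HTTPS",
     "action": "allow", "last_hit": date(2024, 6, 30), "comment": ""},
    {"name": "legacy-any", "src": "any", "dst": "any", "service": "any",
     "action": "allow", "last_hit": date(2024, 6, 29), "comment": "added 2017"},
    {"name": "vendor-rdp", "src": "vendor-vpn", "dst": "app01", "service": "RDP",
     "action": "allow", "last_hit": date(2024, 1, 10),
     "comment": "TEMP until 2024-02-01 (change ticket)"},
    {"name": "old-printer", "src": "users", "dst": "print01", "service": "LPD",
     "action": "allow", "last_hit": None, "comment": ""},
    {"name": "deny-all", "src": "any", "dst": "any", "service": "any",
     "action": "deny", "last_hit": date(2024, 6, 30), "comment": "default"},
]


def review_rules(rules, as_of=AS_OF):
    """Return {rule name: [flags]} for rules needing a justification or removal."""
    cutoff = as_of - timedelta(days=UNUSED_DAYS)
    findings = {}
    for r in rules:
        flags = []
        # A permissive catch-all; an explicit deny-all at the end is expected.
        if r["action"] == "allow" and r["src"] == r["dst"] == r["service"] == "any":
            flags.append("any-any allow")
        m = TEMP_RE.search(r["comment"])
        if m and date.fromisoformat(m.group(1)) < as_of:
            flags.append(f"temporary rule expired {m.group(1)}")
        if r["last_hit"] is None or r["last_hit"] < cutoff:
            flags.append(f"no hits in {UNUSED_DAYS} days")
        if flags:
            findings[r["name"]] = flags
    return findings
```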
Run Tenable, Qualys, or Rapid7 against the in-scope network with credentialed scanning enabled. Unauthenticated scans miss most of what auditors care about. PCI DSS also requires a clean ASV external scan from an approved vendor.
Pull patch compliance from Intune, SCCM, or Automox. Confirm critical CVEs are remediated within the SLA defined in policy (commonly 30 days for criticals). Flag servers excluded from auto-patching with no documented exception.
Test that the cardholder-data VLAN cannot reach corporate user VLANs and vice versa. PCI DSS scope reduction depends on this; segmentation failures pull the entire corporate network back into PCI scope.
Confirm Sentinel, Splunk, or QRadar is ingesting logs from every in-scope source — domain controllers, firewalls, EDR, M365, cloud control plane. Missing log sources show up as control gaps; tuned-out alerts show up as detection failures.
Incident Response Readiness
Walk the IR plan against reality: PagerDuty rotation, on-call escalation, MDR vendor contact, cyber insurance hotline, legal counsel. Plans referencing tools the team replaced two years ago are a common SOC 2 finding.
Pick a scenario likely for this org — ransomware on a file server, BEC on a finance lead, or vendor-supply-chain compromise. Document who said what, where the playbook broke down, and the action items. SOC 2 expects an exercise per audit period.
Pull every P1/P2 ticket from ServiceNow, Jira Service Management, or the PSA. Confirm root cause, containment time, and post-incident review for each. Auditors trace incidents end-to-end; missing post-mortems are a soft finding that hardens fast.
Breach-notification deadlines differ by regime: HIPAA gives 60 days, GDPR 72 hours, and several state laws are faster. Confirm the IR plan names the timeline applicable to this org's data, the legal owner of the call, and the customer-notification template.
Policy & Awareness
Each policy — acceptable use, access control, change management, incident response, BCP/DR, vendor management — needs a review date within the last 12 months and an approver of record. Policies dated 2019 are an automatic finding.
Pull KnowBe4 / Hoxhunt / Proofpoint completion reports. Confirm 100% completion for in-scope staff and that repeat phishing-simulation clickers had remediation training. Auditors sample names from the HR roster against the training report.
For each in-scope vendor (M365, AWS, backup, MDR, PSA), confirm a current SOC 2 Type II or equivalent attestation is on file. Healthcare clients also need BAAs; PCI clients need an AOC. Missing reports are the easiest control gap to close before fieldwork.
Findings & Sign-Off
One row per finding: control reference, severity, owner, target remediation date, evidence link. Auditors expect this register at fieldwork — having it ready signals a mature control environment.
If critical or high findings cannot be remediated before the assessor arrives, escalate now. A documented compensating control with an executive sign-off lands far better than a finding discovered during fieldwork.
Brief the CIO / CISO and the audit committee on residual risk, compensating controls, and target remediation dates. Capture written acknowledgement so the finding has documented executive ownership.
Final review: evidence pack assembled, findings register complete, remediation tickets linked. The IT/Security lead signs to release the package to the external assessor.
