Quarterly Compliance Reporting Checklist

Export the active user list from Entra ID and the Okta admin console as of the first day of the control period. Include guests, service accounts, and break-glass accounts so they can be reconciled separately.

Match the IdP roster against the BambooHR / Workday active-employee export. Common findings: terminated employees still active in Okta, contractors past their end date, and shared mailbox owners reassigned to people who left. Record each mismatch in the access review tracker.

Disable each orphaned account in the IdP (do not delete — preserve for audit), revoke active sessions, and rotate any service-account credentials the user held. Capture screenshots of the disable action and the session-revoke confirmation as audit evidence.

Walk Domain Admins, Global Administrators, AWS root, and any Tier 0 groups. Standing membership should be near-zero with the rest behind PIM / just-in-time elevation. Flag any service account that has been Domain Admin for more than 90 days for rotation.

Confirm BitLocker / FileVault on endpoints via Intune or JAMF, and EBS / Azure Disk encryption on cloud volumes. Document any exceptions (test environments, legacy appliances) and confirm the recovery keys are escrowed.

Restore a sample VM and a sample file share from Veeam / Datto into the isolated DR environment — not production. Time the restore against the documented RTO. Backup-success metrics in the dashboard are not evidence the backup is usable; only a successful restore is.

Open a P1 ticket against the backup engineer with the restore log, the failed RPO/RTO, and the affected job name. Treat a failed restore drill as a control deficiency that needs root cause documented before next quarter's report.

Verify the 3-2-1 architecture: at least one copy is on object-locked S3 (or equivalent immutable target) in a separate cloud account or tenant. Backups writable from production are not ransomware-resilient.

Tenable / Qualys / Rapid7 with credentials — unauthenticated scans miss the majority of OS-level CVEs. Scope must include workstations, servers, network gear, and externally exposed assets.

Filter CVSS 9.0+ and 7.0+ findings, deduplicate against the prior quarter, and tag each with an owner and remediation SLA. CISA KEV-listed vulnerabilities take priority regardless of CVSS.

Pull the Intune / SCCM / Automox compliance report for last month's Patch Tuesday KBs. Check the test → pilot → production ring progression and any stalled devices. A 95% compliance floor at quarter-end is the SOC 2 evidence auditors typically expect.

Pick a scenario from the tabletop library — ransomware on a file server, business email compromise, AWS root key leak — and walk it with the on-call team, IT leadership, and a legal / comms representative. Time the playbook against the documented MTTR target.

Roll the tabletop findings and any real incidents from the quarter into the runbook. Version-control the change in Confluence / Hudu so the auditor can see the runbook evolves.

Walk the next 90 days of the rotation, escalation policy, and contact methods. Common gap: a former employee still listed as the secondary or as a backup contact for a critical service.

Pull the access review tracker, restore drill log, vulnerability triage spreadsheet, patch compliance report, tabletop notes, and the SIEM detection map. Name each artifact with the control reference (CC6.1, CC7.2, CC8.1) so the auditor's sample request maps cleanly.

Upload the consolidated package to the quarterly folder in IT Glue / Hudu / Confluence. Tag the page with the control period dates so retrieval at audit time is one search.