Quarterly Compliance Reporting Checklist

Access Review & Identity Hygiene

    Export the active user list from Entra ID and the Okta admin console as of the first day of the control period. Include guests, service accounts, and break-glass accounts so they can be reconciled separately.

    Match the IdP roster against the BambooHR / Workday active-employee export. Common findings: terminated employees still active in Okta, contractors past their end date, and shared mailbox owners reassigned to people who left. Record each mismatch in the access review tracker.

    Disable each orphaned account in the IdP (do not delete — preserve for audit), revoke active sessions, and rotate any service-account credentials the user held. Capture screenshots of the disable action and the session-revoke confirmation as audit evidence.
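The roster match in the steps above, as an added example that is not part of the original checklist: it takes a hypothetical flattened IdP export and HRIS export (constructed rows, not real tenant data), flags active member accounts with no HR record or an end date before the control period, and sets guests, service and break-glass accounts aside for their own review.

```python
from datetime import date

# Constructed sample exports (not real tenant data); the columns are a
# hypothetical flattening of an Entra ID / Okta user export and an HRIS export.
IDP_EXPORT = [
    {"upn": "alice@corp.example", "status": "ACTIVE", "type": "member"},
    {"upn": "bob@corp.example", "status": "ACTIVE", "type": "member"},
    {"upn": "carol@corp.example", "status": "ACTIVE", "type": "member"},
    {"upn": "dan.c@corp.example", "status": "ACTIVE", "type": "member"},
    {"upn": "svc-backup@corp.example", "status": "ACTIVE", "type": "service"},
    {"upn": "breakglass-01@corp.example", "status": "ACTIVE", "type": "breakglass"},
    {"upn": "vendor@partner.example", "status": "ACTIVE", "type": "guest"},
    {"upn": "erin@corp.example", "status": "DEPROVISIONED", "type": "member"},
]
HR_EXPORT = [
    {"email": "alice@corp.example", "worker_type": "employee", "end_date": None},
    {"email": "bob@corp.example", "worker_type": "employee", "end_date": "2024-03-15"},
    {"email": "dan.c@corp.example", "worker_type": "contractor", "end_date": "2024-06-30"},
    {"email": "erin@corp.example", "worker_type": "employee", "end_date": "2024-01-02"},
]
CONTROL_START = date(2024, 7, 1)  # first day of the control period (constructed)


def reconcile(idp_rows, hr_rows, control_start):
    """Return (findings, non_member): findings maps each ACTIVE member UPN with no
    valid HR match to a reason; non_member lists guests, service and break-glass
    accounts, which are reconciled as their own population."""
    hr = {r["email"].lower(): r for r in hr_rows}
    findings, non_member = {}, []
    for row in idp_rows:
        if row["status"] != "ACTIVE":
            continue  # already disabled in the IdP; nothing to reconcile
        upn = row["upn"].lower()
        if row["type"] != "member":
            non_member.append(upn)
            continue
        rec = hr.get(upn)
        if rec is None:
            findings[upn] = "no HR record"
        elif rec["end_date"] and date.fromisoformat(rec["end_date"]) < control_start:
            findings[upn] = f"{rec['worker_type']} ended {rec['end_date']}"
    return findings, sorted(non_member)


def run_review():
    # Each entry in findings is one row for the access review tracker.
    return reconcile(IDP_EXPORT, HR_EXPORT, CONTROL_START)
```

Each key in the returned findings dict is one tracker row; the second return value is the guest / service / break-glass population to review on its own.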

    Walk Domain Admins, Global Administrators, AWS root, and any Tier 0 groups. Standing membership should be near-zero with the rest behind PIM / just-in-time elevation. Flag any service account that has been Domain Admin for more than 90 days for rotation.

    Run the Entra ID Authentication Methods report and Okta Factor Enrollment report. Confirm legacy basic-auth is blocked via Conditional Access — MFA on the front door does not help if IMAP/SMTP/POP still accept passwords.

Data Protection & Backup Verification

    Confirm BitLocker / FileVault on endpoints via Intune or JAMF, and EBS / Azure Disk encryption on cloud volumes. Document any exceptions (test environments, legacy appliances) and confirm the recovery keys are escrowed.

    Restore a sample VM and a sample file share from Veeam / Datto into the isolated DR environment — not production. Time the restore against the documented RTO. Backup-success metrics in the dashboard are not evidence the backup is usable; only a successful restore is.

    Open a P1 ticket against the backup engineer with the restore log, the failed RPO/RTO, and the affected job name. Treat a failed restore drill as a control deficiency that needs root cause documented before next quarter's report.

    Verify the 3-2-1 architecture: at least one copy is on object-locked S3 (or equivalent immutable target) in a separate cloud account or tenant. Backups writable from production are not ransomware-resilient.

    Walk the M365 / Google Workspace retention labels, S3 lifecycle rules, and database archive jobs against the published retention policy. Over-retention is as much a finding as under-retention for GDPR / CCPA scope.

Vulnerability & Patch Compliance

    Run the Tenable / Qualys / Rapid7 scan with credentials — unauthenticated scans miss the majority of OS-level CVEs. Scope must include workstations, servers, network gear, and externally exposed assets.

    Filter CVSS 9.0+ and 7.0+ findings, deduplicate against the prior quarter, and tag each with an owner and remediation SLA. CISA KEV-listed vulnerabilities take priority regardless of CVSS.
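The triage rule in the step above, as an added example that is not from the original checklist: constructed scanner rows with placeholder CVE ids, a stand-in for the CISA KEV catalog, and assumed SLA lengths (the checklist names no SLA values). KEV-listed findings outrank CVSS, anything below 7.0 is left out, and each row records whether it is new this quarter or carried over.

```python
from datetime import date, timedelta

# Constructed scanner rows (not real scan output); the CVE ids are placeholders.
CURRENT_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "owner": "platform"},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 7.5, "owner": "platform"},
    {"asset": "db-01", "cve": "CVE-0000-0003", "cvss": 6.5, "owner": "dba"},
    {"asset": "fw-01", "cve": "CVE-0000-0004", "cvss": 7.2, "owner": "network"},
    {"asset": "ws-117", "cve": "CVE-0000-0005", "cvss": 9.1, "owner": "endpoint"},
]
PRIOR_QUARTER = {("web-01", "CVE-0000-0002")}  # already in last quarter's tracker
KEV_CATALOG = {"CVE-0000-0004"}  # constructed stand-in for the CISA KEV list
REPORT_DATE = date(2024, 7, 1)  # constructed control-period start
# Assumed remediation SLAs in days; the checklist sets none, so adjust to policy.
SLA_DAYS = {"kev": 14, "critical": 30, "high": 90}
TIERS = ["kev", "critical", "high"]  # priority order for the tracker


def tier_for(cve, cvss, kev):
    """KEV membership outranks CVSS; below 7.0 stays out of the tracker."""
    if cve in kev:
        return "kev"
    if cvss >= 9.0:
        return "critical"
    return "high" if cvss >= 7.0 else None


def triage(findings, prior, kev, report_date):
    """Quarterly triage list: tier, owner, SLA due date, and whether the
    (asset, CVE) pair is new this quarter or carried over from the prior one."""
    rows = []
    for f in findings:
        tier = tier_for(f["cve"], f["cvss"], kev)
        if tier is None:
            continue
        rows.append({
            "asset": f["asset"], "cve": f["cve"], "cvss": f["cvss"], "tier": tier,
            "owner": f["owner"],
            "due": report_date + timedelta(days=SLA_DAYS[tier]),
            "new": (f["asset"], f["cve"]) not in prior,
        })
    # KEV first, then critical, then high; descending CVSS within a tier.
    rows.sort(key=lambda r: (TIERS.index(r["tier"]), -r["cvss"]))
    return rows


def run_triage():
    return triage(CURRENT_FINDINGS, PRIOR_QUARTER, KEV_CATALOG, REPORT_DATE)
```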

    Pull the Intune / SCCM / Automox compliance report for last month's Patch Tuesday KBs. Check the test → pilot → production ring progression and any stalled devices. A 95% compliance floor at quarter-end is the SOC 2 evidence auditors typically expect.

    For each unpatched system that cannot be remediated this quarter (vendor-locked appliance, legacy app, business hold), record the compensating control — network isolation, egress filter, host-based firewall — and the expiration date of the exception.

Incident Response Readiness

    Pick a scenario from the tabletop library — ransomware on a file server, business email compromise, AWS root key leak — and walk it with the on-call team, IT leadership, and a legal / comms representative. Time the playbook against the documented MTTR target.

    Roll the tabletop findings and any real incidents from the quarter into the runbook. Version-control the change in Confluence / Hudu so the auditor can see that the runbook evolves.

    Walk the next 90 days of the on-call rotation, escalation policy, and contact methods. Common gap: a former employee still listed as the secondary or as a backup contact for a critical service.

    Map Sentinel / Splunk / Sumo Logic detections against the CC7-series SOC 2 criteria — failed privileged logins, MFA bypass, mass file access, anomalous admin role grant. Any control without an active detection rule is a finding.

Audit Evidence & Sign-Off

    Pull the access review tracker, restore drill log, vulnerability triage spreadsheet, patch compliance report, tabletop notes, and the SIEM detection map. Name each artifact with the control reference (CC6.1, CC7.2, CC8.1) so the auditor's sample request maps cleanly.

    Upload the consolidated package to the quarterly folder in IT Glue / Hudu / Confluence. Tag the page with the control period dates so retrieval at audit time is one search.

    IT manager or vCIO reviews the package, records any control deficiencies that will need carry-forward remediation, and signs the attestation. The signature ties a named accountable owner to the control period — auditors look for that name.