# Compliance Audit Agent

### What it does

The Compliance Audit Agent runs automated compliance assessments against SOC2, HIPAA, PCI-DSS, ISO 27001, and GDPR—generating audit-ready reports with specific remediation steps.

Think of it as your automated compliance officer that checks your security posture against regulatory frameworks.

**You'll get:**

* Overall compliance score across all frameworks
* Detailed findings for every failing control
* Prioritized remediation roadmap (6-week plan)
* Audit-ready documentation checklist
* Exportable HTML reports for stakeholders

⏱️ **Audit time:** 5-10 minutes depending on scope

## Sample Prompts

{% hint style="success" %}
**Examples**

#### **annual‑hipaa‑review**

**Prompt:** “Perform our yearly HIPAA compliance audit across both infrastructure and applications.”

#### **pre‑product‑launch‑soc2**

**Prompt:** “Run a full SOC 2 assessment before we ship the new SaaS offering.”

#### **quick‑pci‑check**

**Prompt:** “Just check the payment‑processing components for PCI‑DSS gaps.”

#### **infra‑iso27001**

**Prompt:** “Audit only the cloud/network infrastructure against ISO 27001 controls.”

#### **mfa‑gap‑analysis**

**Prompt:** “Assess known gaps around multi‑factor authentication for all user‑facing services.”
{% endhint %}

### Why use it

**Instead of:**

* Spending months preparing for compliance audits
* Hiring expensive external consultants for initial assessment
* Manually collecting evidence across systems
* Guessing which controls to fix first

**You get:**

* Automated gap analysis in minutes
* Clear compliance scores per framework
* Prioritized remediation timeline
* Evidence collection without exposing sensitive data
* Continuous compliance monitoring

**Impact:**

* Audit preparation from months → weeks
* 78% average compliance score achievable in 90 days
* Zero overlooked controls (automated checks)

***

### Supported frameworks

The agent assesses against these regulatory standards:

| Framework     | Focus                                                    | Common For                      |
| ------------- | -------------------------------------------------------- | ------------------------------- |
| **SOC2**      | Trust Service Criteria (Security, Availability, Privacy) | SaaS companies, cloud providers |
| **HIPAA**     | Healthcare data protection                               | Healthcare, health tech         |
| **PCI-DSS**   | Payment card data security                               | E-commerce, payment processors  |
| **ISO 27001** | Information security management                          | Enterprise, global compliance   |
| **GDPR**      | Data privacy and protection                              | EU operations, user data        |

You can audit one framework or run "All of the above" for comprehensive coverage.

***

### How to use it

#### Basic audit

Run a comprehensive compliance audit:

```bash
/mcp.opsera.compliance-audit
```

or in natural language:

```
"Run a SOC2 compliance audit"
```

***

#### Specific frameworks

**SOC2 only:**

```
"Run a SOC2 compliance audit"
```

**HIPAA assessment:**

```
"Prepare for HIPAA assessment"
```

**Multiple frameworks:**

```
"Run compliance audit for SOC2 and ISO 27001"
```

**Gap analysis:**

```
"Perform a compliance gap analysis for all frameworks"
```

***

#### Scope options

During setup, you'll choose your assessment scope:

**1. Infrastructure Only**

* Servers, cloud resources, network
* Access controls, encryption
* Best for: DevOps/SRE teams

**2. Application Only**

* Code, APIs, databases
* Application-level security
* Best for: Development teams

**3. Full Assessment**

* Infrastructure + Application + Policies
* Complete compliance posture
* Best for: Formal audits, certifications

***

### What you'll see

#### During the audit

```
🔍 Compliance Audit Agent Starting...

Phase 1/6: Setup
✓ Frameworks: SOC2, HIPAA, ISO 27001
✓ Scope: Full Assessment

Phase 2/6: Scope definition
✓ Infrastructure scan enabled
✓ Application scan enabled
✓ Policy review enabled

Phase 3/6: Evidence collection (silent)
✓ Analyzing access controls...
✓ Checking encryption at rest...
✓ Reviewing audit logs...
✓ Validating vulnerability management...

Phase 4/6: Control assessment
✓ SOC2: 78% (82/105 controls)
✓ HIPAA: 65% (45/69 controls)
✓ ISO 27001: 71% (66/93 controls)

Phase 5/6: Detailed findings
Found 38 non-compliant controls
  🔴 High severity: 8
  🟠 Medium severity: 15
  🟡 Low severity: 15

Phase 6/6: Generating roadmap
✓ Created 6-week remediation plan
✓ Report saved: compliance-audit-report.html
```

***

### What you get

#### 1. Compliance Dashboard

```
Compliance Audit Results
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Overall Score: 78% (189/243 controls passing)

Control Status:
  ✅ Passing: 189
  ⚠️ Partial: 32
  ❌ Failing: 22

Framework Breakdown:
  SOC2:       78% (82/105 controls)
  HIPAA:      65% (45/69 controls)
  PCI-DSS:    81% (29/36 controls)
  ISO 27001:  71% (66/93 controls)
  GDPR:       73% (44/60 controls)

SOC2 Trust Service Criteria:
  Security:              85%
  Availability:          92%
  Processing Integrity:  78%
  Confidentiality:       68%
  Privacy:               75%
```

***

#### 2. Detailed Findings

For every failing control, you get:

**Example:**

```
Control: CC6.1 - Logical Access Controls
Status: ❌ FAILING
Severity: HIGH

Evidence Summary:
- 3 users without MFA enabled
- 5 inactive accounts still active (>90 days)
- 2 service accounts with human-level permissions

Remediation Steps:
1. Enable MFA for all users: [User1, User2, User3]
2. Disable inactive accounts in IAM console
3. Create dedicated service accounts with minimal permissions
4. Review access logs for unauthorized attempts

Estimated Effort: 2-3 days
```
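One way the CC6.1 check above can be implemented, as an added example that is not Opsera's code: it evaluates a constructed IAM inventory for the three gaps the finding lists and returns counts only, matching the agent's rule of showing sanitized summaries rather than raw evidence. The account fields and the policy names in `HUMAN_LEVEL` are assumptions.

```python
from datetime import date, timedelta

INACTIVE_DAYS = 90                                          # threshold used by the finding above
HUMAN_LEVEL = {"AdministratorAccess", "PowerUserAccess"}    # assumed names for human-level policies
AS_OF = date(2024, 3, 6)                                    # constructed audit date

# Constructed sample inventory: the kind of data the agent collects but never shows.
ACCOUNTS = [
    {"name": "alice", "type": "human", "mfa": True, "last_login": date(2024, 3, 1), "policies": ["ReadOnlyAccess"]},
    {"name": "bob", "type": "human", "mfa": False, "last_login": date(2024, 2, 20), "policies": ["PowerUserAccess"]},
    {"name": "carol", "type": "human", "mfa": True, "last_login": date(2023, 11, 1), "policies": ["ReadOnlyAccess"]},
    {"name": "ci-deploy", "type": "service", "mfa": False, "last_login": date(2024, 3, 5), "policies": ["AdministratorAccess"]},
    {"name": "backup-svc", "type": "service", "mfa": False, "last_login": date(2024, 3, 4), "policies": ["S3BackupWrite"]},
]

def assess_cc61(accounts, as_of=AS_OF):
    """Evaluate the three CC6.1 gaps and return a sanitized finding (counts only, no names)."""
    cutoff = as_of - timedelta(days=INACTIVE_DAYS)
    no_mfa = [a for a in accounts if a["type"] == "human" and not a["mfa"]]
    inactive = [a for a in accounts if a["last_login"] < cutoff]
    overpriv = [a for a in accounts if a["type"] == "service" and HUMAN_LEVEL & set(a["policies"])]
    evidence = {
        "users_without_mfa": len(no_mfa),
        "inactive_accounts": len(inactive),
        "service_accounts_with_human_level_permissions": len(overpriv),
    }
    failing = any(evidence.values())
    return {
        "control": "CC6.1 - Logical Access Controls",
        "status": "FAILING" if failing else "PASSING",
        "severity": "HIGH" if failing else None,   # access-control gaps rank HIGH in this agent's priority order
        "evidence": evidence,
    }

def evidence_summary(finding):
    """Render the evidence the way the report shows it: counts, never account names or paths."""
    e = finding["evidence"]
    return [
        f"- {e['users_without_mfa']} users without MFA enabled",
        f"- {e['inactive_accounts']} inactive accounts still active (>{INACTIVE_DAYS} days)",
        f"- {e['service_accounts_with_human_level_permissions']} service accounts with human-level permissions",
    ]

if __name__ == "__main__":
    f = assess_cc61(ACCOUNTS)
    print(f["control"], f["status"], f["severity"])
    print("\n".join(evidence_summary(f)))
```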

***

#### 3. Remediation Roadmap

**6-Week Prioritized Plan:**

```
WEEKS 1-2 (Critical & High Priority)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
□ Enable MFA for all users (CC6.1)           [2 days]
□ Encrypt data at rest (CC6.6)               [3 days]
□ Implement audit logging (CC7.2)            [2 days]
□ Remove inactive accounts (CC6.1)           [1 day]

WEEKS 3-4 (Medium Priority)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
□ Configure log retention (CC7.3)            [1 day]
□ Update incident response plan (CC7.4)      [3 days]
□ Implement vulnerability scanning (CC7.1)   [2 days]

WEEKS 5-6 (Low Priority & Documentation)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
□ Document change management process         [2 days]
□ Create network diagrams                    [1 day]
□ Update security policies                   [2 days]
```

***

#### 4. Audit Readiness Checklist

**Required Documentation Status:**

```
Policies & Plans:
  ✅ Information Security Policy          [Current]
  ✅ Business Continuity Plan             [Current]
  ❌ Incident Response Plan               [Missing]
  ⚠️ Data Classification Policy           [Expired - 2023]

Technical Documentation:
  ✅ Network Diagrams                     [Current]
  ❌ Data Flow Diagrams                   [Missing]
  ✅ System Inventory                     [Current]

Evidence & Testing:
  ✅ Penetration Test Results             [2024-02-15]
  ⚠️ Vulnerability Scan Results           [Outdated - 2024-01]
  ✅ Access Control Logs                  [Current]
  ✅ Training Records                     [Current]
```

***

#### 5. HTML Report

A professional, shareable report is generated:

```
compliance-audit-2024-03-06.html
```

**Includes:**

* Executive summary with compliance scores
* Detailed findings per framework
* Visual pass/fail indicators (color-coded)
* Complete remediation roadmap
* Ready to share with auditors or stakeholders

***

### Quality benchmarks

Use these targets to measure compliance readiness:

| Metric                 | Target   | Purpose               |
| ---------------------- | -------- | --------------------- |
| **Overall Score**      | > 80%    | Audit-ready threshold |
| **Critical Findings**  | 0        | No high-risk gaps     |
| **Framework Coverage** | 100%     | All controls assessed |
| **Documentation**      | Complete | All policies current  |

**Compliance levels:**

* ✅ **Audit Ready:** > 80%, 0 critical findings
* ⚠️ **Needs Work:** 60-80%, < 5 critical findings
* ❌ **Not Ready:** < 60% or > 5 critical findings
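How the dashboard scores and the compliance levels above fit together, as an added example that is not Opsera's code. It models controls that map to several frameworks at once, which is why the per-framework totals in the sample dashboard add up to more than the overall control count. Assumptions: a "critical finding" is a non-passing HIGH severity control, partial controls do not count as passing, exactly 5 critical findings is treated as Not Ready (the page gives no rule for 5), and anything neither Audit Ready nor Not Ready is Needs Work.

```python
# Constructed sample controls: (id, frameworks it maps to, status, severity of the gap).
# A shared control (e.g. CC6.6) is counted once overall but once per framework it maps to.
CONTROLS = [
    ("CC6.1", {"SOC2", "ISO 27001"}, "failing", "HIGH"),
    ("CC6.6", {"SOC2", "HIPAA", "PCI-DSS"}, "partial", "HIGH"),
    ("CC7.1", {"SOC2"}, "passing", None),
    ("CC7.2", {"SOC2", "ISO 27001"}, "passing", None),
    ("CC7.3", {"SOC2"}, "passing", None),
    ("A.5.1", {"ISO 27001"}, "passing", None),
    ("164.312(a)", {"HIPAA"}, "failing", "MEDIUM"),
    ("164.312(b)", {"HIPAA"}, "passing", None),
    ("Art.32", {"GDPR"}, "passing", None),
    ("Req.3", {"PCI-DSS"}, "passing", None),
]

def score(passing, total):
    """Percentage of passing controls, rounded as the dashboard shows it."""
    return round(100 * passing / total) if total else 0

def framework_scores(controls):
    """Per-framework score; each control counts toward every framework it maps to."""
    tally = {}
    for _, frameworks, status, _ in controls:
        for fw in frameworks:
            p, t = tally.get(fw, (0, 0))
            tally[fw] = (p + (status == "passing"), t + 1)
    return {fw: score(p, t) for fw, (p, t) in tally.items()}

def overall(controls):
    """Overall score over the unique control set (partial does not count as passing)."""
    passing = sum(1 for c in controls if c[2] == "passing")
    return score(passing, len(controls))

def critical_findings(controls):
    """Assumption: a critical finding is any non-passing control rated HIGH."""
    return sum(1 for c in controls if c[2] != "passing" and c[3] == "HIGH")

def compliance_level(score_pct, critical):
    """Apply the page's bands; 5 critical findings is treated as Not Ready (assumption)."""
    if score_pct > 80 and critical == 0:
        return "Audit Ready"
    if score_pct < 60 or critical >= 5:
        return "Not Ready"
    return "Needs Work"

def dashboard(controls):
    s, c = overall(controls), critical_findings(controls)
    return {"overall": s, "critical": c, "level": compliance_level(s, c), "frameworks": framework_scores(controls)}
```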

***

### After the audit

#### 1. Address critical findings immediately

**Priority order:**

1. **HIGH severity** - MFA, encryption, access controls
2. **MEDIUM severity** - Logging, monitoring, policies
3. **LOW severity** - Documentation, training records

***

#### 2. Follow the 6-week roadmap

Use the prioritized timeline:

* Weeks 1-2: Critical security fixes
* Weeks 3-4: Medium priority items
* Weeks 5-6: Documentation and policies

Track progress with checkboxes in the roadmap.

***

#### 3. Update missing documentation

Review the audit readiness checklist:

* Create missing policies
* Update expired documents
* Gather required evidence (logs, test results)
* Schedule training sessions

***

#### 4. Re-audit to verify improvements

After completing fixes:

```bash
/mcp.opsera.compliance-audit
```

Your compliance score should improve significantly.

***

### Security & privacy

The agent follows strict security guardrails:

**✅ The agent WILL:**

* Show compliance status and scores
* Provide control IDs and remediation steps
* Summarize evidence (e.g., "3 users without MFA")
* Generate audit-ready reports

**❌ The agent WILL NOT:**

* Expose raw config files or logs
* Show internal file paths
* Reveal evidence collection commands
* Display sensitive credentials or keys

All evidence collection happens silently—only sanitized summaries are shown.

***

### Common issues

**Audit taking too long?**

* Choose specific framework instead of "All"
* Select "Infrastructure Only" or "Application Only"
* Larger environments may take 10-15 minutes

**Low compliance score?**

* This is normal for first audit
* Focus on critical findings first
* Use the 6-week roadmap to improve systematically

**Missing evidence errors?**

* Ensure proper access to infrastructure
* Check cloud provider permissions
* Verify logging is enabled

**Documentation marked as missing?**

* Create required policies from templates
* Update expired documents
* Add to version control for tracking

***

### Examples

**Quick SOC2 check:**

```
"Run a SOC2 compliance audit and show me critical gaps"
```

**Full assessment for certification:**

```
"Run a comprehensive compliance audit for all frameworks with full scope"
```

**Focus on specific framework:**

```
"What do we need to fix for HIPAA compliance?"
```

**Gap analysis:**

```
"Perform a compliance gap analysis and prioritize fixes"
```

**Re-audit after fixes:**

```
"Run another compliance audit to verify our improvements"
```


***

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.agents.opsera.ai/devsecops-agents/compliance-audit-agent.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
