What Kind of Compliance Documentation Is Required for a Security Audit?

Faith Kubicki June 17, 2020

    Compliance audits require a significant amount of documentation. Whether you’re working toward a SOC report, a HITRUST certification, a PCI Report on Compliance, or any other security initiative, you will need to provide your auditor with formal evidence that your policies and processes are designed in accordance with relevant requirements.

    The documents you will need to provide will depend on the type of audit you are completing. Compliance documentation for a SOC 1 Type 1 examination, for instance, will involve controls over financial reporting, while the documentation for a HIPAA compliance assessment will focus on the IT controls you have in place to protect PHI. Similarly, HITRUST requires documentation for every system in scope for your Validated Assessment.

    The scope of your audit will also impact your documentation requirements. For a SOC 2 report (either Type 1 or Type 2), you can choose to include any combination of AICPA Trust Services Criteria. If your scope only includes Security, you will have a much smaller document request list than you would if your scope were to cover Security, Availability, Processing Integrity, Confidentiality, and Privacy.

    Some compliance efforts, such as HITRUST and PCI, are more prescriptive in the items they require. However, other efforts, such as SOC examinations and HIPAA assessments, are more flexible. Your auditor can work with your internal compliance team to determine what types of evidence are acceptable for each control group.

    Examples of Compliance Documentation

    Based on the factors above, your document request list may include:

    Operational Documentation

    • Data flow diagrams
    • A physical diagram of your office
    • Your corporate governance manual
    • Your code of conduct and ethics
    • Your risk management plan
    • Your compliance program budget
    • Business associate and vendor agreements
    • Business continuity and incident response plans and testing logs

    IT Documentation

    • A physical inventory of all devices on your network
    • Equipment maintenance records
    • Your information security plan, including:
      • System configurations
      • Data retention and destruction policies
      • Policies for outsourced software development
      • Acceptable Use policies
      • Encryption policies
      • Implementation requirements
      • Password requirements
    • Access logs
    • System backup logs
    • System update logs and patch records

    HR Documentation

    • Your organizational chart
    • A list of roles and responsibilities for each of your compliance-related positions
    • Your employee handbook
    • Access levels for each of your employees
    • Onboarding documentation (e.g., evidence of background checks for new employees)
    • Termination process documentation (e.g., termination checklist, evidence of timely removal of physical and system access for terminated employees)
    • Security awareness training logs
    • Disciplinary action plans for violations of company policy

    Privacy Documentation

    • Your notice of privacy practices
    • Data use agreements
    • Unsubscribe and opt-out policies
    • Confidentiality agreements

    Results of Other Compliance Audits

    • Prior compliance assessment reports
    • Previous risk assessments
    • Self-assessment questionnaires, if applicable
    • Corrective Action Plans, if applicable
    • Penetration testing and/or vulnerability scan results

    Additionally, there may be some situations where you have chosen not to address certain control groups (e.g., in the case of addressable HIPAA implementation specifications). In these cases, you will need to provide documentation to explain why you chose not to implement the specification.

    When Does Documentation Need to Be Submitted?

    The more documentation you can provide before the start of testing, the higher your chances of completing your audit on time. (This also allows your auditor to conduct a more efficient process walkthrough. When they have a better understanding of your systems up front, they can ask more pointed, intelligent questions during testing.)

    While you can continue to submit documents during the testing phase, an appropriate goal may be 75 to 80 percent completion by the beginning of fieldwork.

    This goal can be more easily achieved if your compliance documentation is already collected and accessible before the start of your assessment. Consider creating a standard reporting format (if one is not already in place) that clearly outlines the reason a policy was created; the department responsible for approval and implementation; any impacted documents, systems, or applications; the approval date; the implementation date; and the department or committee that approved the policy. As you make changes to your compliance program, document the updates and store the records in a central archive where they are easily accessible for future assessments.

    Using the Same Documentation to Meet Multiple Audit Requirements

    For some businesses, one audit is enough to meet customer requirements. However, privacy and security expectations are continually changing; multiple assessments are now the norm for larger enterprises and companies that process several types of personally identifiable information.

    If you’ve been asked to meet more than one standard, an integrated assessment can reduce the amount of compliance documentation that you need to collect and submit. Even though each audit has its own set of requirements, there can be significant overlap; for instance, if you have a SOC report that has been completed within the past 12 months, we would be able to leverage this report in lieu of providing implementation evidence for any controls that map to your HITRUST requirement statements. Instead of processing several document request lists for different auditors, you can document once, then apply your evidence to several requirements.

    The same is also true of on-site testing. Instead of hosting multiple auditors for fieldwork, you can coordinate one on-site session for a faster (and more cost-efficient) process. However, you will still need to confirm that all of your documentation supports the actual implementation methods that your auditors will inspect during testing; this is critical for a successful outcome, no matter the type of assessment.

    Learn More About the Compliance Audit Process

    As a cybersecurity and compliance firm, 360 Advanced has completed a number of audits – from SOC examinations to HITRUST validated assessments – for clients in a variety of industries. Our integrated approach can help you reduce the burden of a complex security program; by leveraging the same compliance documentation across multiple initiatives, you can spend less time on reporting and more time actively improving your security posture.

    To find out how we can help you streamline your next compliance audit, contact us today.