Audit Preparation
The One Compliance streamlines audit preparation with readiness scoring, auditor access, evidence packaging, and pre-audit checklists for each supported framework.
Readiness Score
The readiness score is a real-time calculation of how prepared your organization is for an audit:
- Overall Score — Percentage of all controls in Compliant status
- Evidence Coverage — Percentage of required evidence items that are uploaded and current
- Policy Coverage — Percentage of required policies that are published and acknowledged
- Category Breakdown — Readiness score per framework category (e.g., SOC 2 Trust Services categories, HIPAA safeguard types)
View the readiness score from Compliance → Audit Prep → Readiness.
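The four metrics above are simple ratios, but the details that decide the number (which controls count as Compliant, when uploaded evidence stops being "current", which policies count as acknowledged) are worth seeing in code. The following is an added example, not The One Compliance's own code: it models controls, evidence and policies with a constructed SOC 2-style data set, computes the overall score, evidence coverage, policy coverage and per-category breakdown, and also lists the items that are holding the score down. The status names other than "Compliant", the per-item maximum evidence age and the "as of" date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed status vocabulary for this example; the page only names "Compliant".
COMPLIANT = "Compliant"


@dataclass
class Control:
    control_id: str
    category: str      # framework category, e.g. a SOC 2 Trust Services category
    status: str


@dataclass
class Evidence:
    control_id: str
    required: bool
    uploaded: bool
    collected_on: Optional[date]   # None when nothing has been uploaded
    max_age_days: int              # assumed: how long an artifact counts as "current"


@dataclass
class Policy:
    name: str
    required: bool
    published: bool
    acknowledged_by_all: bool


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; an empty denominator scores 0."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def evidence_is_current(item: Evidence, today: date) -> bool:
    """Uploaded evidence is current only while it is younger than its max age."""
    if not item.uploaded or item.collected_on is None:
        return False
    return (today - item.collected_on).days <= item.max_age_days


def readiness(controls, evidence, policies, today: date) -> dict:
    compliant = [c for c in controls if c.status == COMPLIANT]
    required_evidence = [e for e in evidence if e.required]
    current_evidence = [e for e in required_evidence if evidence_is_current(e, today)]
    required_policies = [p for p in policies if p.required]
    ready_policies = [p for p in required_policies if p.published and p.acknowledged_by_all]

    # Category breakdown: share of Compliant controls within each category.
    totals: dict = {}
    for c in controls:
        done, total = totals.get(c.category, (0, 0))
        totals[c.category] = (done + (c.status == COMPLIANT), total + 1)
    breakdown = {cat: pct(done, total) for cat, (done, total) in totals.items()}

    # Items holding the score down, so the report is actionable rather than a bare number.
    blockers = sorted(
        [f"evidence:{e.control_id}" for e in required_evidence if not evidence_is_current(e, today)]
        + [f"policy:{p.name}" for p in required_policies
           if not (p.published and p.acknowledged_by_all)]
    )
    return {
        "overall_score": pct(len(compliant), len(controls)),
        "evidence_coverage": pct(len(current_evidence), len(required_evidence)),
        "policy_coverage": pct(len(ready_policies), len(required_policies)),
        "category_breakdown": breakdown,
        "blockers": blockers,
    }


def sample_readiness() -> dict:
    """Runs the calculation on constructed SOC 2-style sample data."""
    today = date(2024, 6, 1)   # constructed "as of" date
    controls = [
        Control("CC6.1", "Security", COMPLIANT),
        Control("CC6.2", "Security", COMPLIANT),
        Control("CC7.1", "Security", "Non-Compliant"),
        Control("A1.1", "Availability", COMPLIANT),
        Control("C1.1", "Confidentiality", "Not Started"),
    ]
    evidence = [
        Evidence("CC6.1", True, True, date(2024, 5, 15), 90),   # current
        Evidence("CC6.2", True, True, date(2024, 1, 10), 90),   # uploaded but stale
        Evidence("CC7.1", True, False, None, 90),               # missing
        Evidence("A1.1", True, True, date(2024, 5, 30), 30),    # current
        Evidence("C1.1", False, False, None, 365),              # not required
    ]
    policies = [
        Policy("Information Security Policy", True, True, True),
        Policy("Access Control Policy", True, True, False),      # not yet acknowledged
        Policy("Acceptable Use Policy", True, True, True),
        Policy("Vendor Management Policy", False, False, False), # not required
    ]
    return readiness(controls, evidence, policies, today)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_readiness(), indent=2))
```

Note that a control can be Compliant while its evidence is stale (CC6.2 above): the overall score and evidence coverage move independently, which is why the page reports them separately and why the blockers list is the part an auditor-facing team actually works from.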
Auditor Portal
The auditor portal provides read-only access for external auditors to review your compliance posture without granting them access to the full platform.
Setting Up Auditor Access
- Navigate to Compliance → Audit Prep → Auditor Portal
- Click Invite Auditor
- Enter the auditor's email address
- Select the frameworks they should have access to
- Set an access expiration date
- Click Send Invitation
The auditor receives an email with a unique link to the portal. They can:
- View all controls and their status for the selected frameworks
- Download evidence artifacts
- View policy documents
- Export the full evidence package
Auditors cannot modify any data. Their access is logged in the audit trail.
Revoking Auditor Access
Navigate to Compliance → Audit Prep → Auditor Portal → Active Sessions and click Revoke next to the auditor's entry.
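The portal's security properties, as the two sections above describe them, are that an auditor's access is read-only, scoped to the selected frameworks, bounded by an expiration date, revocable, and logged. The following added example (not the product's code; its grant model, action names other than the four the page lists, and sample addresses and dates are constructed) shows how an authorization check with exactly those properties behaves, including the fact that every decision, allowed or denied, lands in the audit trail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four portal actions the page lists; anything else is treated as a write
# and refused regardless of the grant.
READ_ONLY_ACTIONS = frozenset({"view_controls", "download_evidence",
                               "view_policies", "export_package"})


@dataclass
class AuditorGrant:
    auditor_email: str
    frameworks: frozenset          # frameworks selected at invitation time
    expires_at: datetime           # access expiration date set at invitation time
    revoked: bool = False          # set by "Revoke" under Active Sessions


@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, grant, action, framework, allowed, reason, at):
        self.entries.append({
            "at": at.isoformat(), "auditor": grant.auditor_email, "action": action,
            "framework": framework, "allowed": allowed, "reason": reason,
        })


def authorize(grant: AuditorGrant, action: str, framework: str,
              now: datetime, trail: AuditTrail) -> bool:
    """Decides one portal request and always writes the decision to the trail."""
    if grant.revoked:
        allowed, reason = False, "grant revoked"
    elif now >= grant.expires_at:
        allowed, reason = False, "grant expired"
    elif action not in READ_ONLY_ACTIONS:
        allowed, reason = False, "write actions are never permitted through the portal"
    elif framework not in grant.frameworks:
        allowed, reason = False, "framework outside grant scope"
    else:
        allowed, reason = True, "ok"
    trail.record(grant, action, framework, allowed, reason, now)
    return allowed


def sample_session() -> tuple:
    """Walks a constructed grant through allowed, out-of-scope, write, expired and revoked requests."""
    grant = AuditorGrant(
        auditor_email="auditor@example-audit.test",            # constructed
        frameworks=frozenset({"SOC 2", "HIPAA"}),
        expires_at=datetime(2024, 7, 1, tzinfo=timezone.utc),  # constructed
    )
    trail = AuditTrail()
    during = datetime(2024, 6, 15, tzinfo=timezone.utc)
    after = datetime(2024, 7, 2, tzinfo=timezone.utc)
    decisions = [
        authorize(grant, "view_controls", "SOC 2", during, trail),        # in scope, read-only
        authorize(grant, "download_evidence", "PCI DSS", during, trail),  # framework not granted
        authorize(grant, "update_control_status", "SOC 2", during, trail),  # a write
        authorize(grant, "export_package", "HIPAA", after, trail),        # past expiration
    ]
    grant.revoked = True
    decisions.append(authorize(grant, "view_policies", "SOC 2", during, trail))  # revoked
    return decisions, trail


if __name__ == "__main__":
    decisions, trail = sample_session()
    for entry in trail.entries:
        print(entry)
```

The order of the checks matters for what the trail says: revocation and expiry are tested before the action and scope, so a revoked or expired link produces a clear "revoked"/"expired" entry rather than a misleading scope denial, which is what an administrator reviewing the trail after a revocation wants to see.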
Evidence Packages
An evidence package is a bundled export of all evidence for a specific framework, ready to hand to an auditor:
- Navigate to Compliance → Audit Prep → Evidence Packages
- Click Generate Package
- Select the framework
- Choose the date range for evidence
- Click Generate
The package includes:
- A table of contents mapping controls to evidence files
- All evidence artifacts organized by control category
- Policy documents with version history
- Employee acknowledgment records
- Auto-collection timestamps and source product details
Packages are generated as a ZIP file containing PDFs and the original artifacts.
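A package handed to an auditor is only useful if its table of contents and its artifacts agree, so a practitioner will want to see what the bundle looks like and how to check it. The following added example (not the product's export code; the artifact names, contents, sources and dates are constructed, and the SHA-256 per entry is an addition the page does not mention) builds a ZIP from in-range artifacts laid out by category and control, writes a JSON table of contents mapping each control to its files with collection timestamps and source details, and then re-verifies the package so that any file altered after generation is detected. Policy documents and acknowledgment records are left out to keep the example focused on the evidence-to-control mapping.

```python
import hashlib
import io
import json
import zipfile
from datetime import date

# Constructed sample artifacts; names, contents and sources are invented for this
# example and are not real evidence.
ARTIFACTS = [
    {"control": "CC6.1", "category": "Security", "file": "okta-mfa-settings.json",
     "collected_on": "2024-05-15", "source": "Okta (auto-collected)",
     "data": b'{"mfa_required": true}'},
    {"control": "CC6.1", "category": "Security", "file": "access-review-q1.pdf",
     "collected_on": "2024-04-02", "source": "manual upload",
     "data": b"%PDF-1.4 quarterly access review"},
    {"control": "CC7.1", "category": "Security", "file": "siem-alert-config.json",
     "collected_on": "2024-05-20", "source": "SIEM (auto-collected)",
     "data": b'{"alert_rules": 12}'},
    {"control": "A1.1", "category": "Availability", "file": "backup-report-may.csv",
     "collected_on": "2024-05-31", "source": "backup service (auto-collected)",
     "data": b"job,status\nnightly,ok\n"},
    {"control": "A1.1", "category": "Availability", "file": "backup-report-oct.csv",
     "collected_on": "2023-10-31", "source": "backup service (auto-collected)",
     "data": b"job,status\nnightly,ok\n"},   # outside the requested date range
]

TOC_NAME = "table_of_contents.json"


def build_package(framework: str, artifacts: list, start: date, end: date) -> tuple:
    """Bundles in-range artifacts into a ZIP laid out as <category>/<control>/<file>,
    with a table of contents mapping each control to its files, their SHA-256,
    collection date and source."""
    manifest = {"framework": framework,
                "date_range": {"start": start.isoformat(), "end": end.isoformat()},
                "controls": {}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for a in sorted(artifacts, key=lambda x: (x["category"], x["control"], x["file"])):
            collected = date.fromisoformat(a["collected_on"])
            if not start <= collected <= end:
                continue
            path = f"{a['category']}/{a['control']}/{a['file']}"
            zf.writestr(path, a["data"])
            manifest["controls"].setdefault(a["control"], []).append({
                "path": path,
                "sha256": hashlib.sha256(a["data"]).hexdigest(),
                "collected_on": a["collected_on"],
                "source": a["source"],
            })
        zf.writestr(TOC_NAME, json.dumps(manifest, indent=2))
    return buf.getvalue(), manifest


def verify_package(zip_bytes: bytes) -> bool:
    """Re-reads a package and checks every file against the hash in its table of contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read(TOC_NAME))
        names = set(zf.namelist())
        for entries in manifest["controls"].values():
            for entry in entries:
                if entry["path"] not in names:
                    return False
                if hashlib.sha256(zf.read(entry["path"])).hexdigest() != entry["sha256"]:
                    return False
    return True


def replace_file(zip_bytes: bytes, path: str, new_data: bytes) -> bytes:
    """Rewrites one file inside a package; used to show that verification notices the change."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, new_data if name == path else src.read(name))
    return out.getvalue()


SAMPLE_ZIP, SAMPLE_MANIFEST = build_package("SOC 2", ARTIFACTS, date(2024, 1, 1), date(2024, 6, 30))

if __name__ == "__main__":
    print(json.dumps(SAMPLE_MANIFEST, indent=2))
    print("package verifies:", verify_package(SAMPLE_ZIP))
```

The hashes in the table of contents protect against accidental corruption and let both sides confirm they are looking at the same bytes; they do not by themselves prove who produced the package, so if that matters the ZIP or its manifest should additionally be signed and the signature delivered alongside it.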
Pre-Audit Checklists
Each framework includes a pre-audit checklist tailored to its specific requirements:
SOC 2 Checklist
- All Trust Services Criteria controls have current evidence
- Management assertion letter is drafted
- System description document is complete
- Subservice organization controls are documented (if applicable)
- Complementary user entity controls are identified
HIPAA Checklist
- Risk assessment completed within the last 12 months
- Business Associate Agreements on file for all vendors
- Workforce training records are current
- Breach notification procedures are documented and tested
- Physical safeguard evidence (facility access logs) is uploaded
NIST CSF Checklist
- Current and target profile are defined
- All five core functions have coverage
- Risk assessment aligns with the Identify function
- Incident response plan is documented and tested
- Recovery procedures are documented with RTO/RPO targets
PCI DSS Checklist
- Cardholder data environment (CDE) scope is documented
- Network segmentation evidence is current
- Quarterly vulnerability scans by an Approved Scanning Vendor (ASV) are on file
- Annual penetration test results are uploaded
- Encryption key management procedures are documented
CIS Controls Checklist
- Implementation Group scope is defined (IG1, IG2, or IG3)
- Asset inventory (hardware and software) is current
- Access control evidence covers all control families
- Audit log configuration evidence is uploaded
- Incident response procedures are documented
CMMC Checklist
- System Security Plan (SSP) is current
- Plan of Action and Milestones (POA&M) is documented
- Controlled Unclassified Information (CUI) boundary is defined and documented
- FIPS-validated encryption evidence is provided
- Multi-factor authentication is documented for all CUI access
Access checklists from Compliance → Audit Prep → Checklists.