Defining Audit Scope - Compliance Management Audit Program

Security and Compliance Audits are Mandated - scope definition is key to success

There are dozens of security and compliance mandates that enterprises of all sizes need to address. The scope and content of each audit requirement need to be well understood. In addition, it is not productive to create a unique audit program for each mandate; it is more cost effective to fold every mandate into one overall Compliance Management Audit Program. Listed below are the scope and content of such a program: the Annual, Semi-Annual, Quarterly, Monthly and Daily audit scopes, plus the elements common to every audit.




Annual Audit Scope

  • Active Directory Terms vs. Systems Terms - Conduct an annual audit/comparison of terminations in Active Directory vs. terminations in all systems

  • Verify Accounts with Administrative Privileges Audits - Core Systems - Run audits listing all users who have administrative privileges to core systems. Administrative privileges are validated against the enterprise's role-based access matrix.

Semi-Annual Audit Scope

  • Disaster Recovery Plan Test / Audit - Local data center - Conduct a tabletop test of the local data center's disaster recovery/business continuity plan and update it as required through change management.

Quarterly Audit Scope

  • Change of Status Workforce Audits - Create reports of workforce members to confirm the user’s access based on job code.  Make changes when necessary based on the feedback from the workforce, and coordinate any access termination with the covered entity facilities department.  

  • Cybersecurity Tactical Simulations - Conduct Cybersecurity tactical simulations (tabletop) to cover the latest known cyber threats against the enterprise's policies and plans and make updates accordingly.

  • Day of Week / Time of Day Audit - Create a detailed report of random user access to core systems based on each user's normal work hours. For example, if a user normally works on the weekend, the audit should check whether the user id and password were used during the week, and vice versa. If a user normally works during the day, the audit should check whether the user id and password were used during the night, and vice versa. Exceptions could indicate that a user id is being shared or used in an unauthorized manner.

  • Departmental Downtime Procedures - Mock Test Audits - Conduct periodic mock tests of departmental downtime procedures. The enterprise should randomly pick departments to meet with, review their downtime procedures in a tabletop test, and document the meetings and audit findings.

  • Disabled AD Accounts Deletion Audits - Conduct audits of all disabled Active Directory accounts and delete all accounts that have been disabled for over 30 days.

  • Random Audits - Randomly pick a procedural requirement from a mandate or policy and audit operational compliance against it.

  • Intrusion Vulnerability Audit - Create a quarterly report that contains the exceptions found when comparing current server OS security patches against the patch list. The report should be reviewed by operational staff and mitigation action items assigned accordingly.

  • PCI Data in Transit Audit - Conduct an audit of the enterprise's PCI data in transit to confirm that it is encrypted and conforms with all the enterprise's standards.

  • Random Facility Walk Through Audits - Randomly audit work areas throughout the organization. The intent of the audit is to protect the enterprise’s information and improve staff awareness.  Immediate feedback of exceptions should be provided to staff on-site, documented, and reported to the Compliance / Privacy Officer.  The Compliance / Privacy Officer can take part in any random audits upon request.  Audits can be conducted during or after normal business hours.

  • Terminated Workforce Audits - Create reports of workforce members to confirm that users are still active.  Make deletions when necessary based on the feedback from the workforce, and coordinate any facility access termination with the covered entity facilities department.

  • Verify Accounts with Administrative Privileges Audits - Active Directory - Run audits listing all users who have administrative privileges in Active Directory. Administrative privileges are validated against the enterprise's role-based access matrix.

  • Virus Detection Alerts - Conduct a random review of the email alerts along with a random check of PC workstations and remote access devices to confirm the integrity of the virus protection software.   
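The Day of Week / Time of Day audit is the one item in this list that reduces to a concrete comparison, so here is a worked version of it. This is an added example, not code from the Compliance Management Kit: it learns each user's normal pattern (weekend vs. weekday, day vs. night) from a baseline of historical sign-ons and then flags sign-ons in the audit window that break that pattern, plus users with no baseline at all. The log format, the 06:00-18:59 "day shift" window and the majority-vote definition of "normal" are all assumptions.

```python
"""Day-of-week / time-of-day access audit (added example, not from the kit).

Builds a per-user baseline of normal working days and hours from historical
sign-on records, then flags sign-ons in the audit window that fall outside
that baseline: weekend users seen on weekdays, day-shift users seen at night,
and vice versa.  Input is a constructed "user,timestamp" log; a real run would
read core-system sign-on logs instead.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline records (ISO 8601 local time).  alice works weekdays,
# daytime; bob works weekends, early mornings.
BASELINE_LOG = """\
alice,2024-01-08T08:55:00
alice,2024-01-09T09:10:00
alice,2024-01-10T13:20:00
alice,2024-01-11T17:45:00
alice,2024-01-12T08:30:00
bob,2024-01-06T07:05:00
bob,2024-01-07T07:15:00
bob,2024-01-13T06:58:00
bob,2024-01-14T07:40:00
"""

# Constructed audit-window records to be checked against the baseline.
AUDIT_LOG = """\
alice,2024-02-13T10:05:00
alice,2024-02-14T02:17:00
bob,2024-02-17T07:20:00
bob,2024-02-14T11:00:00
carol,2024-02-15T09:00:00
"""

# Hours 06:00-18:59 count as "day" (assumption, not a figure from the kit).
DAY_SHIFT = range(6, 19)


def parse_log(text):
    """Yield (user, datetime) tuples from 'user,timestamp' lines, skipping blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, ts = line.split(",", 1)
        yield user, datetime.fromisoformat(ts)


def build_baseline(records):
    """Per user: whether they normally work weekends, and whether they normally
    work during the day.  'Normally' means the majority of baseline sign-ons."""
    counts = defaultdict(lambda: {"weekend": 0, "weekday": 0, "day": 0, "night": 0})
    for user, ts in records:
        c = counts[user]
        c["weekend" if ts.weekday() >= 5 else "weekday"] += 1
        c["day" if ts.hour in DAY_SHIFT else "night"] += 1
    return {
        user: {"weekend_worker": c["weekend"] > c["weekday"],
               "day_worker": c["day"] >= c["night"]}
        for user, c in counts.items()
    }


def find_exceptions(baseline, records):
    """Return (user, timestamp_iso, reason) for every out-of-pattern sign-on."""
    exceptions = []
    for user, ts in records:
        profile = baseline.get(user)
        if profile is None:
            # A sign-on with no history at all deserves a look as well.
            exceptions.append((user, ts.isoformat(), "no baseline for user"))
            continue
        is_weekend = ts.weekday() >= 5
        if is_weekend != profile["weekend_worker"]:
            exceptions.append((user, ts.isoformat(),
                               "weekend access" if is_weekend else "weekday access"))
        is_day = ts.hour in DAY_SHIFT
        if is_day != profile["day_worker"]:
            exceptions.append((user, ts.isoformat(),
                               "daytime access" if is_day else "night access"))
    return exceptions


def run_audit(baseline_text=BASELINE_LOG, audit_text=AUDIT_LOG):
    """Build the baseline and return the exception list for the audit window."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_exceptions(baseline, parse_log(audit_text))


if __name__ == "__main__":
    for user, when, reason in run_audit():
        print(f"{user:8} {when}  {reason}")
```

Each exception line names the user, the timestamp and which half of the pattern it broke, which is what the reviewer needs in order to ask the user's manager whether the sign-on was legitimate or a sign of a shared or misused user id.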

Monthly Audit Scope

  • Audit physical access logs to the enterprise's secure locations - including the enterprise's data center and network closets.

  • Change of workforce job status audits - core systems - Create daily reports of workforce members (including temporary and voluntary employees) whose job status has changed and distribute the reports to the system administrator. The enterprise will conduct a random audit of 10% of these and confirm with the system administrators and facility managers that all system (on-site and remote) and facility access is still appropriate.

  • Change of status workforce Audits for covered users - Create reports of users with active sign-on user ids to core systems and provide the report to the covered entity staff for confirmation.  Make changes when necessary based on the feedback from the office, and coordinate any facility access termination with the covered entity facilities department.  

  • Employee as a client (Peer access audit) - Create reports for audits of up to three clients who are employees. The report should include user access to core clinical information.  Randomly select users for further review and send the report to the user’s manager.  The user’s manager should conduct a detailed review and identify exceptions and / or sign off.   

  • Same last name - Filter the audit log to check for records where the client and the employee both have the same last name.

  • Same street  - Filter the audit log to check for records where the client and the employee live on the same street.

  • Terminated Workforce Audits - Core systems - Create reports of terminated workforce members (also including temporary and voluntary employees) to confirm that all system (on site and remote) and facility access has been terminated.   

  • Terminated Workforce Audits - Active Directory - Create reports of terminated workforce members (also including temporary and voluntary employees) to confirm that all system (on site and remote) and facility access has been terminated.

  • Unauthorized or inappropriate access audits - Create a report of 5 random users from various departments over a reasonable time-frame (e.g. two (2) week period). The report will include what data and functions the users accessed, and will be sent to the user's manager for review and sign off.

  • Unauthorized or inappropriate record access - Create a report for random users and locations that includes user remote access to core systems over a reasonable time frame (e.g. two (2) week period). The report should include what data and functions the users accessed, and should be sent to the office Privacy Officer, who should conduct a detailed review and identify exceptions and / or sign off.

  • Failed Login Attempts to Network Audits - Conduct the audit based on the enterprise's Guidance for Security.

  • Post Department Moves Audits - Conduct audits of user attempts to access inappropriate Internet sites, including 100% of user attempts to blocked sites. 
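The peer access audit above, with its "same last name" and "same street" filters, is another item that can be expressed directly as code. The following is an added example and not code from the Compliance Management Kit: it joins a constructed core-system access log against a constructed workforce directory and client directory and returns only the records where the employee and the client share a last name or a street, tagged with the reason, so that a manager or the Privacy Officer reviews the short list rather than the whole log. The log layout, the directory schemas and the street-normalisation rule (drop the house or unit number and anything after a comma) are assumptions.

```python
"""Peer-access audit filters (added example, not from the kit).

Joins access log records with a workforce directory and a client directory,
then applies the two filters from the monthly scope: the employee and client
share a last name, or share a street.  All data below is constructed.
"""
import re

# Constructed workforce directory: user id -> (last name, street address).
WORKFORCE = {
    "jdoe":   ("Doe",   "12 Elm Street"),
    "msmith": ("Smith", "400 Oak Avenue"),
    "rlee":   ("Lee",   "7 Pine Road"),
}

# Constructed client directory: client id -> (last name, street address).
CLIENTS = {
    "C1001": ("Doe",    "88 Maple Court"),
    "C1002": ("Nguyen", "410 Oak Avenue, Apt 3B"),
    "C1003": ("Smith",  "15 Birch Lane"),
    "C1004": ("Patel",  "9 Cedar Way"),
}

# Constructed access log: "<timestamp> <user> <client> <action>" per line.
ACCESS_LOG = """\
2024-03-04T09:12:31 jdoe C1001 view_record
2024-03-04T09:15:02 jdoe C1004 view_record
2024-03-05T14:40:10 msmith C1002 update_record
2024-03-05T14:41:55 msmith C1003 view_record
2024-03-06T11:03:47 rlee C1004 view_record
"""


def normalize_name(name):
    """Case- and whitespace-insensitive comparison key for a last name."""
    return name.strip().casefold()


def normalize_street(address):
    """Reduce an address to its street: drop anything after a comma (unit
    numbers) and a leading house number such as '410' or '12A', then casefold,
    so '400 Oak Avenue' and '410 Oak Avenue, Apt 3B' compare as the same street."""
    street = address.split(",", 1)[0]
    street = re.sub(r"^\s*\d+[A-Za-z]?\s+", "", street)
    return " ".join(street.split()).casefold()


def parse_access_log(text):
    """Yield one dict per non-blank log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, action = line.split()
        yield {"ts": ts, "user": user, "client": client, "action": action}


def flag_peer_access(records, workforce=WORKFORCE, clients=CLIENTS):
    """Return the records where employee and client share a last name or a
    street, each tagged with the list of reasons that matched."""
    flagged = []
    for rec in records:
        emp = workforce.get(rec["user"])
        cli = clients.get(rec["client"])
        if emp is None or cli is None:
            continue  # unknown party: outside this filter's scope
        reasons = []
        if normalize_name(emp[0]) == normalize_name(cli[0]):
            reasons.append("same last name")
        if normalize_street(emp[1]) == normalize_street(cli[1]):
            reasons.append("same street")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def run_peer_audit(log_text=ACCESS_LOG):
    """Parse the log and return the flagged records for review."""
    return flag_peer_access(parse_access_log(log_text))


if __name__ == "__main__":
    for rec in run_peer_audit():
        print(rec["ts"], rec["user"], rec["client"], rec["action"],
              "; ".join(rec["reasons"]))
```

The two filters are deliberately coarse: a shared surname or street is a reason to review, not proof of misuse, which is why the output goes to the user's manager for sign-off rather than being acted on automatically.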

Daily Audit Scope

  • Login Fails Audits - Conduct audits of user log-in attempts from the covered entity domain to include 100% of failed user login attempts that are greater than fifteen (15). 
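The daily scope sets a concrete threshold, so here is that check as code. This is an added example, not code from the Compliance Management Kit: it parses a constructed syslog-style authentication log, counts failed sign-ons per user per calendar day for the covered domain only, and reports every user whose count is greater than fifteen (15), the figure given above. The log line format, host name and domain name are assumptions; lines that do not match the expected format are counted separately so that a parser failure cannot silently hide attempts.

```python
"""Daily failed-login audit (added example, not from the kit).

Counts failed sign-on attempts per user per calendar day from a constructed
authentication log and reports every user in the covered domain whose count
exceeds the daily-scope threshold of fifteen (15).
"""
from collections import Counter
import re

THRESHOLD = 15          # "greater than fifteen (15)" from the daily scope
COVERED_DOMAIN = "CORP"  # assumed name for the covered entity domain

# Assumed line format:
#   <date> <time> <host> auth: <FAILED|SUCCESS> login for <domain>\<user> from <ip>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ auth: "
    r"(?P<result>FAILED|SUCCESS) login for (?P<domain>[^\\]+)\\(?P<user>\S+) "
    r"from (?P<ip>\S+)$"
)


def _line(date, time, result, user, ip, domain=COVERED_DOMAIN):
    """Build one constructed log line in the assumed format."""
    return f"{date} {time} dc01 auth: {result} login for {domain}\\{user} from {ip}"


# Constructed sample: alice mistypes once; svc_backup fails 18 times on 11 March
# (over the threshold); bob fails exactly 15 times (at, not over, the threshold);
# a guest account in a different domain is out of scope.
SAMPLE_LOG = "\n".join(
    [_line("2024-03-11", "08:01:10", "FAILED", "alice", "10.0.5.21"),
     _line("2024-03-11", "08:01:40", "SUCCESS", "alice", "10.0.5.21")]
    + [_line("2024-03-11", f"02:{i:02d}:05", "FAILED", "svc_backup", "10.0.9.77")
       for i in range(18)]
    + [_line("2024-03-11", f"03:{i:02d}:30", "FAILED", "bob", "10.0.5.40")
       for i in range(15)]
    + [_line("2024-03-12", "09:00:00", "FAILED", "svc_backup", "10.0.9.77"),
       _line("2024-03-11", "10:00:00", "FAILED", "guest", "10.0.5.41", domain="OTHER"),
       "2024-03-11 10:05:00 dc01 auth: garbled line that does not parse"]
)


def parse_auth_log(text):
    """Return (records, unparsed_count).  Non-matching, non-blank lines are
    counted rather than dropped silently."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return records, unparsed


def failed_logins_over_threshold(records, domain=COVERED_DOMAIN, threshold=THRESHOLD):
    """Return {(date, user): count} for users in the covered domain whose failed
    attempts on that day are strictly greater than the threshold."""
    counts = Counter(
        (r["date"], r["user"]) for r in records
        if r["result"] == "FAILED" and r["domain"] == domain
    )
    return {key: n for key, n in counts.items() if n > threshold}


def run_daily_audit(text=SAMPLE_LOG):
    """Parse the log and return (flagged, unparsed_count)."""
    records, unparsed = parse_auth_log(text)
    return failed_logins_over_threshold(records), unparsed


if __name__ == "__main__":
    flagged, unparsed = run_daily_audit()
    for (date, user), n in sorted(flagged.items()):
        print(f"{date} {user}: {n} failed logins")
    print(f"unparsed lines: {unparsed}")
```

Note the boundary: a user with exactly fifteen failures is not reported, matching the wording "greater than fifteen (15)"; if the enterprise's Guidance for Security means "fifteen or more", change the comparison to `>=`.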

Additions to Each Audit's Scope

  • Audit of all wireless devices - Conduct audits of covered entity department moves to confirm that controls, both physical and technical, are in place.

  • Enterprises' Guidance for Security - Audit access to sensational user visits. A sensational user visit is defined as a visit directly connected to high-security data, users, media events, matters of public record, a high-profile user figure (e.g., the CEO), or other VIPs. The audit may be triggered by notification from Public Relations, Senior Administration, or the media. The audit will include 100% of user attempts to access confidential data, personal identifying information and/or demographic data.

  • Internet Audits - Review the inventory of laptops / BYODs / tablets


2022 Edition of Compliance Management Tool Kit Released

Recent ransomware attacks have focused many C-Level executives on asset security and compliance as more business is conducted on the Internet. In addition, not meeting compliance mandates exposes enterprises to damaged reputations and fines. The Compliance Management Kit provides tools that, properly implemented, minimize those risks. The Compliance Management Kit is the must-have tool to meet mandated governmental and industry compliance objectives.

The 2022 Edition is now available for immediate download and comes with a full 30 day "no questions asked" return policy.
