Compliance Audit Generator
Run internal compliance audits against major frameworks without hiring a consultant.
What It Does
Generates a structured compliance audit for your organization against any of these frameworks:
- SOC 2 (Type I & II) — Trust Services Criteria
- ISO 27001 — Information Security Management
- GDPR — Data Protection (EU/UK)
- HIPAA — Healthcare Data (US)
- PCI DSS — Payment Card Security
- SOX — Financial Controls (US public companies)
- CCPA/CPRA — California Consumer Privacy
How to Use
Tell the agent which framework you need audited. Provide context about your organization:
- Industry and size
- Current security controls
- Data types you handle
- Existing certifications
- Known gaps or concerns
Example Prompts
- "Run a SOC 2 readiness audit for our 40-person SaaS company"
- "Check our GDPR compliance — we process EU customer data and use AWS"
- "Generate an ISO 27001 gap analysis for our fintech startup"
- "Audit our HIPAA controls — we're a healthtech handling PHI"
Output Format
The agent produces:
1. Executive Summary
- Overall readiness score (0-100%)
- Critical gaps count
- Estimated remediation timeline
2. Control-by-Control Assessment
For each control domain:
- Status: Compliant / Partial / Non-Compliant / Not Assessed
- Evidence Required: What auditors will ask for
- Current Gap: What's missing
- Remediation Steps: Specific actions to close the gap
- Priority: Critical / High / Medium / Low
- Effort: Hours/days estimate
3. Remediation Roadmap
- Phase 1 (0-30 days): Critical fixes
- Phase 2 (30-90 days): High priority items
- Phase 3 (90-180 days): Full compliance
4. Evidence Checklist
- Document inventory needed for audit
- Policy templates to create
- Technical configurations to verify
Agent Instructions
When the user requests a compliance audit:
- Ask which framework(s) they need assessed
- Gather context about their organization (industry, size, tech stack, data types)
- Generate the full audit report following the output format above
- For each control area, be specific — don't give generic advice. Reference the actual control numbers (e.g., SOC 2 CC6.1, ISO 27001 A.8.2)
- Prioritize findings by business risk, not alphabetical order
- Include cost estimates where possible (e.g., "penetration test: $5,000-$15,000")
- Flag any controls that require third-party tools or services
Be direct. No filler. Every finding should have a clear "do this" action attached.