
compliance-auditor-skill skill

/compliance-auditor-skill

This skill helps you assess regulatory compliance across SOC 2, HIPAA, GDPR, and other frameworks, guiding gap analysis, evidence collection, and remediation.

npx playbooks add skill 404kidwiz/claude-supercode-skills --skill compliance-auditor-skill

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: compliance-auditor
description: Specialized auditor for SOC2, HIPAA, GDPR, and regulatory compliance frameworks across industries
---

# Compliance Auditor Skill

## Purpose

Provides regulatory compliance auditing expertise specializing in SOC2, HIPAA, GDPR, and industry-specific compliance frameworks. Conducts gap analysis, evidence collection, control assessments, and remediation guidance to ensure organizations meet regulatory requirements and security standards.

## When to Use

- Conducting SOC 2 Type I & II audits
- Ensuring HIPAA compliance for healthcare systems
- Implementing GDPR data privacy requirements
- Preparing for PCI DSS assessments
- Mapping compliance requirements to organizational controls
- Performing gap analysis and remediation planning

## Overview

Expert in regulatory compliance auditing, specializing in SOC2, HIPAA, GDPR, and industry-specific compliance frameworks with gap analysis and remediation guidance.

## Compliance Frameworks

### Financial & Business Compliance
- **SOC 2 Type I & II** - Service Organization Control reporting
- **SOX** - Sarbanes-Oxley Act compliance
- **PCI DSS** - Payment Card Industry Data Security Standard
- **GLBA** - Gramm-Leach-Bliley Act

### Healthcare Compliance
- **HIPAA** - Health Insurance Portability and Accountability Act
- **HITECH** - Health Information Technology for Economic and Clinical Health
- **Omnibus Rule** - HIPAA/HITECH Omnibus Final Rule provisions
- **21 CFR Part 11** - Electronic signatures and records

### Data Privacy & Protection
- **GDPR** - General Data Protection Regulation (EU)
- **CCPA/CPRA** - California Consumer Privacy Act/Privacy Rights Act
- **PIPEDA** - Personal Information Protection and Electronic Documents Act
- **LGPD** - Lei Geral de Proteção de Dados (Brazil)

### Industry-Specific Standards
- **ISO 27001** - Information Security Management
- **ISO 27701** - Privacy Information Management
- **NIST Cybersecurity Framework** - Cybersecurity risk management framework, originally developed for critical infrastructure
- **CMMC** - Cybersecurity Maturity Model Certification

## Core Audit Competencies

### Evidence Collection & Analysis
```bash
# Example patterns for compliance evidence (-n keeps line numbers for the evidence index, -i catches mixed case)
grep -rni "audit" config/ --include="*.json" --include="*.yml" --include="*.properties"
grep -rni "access" policies/ --include="*.md" --include="*.txt" --include="*.doc"
grep -rni "retention" procedures/ --include="*.md" --include="*.pdf"
# .doc and .pdf are binary containers: extract their text first (e.g. pdftotext), otherwise grep only reports "Binary file matches"
```
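A structured form of the grep patterns above, added here as an example and not one of the skill's own scripts: it walks an evidence tree, records each keyword hit with the SOC 2 trust services category it supports, and flags settings that usually become findings rather than evidence (such as the unencrypted backups in Example 2). The keyword-to-category mapping, the weak-setting pattern and the sample files are constructed for the example.

```python
# Added example (not one of the skill's own scripts): a structured form of the grep
# patterns above. Keyword-to-category mapping and the sample files are constructed.
import os, re, tempfile
# Keyword -> SOC 2 trust services category it most often evidences (illustrative mapping).
KEYWORDS = {"audit": "Security", "access": "Security", "mfa": "Security",
            "retention": "Availability", "encrypt": "Confidentiality"}
EVIDENCE_EXTENSIONS = {".json", ".yml", ".yaml", ".properties", ".md", ".txt"}
# Settings that usually become findings rather than evidence (e.g. unencrypted backups).
WEAK_SETTING = re.compile(r"(encrypt\w*|mfa|audit_log\w*)\s*[:=]\s*(false|off|disabled|none)\b", re.I)

# Constructed sample tree standing in for config/, policies/ and procedures/.
SAMPLE_FILES = {
    "config/database.yml": "backup_encryption: false\nretention_days: 30\n",
    "config/app.json": '{"mfa_required": true, "audit_log_enabled": true}\n',
    "policies/access_control.md": "# Access control policy\nReview access quarterly.\n",
    "README.html": "<p>encrypt nothing</p>\n",  # not an evidence file type: skipped
}

def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

def index_evidence(root):
    """One record per matching line: file, line, keywords, categories, weak-setting flag."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EVIDENCE_EXTENSIONS:
                continue  # binary formats (.doc, .pdf) need text extraction first
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    hits = [kw for kw in KEYWORDS if kw in line.lower()]
                    if hits:
                        records.append({
                            "file": os.path.relpath(path, root).replace(os.sep, "/"),
                            "line": lineno, "keywords": hits,
                            "categories": sorted({KEYWORDS[k] for k in hits}),
                            "weak_setting": bool(WEAK_SETTING.search(line)),
                            "text": line.strip()})
    return sorted(records, key=lambda r: (r["file"], r["line"]))

def summarize(records):
    """Evidence and weak-setting counts per category: the input to a gap analysis."""
    summary = {}
    for rec in records:
        for cat in rec["categories"]:
            entry = summary.setdefault(cat, {"evidence": 0, "weak": 0})
            entry["evidence"] += 1
            entry["weak"] += int(rec["weak_setting"])
    return summary
```

Running `summarize(index_evidence(build_sample_tree()))` on the sample tree reports one Confidentiality record that is a weak setting (the unencrypted backup) against three Security and one Availability evidence records.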

### Control Assessment
- Design effectiveness evaluation
- Operating effectiveness testing
- Control gap identification
- Remediation timeline development
- Continuous monitoring implementation

### Documentation Review
- Policy and procedure analysis
- Evidence collection validation
- Risk assessment methodology review
- Incident response documentation
- Third-party assessment reports

## Audit Methodology

### Planning & Scoping
- Compliance requirement mapping
- Risk-based approach development
- Sampling methodology design
- Stakeholder interviews
- Documentation requests

### Fieldwork Execution
- Control testing procedures
- Evidence collection protocols
- Process walk-throughs
- System configuration reviews
- Staff competency validation

### Reporting & Findings
- Gap analysis documentation
- Risk rating assignments
- Remediation recommendations
- Implementation roadmaps
- Executive summary preparation

## Specific Compliance Areas

### SOC 2 Trust Services Criteria
- **Security** - System protection against unauthorized access
- **Availability** - System availability for operation and use
- **Processing Integrity** - System processing completeness and accuracy
- **Confidentiality** - Information protection from unauthorized disclosure
- **Privacy** - Personal information collection and use controls

### HIPAA Administrative Safeguards
- Security officer designation
- Workforce security procedures
- Information access management
- Security awareness and training
- Security incident procedures

### GDPR Data Protection Requirements
- Lawfulness of processing
- Purpose limitation principles
- Data minimization practices
- Accuracy maintenance procedures
- Storage limitation implementations

## Audit Scenarios

### Cloud Service Provider Assessment
- AWS/Azure/GCP security configurations
- Multi-tenancy isolation controls
- Data encryption verification
- Service provider due diligence
- Subprocessor management

### Software Development Lifecycle
- Secure coding practices
- Change management procedures
- Code review processes
- Security testing integration
- DevSecOps pipeline compliance

### Third-Party Risk Management
- Vendor assessment procedures
- Contract compliance verification
- Service level agreement monitoring
- Data processing agreement review
- Supply chain security validation

## Deliverables

### Compliance Reports
- Comprehensive audit findings
- Gap analysis with remediation plans
- Control effectiveness ratings
- Risk mitigation strategies
- Compliance dashboard development

## Skill-Specific Scripts and References

### Available Compliance Auditor Scripts
Located in `scripts/` directory:

- **check_gdpr.py** - GDPR compliance checking (data minimization, consent, right to erasure)
- **validate_hipaa.py** - HIPAA validation (PHI protection, audit controls)
- **collect_soc2_evidence.py** - SOC 2 evidence collection (Security, Availability, Processing Integrity, Confidentiality, Privacy)
- **scan_pci_dss.py** - PCI DSS scanning (cardholder data, encryption standards)
- **validate_nist.py** - NIST controls validation (CSF, SP 800-53)
- **assess_iso27001.py** - ISO 27001 assessment (ISMS controls)
- **generate_report.py** - Compliance report generation

### Available Compliance Auditor References
Located in `references/` directory:

- **gdpr_requirements.md** - GDPR requirements and compliance checks
- **hipaa_guidelines.md** - HIPAA guidelines and controls
- **soc2_controls.md** - SOC 2 Type II examination criteria and controls
- **pci_dss_standard.md** - PCI DSS v4.0 requirements and compliance checklist
- **nist_controls.md** - NIST Cybersecurity Framework and SP 800-53 controls
- **iso27001_mapping.md** - ISO 27001 control mapping and implementation guidance

### Script Usage Examples

```bash
# GDPR compliance check
python3 scripts/check_gdpr.py . --config config/compliance.yaml --output gdpr_report.json

# HIPAA validation
python3 scripts/validate_hipaa.py . --format text

# SOC 2 evidence collection
python3 scripts/collect_soc2_evidence.py . --framework SOC2_Type2 --output soc2_evidence/

# PCI DSS scanning
python3 scripts/scan_pci_dss.py . --scan_level full

# NIST controls validation
python3 scripts/validate_nist.py . --framework CSF

# ISO 27001 assessment
python3 scripts/assess_iso27001.py . --controls annex_a --output iso_report.md

# Generate compliance report
python3 scripts/generate_report.py --evidence evidence/ --compliance SOC2 --output compliance_report.md
```

### Configuration Files

Create `config/compliance.yaml` for script configuration:

```yaml
compliance_auditing:
  audit_scope: '.'
  frameworks: ['SOC2', 'GDPR', 'HIPAA', 'PCI_DSS', 'ISO27001', 'NIST']
  
  check_gdpr:
    data_minimization: true
    consent_management: true
    right_to_erasure: true
    data_portability: true
    
  validate_hipaa:
    phi_protection: true
    audit_controls: true
    administrative_safeguards: true
    physical_safeguards: true
    technical_safeguards: true
    
  collect_soc2_evidence:
    trust_services_criteria: ['security', 'availability', 'processing_integrity', 'confidentiality', 'privacy']
    common_criteria: true
    
  scan_pci_dss:
    scan_level: 'full'
    cardholder_data_scope: true
    encryption_standards: true
    
  validate_nist:
    framework: 'CSF'
    control_baselines: ['low', 'moderate', 'high']
    
  assess_iso27001:
    controls: 'annex_a'
    isms_controls: true
    
  generate_report:
    report_format: 'markdown'
    include_recommendations: true
    include_roadmap: true
```

### Policy & Procedure Templates
- Security policy frameworks
- Incident response procedures
- Data classification guidelines
- Access management policies
- Business continuity plans

### Training Materials
- Compliance awareness programs
- Role-specific security training
- Incident response tabletop exercises
- Privacy best practices guides
- Regulatory change management

## Continuous Compliance
- Automated compliance monitoring
- Regulatory change tracking
- Control effectiveness testing
- Risk assessment updates
- Compliance management systems integration

## Industry Expertise
- Healthcare providers and payers
- Financial services institutions
- SaaS and technology companies
- Government contractors
- Educational institutions

## Examples

### Example 1: SOC 2 Type II Preparation for SaaS Startup

**Scenario:** A growing SaaS company preparing for their first SOC 2 Type II audit needs to implement controls and collect evidence for the Security and Availability trust services criteria.

**Audit Preparation Approach:**
1. **Gap Analysis**: Compared current practices against SOC 2 trust services criteria
2. **Control Implementation**: Deployed access management, encryption, and monitoring controls
3. **Evidence Collection**: Automated collection of logs, configurations, and access reviews
4. **Remediation**: Addressed 23 gaps identified in initial assessment

**Key Controls Implemented:**
- Multi-factor authentication for all system access
- Automated log retention and security monitoring
- Encrypted data at rest and in transit (TLS 1.3, AES-256)
- Incident response procedures with documented evidence
- Vendor management program with security assessments

**Audit Result**: Passed with 2 minor observations (no material findings)

### Example 2: HIPAA Compliance for Healthcare Application

**Scenario:** A healthcare technology company needs to ensure their patient portal meets HIPAA requirements for PHI protection.

**Compliance Assessment:**
1. **PHI Inventory**: Mapped all locations where PHI is stored, processed, or transmitted
2. **Technical Controls**: Evaluated encryption, access controls, and audit logging
3. **Administrative Safeguards**: Reviewed policies, procedures, and workforce training
4. **Business Associate Agreements**: Audited all third-party relationships

**Critical Findings and Remediation:**
- Unencrypted database backups → Implemented TDE and encrypted backup storage
- Excessive user access → Deployed role-based access control (RBAC)
- Missing audit logs → Integrated CloudTrail and database audit logging
- Outdated BAA with vendor → Negotiated updated BAA with current requirements

**Outcome**: Achieved full HIPAA compliance within 90 days

### Example 3: GDPR Data Privacy Implementation

**Scenario:** An e-commerce company expanding to EU markets needs to implement GDPR compliance for customer data processing.

**Privacy Implementation:**
1. **Data Mapping**: Documented all personal data flows across the organization
2. **Consent Management**: Implemented cookie consent and preference management
3. **Data Subject Rights**: Built automated processes for access, deletion, and portability requests
4. **Data Retention**: Defined and implemented retention schedules

**Implementation Components:**
- Privacy-by-design architecture review
- Consent management platform integration
- Data subject request (DSR) automation workflow
- International data transfer mechanisms (Standard Contractual Clauses)
- Privacy impact assessment (PIA) process

**Measurable Outcomes:**
- Consent capture rate: 98% (up from 45%)
- DSR response time: 5 days average (regulatory requirement: 30 days)
- Data breach notification process tested quarterly
- Privacy training completion: 100% of employees

## Best Practices

### Audit Preparation

- **Start Early**: Begin compliance efforts 6-12 months before audit
- **Gap Analysis First**: Understand where you stand before planning remediation
- **Phased Approach**: Address highest-risk gaps first
- **Evidence Automation**: Collect evidence continuously, not just before audit
- **Management Buy-In**: Ensure leadership understands compliance requirements

### Control Framework

- **Risk-Based Controls**: Implement controls based on risk assessment findings
- **Defense in Depth**: Multiple layers of controls for critical areas
- **Least Privilege**: Grant minimum access required for each role
- **Change Management**: Document and review all control changes
- **Continuous Monitoring**: Implement automated control effectiveness testing

### Documentation Excellence

- **Clear Policies**: Write policies that are understandable and actionable
- **Procedure Documentation**: Detail how policies are implemented operationally
- **Evidence Artifacts**: Maintain comprehensive evidence of control operation
- **Traceability**: Link controls to requirements and risks
- **Version Control**: Track policy changes over time

### Third-Party Management

- **Due Diligence**: Assess security posture before engagement
- **Contract Requirements**: Include security requirements in contracts
- **Ongoing Monitoring**: Reassess vendors periodically
- **Incident Coordination**: Establish breach notification procedures
- **Exit Planning**: Define data handling at relationship end

### Regulatory Updates

- **Track Changes**: Monitor regulatory developments in your industry
- **Impact Assessment**: Evaluate how changes affect current compliance
- **Proactive Adaptation**: Update controls before enforcement deadlines
- **Industry Collaboration**: Participate in industry compliance groups
- **Expert Consultation**: Engage specialists for complex requirements

## Anti-Patterns

### Audit Process Anti-Patterns

- **Checkbox Compliance**: Treating compliance as a form-filling exercise - focus on actual security outcomes
- **Point-in-Time Snapshots**: Assessing controls only at audit time - implement continuous compliance monitoring
- **Evidence Fabrication**: Creating evidence rather than demonstrating real controls - build genuine compliance programs
- **Scope Shrinking**: Minimizing audit scope to reduce findings - address root causes instead of hiding problems

### Control Implementation Anti-Patterns

- **Paper Controls**: Policies that exist only in documentation - implement technical enforcement mechanisms
- **Over-Complex Controls**: Controls so complex they cannot be operationalized - balance security with operability
- **Control Redundancy**: Implementing overlapping controls without coordination - map and rationalize control portfolio
- **Control Gaps**: Leaving security domains uncovered - maintain comprehensive control coverage

### Evidence Collection Anti-Patterns

- **Last Minute Rush**: Collecting evidence only when auditors arrive - automate continuous evidence collection
- **Incomplete Evidence**: Providing partial evidence that raises more questions - ensure comprehensive documentation
- **Outdated Evidence**: Using evidence from outdated systems or processes - maintain current evidence artifacts
- **Inaccessible Evidence**: Evidence that cannot be located or produced - organize and index evidence systematically

### Remediation Anti-Patterns

- **Temporary Fixes**: Applying bandages instead of solving root causes - implement permanent solutions
- **Finding Chasing**: Prioritizing based on audit severity rather than risk - assess actual risk impact
- **Remediation Debt**: Accumulating findings without resolution - maintain remediation backlog with timelines
- **Siloed Remediation**: Fixing findings in isolation without systemic improvement - identify patterns and prevent recurrence

Overview

This skill is a specialized compliance auditor for SOC 2, HIPAA, GDPR and other regulatory frameworks across industries. It provides gap analysis, control assessments, evidence collection, and remediation guidance to prepare organizations for audits and maintain continuous compliance. The skill supports practical deliverables like audit reports, remediation roadmaps, and control mappings.

How this skill works

The auditor inspects policies, procedures, technical configurations, and evidence artifacts to map controls to regulatory requirements. It runs targeted checks, performs design and operating effectiveness testing, and compiles findings into prioritized remediation plans and executive summaries. Automated scripts and configurable checks accelerate evidence collection and reporting.

When to use it

  • Preparing for SOC 2 Type I or Type II audits
  • Validating HIPAA compliance for healthcare systems handling PHI
  • Implementing GDPR requirements for data protection and DSRs
  • Scoping and remediating PCI DSS cardholder data exposures
  • Assessing third-party vendors and supply chain compliance

Best practices

  • Start compliance work 6–12 months before an audit and perform an initial gap analysis
  • Adopt a risk-based, phased remediation approach focusing on high-risk gaps first
  • Automate continuous evidence collection and control effectiveness testing
  • Maintain clear, version-controlled policies and traceable evidence artifacts
  • Enforce least privilege, defense-in-depth, and documented change management

Example use cases

  • SaaS startup preparing for first SOC 2 Type II: gap analysis, control implementation, automated evidence collection, and final audit readiness
  • Healthcare app ensuring HIPAA: PHI inventory, encryption, access controls, BAAs review, and remediation to achieve compliance within 90 days
  • E-commerce expansion to EU: data mapping, consent management, DSR automation, and international transfer mechanisms for GDPR readiness
  • Cloud service provider assessment: multi-tenancy isolation review, encryption verification, and subprocessor management
  • Third-party risk program: vendor assessments, contract security clauses, and periodic re-evaluation

FAQ

Which frameworks does this auditor cover?

Core coverage includes SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, NIST CSF and related regional privacy laws like CCPA/CPRA and PIPEDA.

How does evidence collection work?

Evidence collection can be automated via scripted scans and log aggregation, combined with manual collection of policies, contracts, and interview notes to validate control operation.