Compliance & Reporting

Compliance reporting is the output layer of identity governance — it provides the evidence that controls are operating effectively, access is appropriate, and regulatory requirements are met. Well-designed reporting transforms audit preparation from a frantic exercise into a continuous, predictable process.

The Cost of Non-Compliance

Regulation | Maximum Fine | Recent Example
---------- | ------------ | --------------
GDPR | €20M or 4% of global annual revenue | Meta: €1.2B (2023) for data transfer violations
HIPAA | $1.5M per violation category per year | Anthem: $16M (2018) for data breach
PCI DSS | $100K-$500K per month (by acquirers) | Multiple: reputation damage exceeds fines
SOX | $5M + 20 years imprisonment | Enron: corporate failure triggered regulation

Compliance Reporting Requirements by Framework

SOX Section 404

Internal controls over financial reporting — including access controls:

Required Report | Frequency | Content
--------------- | --------- | -------
User access review report | Quarterly or annual | Confirmation that user access to financial systems has been reviewed
SoD violation report | Quarterly | Current SoD violations, remediation status, mitigating controls
Privileged access report | Quarterly | List of users with privileged access to financial systems
Provisioning/de-provisioning report | Monthly | User accounts created, modified, terminated during period

PCI DSS v4.0

Required Report | Frequency | Content
--------------- | --------- | -------
Access control report | Quarterly | List of users with access to cardholder data environment
Access review documentation | Every 6 months | Evidence of access review completion
MFA compliance report | Monthly | MFA enforcement status for administrative access
Audit trail report | Monthly | Log review evidence for user activities

GDPR

Required Report | Frequency | Content
--------------- | --------- | -------
Records of processing activities (Article 30) | Continuous | What personal data is processed, who has access, retention periods
Access impact assessment | Per new processing | Risk assessment for processing personal data
Data subject access request log | Continuous | Requests received, responses, timelines
Access control report | Annual | Who has access to personal data, under what conditions

Building a Compliance Reporting Program

Report Types

Report Type | Audience | Frequency | Delivery
----------- | -------- | --------- | --------
Operational reports | IAM team, IT operations | Daily or weekly | Automated email, dashboard
Management reports | IT management, CISO | Monthly | Dashboard, executive summary
Compliance reports | Compliance team, auditors | Quarterly or per audit | Formal report, evidence package
Board reports | Board of directors | Annually | Executive summary, key metrics
Auditor evidence | External auditors | On demand | Evidence repository with search

Evidence Collection

Evidence is the documentation that proves a control is operating effectively:

Control | Evidence | Collection Method | Retention
------- | -------- | ----------------- | ---------
Access certification | Campaign completion report, reviewer decisions, remediation actions | IGA platform exports | 7 years (SOX), life of audit cycle (other)
Provisioning/de-provisioning | Provisioning logs, SCIM transaction records | SIEM or IGA logs | 1-7 years depending on regulation
Access reviews | Certifications with reviewer decisions and timestamps | IGA platform exports | 7 years
SoD monitoring | SoD analysis reports, exception records | IGA platform | 7 years
Authentication events | Login logs, MFA status, failed attempts | SIEM | 1 year (rolling)
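As an added example (not code from this page or from any IGA product), the following Python script shows one way to turn raw IGA and SIEM exports into evidence items that carry the fields this page lists for an evidence item (title, description, date, source system, link to supporting data) plus a SHA-256 digest of the underlying records, so a later reviewer can prove the export was not altered after collection, and a retention date derived from the table above. The sample exports, control IDs and the link URIs are constructed placeholders, and the 7-year retention is approximated as 7 x 365 days.

```python
import hashlib
import json
from datetime import date, timedelta

# Retention periods taken from the evidence table on this page, in days.
# Assumption: 7 years is approximated as 7*365 days; where the page gives a
# range (1-7 years for provisioning) the upper bound is used.
RETENTION_DAYS = {
    "access_certification": 7 * 365,
    "provisioning": 7 * 365,
    "sod_monitoring": 7 * 365,
    "authentication_events": 365,
}


def _canonical(records):
    """Serialise records deterministically so the digest is reproducible."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_evidence_item(control_type, framework, control_id, title, description,
                       source_system, collected_on, records, link):
    """Wrap an export from the IGA platform or SIEM as an evidence item.

    The item carries the fields an auditor expects plus a SHA-256 digest of the
    supporting records and the date after which the evidence may be disposed of.
    """
    return {
        "framework": framework,
        "control_id": control_id,
        "control_type": control_type,
        "title": title,
        "description": description,
        "date": collected_on.isoformat(),
        "source_system": source_system,
        "link": link,
        "record_count": len(records),
        "sha256": hashlib.sha256(_canonical(records)).hexdigest(),
        "retention_until": (collected_on + timedelta(days=RETENTION_DAYS[control_type])).isoformat(),
    }


def verify_evidence(item, records):
    """Re-hash the supporting records; False means they no longer match the item."""
    return hashlib.sha256(_canonical(records)).hexdigest() == item["sha256"]


def build_evidence_package(items):
    """Index evidence by framework and control ID so auditors can self-serve."""
    package = {}
    for item in items:
        package.setdefault(item["framework"], {}).setdefault(item["control_id"], []).append(item)
    return package


def expired_evidence(items, today_iso):
    """Evidence whose retention period ended before the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [i for i in items if date.fromisoformat(i["retention_until"]) < today]


# Constructed sample exports (not real data).
CERT_EXPORT = [
    {"user": "u1001", "entitlement": "GL-POST", "reviewer": "m2001", "decision": "approved", "decided_on": "2024-03-20"},
    {"user": "u1002", "entitlement": "AP-PAY", "reviewer": "m2001", "decision": "revoked", "decided_on": "2024-03-22"},
]
AUTH_EXPORT = [
    {"ts": "2024-03-30T08:01:12Z", "user": "admin1", "result": "success", "mfa": True},
    {"ts": "2024-03-30T08:05:40Z", "user": "admin2", "result": "failure", "mfa": False},
]
COLLECTED_ON = date(2024, 3, 31)

# Control IDs and links below are hypothetical labels for this example.
CERT_ITEM = make_evidence_item(
    "access_certification", "SOX", "CTRL-SOX-01",
    "Q1 2024 financial systems access certification",
    "Campaign completion report with reviewer decisions and remediation actions",
    "IGA platform", COLLECTED_ON, CERT_EXPORT, "evidence://placeholder/cert-q1-2024.json",
)
AUTH_ITEM = make_evidence_item(
    "authentication_events", "PCI DSS", "CTRL-PCI-01",
    "March 2024 administrative authentication events",
    "Login results and MFA status for administrative access to the CDE",
    "SIEM", COLLECTED_ON, AUTH_EXPORT, "evidence://placeholder/auth-2024-03.json",
)

if __name__ == "__main__":
    print(json.dumps(build_evidence_package([CERT_ITEM, AUTH_ITEM]), indent=2))
```

The digest is the part worth copying: an auditor who receives the evidence package and the original export can recompute it, and a retention job can use `expired_evidence` to dispose of items only after their framework-mandated period has passed.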

Automated Compliance Dashboards

Real-time dashboards provide continuous visibility into compliance posture:

Executive Dashboard Example:

┌─────────────────────────────────────────────────────────┐
│ IAM COMPLIANCE DASHBOARD                                │
├─────────────────────────────────────────────────────────┤
│ COMPLIANCE SCORE: 87/100           Last Updated: [Date] │
│                                                         │
│ SOX:   ██████████ 95%  (Target: 95% ✓)                  │
│ PCI:   ████████░░ 82%  (Target: 90% ✗)                  │
│ HIPAA: █████████░ 89%  (Target: 90% ✗)                  │
│                                                         │
│ KEY METRICS:                                            │
│ ┌─────────────────────┬──────────┬──────────┬──────────┐│
│ │ Metric              │ Current  │ Target   │ Status   ││
│ ├─────────────────────┼──────────┼──────────┼──────────┤│
│ │ Access Cert. Rate   │ 94%      │ 95%      │ ✓        ││
│ │ SoD Violations      │ 47       │ < 50     │ ✓        ││
│ │ Orphan Accounts     │ 123      │ < 100    │ ✗        ││
│ │ MFA Coverage        │ 88%      │ 95%      │ ✗        ││
│ │ Pass. Rotation      │ 92%      │ 90%      │ ✓        ││
│ └─────────────────────┴──────────┴──────────┴──────────┘│
└─────────────────────────────────────────────────────────┘

Auditor Workflow

Audit Notification

Auditor notifies organisation of upcoming audit scope (which systems, which controls). IAM team identifies relevant evidence and prepares access for the auditor.

Evidence Collection

IAM team gathers evidence from IGA platform, SIEM, PAM, and other sources. Evidence is organised by control framework and control ID. Each evidence item includes: title, description, date, source system, and link to supporting data.

Evidence Review

Auditor reviews evidence for completeness, accuracy, and timeliness, and requests additional evidence if the initial submission is insufficient. IAM team responds to evidence requests within the agreed SLA.

Control Testing

Auditor tests controls by: reviewing evidence, interviewing process owners, observing processes, and re-performing control activities. For access controls, the auditor may request live demonstration of certification process or spot-check user access.

Findings and Remediation

Auditor reports findings: control deficiencies, observations, and recommendations. IAM team creates a remediation plan with owners and deadlines, and remediation status is tracked through to closure.

Report Issuance

Auditor issues final report. IAM team incorporates findings into continuous improvement plan. Evidence from the audit is archived for future reference.

Continuous Compliance

Moving from snapshot-based compliance (evidence collected at audit time) to continuous compliance (real-time monitoring and automated evidence collection):

Approach | Snapshot-Based | Continuous Compliance
-------- | -------------- | ---------------------
Evidence collection | Manual, collected before audit | Automated, collected continuously
Review frequency | Annual or quarterly | Real-time or daily
Issues detected | At audit time (months old) | Within hours of occurrence
Remediation speed | Weeks to months | Days to weeks
Effort per audit | 2-4 weeks of intensive preparation | Minimal — evidence is always ready
Auditor experience | Auditors find issues that may already be fixed | Auditors validate continuous controls

Implementing Continuous Compliance

  1. Automate evidence collection — Schedule IGA and SIEM report generation at required frequencies
  2. Monitor control effectiveness — Define and track KPIs for each control
  3. Alert on deviations — Configure alerts when controls are not operating effectively (e.g., certification overdue, SoD violation not remediated)
  4. Maintain evidence repository — Store all evidence in a central, searchable repository with versioning
  5. Pre-certify evidence for auditors — Organise evidence by control framework for auditor self-service
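Steps 2 and 3 above (track KPIs per control, alert on deviations) and the key-metrics table in the dashboard example are illustrated by the following added Python script, which is not code from this page or from any IGA product. It computes certification completion rate, overdue certifications, open and overdue SoD violations, orphan accounts and administrative MFA coverage from constructed IGA data, compares them with the dashboard's targets, and returns a list of alerts; the 30-day SoD remediation SLA and all sample records are assumptions made for the example.

```python
from datetime import date, timedelta

# Targets taken from the dashboard example on this page.
TARGETS = {
    "cert_completion_rate": 95.0,   # percent of certifications completed
    "open_sod_violations": 50,      # count must stay below this
    "orphan_accounts": 100,         # count must stay below this
    "mfa_coverage": 95.0,           # percent of admin accounts with MFA
}
# Assumption for this example: an open SoD violation without a mitigating
# control must be remediated within 30 days of detection.
SOD_REMEDIATION_SLA_DAYS = 30


def cert_completion_rate(certs):
    """Percentage of certification items that reviewers have completed."""
    if not certs:
        return 0.0
    done = sum(1 for c in certs if c["status"] == "completed")
    return round(100.0 * done / len(certs), 1)


def overdue_certifications(certs, today):
    """IDs of certification items still open after their due date."""
    return [c["id"] for c in certs if c["status"] != "completed" and c["due"] < today]


def sod_past_sla(violations, today):
    """IDs of open, unmitigated SoD violations older than the remediation SLA."""
    deadline = today - timedelta(days=SOD_REMEDIATION_SLA_DAYS)
    return [v["id"] for v in violations
            if v["status"] == "open" and not v["mitigating_control"] and v["detected"] <= deadline]


def orphan_accounts(accounts):
    """Accounts with no owner or whose owner has been terminated."""
    return [a["id"] for a in accounts if a["owner_status"] in (None, "terminated")]


def mfa_coverage(accounts):
    """Percentage of administrative accounts enrolled in MFA (100 if there are none)."""
    admins = [a for a in accounts if a["admin"]]
    if not admins:
        return 100.0
    return round(100.0 * sum(1 for a in admins if a["mfa"]) / len(admins), 1)


def evaluate(certs, violations, accounts, today):
    """Compute the KPIs for one point in time and return (metrics, alerts)."""
    metrics = {
        "cert_completion_rate": cert_completion_rate(certs),
        "overdue_certifications": len(overdue_certifications(certs, today)),
        "open_sod_violations": sum(1 for v in violations if v["status"] == "open"),
        "sod_past_sla": len(sod_past_sla(violations, today)),
        "orphan_accounts": len(orphan_accounts(accounts)),
        "mfa_coverage": mfa_coverage(accounts),
    }
    alerts = []
    if metrics["cert_completion_rate"] < TARGETS["cert_completion_rate"]:
        alerts.append({"metric": "cert_completion_rate",
                       "detail": f"{metrics['cert_completion_rate']}% completed, target {TARGETS['cert_completion_rate']}%"})
    if metrics["overdue_certifications"]:
        alerts.append({"metric": "overdue_certifications",
                       "detail": "overdue: " + ", ".join(overdue_certifications(certs, today))})
    if metrics["open_sod_violations"] >= TARGETS["open_sod_violations"]:
        alerts.append({"metric": "open_sod_violations",
                       "detail": f"{metrics['open_sod_violations']} open, target < {TARGETS['open_sod_violations']}"})
    if metrics["sod_past_sla"]:
        alerts.append({"metric": "sod_past_sla",
                       "detail": "past SLA: " + ", ".join(sod_past_sla(violations, today))})
    if metrics["orphan_accounts"] >= TARGETS["orphan_accounts"]:
        alerts.append({"metric": "orphan_accounts",
                       "detail": f"{metrics['orphan_accounts']} orphans, target < {TARGETS['orphan_accounts']}"})
    if metrics["mfa_coverage"] < TARGETS["mfa_coverage"]:
        alerts.append({"metric": "mfa_coverage",
                       "detail": f"{metrics['mfa_coverage']}% of admins enrolled, target {TARGETS['mfa_coverage']}%"})
    return metrics, alerts


# Constructed sample data (not real IGA records).
AS_OF = date(2024, 3, 31)
SAMPLE_CERTS = [
    {"id": "cert-1", "status": "completed", "due": date(2024, 3, 15)},
    {"id": "cert-2", "status": "completed", "due": date(2024, 3, 15)},
    {"id": "cert-3", "status": "completed", "due": date(2024, 3, 15)},
    {"id": "cert-4", "status": "completed", "due": date(2024, 3, 15)},
    {"id": "cert-5", "status": "pending", "due": date(2024, 3, 15)},
]
SAMPLE_SOD = [
    {"id": "sod-1", "status": "open", "detected": date(2024, 2, 1), "mitigating_control": False},
    {"id": "sod-2", "status": "open", "detected": date(2024, 3, 20), "mitigating_control": False},
    {"id": "sod-3", "status": "remediated", "detected": date(2024, 1, 10), "mitigating_control": False},
]
SAMPLE_ACCOUNTS = [
    {"id": "alice", "admin": True, "mfa": True, "owner_status": "active"},
    {"id": "bob", "admin": True, "mfa": False, "owner_status": "active"},
    {"id": "carol", "admin": False, "mfa": True, "owner_status": "active"},
    {"id": "svc-report", "admin": False, "mfa": False, "owner_status": None},
    {"id": "dave", "admin": False, "mfa": True, "owner_status": "terminated"},
    {"id": "erin", "admin": True, "mfa": True, "owner_status": "active"},
]

if __name__ == "__main__":
    metrics, alerts = evaluate(SAMPLE_CERTS, SAMPLE_SOD, SAMPLE_ACCOUNTS, AS_OF)
    print(metrics)
    for alert in alerts:
        print("ALERT", alert["metric"], "-", alert["detail"])
```

Scheduled daily against real IGA and SIEM exports, a job like this gives the "within hours of occurrence" detection the continuous-compliance table describes; the alert records, together with the metric snapshot, are themselves evidence that the control was monitored on that date.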

Key Takeaways

  • Compliance reporting provides the evidence that controls are operating effectively — well-designed reporting transforms audit preparation from frantic to continuous
  • Each regulatory framework (SOX, PCI DSS, HIPAA, GDPR) requires specific reports at specific frequencies — design your reporting program to satisfy all applicable frameworks simultaneously
  • Evidence collection must be automated and continuous — manual evidence gathering is unsustainable and error-prone
  • Automated compliance dashboards provide real-time visibility into compliance posture across all frameworks — key metrics include certification rate, SoD violations, orphan accounts, and MFA coverage
  • Auditor workflow follows a defined sequence: notification → evidence collection → review → control testing → findings → remediation → report issuance
  • Moving from snapshot-based to continuous compliance reduces audit preparation effort, detects issues earlier, and improves auditor confidence