audit

Audit Skill

Collect evidence and verify audit trails for compliance.

When to Use

• Preparing for external audit
• Collecting evidence for compliance certification
• Verifying audit trail completeness
• Generating audit reports
• User says "audit", "evidence", "audit trail", "control testing"

Commands

/wicked-garden:platform:audit [--controls] [--trail] [--report]

Audit Process

1. Define Scope

Identify audit targets:

• Code components
• Data flows
• Access controls
• Infrastructure
• Processes

2. Collect Evidence

Code Evidence:

• Access control implementation
• Encryption usage
• Input validation
• Error handling
• Logging statements

Configuration Evidence:

• TLS/SSL settings
• Database encryption
• Key management
• Network policies
• IAM roles

Documentation Evidence:

• Architecture diagrams
• Data flow diagrams
• Security policies
• Incident response plans

Operational Evidence:

• Access logs
• Audit logs
• Security events
• Change logs

See refs/checklists-soc2-hipaa.md, refs/checklists-gdpr-pci-evidence.md, and refs/checklists-evidence-operations.md for comprehensive evidence checklists.

3. Verify Controls

Test each control:

# Check encryption
grep -r "encrypt\|cipher\|AES\|TLS" {target}

# Check access controls
grep -r "authorize\|authenticate\|require.*auth" {target}

# Check audit logging
grep -r "log\|audit\|event" {target}

See refs/frameworks-soc2-hipaa.md and refs/frameworks-gdpr-pci.md for framework-specific control testing procedures.

4. Document Gaps

Identify:

• Controls without evidence
• Incomplete audit trails
• Missing documentation
• Configuration gaps

5. Generate Report

Create report with:

• Controls tested
• Evidence collected
• Gaps identified
• Recommendations
• Risk assessment

Evidence Types

Type	Description	Examples
Design	Architecture	Diagrams, specs, policies
Implementation	Code	Functions, configs, tests
Operational	Runtime	Logs, metrics, incidents
Process	Procedural	Approvals, reviews, training

Integration

With native tasks

Attach audit evidence by appending to the task description (reference file paths checked into the repo):

TaskUpdate(
  taskId="{task_id}",
  description="{previous}\n\n## Audit Evidence: {control_id}\nEvidence file: {evidence_path}"
)

With wicked-garden:search

Find related evidence:

/wicked-garden:search:code "audit|logging|encrypt" --path {target}

Output Format

## Audit Report: {Framework}

**Status**: {READY|NEEDS WORK|NOT READY}
**Controls Tested**: {count} | **Gaps**: {count}

### Controls Tested
| ID | Status | Evidence |
|----|--------|----------|
| CC6.1 | PASS | auth.py:15 |
| CC7.2 | FAIL | Missing |

### Evidence
- Design: docs/arch.md
- Code: src/auth.py, src/crypto.py
- Operational: /var/log/audit.log

### Critical Gaps (P0)
1. Missing admin audit trail
2. No TLS for PII endpoints

### Recommendations
1. Fix P0 gaps before certification
2. Schedule follow-up audit

Quality Standards

Good audit evidence:

• Specific file/line references
• Clear control mapping
• Complete artifact trails
• Risk-prioritized gaps

Bad audit evidence:

• Generic statements
• No source references
• Missing artifacts