Compliance Auditor Agent
All-in-one agent for regulatory compliance validation. Includes structured workflows, validation checks, and reusable patterns for security.
Automate regulatory compliance validation across GDPR, HIPAA, PCI DSS, SOC 2, and ISO frameworks with evidence collection and continuous monitoring.
When to Use This Agent
Choose this agent when you need to:
- Conduct a gap analysis against a regulatory framework and produce a prioritized remediation plan with mapped controls
- Automate evidence collection for SOC 2 Type II or ISO 27001 audits across cloud infrastructure and code
- Establish continuous compliance monitoring that detects control drift and alerts on configuration deviations
Consider alternatives when:
- You need legal counsel on regulatory interpretation rather than technical control validation
- Your audit scope covers only financial controls (SOX Section 404) without information-security components
Quick Start
Configuration
```yaml
name: compliance-auditor-agent
type: agent
category: security
```
Example Invocation
```
claude agent:invoke compliance-auditor-agent "Run SOC 2 Type II readiness assessment on our AWS infrastructure"
```
Example Output
```
SOC 2 Type II Readiness - AWS us-east-1, us-west-2
Controls assessed: 64 | Passed: 48 | Gaps: 12 | N/A: 4

[GAP] CC6.1 - Logical Access Controls
  Finding:     IAM policies grant s3:* on production buckets to 3 roles
  Remediation: Scope to specific bucket ARNs and actions
  Priority:    High | Owner: Platform Engineering

[GAP] CC7.2 - System Monitoring
  Finding:     CloudTrail disabled in us-west-2
  Remediation: Enable multi-region trail with S3 + CloudWatch
  Priority:    Critical | Owner: Security Operations
```
Core Concepts
Regulatory Framework Overview
| Aspect | Details |
|---|---|
| SOC 2 TSC | Trust Services Criteria covering security, availability, processing integrity, confidentiality, privacy with 64 control points |
| GDPR | Data protection requiring lawful processing basis, data subject rights, 72-hour breach notification, DPIAs |
| HIPAA | PHI safeguards: administrative, physical, technical controls with BAA requirements |
| PCI DSS v4.0 | 12 requirement domains for cardholder data: network segmentation, encryption, access control, pen testing |
| ISO 27001:2022 | ISMS standard with 93 controls across organizational, people, physical, and technological categories |
Compliance Audit Architecture
```
+----------------+     +------------------+     +----------------+
|   Framework    | --> |     Control      | --> |    Evidence    |
|   Selection    |     |    Assessment    |     |   Collection   |
+----------------+     +------------------+     +----------------+
        |                       |                       |
        v                       v                       v
+----------------+     +------------------+     +----------------+
|  Gap Analysis  | --> |   Remediation    | --> |   Continuous   |
|     Report     |     |     Planning     |     |   Monitoring   |
+----------------+     +------------------+     +----------------+
```
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| framework | enum | soc2 | Target framework: soc2, gdpr, hipaa, pci-dss, iso27001 |
| scope_regions | list | ["us-east-1"] | Cloud regions in the audit perimeter |
| evidence_store | string | ./compliance/evidence | Path where evidence artifacts are stored |
| control_owner_map | string | - | YAML file mapping control IDs to responsible teams |
| continuous_monitor | bool | false | Enable ongoing drift detection with scheduled re-assessments |
Best Practices
- Map controls to business processes - Anchor assessments to real workflows handling regulated data so findings are understandable and actionable for stakeholders.
- Collect evidence programmatically - Use API-driven collection (Config snapshots, IAM exports, CloudTrail results) instead of screenshots for timestamped, reproducible artifacts.
- Maintain a living controls matrix - Version-control a YAML mapping each control to implementation, evidence source, and owner. Update after every remediation cycle.
- Separate assessment from remediation - Run in read-only mode first for complete gap analysis, then share with engineering before re-running to validate fixes.
- Layer frameworks for efficiency - Map overlapping controls once and tag with multiple framework references to reduce duplicate evidence collection by up to 40%.
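The two gaps in the Example Output above (CC6.1 wildcard S3 grants, CC7.2 missing CloudTrail coverage) and the "collect evidence programmatically" practice can be demonstrated with a small read-only check. The following is an added example, not the agent's own code: the IAM policy documents and trail list are constructed in-line in the shape the AWS API returns them (the `Document` of `iam.get_policy_version` and the `trailList` of `cloudtrail.describe_trails`), so it runs offline; the role names, bucket ARNs and account id are invented. A real collector would fetch those structures with boto3 and write the raw responses, with the timestamp, to the evidence store.

```python
"""Read-only SOC 2 checks for CC6.1 (wildcard S3 grants) and CC7.2 (CloudTrail coverage).

Added illustration, not the compliance-auditor-agent's code. All inputs below are
constructed to mimic AWS API responses; nothing here calls AWS.
"""
import fnmatch
from datetime import datetime, timezone

# --- Constructed evidence (stand-ins for API responses) ---------------------
PRODUCTION_BUCKET_ARNS = [          # hypothetical bucket names
    "arn:aws:s3:::prod-customer-data",
    "arn:aws:s3:::prod-billing-exports",
]

# role name -> attached policy Document, as iam.get_policy_version() would return it
ROLE_POLICIES = {
    "platform-deploy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "etl-runner": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::prod-customer-data",
                      "arn:aws:s3:::prod-customer-data/*"]}]},
    "billing-archiver": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::prod-billing-exports/*"]}]},
}

# cloudtrail.describe_trails()["trailList"] shape; one single-region trail only
TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "S3BucketName": "audit-logs",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*"},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _touches_production(resource_pattern, prod_arns):
    """True if an IAM Resource pattern covers a production bucket or its objects."""
    for arn in prod_arns:
        # IAM resource wildcards behave like shell globs; test the bucket and an object key
        if fnmatch.fnmatchcase(arn, resource_pattern) or \
           fnmatch.fnmatchcase(arn + "/obj", resource_pattern):
            return True
    return False


def find_wildcard_s3_grants(role_policies, prod_arns):
    """CC6.1: Allow statements granting s3:* (or *) that reach a production bucket."""
    findings = []
    for role, doc in role_policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            wildcard = [a for a in _as_list(stmt.get("Action", [])) if a in ("*", "s3:*")]
            if not wildcard:
                continue
            hits = [r for r in _as_list(stmt.get("Resource", []))
                    if _touches_production(r, prod_arns)]
            if hits:
                findings.append({"role": role, "actions": wildcard, "resources": hits})
    return findings


def find_unlogged_regions(trails, scope_regions):
    """CC7.2: regions in scope with neither a multi-region trail nor a trail homed there."""
    covered = set()
    for trail in trails:
        if trail.get("IsMultiRegionTrail"):
            covered.update(scope_regions)
        else:
            covered.add(trail.get("HomeRegion"))
    return sorted(r for r in scope_regions if r not in covered)


def assess(role_policies, trails, scope_regions, prod_arns):
    """Run both checks and return report-ready findings with their raw evidence attached."""
    collected_at = datetime.now(timezone.utc).isoformat()
    findings = []
    grants = find_wildcard_s3_grants(role_policies, prod_arns)
    if grants:
        findings.append({
            "control": "CC6.1", "title": "Logical Access Controls", "priority": "High",
            "finding": f"IAM policies grant s3:* on production buckets to {len(grants)} roles",
            "remediation": "Scope to specific bucket ARNs and actions",
            "evidence": grants, "collected_at": collected_at})
    missing = find_unlogged_regions(trails, scope_regions)
    if missing:
        findings.append({
            "control": "CC7.2", "title": "System Monitoring", "priority": "Critical",
            "finding": "CloudTrail disabled in " + ", ".join(missing),
            "remediation": "Enable multi-region trail with S3 + CloudWatch",
            "evidence": {"trails": trails, "missing_regions": missing},
            "collected_at": collected_at})
    return findings


def render_report(findings):
    """Format findings in the same layout as the agent's sample output."""
    lines = []
    for f in findings:
        lines += [f"[GAP] {f['control']} - {f['title']}",
                  f"  Finding:     {f['finding']}",
                  f"  Remediation: {f['remediation']}",
                  f"  Priority:    {f['priority']}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(assess(ROLE_POLICIES, TRAILS, ["us-east-1", "us-west-2"],
                               PRODUCTION_BUCKET_ARNS)))
```

The policy matcher deliberately tests both the bucket ARN and an object-level ARN, because a statement scoped to `arn:aws:s3:::bucket/*` still grants every object action on the bucket and should count as a production hit. The `evidence` field keeps the raw structures that produced each finding, which is what makes the artifact reproducible when the auditor asks how the gap was determined.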
Common Issues
- Scope creep into non-regulated systems - Without a clear asset inventory, the agent assesses systems outside compliance boundaries. Define scope via resource tags.
- Stale evidence from cached configs - Evidence older than 30 days may not reflect current state. Schedule refresh within the audit window.
- Control owner ambiguity - Unowned findings languish in backlog. Assign every control to a specific team before starting assessment.