════════════════════════════════════════════════════════════ DCP — DOCUMENT CONTEXT PROTOCOL
Document Type: Compliance Audit Report
Audience: Compliance officer, audit committee, department heads
Confidentiality: Internal — restricted distribution

Review Checklist:
- □ Audit scope is clearly defined — regulatory framework, business units, and time period under review are specified
- □ Methodology is documented — interview, document review, system testing, sampling approach
- □ Each finding includes: the requirement, the current state, the gap, and the evidence supporting the finding
- □ Findings are classified by severity with consistent criteria (Critical / Major / Minor / Observation)
- □ Root cause analysis is provided for Critical and Major findings
- □ Remediation plans include specific actions, owners, and deadlines
- □ Prior audit findings are tracked — confirm status of previously identified issues (resolved, in progress, not addressed)
- □ Management responses are documented for each finding
- □ Overall compliance posture is assessed with clear rationale
- □ Report distinguishes between regulatory non-compliance (legal risk) and best practice gaps (operational risk)
Drafting Standards:
- Objective, evidence-based tone — findings are facts, not opinions
- Use tables for finding summaries and remediation tracking
- Reference specific regulatory provisions or policy sections for each finding
- Executive summary should stand alone — a reader who reads only the first page should understand the compliance posture, key risks, and required actions
- Avoid qualifying language that obscures the finding — "appeared to" or "seemed to" should be replaced with definitive statements supported by evidence
Policy Check: Before reviewing this document, verify that the embedded policy is current if a policy server is available.
════════════════════════════════════════════════════════════

| Field | Value |
|---|---|
| Audit Title: | [Name of audit] |
| Regulatory Framework: | [e.g., SOX, HIPAA, PCI-DSS, GDPR, Internal Policy] |
| Business Unit(s): | [Scope of audit] |
| Audit Period: | [Start date] to [End date] |
| Auditor(s): | [Names and titles] |
| Report Date: | [Date] |
| Overall Assessment: | [Compliant / Partially Compliant / Non-Compliant] |
Executive Summary:
[3-5 sentences: what was audited, key findings, overall compliance posture, and the most important actions required. A reader who only reads this section should understand the situation.]
Finding Summary: [X] Critical | [Y] Major | [Z] Minor | [W] Observations
Prior Audit Status: [X] of [Y] prior findings resolved | [Z] remain open
Scope:
[Define what was audited: regulatory requirements, business processes, systems, and geographic locations included and excluded.]

Methodology:
[Describe approach: document review, interviews, system testing, sampling methodology, and any limitations.]

Assessment Criteria:
[List specific regulatory provisions, internal policies, or frameworks used as assessment criteria.]
Critical Findings:
Immediate action required. These findings represent significant non-compliance with regulatory requirements or material control failures.

| C-1 | [Title] |
|---|---|
| Requirement | [What the regulation or policy requires] |
| Current State | [What was observed] |
| Gap | [Specific non-compliance or deficiency] |
| Evidence | [Evidence supporting the finding] |
| Root Cause | [Why the gap exists] |
| Risk Impact | [Regulatory, financial, operational, or reputational] |
| Remediation | [Required action] |
| Owner | [Responsible person/team] |
| Deadline | [Date] |
| Management Response | [Response from responsible management] |
Major Findings:
Action required within defined timeline. These findings represent control weaknesses or compliance gaps that increase risk.
[Same format as Critical findings]
Minor Findings:
Address at next opportunity. These findings represent lower-risk gaps or deviations from best practices.
| # | Finding | Requirement | Gap | Recommendation | Owner |
|---|---|---|---|---|---|
| m-1 | [Title] | [Requirement] | [Gap] | [Action] | [Owner] |
| m-2 | [Title] | [Requirement] | [Gap] | [Action] | [Owner] |
Observations:
Non-binding recommendations for improvement.
- [Observation and recommendation]
- [Observation and recommendation]
Prior Audit Findings:

| Prior Finding | Original Severity | Status | Notes |
|---|---|---|---|
| [Finding from prior audit] | [Severity] | [Resolved / In Progress / Not Addressed] | [Current status] |
Remediation Tracking:

| # | Finding | Severity | Action | Owner | Deadline | Status |
|---|---|---|---|---|---|---|
| C-1 | [Title] | Critical | [Action] | [Owner] | [Date] | [Open] |
| M-1 | [Title] | Major | [Action] | [Owner] | [Date] | [Open] |
Conclusion:
[Brief assessment of overall compliance posture, key themes across findings, and the most important next steps.]

Next scheduled audit: [Date]
Distribution: [List of authorized recipients]