PURPOSE
Recurring monthly procedure for the firm's ADMIN (or compliance officer) to review the firm's compliance posture — audit log activity, security events, control health, DSR queue. Builds the evidence trail required for SOC 2 attestation, GDPR audits, HIPAA reviews, and internal governance.
WHEN TO USE
- Recurring monthly (typically end-of-month or first business day)
- Annual SOC 2 prep (intensify to a weekly review in the lead-up to Type I attestation)
- Quarterly partner-level compliance review
- Triggered by an incident requiring forensic review
ROLES INVOLVED
- Primary owner: Firm ADMIN or designated Compliance Officer
- Engagement Partner: reviews compliance dashboard quarterly
- All staff: indirectly affected (their actions populate the audit log)
- Platform support (ProDeskCPA): handles platform-side controls outside firm responsibility
PREREQUISITES
- AuditLog actively populating (M-004) — verify that every write operation logs firmId / userId / action / entityType / entityId / diff / ipAddress
- Compliance Dashboard accessible (Settings → Compliance OR Admin → Compliance — M-037)
- DSR queue accessible (Settings → Privacy & GDPR — M-037)
- Security Monitor accessible (Settings → Security)
- Annual penetration test plan (firm-side responsibility — engage CREST-certified firm)
PROCEDURE
1. Open Compliance Dashboard (M-037) — note the overall Compliance Score (% of controls passing; thresholds 70% amber / 90% green)
2. Filter by SOC 2 — review 14 Common Criteria controls: 12 should be ✓ pass, 2 are firm-prep responsibilities (warn):
- CC7.3 Pen Test (annual — confirm scheduled or completed in last 12 months)
- CC6.8 Server-side Malware Scanning (platform-side — verify status with ProDeskCPA team)
3. For each control, click through to the implementation note and evidence link; verify the evidence is current
4. Review Audit Log — Settings → Security & Audit → filter by date range (current month) → review:
- Total write events (sanity check against prior month — ±20% variance expected; a spike suggests a data import / migration, a drop suggests staff away or a system issue)
- Failed login attempts (CC6.6 — auto-lockout after 5 failures from same IP; review repeated attempts)
- Sensitive operations: user role changes, credential updates, integration connects, data exports
5. Export Security Log to CSV monthly → store in firm's compliance folder as SOC 2 evidence (best practice: 24+ months retention; the system itself enforces 2-year retention)
6. Review Login Events table — risk-level badges (low/medium/high); investigate any "high" entries
7. Review GDPR controls: Data Export ✓ / Data Deletion ✓ / Audit Trail ✓ / Data Minimization ✓ / Cookie Consent (warn — pending public site work) / Privacy Policy (warn) / DPA Template (warn — engage legal)
8. Process DSR queue (Settings → Privacy & GDPR):
- Right of access requests: verify identity → run export → mark fulfilled (30-day SLA per GDPR)
- Erasure requests: verify identity → run delete endpoint → mark fulfilled
- Portability: same as access but JSON format
- Correction: verify identity → make correction → mark fulfilled
9. Review Incident Log: any P1/P2 incidents in the period → verify post-incident review documented
10. Review Active Sessions list → revoke any stale sessions for departed staff (should be zero if SOP-009 deactivation worked)
11. Verify Vanta / Drata sync (if connected) — automated evidence collection running; if not connected, the manual evidence export in step 5 is essential
12. Review HIPAA control state (for healthcare-CPA firms): AES-256 encryption ✓ / Access controls ✓ / Audit logs ✓ / BAA template (warn — must execute per firm + per AI provider)
13. Document monthly review in firm's compliance folder; sign-off by Compliance Officer or ADMIN
DECISION POINTS
- If Compliance Score drops below 80%: escalate to OWNER + partner; document root cause + remediation plan
- If pen test is overdue (>12 months): IMMEDIATELY engage CREST-certified firm (Synack / Bishop Fox / Cobalt.io — typical $5-15K, 4-6 weeks)
- If DSR fulfillment approaches 30-day SLA: prioritize; missed SLA = GDPR violation risk
- If audit log shows unauthorized access patterns: trigger Incident Response (6-phase framework: Preparation / Detection & Analysis / Containment / Eradication / Recovery / Post-Incident)
- If Anthropic / AI provider BAA expired (HIPAA tier): coordinate renewal before continuing PHI-related AI processing
EDGE CASES
- Active Bug A4: Compliance page line 21-22 makes a false claim about the pd_session.secure flag — flag for fix; this doesn't invalidate the rest of the compliance posture
- Active Bug A5: AuditLog userId / firmId default to "system" because they are not yet wired from createContext via AsyncLocalStorage — 47 REST routes lack request context; impacts evidence completeness; flag for fix
- Audit log retention 2 years (system-enforced); if firm-internal policy requires longer (e.g. 7 years for tax practice), export to long-term storage
- HIPAA technology compliance ≠ HIPAA full compliance: BAA + workforce training + policies are firm responsibilities; confirm in-scope before claiming HIPAA to clients
- HIPAA BAA: execute with both ProDeskCPA AND each AI provider used for PHI processing — multiple BAAs needed
- RPO 24h means up to 24 hours of data may be lost in disaster recovery — daily backup window — communicate to clients in BAAs
- GDPR Cookie Consent banner: pending public site work — flag if firm targets EU clients
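The step 4 audit-log checks (write-event variance, IPs at the CC6.6 lockout threshold, sensitive operations) and a count of the "system"-attributed rows from Bug A5, run over a monthly CSV export, as an added example that is not ProDeskCPA code; the export column names, the action names and the sample rows are assumptions constructed for the example.

```python
# Added example: step-4 audit-log checks plus the A5 attribution gap; export columns are an assumption, rows constructed.
import csv
import io
from collections import Counter

SENSITIVE_ACTIONS = {"user.role_change", "credential.update",
                     "integration.connect", "data.export"}  # assumed action names
LOCKOUT_THRESHOLD = 5   # CC6.6: auto-lockout after 5 failures from the same IP
VARIANCE_LIMIT = 0.20   # ±20% month-over-month write volume is the expected band

SAMPLE_CSV = """timestamp,firmId,userId,action,entityType,entityId,ipAddress,outcome
2024-05-02T09:01:00Z,firm-1,u-12,client.update,Client,c-7,203.0.113.4,success
2024-05-02T09:05:00Z,firm-1,u-12,user.role_change,User,u-19,203.0.113.4,success
2024-05-03T11:20:00Z,firm-1,system,invoice.create,Invoice,i-88,203.0.113.9,success
2024-05-04T22:10:00Z,firm-1,,auth.login,Session,,198.51.100.7,failure
2024-05-04T22:10:30Z,firm-1,,auth.login,Session,,198.51.100.7,failure
2024-05-04T22:11:00Z,firm-1,,auth.login,Session,,198.51.100.7,failure
2024-05-04T22:11:30Z,firm-1,,auth.login,Session,,198.51.100.7,failure
2024-05-04T22:12:00Z,firm-1,,auth.login,Session,,198.51.100.7,failure
2024-05-05T07:59:00Z,firm-1,,auth.login,Session,,203.0.113.4,failure
2024-05-05T08:00:00Z,firm-1,u-03,data.export,Client,c-7,203.0.113.4,success
"""

def parse_export(text):  # read the CSV export into a list of row dicts
    return list(csv.DictReader(io.StringIO(text)))

def write_event_variance(current, prior):
    """Fractional change vs the prior month and whether it falls outside the ±20% band."""
    change = (current - prior) / prior if prior else 0.0
    return change, abs(change) > VARIANCE_LIMIT

def review(rows, prior_month_writes):
    """Step-4 findings plus the A5 evidence-completeness gap for one month of rows."""
    writes = [r for r in rows if r["action"] != "auth.login"]
    failed = Counter(r["ipAddress"] for r in rows
                     if r["action"] == "auth.login" and r["outcome"] == "failure")
    change, flagged = write_event_variance(len(writes), prior_month_writes)
    return {
        "write_events": len(writes),
        "write_change": round(change, 2),
        "write_variance_flag": flagged,
        # IPs at or above the CC6.6 lockout threshold each need a look
        "lockout_ips": {ip: n for ip, n in failed.items() if n >= LOCKOUT_THRESHOLD},
        "sensitive_ops": [r["action"] for r in writes if r["action"] in SENSITIVE_ACTIONS],
        # Bug A5: writes attributed to "system" cannot be tied to a staff member
        "unattributed_writes": sum(1 for r in writes if r["userId"] == "system"),
    }

if __name__ == "__main__":
    print(review(parse_export(SAMPLE_CSV), prior_month_writes=3))
```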
KPIS / QUALITY CHECKS
- Compliance Score ≥ 90% sustained month-over-month (green)
- Audit log export completed every month (no gaps in evidence trail)
- DSR queue empty at end of month (or all in-progress within 30-day SLA)
- High-risk login events: zero unresolved at end of month
- Pen test scheduled for current calendar year: 100% of years (not lapsed)
- Incident Response tabletop exercise: completed annually
RELATED MODULES & SOPS
- Modules: M-037 Compliance · M-004 AuditLog · M-001 Auth · M-003 RBAC · M-027 Vault · M-038 API Keys · M-039 Firm Health · M-036 Settings
- SOPs: SOP-009 (staff onboarding — must be working for AuditLog attribution) · SOP-010 (integration setup — credential encryption) · SOP-011 (branding — Privacy Policy + Cookie Consent banner)
NOTES
- AICPA SOC 2 Common Criteria reference: CC6 (Logical & Physical Access), CC7 (System Operations) — canonical control framework
- Recommended SOC 2 prep path: Pen Test → Malware Scanning → Vanta/Drata signup → A-LIGN/Schellman Type I attestation ($25-35K, 8-12 weeks) → Type II 6-12 months later
- HIPAA Security Rule references: 45 CFR §§ 164.302-318
- GDPR references: Art. 15 (access), Art. 17 (erasure), Art. 20 (portability), Art. 16 (correction)
- AnthropicAI BAA — verify status with ProDeskCPA team if firm processes PHI through AI