Compliance Studio
Regulatory compliance lifecycle for audits, certifications, and policy management
Stage Pipeline
Stage Details
Stage: Define the compliance framework, identify applicable controls, and map to systems
Hats:
  Analyze the target regulatory framework(s), identify all applicable controls, and determine which organizational systems and processes fall within scope. Understand the regulatory landscape before mapping begins.
  Map applicable controls to specific systems, services, and data flows. Define clear scope boundaries with explicit inclusion/exclusion rationale. Build the system inventory that drives downstream assessment.

Stage: Evaluate current state against controls, identify gaps and risks
Hats:
  Evaluate each in-scope control against the current state of systems and processes. Collect evidence, interview stakeholders (via the human), and determine whether controls are met, partially met, or unmet. Be objective and evidence-driven.
  Evaluate the risk exposure from identified gaps. Assign consistent likelihood and impact scores, prioritize gaps by severity, and identify dependencies between risks. Transform raw findings into an actionable risk picture.

Stage: Implement controls, fix gaps, update configurations and policies
Hats:
  Draft and update policies, procedures, and standards required by the compliance framework. Ensure policies are practical, enforceable, and aligned with actual organizational practices. Policies should reflect reality, not aspiration.
  Implement technical controls to close identified gaps. Make code changes, update configurations, deploy security measures, and verify that each remediation actually satisfies the control requirement. Every change must be traceable to a specific gap.

Stage: Create evidence packages, audit trails, and compliance documentation
Hats:
  Create the narrative compliance documentation that ties evidence to controls and tells the compliance story end-to-end. Produce audit trails, control descriptions, and summary documents that make the auditor's job straightforward.
  Gather, organize, and catalog evidence artifacts that demonstrate control implementation. Ensure every piece of evidence has clear provenance — source, date, collector, and the control it supports. Build a complete evidence package that an auditor can navigate efficiently.

Stage: Prepare for and support external audit, address findings
Hats:
  Prepare the organization for external audit by organizing evidence per the auditor's request format, verifying completeness, and anticipating auditor questions. Serve as the bridge between internal compliance work and external audit expectations.
  Address auditor findings with documented responses that include root cause analysis, remediation evidence, or justified risk acceptance. Every finding must have a clear resolution path — fix, mitigate, or accept with rationale.
Compliance Studio
Compliance lifecycle for managing regulatory requirements (SOC2, HIPAA, GDPR, ISO 27001, etc.). Covers scope definition, gap assessment, remediation, documentation, and certification. Uses git persistence because compliance often requires code/config changes and auditable history.