From Zero to Audit-Ready
A complete end-to-end tutorial for achieving audit readiness with Modulos — from first scope to exportable audit artifacts.
In Modulos, audit readiness is not a last-minute document chase. It’s a continuous workflow: you establish a baseline, link the proof, and keep it current as the system evolves.
Not legal advice
This guide explains platform workflows. Your compliance obligations depend on your organization, jurisdiction, and framework interpretation.
The operating model
Continuous governance
Audit readiness as an operating model
Scope and map
Define the system, frameworks, and applicability
Implement and evidence
Controls, narratives, and audit-ready proof
Verify and review
Testing results, approvals, and snapshots
Improve and repeat
Treat risks and update with every material change
This loop is driven by reality: a new model release, a vendor change, an incident, a data shift, or a framework update should trigger a refresh of scope, controls, evidence, and approvals.
What “audit-ready” means in practice
An audit-ready project typically has:
- a clearly defined scope (what system, what boundaries, what is not included)
- one or more frameworks applied, with applicability decisions recorded
- requirements mapped to controls (so you can show traceability)
- controls in a final state with review approvals (audit trail)
- evidence attached that is specific, attributable, and time-bounded
- key risks recorded with treatment decisions
- optional but powerful: testing sources and results linked to relevant controls
1) Scope the system and the audit objective
Start by writing down the minimum scope statement you can defend:
- System: what is the AI system/product/use case?
- Boundaries: environments, regions, business units, integrations, models, and data flows in scope
- Stakeholders: owners, implementers, reviewers, and an “audit liaison”
- Objective: certification, regulatory readiness, procurement diligence, or internal governance
Best practice
Treat scope as a governance artifact. A well-scoped project reduces control churn and makes “out of scope” defensible.
2) Choose the compliance lens: frameworks shape the work
Frameworks aren’t interchangeable. They define:
- what the unit of compliance is (system vs organization)
- what “good evidence” looks like
- what kind of review/certification you are preparing for
Learn more:
- EU AI Act: product safety regime with conformity assessment and post-market monitoring
- ISO 42001 and ISO 27001: organization-level management systems with recurring audits and certification
- NIST AI RMF: a pragmatic risk management framework spanning org and system concerns
How these frameworks differ and why it matters
| Framework | Typical “unit” | What you’ll spend time proving | How to structure work in Modulos |
|---|---|---|---|
| EU AI Act | AI system / use case | Technical documentation, risk management, traceability, post‑market monitoring, and operational controls | One project per AI system/use case; link controls to system-specific evidence and monitoring |
| ISO 42001 / ISO 27001 | Organization | Management system: policies, roles, training, internal audits, continual improvement | An organization-level project for the management system, plus (optionally) system-level projects for high-risk AI |
| NIST AI RMF | Both | Governance + measurement + management; demonstrates a functioning risk process | Use it as a “spine” to connect system controls, risks, and ongoing measurements |
Other frameworks and customer requirements vary widely in how they treat certification, audits, and evidence. The goal is to be explicit about your interpretation and prove it with traceable artifacts.
3) Build the baseline: Requirements → Controls
Once frameworks are applied, work from requirements down:
- Triage applicability: mark requirements that do not apply as out of scope, with rationale.
- Map to controls: connect each applicable requirement to one or more controls that operationalize it.
- Assign ownership: set owners for controls (implementation) and requirements (final accountability).
Controls vs requirements: different statuses
Controls track execution (for example Not executed → Executed). Requirements track fulfillment (for example Not fulfilled → Fulfilled) and typically become fulfillable once the linked controls are in a final state.
4) Connect context: Sources vs Connectors
At “zero”, most teams already have the evidence — it’s just scattered across tools. Modulos accelerates the first pass by letting you connect context and then use Scout to find and summarize it — across docs, tickets, repositories, and operational artifacts (including logs and monitoring outputs) when connected.
Connectors and sources are intentionally different:
- Sources are project-level service accounts attached to a project. They power Testing (metrics → tests → results) for that specific project.
- Connectors are user-level accounts connected to individual users (typically via OAuth). They are used to bring external context into Scout and follow user permissions.
Keep permissions tight
Treat integrations as compliance-relevant. Use least privilege, document access scope, and review connected accounts periodically.
5) Create audit-ready evidence that is fast and defensible
The fastest path to “audit-ready” is to produce a first baseline that is:
- consistent (same claim structure across controls)
- attributable (who approved, when, and why)
- time-bounded (what period the evidence covers)
- reproducible (stable exports and versioned documents)
Use Scout to accelerate the first baseline
If Scout is enabled for your organization, use it to speed up drafting and gap discovery. Scout can reference your project context (controls, requirements, evidence) and can use connected connectors and sources when available.
Example prompts:
- “For this control, draft a first-pass report for our project and list the evidence we should attach.”
- “Search our connected tools for candidate evidence for this control. Return the top 10 artifacts and why they matter.”
- “What’s missing for this requirement to be fulfilled, and which controls/evidence should we create next?”
Capture the rationale, not just the artifact
Auditors often care about decision logic: why you chose an approach, who approved it, and how you verify it over time.
6) Review, approve, and lock the audit trail
Audit readiness depends on approvals. For each control (and then for each requirement), run the review workflow:
- Request the status change (for example, moving a control to Executed).
- Ensure a reviewer/owner approves the change.
- Record any “out of scope” or compensating control rationale in the report.
This creates a defensible audit trail and reduces rework when scope or frameworks change.
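The gating rules in sections 3, 5 and 6 (applicability needs a rationale, a requirement is fulfillable only when its linked controls are in a final state with an approval recorded, and evidence must be attributable and cover the audit period) can be expressed as one readiness check. This is an added illustration, not Modulos code; the classes, status strings and sample ids are assumptions modelled on the page's terms.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Evidence:
    name: str
    owner: str    # who attached it (attributable)
    start: date   # period the evidence covers (time-bounded)
    end: date

@dataclass
class Control:
    status: str                    # "Not executed" or "Executed" (final state)
    approved_by: str = ""          # reviewer who approved the status change
    evidence: list = field(default_factory=list)
@dataclass
class Requirement:
    applicable: bool = True
    rationale: str = ""            # mandatory when marked out of scope
    controls: list = field(default_factory=list)
def requirement_gaps(req, controls, audit_start, audit_end):
    """Return the gaps blocking fulfilment; an empty list means fulfillable."""
    if not req.applicable:
        return [] if req.rationale.strip() else ["out of scope without rationale"]
    gaps = [] if req.controls else ["no controls mapped (no traceability)"]
    for cid in req.controls:
        c = controls[cid]
        if c.status != "Executed":
            gaps.append(f"{cid}: not in final state ({c.status})")
        elif not c.approved_by:
            gaps.append(f"{cid}: Executed but no reviewer approval recorded")
        if not c.evidence:
            gaps.append(f"{cid}: no evidence attached")
        for ev in c.evidence:
            if not ev.owner:
                gaps.append(f"{cid}: evidence '{ev.name}' is not attributable")
            if ev.end < audit_start or ev.start > audit_end:
                gaps.append(f"{cid}: evidence '{ev.name}' does not cover audit period")
    return gaps
# Constructed sample project (hypothetical ids and names, not real data).
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
CONTROLS = {
    "C1": Control("Executed", "reviewer", [Evidence("access review", "it-ops", date(2024, 3, 1), date(2024, 3, 31))]),
    "C2": Control("Executed", "", [Evidence("bias eval", "ml-team", date(2023, 2, 1), date(2023, 2, 28))]),
    "C3": Control("Not executed"),
}
REQUIREMENTS = {"R1": Requirement(controls=["C1"]), "R2": Requirement(controls=["C2", "C3"]),
                "R3": Requirement(applicable=False)}
def readiness_report(reqs=REQUIREMENTS, controls=CONTROLS, period=AUDIT_PERIOD):
    return {rid: requirement_gaps(r, controls, *period) for rid, r in reqs.items()}
```

Running `readiness_report()` on the sample leaves R1 with no gaps, while R2 and R3 list exactly what a reviewer would have to resolve before the requirement can move to Fulfilled.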
7) Export an audit snapshot and stay continuously ready
When you need to share your posture internally or with auditors, generate a project snapshot/report export.
Then make audit readiness continuous:
| Cadence | What to review | Typical output |
|---|---|---|
| Weekly | Key system changes, new vendors, new models/data, incidents | New risks, updated control narratives |
| Monthly | Evidence freshness, access reviews for connectors/sources | Refreshed evidence pack |
| Quarterly | Framework mapping and “out of scope” rationale | Re-validated scope and applicability decisions |
| Pre-audit | Final review pass + export | Audit snapshot aligned to the audit period |
Optional, high leverage: quantify key risks in money
Risk quantification is only useful if it produces an expected monetary impact, so you can prioritize treatment and investment.
Illustration from the page: a qualitative risk ("We might have model bias incidents in production") becomes a quantified one ("Expected annual loss from bias-related incidents": €850K/year expected).
Why Modulos is designed as a system of action
Many governance programs fail because they treat compliance as a document repository problem. Modulos is designed to keep compliance and risk management operational:
- Workflows: owners, reviews, and status changes create a living audit trail
- Traceability: requirements ↔ controls ↔ evidence ↔ risks ↔ tests connect intent to proof and outcomes
- Agents: Scout and specialized agents help you draft reports, find candidate evidence across connected systems, and surface gaps; owners approve changes via human-in-the-loop workflows
- Continuity: the same project becomes your ongoing operating model, not a one-off deliverable
Agents are most valuable in two places:
- From zero: turn scattered artifacts into structured, audit-ready narratives and evidence packs faster.
- Over time: when the system changes, identify what needs to be updated and propose the next best actions.
Learn more: Scout, Evidence Agent, Control Assessment Agent, Human in the Loop