Audit & Compliance Framework Guide

Last Updated: 2026-01-17 Status: Implemented Plan Reference: 039-audit-compliance-framework.md, 058-audit-compliance-enhancement.md, 094-audit-compliance-improvement.md, 115-extended-audit-templates.md, 120-compliance-score-improvement.md

Overview

The Audit & Compliance Framework provides comprehensive tools for tracking, auditing, and ensuring regulatory compliance within the client portal. It includes audit trails, data retention policies, compliance reporting, GDPR/privacy features, automated compliance checks, and a monitoring dashboard supporting multiple frameworks (GDPR, SOC 2, HIPAA, PCI-DSS).

Accessing Compliance Features
Compliance Dashboard
Compliance Reports
Automated Compliance Checks
Findings Management
Audit Features
Data Retention
Privacy & GDPR
Technical Architecture
Related Features

Accessing Compliance Features

Access Point	Location	URL	Role
Compliance Dashboard	Admin sidebar	`/admin/compliance`	Admin
Compliance Reports	Compliance menu	`/admin/compliance/reports`	Admin
Findings	Compliance menu	`/admin/compliance/findings`	Admin
Check History	Compliance menu	`/admin/compliance/check-history`	Admin
Audit Timeline	Compliance menu	`/admin/compliance/audit-timeline`	Admin
Admin Audit Trail	Admin Tools	`/admin/audit-trail`	Admin
Activity Audit Log	Admin Tools	`/admin/audit`	Admin
Retention Policies	Admin sidebar	`/admin/retention`	Admin

Note: There are two separate audit systems: the Compliance Audit Timeline focuses on compliance-related activities, while the Admin Audit Trail provides a complete activity log for all system operations.

Permissions

Action	Admin	Client User
View compliance dashboard	✅	❌
Generate compliance reports	✅	❌
Run compliance checks	✅	❌
Manage findings	✅	❌
Configure retention	✅	❌
View own data audit	✅	✅
Request data export	✅	✅
Request data deletion	✅	✅

Compliance Dashboard

The compliance dashboard provides a centralized view of your organization's compliance posture.

Dashboard Metrics

Metric	Description
Compliance Score	Overall score calculated from check results
Framework Status	Status for GDPR, SOC 2, HIPAA, General
Open Findings	Number of unresolved compliance findings
Recent Checks	Latest compliance check runs and results
MFA Adoption	Percentage of users with MFA enabled
Inactive Accounts	Accounts inactive for 90+ days

Score Calculation

The compliance score is calculated based on:

MFA adoption rate (30% weight)
Inactive account rate (20% weight)
Security alerts count (20% weight)
Failed login attempts (15% weight)
Other security factors (15% weight)

Framework Status Levels

Level	Score Range	Description
Excellent	90-100%	Full compliance
Good	70-89%	Minor issues
Warning	50-69%	Significant issues
Critical	0-49%	Major compliance gaps

Compliance Reports

Available Report Templates

Template	Framework	Description
`gdpr_data_access`	GDPR	Article 15 data access log showing who accessed personal data, when, and what type
`gdpr_data_processing`	GDPR	Processing activities record for Article 30 compliance
`gdpr_consent_audit`	GDPR	Consent collection and revocation tracking
`soc2_access_control`	SOC 2	CC6.1 logical access controls including MFA, user reviews
`soc2_change_management`	SOC 2	CC8.1 system changes and approvals
`hipaa_access_log`	HIPAA	Protected Health Information (PHI) access audit
`pci_access_audit`	PCI-DSS	Cardholder data access tracking
`user_access_review`	General	Periodic user access certification
`data_retention`	General	Retention policy compliance status
`security_audit`	General	Overall security posture assessment

Generating Reports

Navigate to Admin → Compliance → Reports
Select a report template
Configure date range and parameters
Click Generate Report
View report details or export

Report Export Formats

Format	Extension	Best For
PDF	`.pdf`	Formal documentation, auditor submissions
HTML	`.html`	Web viewing, email attachments
CSV	`.csv`	Data analysis, spreadsheet import
JSON	`.json`	API integration, data processing

Report Data Structure

Each report includes:

Summary: Key metrics and totals
Details: Categorized data sections
Recommendations: Suggested improvements
Period: Date range covered

Automated Compliance Checks

Available Checks

Check Key	Framework	Description
`mfa_enforcement`	SOC 2	Verifies MFA is enabled for all admin accounts
`password_policy`	General	Validates password complexity requirements
`inactive_accounts`	SOC 2	Identifies accounts inactive for 90+ days
`data_retention`	GDPR	Checks retention policy compliance
`audit_logging`	General	Verifies audit logging is enabled and functional
`session_timeout`	General	Validates session timeout configuration

Check Results

Each check returns:

Field	Description
`status`	passed, failed, error
`message`	Human-readable result
`details`	Specific data (counts, lists)
`recommendations`	Suggested remediation actions
`duration_ms`	Execution time

Running Checks

Manual Execution:

Navigate to Admin → Compliance → Checks
Click Run All Checks or select individual checks
View results and findings

Scheduled Execution:

// Runs daily via scheduler
$schedule->command('compliance:run-checks')->daily();

Check Severity Levels

When checks fail, findings are created with severity:

Severity	Description	SLA
Critical	Immediate security risk	24 hours
High	Significant compliance gap	7 days
Medium	Moderate risk	30 days
Low	Minor improvement needed	90 days
Info	Informational only	No SLA

Findings Management

Finding Lifecycle

Open → In Progress → Resolved
                  ↘ Deferred

Finding Fields

Field	Description
`check_key`	Source compliance check
`framework`	Compliance framework
`severity`	critical, high, medium, low, info
`title`	Brief description
`description`	Detailed explanation
`evidence`	Supporting data (JSON)
`remediation`	Suggested fix
`remediation_steps`	Step-by-step instructions
`status`	open, in_progress, deferred, resolved
`assigned_to`	Responsible user
`due_date`	Resolution deadline
`notes`	Additional context
`resolved_at`	Resolution timestamp
`resolution_notes`	How it was resolved

Managing Findings

Navigate to Admin → Compliance → Findings
Filter by status, severity, or framework
Click a finding to view details
Update status, assign user, add notes
Resolve with resolution notes

Audit Features

Audit Trail

Complete record of all system changes:

Event Type	Details Tracked
Data Creation	Who, what, when
Data Updates	Before/after values
Data Deletion	What was deleted
Access Events	Who viewed what
Authentication	Login/logout events
Authorization	Permission checks

Audit Report Types

Report	Content
User Activity	Actions by user
Data Access	Who accessed what
Change Log	All data modifications
Security Events	Auth and security
Compliance Summary	Overall status

Viewing Audit Trail

Navigate to Admin → Compliance → Audit Trail
Filter by:
- Date range
- User
- Entity type
- Event type
View detailed records
Export for external review

Data Retention

Retention Policies

Data Type	Default Retention	Configurable
Activity Logs	90 days	Yes
Session Data	30 days	Yes
Deleted Records	30 days	Yes
Email Logs	60 days	Yes
Audit Trail	1 year	Yes
Financial Records	7 years	Limited

Configuring Retention

Navigate to Admin → Compliance → Retention
Select data category
Set retention period
Configure auto-deletion or archival
Save policy

Retention Actions

Action	Description
Delete	Permanently remove
Archive	Move to cold storage
Anonymize	Remove PII, keep data
Flag for Review	Manual decision required

Retention Automation

// Scheduled task
$schedule->command('compliance:enforce-retention')->daily();

Privacy Features

Feature	Purpose
Consent Management	Track user consents
Data Portability	Export user data
Right to Erasure	Delete user data
Access Requests	Respond to inquiries
Cookie Consent	Cookie policy compliance

Data Subject Requests

Request Types:

Access Request (view my data)
Portability Request (export my data)
Erasure Request (delete my data)
Rectification Request (correct my data)

Processing Requests:

User submits request via profile or email
Request logged in system
Admin reviews and verifies
Action taken within deadline
User notified of completion

Data Export

Exportable Data:

Profile information
Activity history
Files uploaded
Communications
Preferences

Export Process:

User requests export
System compiles data
Package generated (JSON/ZIP)
Download link sent
Link expires after 7 days

Data Deletion

Deletion Scope:

User account
Personal information
Associated content
Activity history

Exceptions:

Legal hold data
Financial records
Audit trail entries

Technical Architecture

Central Configuration

Location: config/compliance.php

All compliance settings are centralized in this configuration file:

return [
    // Compliance Frameworks
    'frameworks' => [
        'gdpr' => [
            'name' => 'GDPR',
            'description' => 'General Data Protection Regulation',
            'enabled' => env('COMPLIANCE_GDPR_ENABLED', true),
            'data_retention_days' => env('GDPR_DATA_RETENTION_DAYS', 365),
        ],
        'soc2' => [
            'name' => 'SOC 2',
            'description' => 'Service Organization Control 2',
            'enabled' => env('COMPLIANCE_SOC2_ENABLED', true),
        ],
        'hipaa' => [
            'name' => 'HIPAA',
            'description' => 'Health Insurance Portability and Accountability Act',
            'enabled' => env('COMPLIANCE_HIPAA_ENABLED', false),
        ],
        'pci' => [
            'name' => 'PCI DSS',
            'description' => 'Payment Card Industry Data Security Standard',
            'enabled' => env('COMPLIANCE_PCI_ENABLED', false),
        ],
    ],

    // Compliance Checks Configuration
    'checks' => [
        'enabled' => env('COMPLIANCE_CHECKS_ENABLED', true),
        'schedule' => env('COMPLIANCE_CHECK_SCHEDULE', 'daily'),
        'notify_on_failure' => env('COMPLIANCE_NOTIFY_FAILURES', true),
        'password_policy' => [
            'min_length' => env('PASSWORD_MIN_LENGTH', 12),
            'require_uppercase' => true,
            'require_lowercase' => true,
            'require_numbers' => true,
            'require_symbols' => true,
            'max_age_days' => env('PASSWORD_MAX_AGE_DAYS', 90),
        ],
        'mfa_enforcement' => [
            'require_for_admins' => true,
            'require_for_clients' => env('MFA_REQUIRED_FOR_CLIENTS', false),
        ],
        'session_timeout' => [
            'max_lifetime_minutes' => env('SESSION_MAX_LIFETIME', 120),
            'idle_timeout_minutes' => env('SESSION_IDLE_TIMEOUT', 30),
        ],
        'inactive_accounts' => [
            'warning_days' => env('INACTIVE_ACCOUNT_WARNING_DAYS', 60),
            'lockout_days' => env('INACTIVE_ACCOUNT_LOCKOUT_DAYS', 90),
        ],
        'data_retention' => [
            'audit_log_days' => env('AUDIT_LOG_RETENTION_DAYS', 365),
            'soft_delete_days' => env('SOFT_DELETE_RETENTION_DAYS', 90),
            'auto_purge' => env('DATA_AUTO_PURGE', false),
        ],
    ],

    // Reports Configuration
    'reports' => [
        'storage_path' => env('COMPLIANCE_REPORTS_PATH', 'compliance-reports'),
        'retention_days' => env('COMPLIANCE_REPORTS_RETENTION', 365),
        'formats' => ['pdf', 'html', 'json', 'csv'],
        'default_format' => 'pdf',
        'include_evidence' => true,
    ],

    // Evidence Collection
    'evidence' => [
        'enabled' => env('COMPLIANCE_EVIDENCE_ENABLED', true),
        'storage_path' => env('COMPLIANCE_EVIDENCE_PATH', 'compliance-evidence'),
        'auto_collect' => true,
        'types' => ['screenshot', 'log_export', 'config_snapshot', 'policy_document', 'attestation'],
    ],

    // Findings Management
    'findings' => [
        'severity_levels' => ['critical', 'high', 'medium', 'low', 'info'],
        'statuses' => ['open', 'in_progress', 'resolved', 'accepted', 'deferred'],
        'auto_assign' => env('COMPLIANCE_AUTO_ASSIGN', false),
        'default_assignee' => env('COMPLIANCE_DEFAULT_ASSIGNEE'),
        'sla_days' => [
            'critical' => 1,
            'high' => 7,
            'medium' => 30,
            'low' => 90,
        ],
    ],

    // Notifications
    'notifications' => [
        'check_failure' => ['enabled' => true, 'channels' => ['mail', 'database']],
        'finding_created' => ['enabled' => true, 'channels' => ['mail', 'database']],
        'report_generated' => ['enabled' => true, 'channels' => ['database']],
    ],

    // Dashboard Settings
    'dashboard' => [
        'score_thresholds' => ['good' => 90, 'warning' => 70, 'critical' => 0],
        'show_trends' => true,
        'trend_days' => 30,
        'cache_ttl' => 300,
    ],
];

Environment Variables:

Variable	Default	Description
`COMPLIANCE_GDPR_ENABLED`	`true`	Enable GDPR framework
`COMPLIANCE_SOC2_ENABLED`	`true`	Enable SOC 2 framework
`COMPLIANCE_HIPAA_ENABLED`	`false`	Enable HIPAA framework
`COMPLIANCE_PCI_ENABLED`	`false`	Enable PCI DSS framework
`COMPLIANCE_CHECKS_ENABLED`	`true`	Enable automated checks
`COMPLIANCE_CHECK_SCHEDULE`	`daily`	Check frequency
`PASSWORD_MIN_LENGTH`	`12`	Minimum password length
`PASSWORD_MAX_AGE_DAYS`	`90`	Password expiration days
`MFA_REQUIRED_FOR_CLIENTS`	`false`	Require MFA for clients
`SESSION_MAX_LIFETIME`	`120`	Session max lifetime (minutes)
`SESSION_IDLE_TIMEOUT`	`30`	Idle timeout (minutes)

Models

Location: app/Models/

Model	Purpose
`ComplianceReport`	Generated compliance reports
`ComplianceCheck`	Compliance check definitions
`ComplianceCheckRun`	Check execution records
`ComplianceFinding`	Compliance issues/findings
`ComplianceReportSchedule`	Scheduled report configuration
`AuditLog`	Audit trail entries

ComplianceReport Model:

class ComplianceReport extends Model
{
    protected $fillable = [
        'generated_by', 'report_type', 'template', 'framework',
        'title', 'period_start', 'period_end', 'parameters',
        'data', 'summary', 'file_path', 'status', 'completed_at',
    ];

    protected $casts = [
        'period_start' => 'date',
        'period_end' => 'date',
        'parameters' => 'array',
        'data' => 'array',
        'summary' => 'array',
        'completed_at' => 'datetime',
    ];
}

ComplianceFinding Model:

class ComplianceFinding extends Model
{
    public const STATUS_OPEN = 'open';
    public const STATUS_IN_PROGRESS = 'in_progress';
    public const STATUS_DEFERRED = 'deferred';
    public const STATUS_RESOLVED = 'resolved';

    public const SEVERITY_CRITICAL = 'critical';
    public const SEVERITY_HIGH = 'high';
    public const SEVERITY_MEDIUM = 'medium';
    public const SEVERITY_LOW = 'low';
    public const SEVERITY_INFO = 'info';

    protected $fillable = [
        'check_key', 'check_run_id', 'framework', 'severity',
        'title', 'description', 'evidence', 'affected_resources',
        'remediation', 'remediation_steps', 'status', 'assigned_to',
        'due_date', 'notes', 'resolved_at', 'resolved_by', 'resolution_notes',
    ];
}

Services

Location: app/Services/Compliance/

Service	Purpose
`ComplianceReportService`	Report generation and templates
`ComplianceCheckService`	Automated check execution
`ReportExportService`	Multi-format report export

ComplianceReportService:

class ComplianceReportService
{
    private array $templates = [
        'gdpr_data_access' => GdprDataAccessReport::class,
        'gdpr_data_processing' => GdprDataProcessingReport::class,
        'gdpr_consent_audit' => GdprConsentAuditReport::class,
        'soc2_access_control' => Soc2AccessControlReport::class,
        'soc2_change_management' => Soc2ChangeManagementReport::class,
        'hipaa_access_log' => HipaaAccessLogReport::class,
        'pci_access_audit' => PciAccessAuditReport::class,
        'user_access_review' => UserAccessReviewReport::class,
        'data_retention' => DataRetentionReport::class,
        'security_audit' => SecurityAuditReport::class,
    ];

    public function generate(string $template, array $params): ComplianceReport;
    public function getTemplates(): array;
    public function hasTemplate(string $template): bool;
    public function getTemplatesByFramework(): array;
}

ComplianceCheckService:

class ComplianceCheckService
{
    private array $checks = [
        'mfa_enforcement' => MfaEnforcementCheck::class,
        'password_policy' => PasswordPolicyCheck::class,
        'inactive_accounts' => InactiveAccountsCheck::class,
        'data_retention' => DataRetentionCheck::class,
        'audit_logging' => AuditLoggingCheck::class,
        'session_timeout' => SessionTimeoutCheck::class,
    ];

    public function runAll(?int $triggeredBy = null): ComplianceCheckRun;
    public function runCheck(string $key): array;
    public function getAvailableChecks(): array;
}

ReportExportService:

class ReportExportService
{
    public function export(ComplianceReport $report, string $format): mixed;
    public function supports(string $format): bool;
    // Supports: pdf, html, csv, json
}

Report Templates

Location: app/Services/Compliance/Reports/

Each report implements ComplianceReportInterface:

interface ComplianceReportInterface
{
    public static function getName(): string;
    public static function getDescription(): string;
    public static function getFramework(): string;
    public static function getParameters(): array;
    public function generate(): array;
}

Compliance Checks

Location: app/Services/Compliance/Checks/

Each check implements ComplianceCheckInterface:

interface ComplianceCheckInterface
{
    public static function getName(): string;
    public static function getDescription(): string;
    public static function getFramework(): string;
    public function run(): array;
}

Controllers

Location: app/Http/Controllers/Admin/

Controller	Purpose
`ComplianceDashboardController`	Main dashboard and check execution

Key Methods:

class ComplianceDashboardController extends Controller
{
    public function index(): View;              // Dashboard
    public function reports(): View;            // Reports list
    public function generateReport(Request);    // Create report
    public function showReport(Report);         // View report
    public function exportReport(Report, fmt);  // Export report
    public function checks(): View;             // Checks list
    public function runChecks(Request);         // Execute checks
    public function findings(): View;           // Findings list
    public function updateFinding(Request, Finding);  // Update finding
    public function resolveFinding(Request, Finding); // Resolve finding
}

Routes

Route::prefix('admin/compliance')->middleware(['auth', 'admin'])->group(function () {
    // Dashboard
    Route::get('/', [ComplianceDashboardController::class, 'index'])
        ->name('admin.compliance.dashboard');

    // Reports
    Route::get('/reports', [ComplianceDashboardController::class, 'reports'])
        ->name('admin.compliance.reports');
    Route::post('/reports/generate', [ComplianceDashboardController::class, 'generateReport'])
        ->name('admin.compliance.generate-report');
    Route::get('/reports/{report}', [ComplianceDashboardController::class, 'showReport'])
        ->name('admin.compliance.report.show');
    Route::get('/reports/{report}/export/{format}', [ComplianceDashboardController::class, 'exportReport'])
        ->name('admin.compliance.report.export');

    // Checks
    Route::get('/checks', [ComplianceDashboardController::class, 'checks'])
        ->name('admin.compliance.checks');
    Route::post('/checks/run', [ComplianceDashboardController::class, 'runChecks'])
        ->name('admin.compliance.run-checks');
    Route::get('/checks/{run}', [ComplianceDashboardController::class, 'showCheckRun'])
        ->name('admin.compliance.check-run.show');

    // Findings
    Route::get('/findings', [ComplianceDashboardController::class, 'findings'])
        ->name('admin.compliance.findings');
    Route::put('/findings/{finding}', [ComplianceDashboardController::class, 'updateFinding'])
        ->name('admin.compliance.finding.update');
    Route::post('/findings/{finding}/resolve', [ComplianceDashboardController::class, 'resolveFinding'])
        ->name('admin.compliance.finding.resolve');
});

Commands

# Run all compliance checks
php artisan compliance:run-checks

# Enforce retention policies
php artisan compliance:enforce-retention

# Generate compliance report
php artisan compliance:report --type=gdpr

# Process privacy requests
php artisan compliance:process-requests

# Manage inactive accounts (SOC 2 compliance)
php artisan compliance:inactive-accounts --list           # List inactive accounts
php artisan compliance:inactive-accounts --deactivate    # Deactivate inactive non-admins
php artisan compliance:inactive-accounts --days=60       # Custom inactivity threshold

# Enforce MFA for admins (SOC 2 compliance)
php artisan compliance:enforce-mfa --list                # List admin MFA status
php artisan compliance:enforce-mfa --notify              # Send MFA setup reminders

Scheduled Tasks

// app/Console/Kernel.php
$schedule->command('compliance:run-checks')->daily();
$schedule->command('compliance:enforce-retention')->daily();
$schedule->command('compliance:process-requests')->hourly();

Database Tables

compliance_reports

Column	Type	Description
`id`	bigint	Primary key
`generated_by`	bigint	User who generated
`report_type`	string	Report type key
`template`	string	Template key
`framework`	string	Compliance framework
`title`	string	Report title
`period_start`	date	Reporting period start
`period_end`	date	Reporting period end
`parameters`	json	Generation parameters
`data`	json	Report data
`summary`	json	Summary metrics
`file_path`	string	Exported file path
`status`	string	completed, pending
`completed_at`	timestamp	Completion time

compliance_checks

Column	Type	Description
`id`	bigint	Primary key
`key`	string	Unique check identifier
`name`	string	Display name
`description`	text	Check description
`framework`	string	Compliance framework
`severity`	string	Default severity
`schedule`	string	daily, weekly, monthly
`is_active`	boolean	Enabled status
`status`	string	pending, passed, failed, error
`last_result`	json	Last execution result
`last_run_at`	timestamp	Last execution time

compliance_check_runs

Column	Type	Description
`id`	bigint	Primary key
`triggered_by`	bigint	User who triggered
`results`	json	All check results
`passed_count`	integer	Passed checks
`failed_count`	integer	Failed checks
`error_count`	integer	Error checks
`overall_status`	string	passed, failed, error
`duration_ms`	integer	Total execution time

compliance_findings

Column	Type	Description
`id`	bigint	Primary key
`check_key`	string	Source check key
`check_run_id`	bigint	Associated run
`framework`	string	Compliance framework
`severity`	string	critical, high, medium, low, info
`title`	string	Finding title
`description`	text	Detailed description
`evidence`	json	Supporting data
`affected_resources`	json	Affected items
`remediation`	text	Fix suggestion
`remediation_steps`	json	Step-by-step fix
`status`	string	open, in_progress, deferred, resolved
`assigned_to`	bigint	Assigned user
`due_date`	timestamp	Resolution deadline
`notes`	text	Additional notes
`resolved_at`	timestamp	Resolution time
`resolved_by`	bigint	Resolving user
`resolution_notes`	text	How resolved

compliance_report_schedules

Column	Type	Description
`id`	bigint	Primary key
`name`	string	Schedule name
`template`	string	Report template
`parameters`	json	Report parameters
`frequency`	string	daily, weekly, monthly
`frequency_config`	json	Frequency details
`format`	string	Export format
`recipients`	json	Email recipients
`is_active`	boolean	Enabled status
`last_run_at`	timestamp	Last execution
`next_run_at`	timestamp	Next scheduled run

Dependencies

Feature	Relationship
Activity Logging	Primary data source
Authentication	User identification
Authorization	Access control

Complementary Features

Feature	Description
Reports	Report framework
Admin Tools	Data management
Security	Security measures

Improving Compliance Score

If your compliance score is low or 0%, here's how to fix each check:

1. Password Policy Compliance (SOC 2)

Requirements:

password_changed_at column must exist on users table
95%+ of users must have passwords changed within 90 days

Fix:

php artisan migrate  # Ensure migration is run

The system tracks password changes automatically via the password_changed_at field.

2. MFA Enforcement (SOC 2)

Requirements:

100% of admin accounts must have MFA enabled
80%+ overall MFA adoption

Fix:

php artisan compliance:enforce-mfa --list    # See which admins need MFA
php artisan compliance:enforce-mfa --notify  # Send reminders

Admins must enable MFA via Account Settings > Security > Two-Factor Authentication.

3. Inactive Accounts Review (SOC 2)

Requirements:

No inactive admin accounts (90+ days without login)
Less than 5% inactive users overall

Fix:

php artisan compliance:inactive-accounts --list        # Review inactive accounts
php artisan compliance:inactive-accounts --deactivate  # Deactivate non-admin accounts

Requirements:

config('audit.retention_days') must be configured
No audit logs older than 7 years

Fix: Add to .env:

AUDIT_LOGGING_ENABLED=true
AUDIT_LOG_RETENTION_DAYS=365

5. Audit Logging Coverage (General)

Requirements:

At least 1 audit log in the last 24 hours
Must capture: login, logout, create, update, delete events
All logs must have integrity signatures

Fix:

Ensure audit logging is enabled (AUDIT_LOGGING_ENABLED=true)
Generate activity by logging in/out and performing CRUD operations
The system automatically captures these events when the Auditable trait is used

6. Session Timeout Configuration (General)

Requirements:

Session lifetime ≤ 120 minutes
HttpOnly cookies enabled
Secure cookies enabled (production)
SameSite not set to "none"

Fix: Add to .env:

SESSION_LIFETIME=120
SESSION_SECURE_COOKIE=true  # Required for production

Production Environment Variables

For a compliant production environment, ensure these are set in .env:

# Audit & Compliance
AUDIT_LOGGING_ENABLED=true
AUDIT_LOG_RETENTION_DAYS=365
AUDIT_AUTO_PURGE=false

# Session Security
SESSION_LIFETIME=120
SESSION_SECURE_COOKIE=true

# Compliance Checks
COMPLIANCE_CHECKS_ENABLED=true
COMPLIANCE_CHECK_SCHEDULE=daily

Best Practices

For Compliance

Run automated checks regularly - Schedule daily checks
Address findings promptly - Prioritize by severity
Document all decisions in audit trail
Generate reports before audits - Have documentation ready
Train staff on compliance procedures

For Security

Encrypt sensitive data at rest and in transit
Limit access to compliance tools
Audit access to compliance data
Backup audit trails separately

For Reporting

Use appropriate templates for your framework
Set date ranges carefully for accurate data
Review reports before sharing with auditors
Keep historical reports for trend analysis

Troubleshooting

Issue	Solution
Missing audit entries	Check logging trait usage
Check always fails	Verify configuration settings
Export timeout	Increase timeout, reduce date range
Report empty	Verify data exists for period
Finding not resolved	Ensure resolution notes provided

Testing

Test Files

Test File	Coverage
`tests/Unit/ComplianceConfigTest.php`	Configuration validation
`tests/Unit/ComplianceCheckServiceTest.php`	Check service functionality

Configuration Tests

Location: tests/Unit/ComplianceConfigTest.php

Tests verify:

Framework configuration structure (GDPR, SOC 2, HIPAA, PCI)
Check configuration with password policy, MFA enforcement
Report configuration including formats and paths
Evidence collection configuration
Findings management with severity levels and SLAs
Notification configuration
Dashboard settings with score thresholds

Service Tests

Location: tests/Unit/ComplianceCheckServiceTest.php

Tests verify:

Available checks are returned with proper structure
Checks are grouped by framework correctly
Single check execution returns proper result format
All checks run successfully with results
Compliance score calculation
Zero score returned with no check runs
Exception thrown for unknown checks
MFA check fails when admins lack MFA
Session timeout check execution

Running Tests

# Run all compliance tests
php artisan test tests/Unit/ComplianceConfigTest.php tests/Unit/ComplianceCheckServiceTest.php

# Run specific test method
php artisan test --filter=it_runs_all_checks

Audit & Compliance Framework Guide

Overview

Table of Contents

Accessing Compliance Features

Navigation

Permissions

Compliance Dashboard

Dashboard Metrics

Score Calculation

Framework Status Levels

Compliance Reports

Available Report Templates

Generating Reports

Report Export Formats

Report Data Structure

Automated Compliance Checks

Available Checks

Check Results

Running Checks

Check Severity Levels

Findings Management

Finding Lifecycle

Finding Fields

Managing Findings

Audit Features

Audit Trail

Audit Report Types

Viewing Audit Trail

Data Retention

Retention Policies

Configuring Retention

Retention Actions

Retention Automation

Privacy & GDPR

Privacy Features

Data Subject Requests

Data Export

Data Deletion

Technical Architecture

Central Configuration

Models

Services

Report Templates

Compliance Checks

Controllers

Routes

Commands

Scheduled Tasks

Database Tables

compliance_reports

compliance_checks

compliance_check_runs

compliance_findings

compliance_report_schedules

Related Features

Dependencies

Complementary Features

Improving Compliance Score

1. Password Policy Compliance (SOC 2)

2. MFA Enforcement (SOC 2)

3. Inactive Accounts Review (SOC 2)

4. Data Retention Policy (GDPR)

5. Audit Logging Coverage (General)

6. Session Timeout Configuration (General)

Production Environment Variables

Best Practices

For Compliance

For Security

For Reporting

Troubleshooting

Testing

Test Files

Configuration Tests

Service Tests

Running Tests

See Also