Extra details on Audit Scan and related features: Compliance Roadmap and Continuous Compliance Monitoring
Contents
The Basics
Q: What are Audit Scan and Compliance Roadmap?
A: See the original product announcement: Audit Scan & Compliance Roadmap
Q: When should I start using Audit Scan?
A: Trustero strongly recommends running Audit Scan before entering your audit examination period. The Audit Scan is very thorough. It finds things that human auditors don’t notice. You are best served by running Audit Scan ahead of an audit so you can correct any items it finds then, before you enter the audit period.
Q: How does an Audit Scan evaluate a control?
A: Audit Scan conducts three different control checks:
- Control matches policy: is the control’s language consistent with its parent policy? This checks whether the meaning of the control objective is covered in the policy. The language can be identical or it can be restated. As long as there are no material differences (differences in meaning), it will pass. For example, if the policy says something should be done weekly but the control says it should be done monthly, that's a material difference and this check will fail.
- Completeness: is there enough evidence to evaluate whether a control is working as intended? This checks to see that there is a piece of evidence for each of the items specified in the Required Evidence field on the control.
- Spot check: of the evidence that’s present, does it all support that the control is working as intended as demonstrated by running all of the control's test procedures? This relies on the Test Procedures field.
Each control check will give you a pass/fail result, reasoning and corrective actions if any are required. For more details on the Required Evidence and Test Procedures fields and how they impact control checks, see: Required Evidence and Test Procedures.
Q: How long does it take to run an Audit Scan?
A: It takes a few seconds to a few minutes to run a single control test. Running a complete audit scan on a SOC 2 audit typically takes 45 to 90 minutes.
Q: Which compliance frameworks are supported by Audit Scan and Compliance Roadmap?
A: All frameworks are supported. While initially limited to SOC 2, Audit Scan can now evaluate any control from any framework, and Compliance Roadmap works for audits against any compliance framework.
Q: Can I do Audit Scans and use the Compliance Roadmap in Continuous Compliance mode?
A: Yes. Audit Scan and Compliance Roadmap used to be available only from within an audit. They now work in Continuous Compliance mode too.
Q: What are the different ways to run Audit Scans?
A:
- From the Compliance Roadmap. This is the way we recommend customers run audit scans as they work their way towards audit readiness. It allows scans to be run little by little as work is being done. Compliance Roadmap does scans at two separate times:
  - Prepare Content stage: Control Matches Policy test for all controls
  - Audit Readiness stage: Completeness and Spot Check tests for all controls
- From the Control show page: useful when an organization wants to work on a single control. Select the new "Audit Scan" tab, then push the "Scan with AI Copilot" button.
- From the audit scan page: best when you want to see results for your entire audit at once. This is most useful when you have already achieved compliance and want to make sure you aren’t backsliding.
Q: What does it mean if a control check is out of date?
A: Where audit scan control check results are displayed, you may sometimes see that a control is out of date. This means that the result of the control check is no longer valid because something about the control that could affect the result has changed since it was last checked.
Examples of these material changes:
- Policy text change
- Control objective change
- New automated evidence that is different from the previous evidence (new evidence that is identical to what was there before will not make a control check result out of date).
- New manual evidence
- Required evidence change
- Test procedures change
To get an up-to-date result, just run the control check again.
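As an added illustration (not Trustero's code), one way to implement the invalidation rule described above: fingerprint every input the list names and treat a stored check result as out of date whenever that fingerprint changes, with evidence reduced to content digests so that re-collecting identical evidence does not trigger a re-run. Field names and the sample control are assumptions.

```python
import hashlib
import json

# Constructed sample control. The field names mirror the FAQ (policy text,
# control objective, required evidence, test procedures) but are assumptions,
# not Trustero's data model.
CONTROL = {
    "policy_text": "Access to production systems is reviewed weekly.",
    "objective": "Production access is reviewed weekly.",
    "required_evidence": ["user list", "access review record"],
    "test_procedures": ["Confirm each review record is dated within the week."],
}
EVIDENCE = [
    {"type": "user list", "content": "alice,admin\nbob,developer"},
    {"type": "access review record", "content": "2024-05-06 reviewed by ops"},
]


def _digest(value):
    """Stable SHA-256 over a canonical JSON serialisation of value."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def control_fingerprint(control, evidence):
    """Fingerprint every input the FAQ says can invalidate a check result."""
    # Evidence is reduced to a set of content digests: a re-collected file
    # whose bytes are unchanged adds nothing, so the fingerprint is stable.
    evidence_digests = sorted({_digest(item["content"]) for item in evidence})
    return _digest({
        "policy_text": control["policy_text"],
        "objective": control["objective"],
        "required_evidence": control["required_evidence"],
        "test_procedures": control["test_procedures"],
        "evidence": evidence_digests,
    })


def record_result(control, evidence, passed):
    """Store a check result with the fingerprint of the inputs it was based on."""
    return {"passed": passed, "fingerprint": control_fingerprint(control, evidence)}


def is_out_of_date(result, control, evidence):
    """True when any material input has changed since the result was recorded."""
    return result["fingerprint"] != control_fingerprint(control, evidence)


if __name__ == "__main__":
    result = record_result(CONTROL, EVIDENCE, passed=True)
    print(is_out_of_date(result, CONTROL, EVIDENCE + [dict(EVIDENCE[0])]))
    changed = dict(CONTROL, policy_text="Access is reviewed monthly.")
    print(is_out_of_date(result, changed, EVIDENCE))
```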
Security
Q: What does Trustero do to secure data that is used by Audit Scan?
A: See these for details:
- How does Trustero ensure receptors are secure?
- How does Trustero ensure data used in AI-powered features is secure?
Advanced
Q: What if the Required Evidence or Test Procedures on a control don't make sense for my organization?
A: You should change them. See details: Required Evidence and Test Procedures.
Q: What limitations are there on control checks?
A: In short, Audit Scan is best thought of as a pre-audit check, rather than a complete audit.
- Latest evidence only: similar to a pre-audit check conducted by a compliance professional, Spot Check only examines the latest version of each type of evidence; it will not go back and examine older evidence. For example, it only checks the latest user list or laptop inventory rather than looking back at older versions.
- Examines only one piece of evidence at a time: Spot Check does not correlate across multiple pieces of evidence. For example, it will not look at an employee list and compare it to a user list from primary infrastructure. For best results you might consider combining disparate pieces of evidence into a single table.
- Samples: by default, Audit Scan will examine an entire piece of evidence. However, if a piece of evidence is too large, it will only look at samples. In all cases Audit Scan will sample more than a human auditor is required to examine in an audit. Details:
  - Written documents: rather than examining an entire document, it will just examine the most relevant excerpts. For example, in a 20 page document, it may only closely examine a few paragraphs that are most relevant to the control.
  - Tabular data: if a table (e.g., spreadsheet, CSV file or automated evidence) is very long, it will only examine 250 rows of that table. In many cases it will actually examine more than 250 rows.
- Doesn't follow links: currently audit scan can only evaluate information that is stored in the platform. If you store your policies or evidence somewhere else that you link to, audit scan will not be able to evaluate them.
Trustero is working to remove these limitations.
In the future we may also offer Audit Scan in a mode that does a deeper, more thorough examination.
Q: What else should I know about the control checks?
A:
- The checks will give best results when information is complete – policy documents are in the platform, evidence is provided and complete.
- The Compliance Roadmap shows which control checks are current and which need to be run again.
- The results of the control checks that rely on evidence (completeness and spot check) will depend on the context in which they are run and results from one context won't show up in another. The context is either an audit or continuous compliance mode. For example, if one control is present in both a SOC 2 audit and an ISO 27001 audit, audit scans will have to be conducted in both of those contexts if you want to see audit scan results in both audits.
- The Date Limit is important in Continuous Compliance mode. More info: What is the Date Limit and how should I use it?
Pricing, Payments and Value
Q: How am I charged for Audit Scan?
A: Trustero charges for each control test (e.g., each Control Matches Policy, Completeness and Spot Check costs one credit).
Q: How much does Audit Scan cost?
A: See How do I purchase more AI usage?
Q: Why are audit scans a great value?
A: Four complete pre-audit checks would take a human compliance expert 40+ hours to conduct and would need to be scheduled. Compliance expert hours typically cost $200+/hour, so this would cost $8000. Audit Scans, by contrast, take just a fraction of the time and will run on demand.
Q: What happens if I use up all of my Audit Scan credits?
A:
- If you begin an audit scan that will take you below zero credits, you will still be allowed to do audit scans, but you will get a warning message when beginning them. If you proceed when going below zero credits, you will be charged for an additional 600 credits.
- If you begin an audit scan that will take you more than 300 credits below zero, you will not be allowed to proceed with an audit scan until you buy more credits.
Q: How can I see my audit scan credit balance?
A: You can see your credit balance by clicking on the profile link in the lower left corner of the Trustero app.
Q: How do I purchase more Audit Scan usage?
A: See "How do I purchase more AI usage?" FAQ.
Q: What’s the most efficient way to run Audit Scans?
A: Use the Compliance Roadmap. It will introduce targeted audit scans in the most efficient order and encourage you to run scans only when they are out of date.
Q: How quickly does Continuous Controls Monitoring consume AI Audit Scan usage?
A: Continuous Controls Monitoring will only perform checks when the results are outdated. These checks become outdated as you make changes to your compliance content (policies and controls), add new evidence or do activities that will result in different automated evidence being collected (e.g., changing your cloud environment, or adding new employees). More details: Out of date control check results.
If you've opted in to scheduled, automated audit scans, then control check usage will happen automatically. The more frequently you scan, the more potential control checks will run, but the number of new items per scan will be lower than if you wait between scans.
Below are some factors that will drive usage.
Higher control check usage:
- More activity (e.g., infrastructure changes, new employees) in your organization, resulting in new, changed evidence between scans.
- Higher frequency scans (multiple times per day).
- More automated evidence and less manual evidence.
Lower control check usage:
- Less activity in your organization, resulting in automated evidence not changing very often.
- Lower frequency scans (less than once a week).
- Less automated evidence and more manual evidence.