NIST AU-6 - Audit Review, Analysis, and Reporting

1. CONTROL IDENTIFICATION

Framework	NIST SP 800-53 Rev 5
Control ID	`AU-6`
Control Family	Audit and Accountability
Control Name	Audit Review, Analysis, and Reporting
Status	PARTIALLY IMPLEMENTED
Assessment Date	2026-04-19T03:34:43.008438+00:00
Assessor	TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope	Azure: Pay-As-You-Go (prod) (`4f29d094-1079-44c9-acb0-4d73a7a2dd34`)
Report ID	`b288b6add87048b8d39050b4584aab5fa20e18ca5e1a339554039d401635efb1`

2. REGULATORY TEXT

Review and analyze system audit records at a defined frequency for indications of unusual activity; report findings to organization-defined personnel.

Source: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

AU-6 REQUIRED Audit Review, Analysis, and Reporting PARTIALLY IMPLEMENTED

Review and analyze system audit records at a defined frequency for indications of unusual activity; report findings to organization-defined personnel.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 Configuration scan 2026-04-19T03:34:43.008438+00:00

Full enumeration of in-scope resources. Configuration state captured via Azure Resource Graph + live API queries.

Records: 142 Exceptions surfaced: 0 Sampling: full enumeration

#A2 Policy document review 2026-04-19T03:34:43.008438+00:00

Governing policy document identified, version and approval date verified.

Records: 1 Exceptions surfaced: 0 Sampling: policy artifact review

#A3 Operational evidence (90-day window) 2026-04-19T03:34:43.008438+00:00

Activity logs reviewed over 90-day window. Consistent with policy and control objective.

Records: 90 Exceptions surfaced: 0 Sampling: 90-day log window, AICPA AU-C 530

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Design DESIGN PASS

Sample size: n/a (policy review)

Policy documents align with control objective.

Test of Operating Effectiveness OPERATING PASS

Sample size: AICPA 25-sample of qualifying events over 90-day window

Sampled events comply with policy. No exceptions identified.

6. FINDINGS / EXCEPTIONS

Active findings: 1 · Accepted risks (exceptions): 0 · Total: 1

Click any finding to view detail, remediation, and record an exception (risk acceptance). Exceptions are retained in the report as part of the audit trail.

#90534c62ad7b1f50 MEDIUM log-analytics-workspace-audit-gap 90-day retention configured but not archived for 7-year requirement. ▾

Recommendation	Enable archive tier + export to GRS storage.
Remediation command	`az monitor log-analytics workspace update --retention-time 90 --retention-capacity-reservation-level 1000`
Rollback	`Reduce retention (not recommended)`
CVSS	5.3
Maps to	cross-framework

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 1 finding(s). Remediation in progress per plan. Quarterly review cadence confirmed.

8. AUDIT TRAIL

Scanner	TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version	v2.0.1
Collection timestamp	2026-04-19T03:34:43.008438+00:00
Retention	2555 days (HIPAA 164.316(b)(2))
Report hash (SHA-256)	`b288b6add87048b8d39050b4584aab5fa20e18ca5e1a339554039d401635efb1`

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.

HIPAA: §164.312(b) — same evidence satisfies
PCI-DSS: 10.1, 10.2, 10.3 — same evidence satisfies
SOC 2: CC7.2, CC4.1 — same evidence satisfies