title: Compliance Reporting category: Compliance Frameworks tags: compliance, reporting, evidence, audit, export priority: Normal
Compliance Reporting
IdentityCenter provides comprehensive reporting capabilities designed to satisfy both internal governance needs and external audit requirements. This article covers the available report types, export options, automated scheduling, and best practices for audit preparation.
Report Types
IdentityCenter includes five primary compliance report types, each serving a distinct audience and purpose:
Framework Compliance Summary
Provides a high-level view of your compliance posture across one or more active frameworks.
| Report Field | Description |
|---|---|
| Framework Name | The compliance framework being evaluated |
| Compliance Score | Percentage of controls with zero violations |
| Total Controls | Number of controls defined in the framework |
| Passing Controls | Controls with no active violations |
| Failing Controls | Controls with one or more active violations |
| Trend | Score change compared to previous reporting period |
This report is ideal for executive stakeholders and board-level reporting where a summary view of compliance status is needed.
Policy Violation Report
Lists all active violations across selected policies, with filtering and grouping options.
| Report Field | Description |
|---|---|
| Policy Name | The policy that generated the violation |
| Violation ID | Unique identifier for the violation |
| Object | The identity or account in violation |
| Severity | Critical, High, Medium, Low, or Info |
| Detected Date | When the violation was first identified |
| Age | Number of days the violation has been open |
| Assigned To | The person responsible for remediation |
| Status | New, Active, Remediated, Excepted, Closed |
Filters allow you to narrow results by framework, severity, status, date range, organizational unit, or specific policy.
Remediation Status Report
Tracks the progress of violation remediation efforts across your organization.
| Report Field | Description |
|---|---|
| Total Violations | All violations in the reporting period |
| Remediated | Violations that have been resolved |
| Open | Violations still awaiting remediation |
| Excepted | Violations with approved exceptions |
| Remediation Rate | Percentage of violations resolved |
| Mean Time to Remediate | Average days from detection to resolution |
| Overdue | Violations past their expected resolution date |
This report is critical for demonstrating to auditors that your organization actively addresses compliance gaps.
Access Review Completion Report
Summarizes the status and outcomes of access review campaigns tied to compliance requirements.
| Report Field | Description |
|---|---|
| Campaign Name | The access review campaign |
| Framework | Associated compliance framework |
| Total Reviews | Number of access decisions required |
| Completed | Reviews that have been decided |
| Pending | Reviews awaiting reviewer action |
| Approved | Access confirmed as appropriate |
| Revoked | Access removed during review |
| Completion Rate | Percentage of reviews completed |
| Deadline | Campaign due date |
Access review reports are frequently required for SOX, HIPAA, and PCI-DSS audits to demonstrate periodic access certification.
Control Effectiveness Report
Evaluates how well each control is performing over time, helping you identify areas that need attention.
| Report Field | Description |
|---|---|
| Control ID | Framework control identifier |
| Control Name | Human-readable control name |
| Policy Count | Number of policies implementing this control |
| Violation Count | Total violations generated |
| Recurrence Rate | How often violations reappear after remediation |
| Average Resolution Time | Mean days to resolve violations |
| Effectiveness Rating | Calculated rating based on violation trends |
A high recurrence rate indicates a systemic issue that may require process changes rather than individual remediation.
Exporting Reports
All reports can be exported in multiple formats:
| Format | Best For | Features |
|---|---|---|
| CSV | Data analysis, spreadsheet manipulation | Raw data, easy to filter and pivot |
| Excel (.xlsx) | Formatted reports with multiple sheets | Styled headers, auto-width columns, charts |
| Formal distribution, archival | Page headers/footers, branding, signatures |
To export a report:
- Navigate to the report in the Compliance Center or Reports section
- Configure your filters (date range, framework, severity, etc.)
- Click the Export button in the toolbar
- Select the desired format
- Choose whether to include charts and summary sections (Excel and PDF only)
- The file downloads to your browser
Tip: For recurring audit needs, save your filter configuration as a report template. This ensures consistent reporting across audit periods.
Scheduling Automated Reports
IdentityCenter can generate compliance reports on a schedule and deliver them automatically via email.
Configuring a Scheduled Report
- Navigate to Administration > Reports or the Compliance Center
- Select the report type you want to schedule
- Configure filters and parameters
- Click Schedule Report
- Set the schedule:
| Schedule Option | Description |
|---|---|
| Daily | Generate every day at a specified time |
| Weekly | Generate on a chosen day of the week |
| Monthly | Generate on a specific day of the month |
| Quarterly | Generate at the end of each quarter |
| Custom | Cron-based schedule for advanced needs |
- Configure delivery recipients (email addresses)
- Select the export format (CSV, Excel, or PDF)
- Save the schedule
Scheduled reports are processed by the background job scheduler and delivered as email attachments.
Evidence Collection for Auditors
When preparing for an external audit, you need to provide evidence that your controls are operating effectively. IdentityCenter simplifies this process by consolidating identity governance data into auditor-friendly formats.
What Auditors Typically Request
| Audit Requirement | IdentityCenter Evidence |
|---|---|
| Access review completion | Access Review Completion Report showing 100% completion rate |
| Segregation of duties enforcement | Policy Violation Report filtered to SoD policies with zero open violations |
| Timely deprovisioning | Remediation Status Report showing terminated accounts disabled within SLA |
| Periodic access certification | Campaign history with reviewer decisions and timestamps |
| Privileged access monitoring | Policy Violation Report filtered to privileged access policies |
| Exception documentation | Exception register with justifications and expiration dates |
| Change audit trail | Change Audit Log export showing all identity modifications |
Building an Audit Evidence Package
To assemble a complete evidence package:
- Define the audit period - Set your report date range to match the audit window (e.g., fiscal year)
- Generate framework summary - Export the Framework Compliance Summary for each relevant framework
- Export violation history - Include both open and resolved violations to show remediation activity
- Include access review results - Export all campaigns completed during the audit period
- Document exceptions - Export the exception register with business justifications
- Attach policy definitions - Export your policy configurations to show what rules are being enforced
- Include trend data - Show compliance score improvement over the audit period
Mapping IdentityCenter Data to Audit Requirements
Different frameworks emphasize different aspects of identity governance. Use the following mapping to ensure your reports address the right requirements:
| Framework | Key Report | Critical Data Points |
|---|---|---|
| SOX | Access Review Completion, Policy Violations | SoD violations, review completion rate, remediation timeliness |
| HIPAA | Policy Violations, Control Effectiveness | PHI access controls, minimum necessary enforcement, breach indicators |
| GDPR | Remediation Status, Framework Summary | Data access scope, consent tracking, right-to-access fulfillment |
| PCI-DSS | Policy Violations, Access Review Completion | Unique user IDs, cardholder data access, quarterly reviews |
| ISO 27001 | Framework Summary, Control Effectiveness | Control maturity, continuous improvement evidence, risk treatment |
| NIST | Framework Summary, Remediation Status | Risk assessment results, control implementation, incident response |
Dashboard Metrics
The Compliance Center dashboard provides real-time metrics that summarize your compliance posture:
| Metric | Description | Target |
|---|---|---|
| Compliance Score | Percentage of passing controls across all frameworks | > 90% |
| Open Violations | Total active violations across all policies | Trending downward |
| Remediation Rate | Percentage of violations resolved within SLA | > 85% |
| Mean Time to Remediate | Average days from detection to resolution | < 14 days |
| Exception Count | Number of active policy exceptions | Minimize, review quarterly |
| Access Review Completion | Percentage of reviews completed on time | 100% |
These metrics can be viewed for a specific framework or aggregated across all active frameworks.
Best Practices for Audit Preparation
Generate reports consistently - Run the same reports monthly so you have continuous evidence, not just point-in-time snapshots at audit time.
Archive historical data - Export and store compliance reports at the end of each reporting period. Auditors may request data spanning multiple years.
Automate wherever possible - Use scheduled reports to reduce the manual effort required during audit preparation.
Validate data accuracy - Before submitting reports to auditors, verify that the data matches your expectations. Cross-reference a sample of violations with the actual directory state.
Prepare a narrative - Reports alone do not tell the full story. Prepare a brief narrative explaining your compliance program, how IdentityCenter supports it, and how you handle exceptions.
Track remediation diligently - Auditors focus heavily on how you respond to findings. Demonstrate that violations are acknowledged, assigned, and resolved within defined timeframes.
Review exception register - Ensure all active exceptions have current justifications and have not expired. Expired exceptions with open violations are audit findings.
Next Steps
- Compliance Frameworks Overview - Understand the frameworks available in IdentityCenter
- Activating Compliance Frameworks - Activate and configure frameworks
- Policies Overview - Learn about the policy engine that drives compliance
- Access Reviews Overview - Conduct access review campaigns for compliance evidence
- Dashboard & Reporting - Explore the broader reporting capabilities