📊 E8 Audit Export

Problem Statement

GetCimple serves two distinct needs:

• Boards: Need simple 8-strategy summaries for governance decisions (2-3 minutes)
• Auditors: Need detailed 152-control evidence for ACSC compliance verification

Challenge: How do we serve both without building a complex control management system in MVP?

Solution: Generate audit-ready reports from our simple 40-question assessments.

Feature Overview

The Bridge Concept

Instead of building a full 152-control management interface, we provide a one-button export that transforms our board-friendly assessment into an auditor-friendly artifact.

Board Experience (Input)          Audit Artifact (Output)
--------------------             ---------------------
8 strategies summary      -->    152 controls report
40 simple questions       -->    Detailed control status
2-3 minute decision       -->    Evidence per control

Key Capabilities

1. Generate ACSC Audit Report - Single button export
2. 152 Control Detail - Every ACSC control listed individually
3. Evidence Linking - Each control inherits evidence from its source question
4. Exception Documentation - Documented exceptions flow to relevant controls
5. Audit-Ready Format - Excel/CSV format auditors expect

Why This Approach?

Decision Rationale

We considered three options:

Approach	Effort	Value	Risk
Do nothing	0 days	Low	Medium (audit gap)
Full 152-control UI	1-2 cycles	High (future)	High (gold-plating)
Audit export	1-2 days	Medium (now)	Low (validates demand)

We chose the export approach because:

1. ✅ Serves the 5% use case (external audits) without over-engineering
2. ✅ Keeps the 95% use case simple (board decisions remain fast)
3. ✅ Validates demand first - see if customers actually use it
4. ✅ 3-person team feasible - 1-2 days vs 1-2 development cycles
5. ✅ Opportunity cost - frees time to build features for the 95% use case

What This Is NOT

• ❌ Not a GRC platform - We're not building Vanta/Drata
• ❌ Not control management - No workflows, assignments, or real-time tracking
• ❌ Not continuous monitoring - Point-in-time export only
• ❌ Not audit automation - Evidence collection still manual

We are: Providing the bridge between board governance and audit compliance.

Export Format

Output Structure

Format: Excel (.xlsx) or CSV Rows: 152 (one per ACSC control) Columns:

Column	Description	Source
control_id	ACSC control ID (e.g., ML2-RA-04)	Reference data
control_description	Full ACSC requirement text	Reference data
strategy	Which of 8 E8 strategies (e.g., Admin Privileges)	Reference data
maturity_level	ML1, ML2, or ML3	Reference data
status	not_implemented / partially_implemented / implemented / documented_exception	Inferred from question
source_question_id	Which of our 40 questions covers this	Mapping table
source_question_text	The actual question we asked	Question data
evidence_summary	Files, notes attached to question	Question evidence
exception_justification	If marked as exception, why	Question exception
last_assessed	When question was answered	Assessment metadata

Example Rows

control_id,control_description,strategy,maturity_level,status,source_question_id,source_question_text,evidence_summary,exception_justification,last_assessed
ML1-MF-01,"Multi-factor authentication is used to authenticate users to their organisation's online services...",Multi-factor Authentication,ML1,implemented,E8_MFA_001,"Is MFA mandatory for all admin accounts?","password-auth-policy.pdf; Kinde MFA enabled",null,2025-10-13
ML2-RA-04,"Privileged access to systems and applications is disabled after 45 days of inactivity",Restrict Admin Privileges,ML2,documented_exception,E8_AP_003,"Are admin accounts automatically disabled after inactivity?",null,"Legacy systems require manual review. Quarterly audit implemented as compensating control. Board approved 2025-09-15.",2025-10-13
ML3-AC-01,"Application control is implemented on non-internet-facing servers",Application Control,ML3,not_implemented,E8_AC_002,"Is software control applied to internet-facing servers?","Server hardening checklist",null,2025-10-13

Data Mapping

Question-to-Control Mapping

Our 40 questions map to 152 controls with varying coverage:

Strategy	Controls	Questions	Ratio
Application Control	27	5	5.4:1
Patch Applications	23	5	4.6:1
Office Macros	15	5	3.0:1
User Hardening	18	5	3.6:1
Admin Privileges	19	5	3.8:1
Patch OS	16	5	3.2:1
MFA	20	5	4.0:1
Regular Backups	14	5	2.8:1
Total	152	40	3.8:1

Status Inference Logic

Controls inherit status from their linked question:

function inferControlStatus(
  control: ACSCControl,
  questionAnswer: E8QuestionAnswer
): ControlStatus {
  // If question marked as exception, all child controls are exceptions
  if (questionAnswer.exception?.isException) {
    return 'documented_exception'
  }

  // Check if answer indicates this control is implemented
  const controlImplemented = control.maturityImpact[control.level]?.includes(
    questionAnswer.selectedOption
  )

  if (controlImplemented) {
    return 'implemented'
  } else if (questionAnswer.selectedOption === 'Partially') {
    return 'partially_implemented'
  } else {
    return 'not_implemented'
  }
}

Question-Level Evidence & Exceptions

Evidence Collection

To support meaningful audit exports, we collect evidence at the question level:

interface E8QuestionEvidence {
  files: AttachedFile[] // Policy docs, screenshots, configs
  notes: string // Free-text explanation
  lastUpdated: Date // Freshness tracking
  updatedBy: string // Attribution
}

interface AttachedFile {
  filename: string
  fileUrl: string
  fileType: string
  uploadedAt: Date
  uploadedBy: string
}

Example: When answering "Is MFA mandatory for all admin accounts?":

• Upload: password-authentication-policy.pdf
• Notes: "MFA enforced via Kinde Auth. All admin users required to enroll. Last audit: 2025-09-30."

This evidence automatically flows to ALL controls covered by that question (e.g., ML1-MF-01, ML2-MF-01).

Exception Documentation

Boards can document exceptions at the question level:

interface E8QuestionException {
  isException: boolean
  justification: string // Why this exception exists
  compensatingControls: string // What we do instead
  riskAcceptance: string // Who approved the risk
  reviewDate: Date // When to re-assess
  boardApprovalDate: Date // Governance trail
}

Example: Admin accounts on legacy systems:

• Exception: Yes
• Justification: "Legacy AS/400 systems cannot integrate with modern IAM"
• Compensating: "Quarterly manual access reviews + privileged session recording"
• Approved: Board meeting 2025-09-15
• Review: 2026-03-15

This exception flows to all related controls (e.g., ML2-RA-04, ML3-RA-05).

Implementation Approach

Reference Data

Store ACSC controls as read-only reference data:

CREATE TABLE e8_control_reference (
  id VARCHAR PRIMARY KEY,              -- ML2-RA-04
  strategy VARCHAR NOT NULL,           -- admin_privileges
  maturity_level VARCHAR NOT NULL,     -- ML1, ML2, ML3
  description TEXT NOT NULL,           -- Full ACSC requirement
  question_mapping VARCHAR NOT NULL,   -- E8_AP_003
  display_order INT NOT NULL
);

This table is populated once from ACSC documentation, never modified by users.

Question-Control Mapping

Extend existing question data with evidence and exceptions:

CREATE TABLE e8_question_answers (
  id UUID PRIMARY KEY,
  assessment_id UUID NOT NULL,
  question_id VARCHAR NOT NULL,        -- E8_AP_003
  selected_option TEXT,

  -- NEW: Evidence fields
  evidence_files JSONB,                -- Array of file metadata
  evidence_notes TEXT,
  evidence_updated_at TIMESTAMPTZ,

  -- NEW: Exception fields
  is_exception BOOLEAN DEFAULT FALSE,
  exception_justification TEXT,
  exception_compensating_controls TEXT,
  exception_review_date DATE,
  exception_board_approval_date DATE,
  exception_approved_by VARCHAR
);

Export Generation Logic

async function generateAuditExport(assessmentId: string): Promise<AuditReport> {
  // 1. Load assessment with all question answers
  const assessment = await db.e8_assessments.findById(assessmentId)
  const answers = await db.e8_question_answers.findByAssessment(assessmentId)

  // 2. Load all 152 ACSC controls from reference data
  const allControls = await db.e8_control_reference.findAll()

  // 3. Map each control to its source question and infer status
  const controlRows = allControls.map((control) => {
    const sourceAnswer = answers.find(
      (a) => a.question_id === control.question_mapping
    )

    return {
      control_id: control.id,
      control_description: control.description,
      strategy: control.strategy,
      maturity_level: control.maturity_level,
      status: inferControlStatus(control, sourceAnswer),
      source_question_id: control.question_mapping,
      source_question_text: getQuestionText(control.question_mapping),
      evidence_summary: formatEvidence(
        sourceAnswer?.evidence_files,
        sourceAnswer?.evidence_notes
      ),
      exception_justification: sourceAnswer?.exception_justification,
      last_assessed: assessment.completed_at,
    }
  })

  // 4. Generate Excel/CSV
  return exportToExcel(controlRows)
}

UI Integration

Location: E8 Assessment results page

Button: "Download Audit Report" (secondary action)

Tooltip: "Generate detailed ACSC control report for external audits (152 controls)"

Flow:

1. User completes 40-question assessment
2. Board sees 8-strategy summary (primary view)
3. Compliance team clicks "Download Audit Report"
4. System generates Excel with 152 controls
5. File downloaded: {org-name}-e8-audit-report-{date}.xlsx

Use Cases

1. External Audit

Scenario: Company engaging ACSC-certified auditor for ML2 assessment

Process:

1. IT Manager completes GetCimple E8 assessment (15 minutes)
2. Board reviews and approves target ML2 (3 minutes)
3. IT Manager downloads audit report
4. Sends to auditor with evidence files
5. Auditor uses GetCimple export as baseline, validates controls

Value: Provides auditor with structured starting point instead of blank spreadsheet.

2. Government Tender Response

Scenario: Company bidding for government contract requiring "ML2 compliance"

Process:

1. Tender requires proof of E8 compliance
2. Company exports audit report from GetCimple
3. Attaches as evidence to tender submission
4. Shows all 152 controls with status and evidence

Value: Demonstrates systematic approach to E8 compliance.

3. Cyber Insurance Application

Scenario: Insurance renewal requires updated E8 assessment

Process:

1. Update GetCimple assessment quarterly
2. Export audit report
3. Submit to insurance broker/underwriter
4. Shows control-level implementation progress

Value: More detailed than summary, shows continuous improvement.

4. Board Risk Committee

Scenario: Board Risk Committee wants deeper dive than 8 strategies

Process:

1. Board sees strategy summary in GetCimple
2. Asks: "What specific controls are we missing for ML2?"
3. CISO exports audit report, filters to "partially_implemented"
4. Presents 5 specific controls needing investment

Value: Bridges board summary with technical detail for informed decisions.

Success Metrics

Usage Tracking

• Export frequency: How often customers generate reports
• Time-to-export: Seconds from click to download
• Export completion rate: Downloads that finish vs start

Customer Feedback

Monitor for these signals:

• ✅ "This export saved us hours preparing for audit"
• ✅ "Auditor accepted this as baseline documentation"
• ⚠️ "Can we edit the report before exporting?" (scope creep signal)
• ⚠️ "Wish we could track this live instead of export" (Phase 3 demand signal)

Demand Validation Triggers

Move to Phase 3 (Full Control Management) when:

• > 50% of active customers use export monthly
• > 3 customers request "manage this live in GetCimple"
• Paying customers willing to upgrade for control management
• Export becomes primary workflow (not secondary)

Future Evolution: Phase 3 (Post-MVP)

Only if demand validated, build full control management:

Potential Phase 3 Features

• ✨ In-platform 152-control UI with status tracking
• ✨ Per-control evidence management
• ✨ Control implementation workflow (assign, track, complete)
• ✨ Real-time control status (not point-in-time)
• ✨ Control-level notifications and reminders
• ✨ Integration with vulnerability scanners for auto-status
• ✨ Control testing and validation workflows

Decision Criteria for Phase 3

Build it when:

1. Customer feedback: "We need to manage controls in GetCimple, not export"
2. Usage data: Export feature heavily used and valued
3. Revenue: Paying customers + willingness to pay for upgrade
4. Team capacity: Beyond 3 people, can afford 1-2 cycle investment
5. Competitive need: Required to win deals or retain customers

Don't build it if:

• Export satisfies the need
• Customers happy with external audit workflow
• No demand for real-time control management
• Would compete with specialized GRC tools customers already use

Related Documentation

• Essential Eight MVP - Core 40-question assessment
• E8-UQB Integration - Pre-fill and routing architecture
• E8 Testing Results - Validation of 40-question approach
• Decision Log - Why we chose export over full UI

Summary

The E8 Audit Export feature is a pragmatic bridge between:

• Board-friendly simplicity (our core value prop)
• Audit-ready artifacts (compliance team needs)

By choosing export over UI complexity, we:

• Serve the audit use case in 1-2 days of work
• Validate demand before major investment
• Keep focus on the 95% use case (board decisions)
• Maintain our "calm productivity" and "no gold-plating" principles

This is exactly the kind of scrappy, customer-focused solution a 3-person startup should build.