compliance-audit
Performs regulatory gap analysis across 7 compliance frameworks with a scored report card and prioritized remediation roadmap. Use when assessing a website or application for GDPR, CCPA, ADA, PCI-DSS, CAN-SPAM, COPPA, or SOC 2 compliance. Trigger with "/compliance-audit" or "audit my website for regulatory compliance".
What this skill does
# Regulatory Compliance Audit
## Overview
Executes a two-phase compliance analysis — detection scan followed by framework-by-framework
evaluation — across 7 regulatory frameworks. Produces a compliance scorecard with letter
grades (A-F) per framework, identifies specific gaps, and generates a prioritized
remediation roadmap with effort estimates and timelines.
This skill reads and analyzes existing assets. It does not generate legal documents or
modify any files. The output is an audit report documenting findings and recommendations.
> **Legal Disclaimer:** This skill generates AI-assisted compliance analysis for
> informational purposes only. It does not constitute legal advice, certification, or
> attestation of compliance. Regulatory requirements are complex and jurisdiction-specific.
> All findings should be reviewed by qualified legal counsel and/or certified compliance
> professionals. No attorney-client relationship is created by using this tool.
## Prerequisites
- A live website URL or local codebase to analyze
- Access to any existing privacy policy, terms of service, or compliance documentation
- Knowledge of the business type, target audience, and geographic reach
## Instructions
### Phase 1: Detection Scan
1. **Scan the website.** Use WebFetch on the target URL to collect:
- HTML source (meta tags, structured data, accessibility attributes)
- Cookie and tracking behavior (Set-Cookie headers, JavaScript trackers)
- Form elements (input types, required fields, consent checkboxes)
- Payment indicators (payment form fields, processor scripts)
- Third-party scripts and embeds (analytics, advertising, social)
- SSL/TLS certificate presence
- Content targeting indicators (age-related content, children's themes)
2. **Scan the codebase (if available).** Use Glob and Grep to find:
- Privacy policy and terms of service files
- Cookie consent implementation code
- Authentication and access control patterns
- Data encryption at rest and in transit
- Logging and audit trail implementations
- Age verification or gate mechanisms
- Email sending code and unsubscribe handling
- Payment processing integrations
- Accessibility attributes (aria-*, alt text, semantic HTML)
3. **Build the detection inventory.** Create a structured map of findings:
| Category | Signals Found | Frameworks Triggered |
|----------|---------------|---------------------|
| Data Collection | Forms, cookies, analytics | GDPR, CCPA |
| Payments | Stripe, PayPal, card fields | PCI-DSS |
| Accessibility | Missing alt text, no skip nav | ADA/WCAG |
| Email Marketing | Newsletter signup, email sends | CAN-SPAM |
| User Demographics | Age gates, child-oriented content | COPPA |
| Security Controls | Auth, encryption, logging | SOC 2 |
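As an added example (not code from the skill or its plugin), the following Python script builds the detection inventory above from a page's HTML and response headers. The skill obtains those with WebFetch; here a constructed sample page and headers are embedded so it runs offline. The tracker and payment host lists, the field-name fragments, and the signal wording are assumptions of this example. An `alt=""` attribute is deliberately not counted as missing, since WCAG treats an empty alt as marking a decorative image.

```python
"""Phase 1 detection-inventory builder (added example, not the skill's own code).
The skill fetches the page with WebFetch; here a constructed page and response
headers are embedded so it runs offline. Host lists and field-name heuristics
are this example's assumptions, not the skill's."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com",
                 "connect.facebook.net", "static.hotjar.com"}   # assumed list
PAYMENT_HOSTS = {"js.stripe.com", "www.paypal.com", "js.braintreegateway.com"}
CARD_FIELD_WORDS = ("card", "cvv", "cvc", "expir")   # heuristic name fragments
AGE_FIELD_WORDS = ("birth", "dob", "age")


class SignalParser(HTMLParser):
    """Collects the raw signals the inventory is built from."""

    def __init__(self):
        super().__init__()
        self.images_without_alt = 0   # alt attribute absent; alt="" (decorative) is fine
        self.inputs = []              # (type, name) for every <input>
        self.script_hosts = set()
        self.skip_nav = False
        self._anchor_href = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and "alt" not in a:
            self.images_without_alt += 1
        elif tag == "input":
            self.inputs.append((a.get("type", "text").lower(), a.get("name", "").lower()))
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(a["src"]).hostname or "")
        elif tag == "a":
            self._anchor_href = a.get("href", "")

    def handle_data(self, data):
        # A same-page link whose text mentions "skip" counts as a skip-navigation link.
        if (self._anchor_href or "").startswith("#") and "skip" in data.lower():
            self.skip_nav = True
        self._anchor_href = None


def build_inventory(html, headers, site_host):
    """Return {category: {"signals": [...], "frameworks": [...]}} in the table's layout."""
    p = SignalParser()
    p.feed(html)
    h = {k.lower(): v for k, v in headers.items()}      # header names are case-insensitive
    third_party = {x for x in p.script_hosts if x and x != site_host}
    set_cookie = h.get("set-cookie", "")
    types, names = [t for t, _ in p.inputs], [n for _, n in p.inputs]
    inventory = {}

    def add(category, signals, frameworks):
        if signals:                       # categories with no signals are omitted
            inventory[category] = {"signals": signals, "frameworks": frameworks}

    data = ["forms collecting personal data"] if any(t in ("email", "text", "tel") for t in types) else []
    if set_cookie:
        data.append("Set-Cookie: " + set_cookie.split(";")[0])
    data += [f"tracker {x}" for x in sorted(third_party & TRACKER_HOSTS)]
    add("Data Collection", data, ["GDPR", "CCPA"])
    add("Payments", [f"script {x}" for x in sorted(third_party & PAYMENT_HOSTS)]
        + [f"field {n}" for n in names if any(w in n for w in CARD_FIELD_WORDS)], ["PCI-DSS"])
    a11y = [f"{p.images_without_alt} image(s) without alt attribute"] if p.images_without_alt else []
    if not p.skip_nav:
        a11y.append("no skip-navigation link")
    add("Accessibility", a11y, ["ADA/WCAG"])
    newsletter = "email" in types and any("newsletter" in n or "subscribe" in n for n in names)
    add("Email Marketing", ["newsletter signup form"] if newsletter else [], ["CAN-SPAM"])
    add("User Demographics", [f"field {n}" for n in names if any(w in n for w in AGE_FIELD_WORDS)], ["COPPA"])
    sec = ["password login form"] if "password" in types else []
    if "strict-transport-security" not in h:
        sec.append("no Strict-Transport-Security header")
    if set_cookie and "secure" not in set_cookie.lower():
        sec.append("cookie set without Secure flag")
    add("Security Controls", sec, ["SOC 2"])
    return inventory


def to_markdown(inventory):
    rows = ["| Category | Signals Found | Frameworks Triggered |", "|---|---|---|"]
    rows += [f"| {c} | {', '.join(v['signals'])} | {', '.join(v['frameworks'])} |" for c, v in inventory.items()]
    return "\n".join(rows)


# Constructed sample page and headers (not a real site).
SAMPLE_HTML = """<html><body><main>
<img src="/logo.png"><img src="/hero.jpg" alt="Storefront">
<form action="/signup"><input type="email" name="email"><input type="checkbox" name="newsletter"></form>
<form action="/login"><input type="password" name="password"></form>
<form action="/pay"><input name="card_number"><input name="cvv"><input type="date" name="birthdate"></form>
<script src="https://www.googletagmanager.com/gtag/js"></script>
<script src="https://js.stripe.com/v3/"></script>
</main></body></html>"""
SAMPLE_HEADERS = {"Set-Cookie": "_ga=GA1.2.123; Path=/"}

if __name__ == "__main__":
    print(to_markdown(build_inventory(SAMPLE_HTML, SAMPLE_HEADERS, "shop.example")))
```

Running the script prints the inventory table in the format above for the sample page; a page with no matching signals yields an empty inventory, which is the cue that a framework row can be marked not applicable rather than scored. The host lists and name fragments are starting points only; a real scan should extend them to the processors and analytics vendors the site actually uses.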
### Phase 2: Framework-by-Framework Evaluation
1. **Evaluate each applicable framework.** Score against these criteria:
**GDPR (General Data Protection Regulation)**
- [ ] Privacy policy published and accessible
- [ ] Legal basis documented for each processing activity
- [ ] Cookie consent with granular opt-in (not just notice)
- [ ] Data subject rights mechanism (access, erasure, portability)
- [ ] Data Processing Agreement with third-party processors
- [ ] Data breach notification procedure documented
- [ ] Data Protection Impact Assessment for high-risk processing
- [ ] Records of processing activities maintained
- [ ] International transfer safeguards (SCCs, adequacy decisions)
- [ ] DPO appointed (if required by Article 37)
**CCPA/CPRA (California Consumer Privacy Act)**
- [ ] "Do Not Sell or Share My Personal Information" link visible
- [ ] Privacy policy discloses categories of personal information collected
- [ ] Consumer request mechanism (access, delete, correct, opt-out)
- [ ] Service provider agreements with data sharing restrictions
- [ ] Financial incentive disclosures (if offering loyalty programs)
- [ ] Sensitive personal information opt-out mechanism
- [ ] Annual privacy policy update
- [ ] Employee/applicant privacy notices (if applicable)
**ADA/WCAG 2.1 (Accessibility)**
- [ ] Alt text on all images
- [ ] Keyboard navigation support
- [ ] Color contrast ratios (4.5:1 minimum for text)
- [ ] Form labels and error messages
- [ ] Skip navigation links
- [ ] ARIA landmarks and roles
- [ ] Video captions and audio descriptions
- [ ] Responsive design / mobile accessibility
**PCI-DSS (Payment Card Industry)**
- [ ] No card data stored in plaintext
- [ ] Payment processing via certified processor (Stripe, Braintree)
- [ ] HTTPS enforced on all payment pages
- [ ] No card numbers in URLs, logs, or error messages
- [ ] SAQ (Self-Assessment Questionnaire) type determined
- [ ] Quarterly vulnerability scans (if applicable)
**CAN-SPAM (Commercial Email)**
- [ ] Physical mailing address in marketing emails
- [ ] Functional unsubscribe mechanism
- [ ] Unsubscribe honored within 10 business days
- [ ] Accurate "From" and "Subject" headers
- [ ] Commercial content clearly identified
- [ ] No harvested or purchased email lists
**COPPA (Children's Online Privacy Protection)**
- [ ] Age screening mechanism (if content may attract children under 13)
- [ ] Verifiable parental consent before collecting children's data
- [ ] Direct notice to parents about data practices
- [ ] Parental review and deletion rights
- [ ] Data minimization for children's data
- [ ] No behavioral advertising to children
**SOC 2 (Trust Services Criteria)**
- [ ] Access controls and authentication (Security)
- [ ] System monitoring and alerting (Availability)
- [ ] Data encryption and integrity checks (Processing Integrity)
- [ ] Privacy policy aligned with commitments (Privacy)
- [ ] Data handling and retention policies (Confidentiality)
- [ ] Incident response plan documented
- [ ] Vendor management program
- [ ] Change management procedures
2. **Calculate compliance scores.** For each framework:
- Count the criteria met against the total applicable criteria (criteria marked not applicable are left out of the denominator)
- Calculate a percentage score
- Assign a letter grade:
| Grade | Score | Meaning |
|-------|-------|---------|
| A | 90-100% | Substantially compliant |
| B | 75-89% | Minor gaps, low risk |
| C | 60-74% | Moderate gaps, action needed |
| D | 40-59% | Significant gaps, priority remediation |
| F | 0-39% | Non-compliant, immediate action required |
3. **Generate remediation roadmap.** For each gap, provide:
- Description of the gap
- Regulatory risk (fine amounts, enforcement precedents)
- Remediation action with specific steps
- Effort estimate (hours: 1-4, 4-16, 16-40, 40+)
- Priority tier: P0 (immediate), P1 (30 days), P2 (90 days), P3 (6 months)
- Suggested responsible party (legal, engineering, marketing, ops)
4. **Compile the audit report** using the output format below.
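As an added worked example (not the skill's own code) of steps 2 and 3, the following Python applies the grade table and effort buckets above to constructed checklists and orders the resulting gaps into a roadmap. The grade bands, the effort ranges and the P0-P3 tiers are taken from the text; rounding to a whole percent before banding, weighting the overall score by applicable criteria, deriving a gap's priority tier from its framework's grade, and the default effort and owner for gaps without details are assumptions of this example.

```python
"""Phase 2 scoring and roadmap helpers (added example, not the skill's own code).
Grade bands, effort buckets and priority tiers come from the skill text; the
rounding rule, the priority-by-grade mapping, the default effort/owner and the
checklists below are this example's assumptions, built from constructed data."""

GRADE_BANDS = ((90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F"))   # from the grade table
EFFORT_BUCKETS = ((4, "1-4"), (16, "4-16"), (40, "16-40"))             # hours -> label, else "40+"
PRIORITY_BY_GRADE = {"F": "P0", "D": "P1", "C": "P2", "B": "P3", "A": "P3"}  # assumption
STATUS_BY_GRADE = {"A": "Compliant", "F": "Non-Compliant"}             # any other grade: "Gaps Found"


def letter_grade(percent):
    pct = round(percent)        # assumption: round to a whole percent before banding
    return next(letter for floor, letter in GRADE_BANDS if pct >= floor)


def score_framework(criteria):
    """criteria: [(description, status)] with status 'met', 'gap' or 'n/a'.
    Returns None when nothing is applicable, so the framework is not graded."""
    applicable = [(d, s) for d, s in criteria if s != "n/a"]
    if not applicable:
        return None
    met = sum(s == "met" for _, s in applicable)
    percent = 100.0 * met / len(applicable)
    return {"met": met, "applicable": len(applicable), "percent": percent,
            "grade": letter_grade(percent), "gaps": [d for d, s in applicable if s == "gap"]}


def score_all(checklists):
    return {fw: score_framework(c) for fw, c in checklists.items()}


def overall_percent(results):
    # Weighted by applicable criteria so a 6-item framework does not weigh like a 10-item one (assumption).
    scored = [r for r in results.values() if r]
    return 100.0 * sum(r["met"] for r in scored) / sum(r["applicable"] for r in scored)


def effort_bucket(hours):
    return next((label for ceiling, label in EFFORT_BUCKETS if hours <= ceiling), "40+")


def scorecard_rows(results):
    """Rows in the layout of the Compliance Scorecard table of the output template."""
    rows = []
    for fw, r in results.items():
        if r is None:
            rows.append(f"| {fw} | N/A | N/A | Not applicable |")
        else:
            rows.append(f"| {fw} | {r['percent']:.0f}% | {r['grade']} | {STATUS_BY_GRADE.get(r['grade'], 'Gaps Found')} |")
    ov = overall_percent(results)
    rows.append(f"| **Overall** | **{ov:.0f}%** | **{letter_grade(ov)}** | |")
    return rows


def build_roadmap(results, gap_details):
    """gap_details: {gap description: (estimated hours, owner)}; unknown gaps get a default."""
    items = []
    for fw, r in results.items():
        for gap in (r["gaps"] if r else []):
            hours, owner = gap_details.get(gap, (8, "engineering"))   # default is an assumption
            items.append({"framework": fw, "gap": gap, "priority": PRIORITY_BY_GRADE[r["grade"]],
                          "effort": effort_bucket(hours), "hours": hours, "owner": owner})
    return sorted(items, key=lambda i: (i["priority"], i["hours"]))   # P0 first, quick wins first


# Constructed checklists: a subset of the skill's criteria with made-up statuses.
CHECKLISTS = {
    "GDPR": [("Privacy policy published", "met"), ("Legal basis documented", "met"),
             ("Cookie consent with granular opt-in", "gap"), ("Data subject rights mechanism", "met"),
             ("DPAs with processors", "met"), ("Breach notification procedure", "met"),
             ("DPIA for high-risk processing", "gap"), ("Records of processing", "gap"),
             ("Transfer safeguards", "met"), ("DPO appointed", "met")],
    "PCI-DSS": [("No card data stored in plaintext", "met"), ("Certified processor", "met"),
                ("HTTPS on payment pages", "met"), ("No card numbers in URLs or logs", "gap"),
                ("SAQ type determined", "met"), ("Quarterly vulnerability scans", "n/a")],
    "CAN-SPAM": [("Physical address in emails", "gap"), ("Functional unsubscribe", "met"),
                 ("Unsubscribe honored in 10 business days", "gap"), ("Accurate headers", "met"),
                 ("Commercial content identified", "gap"), ("No purchased lists", "gap")],
    "COPPA": [("Age screening", "n/a"), ("Parental consent", "n/a")],
}
GAP_DETAILS = {"Cookie consent with granular opt-in": (30, "engineering"),
               "No card numbers in URLs or logs": (6, "engineering"),
               "Physical address in emails": (2, "marketing"),
               "No purchased lists": (45, "marketing")}

if __name__ == "__main__":
    res = score_all(CHECKLISTS)
    print("\n".join(scorecard_rows(res)))
    for item in build_roadmap(res, GAP_DETAILS):
        print(item["priority"], item["framework"], item["gap"], item["effort"], item["owner"])
```

With the constructed data, GDPR scores 7/10 (C), PCI-DSS 4/5 after excluding the not-applicable scan criterion (B), CAN-SPAM 2/6 (F), and COPPA is skipped entirely, so the roadmap leads with the four CAN-SPAM gaps at P0. Deriving priority from the framework grade alone is a deliberate simplification; an auditor should still promote an individual gap (for example, card numbers in logs) when its own regulatory risk is high.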
## Output
Generate a single Markdown file named `COMPLIANCE-AUDIT-{company}-{YYYY-MM-DD}.md`:
```
# Regulatory Compliance Audit
**{Company Name}** — {URL or codebase path}
**Audit Date:** {date}
**Auditor:** AI Compliance Scan (Legal Assistant Plugin)
**Scope:** {frameworks evaluated}
---
## Executive Summary
{3-5 sentence overview of compliance posture, highest-risk areas, and top recommendation}
## Compliance Scorecard
| Framework | Score | Grade | Status |
|-----------|-------|-------|--------|
| GDPR | {%} | {A-F} | {Compliant / Gaps Found / Non-Compliant} |
| CCPA/CPRA | {%} | {A-F} | {status} |
| ADA/WCAG 2.1 | {%} | {A-F} | {status} |
| PCI-DSS | {%} | {A-F} | {status} |
| CAN-SPAM | {%} | {A-F} | {status} |
| COPPA | {%} | {A-F} | {status} |
| SOC 2 | {%} | {A-F} | {status} |
| **Overall** | **{%}** | **{grade}** | |
## Detection Inventory
{table of all signals detected during Phase 1}
## Detailed Findings
### GDPR
{criteria-by-crit
```