
Audit packages

What audit packages are, package types, export requirements including MFA and PIM, what packages include, and how to share with external auditors.

Last updated: June 2026

What audit packages are

An audit package is a structured export of your compliance program's state — controls, evidence, policies, risks, and exceptions — organized for review by an external auditor. Rather than gathering documentation manually from multiple systems, Nuxari compiles the package from your compliance workspace automatically.

Audit packages do not constitute a formal audit report. They are the organized documentation you provide to your auditor. The auditor then reviews this material and conducts their own testing to form an opinion.

Package types

SOC 2 Type I readiness package

A point-in-time snapshot of all controls, their current statuses, accepted evidence, and approved policies. Intended to give external auditors a structured starting point for a Type I engagement.

SOC 2 Type II readiness package

An observation-period package covering a defined date range. Includes all evidence collected, access reviews completed, and control operating history during the period. Requires evidence to span the entire observation window.

ISO 27001 readiness package

An ISMS readiness package including controls mapped to Annex A, the risk register, vendor register status, policy approval history, and key operational evidence.

Custom package

A scoped package for specific controls, evidence types, or date ranges. Useful for responding to specific auditor requests or for partial audits.

What packages include

  • Control library with current statuses and blockers
  • Accepted evidence mapped to each control
  • Approved policy documents with approval history
  • Risk register with treatment plans and acceptance records
  • Vendor register with review dates and DPA status
  • Access review completion records
  • Audit log export for the observation period
  • Exception records for controls that are not yet ready

Export requirements

Audit packages contain sensitive compliance data. Nuxari enforces access controls on package exports:

  • Role required. Only Client Owners and Client Security Admins can generate and export audit packages.
  • MFA required. An active MFA-verified session is required to initiate a package export.
  • PIM required for sensitive packages. If your organization has configured PIM for Client Owner or Client Security Admin, the role must be activated before exporting packages that include access review details or the full audit log.
  • Export is audited. Every package export generates an audit event recording who exported, when, and which package type.

If your export is blocked, confirm you have an active MFA session and that your PIM role is activated (if applicable). See the compliance troubleshooting guide for resolution steps.

Sharing with external auditors

Audit packages are exported as structured files. Share the exported package directly with your auditor through a secure channel agreed with your audit firm. Do not share package files through public file sharing services or unencrypted email.

If your auditor needs direct access to Nuxari during the audit, consider assigning them the Client Compliance Auditor role, which provides read-only access to all compliance data without allowing any modifications.
