NSAuditor AI EE 0.9.3: SOC 2 Type II Audit Evidence Deepened with Manual Procedures and WORM Validation

Nsasoft has released NSAuditor AI Enterprise Edition 0.9.3, a focused EE-only patch that closes four evidence-sufficiency gaps in SOC 2 Type II audit support. The improvements target the transition from automated point-in-time scanning to sustained Type II engagements — where the quality and completeness of evidence shapes the outcome of the audit.

AT-C 320 Manual Procedures Now Embedded in Partial Controls

Four SOC 2 controls that the engine classifies as PARTIAL — CC6.3, CC8.1, A1.2, and PI1.5 — now carry a manualProcedure field in the compliance artifact. Each field specifies the sampling unit, recommended sample size, and the scope of the manual procedure required alongside automated evidence.

This directly addresses a common audit friction point: when a control is partially automated, auditors need to know exactly what the human side looks like to design their AT-C 320 testing. That guidance is now part of the artifact itself, not a separate discussion.

WORM Gate Prevents Mutable Artifact Writes

The SOC 2 artifact renderer now includes an opts.requireTypeIIWormClaim validation gate. When enabled, the renderer checks that Object Lock COMPLIANCE mode is active and that the retention period meets the assertion before writing any artifact to storage.

If the check fails, the write is blocked with an EWORM_RENDERER_CLAIM_INVALID error. Successful writes stamp result.wormClaim on the result object — a machine-readable immutability attestation that accompanies the artifact through the evidence chain.
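The gate described above, sketched as an added example; this is not NSAuditor AI source code. Only opts.requireTypeIIWormClaim, result.wormClaim and the error code come from the release notes. The function names, opts.requiredRetentionDays, the fields inside wormClaim and the use of an S3 GetObjectLockConfiguration response as input are assumptions.

```javascript
// Added example: hypothetical pre-write WORM gate, not NSAuditor AI source code.
// Assumes the lock state arrives as an S3 GetObjectLockConfiguration response.
const DAYS_PER_YEAR = 365; // assumption: count a retention year conservatively as 365 days

class WormClaimError extends Error {
  constructor(reason) {
    super(`WORM claim invalid: ${reason}`);
    this.code = 'EWORM_RENDERER_CLAIM_INVALID'; // error code named in the release notes
    this.reason = reason; // hypothetical field: which check failed
  }
}

function retentionDays(retention) {
  if (Number.isInteger(retention.Days) && retention.Days > 0) return retention.Days;
  if (Number.isInteger(retention.Years) && retention.Years > 0) return retention.Years * DAYS_PER_YEAR;
  return 0; // no default retention rule configured
}

// Throws unless the bucket enforces COMPLIANCE-mode retention of at least requiredDays.
function assertWormClaim(lockConfig, requiredDays) {
  if (!Number.isInteger(requiredDays) || requiredDays <= 0) throw new WormClaimError('no-required-retention');
  const cfg = (lockConfig && lockConfig.ObjectLockConfiguration) || {};
  const retention = (cfg.Rule && cfg.Rule.DefaultRetention) || {};
  if (cfg.ObjectLockEnabled !== 'Enabled') throw new WormClaimError('object-lock-disabled');
  // GOVERNANCE retention can be bypassed by suitably privileged principals, so only COMPLIANCE passes.
  if (retention.Mode !== 'COMPLIANCE') throw new WormClaimError('mode-not-compliance');
  const days = retentionDays(retention);
  if (days < requiredDays) throw new WormClaimError('retention-too-short');
  return { mode: retention.Mode, retentionDays: days, requiredDays, checkedAt: new Date().toISOString() };
}

// Hypothetical renderer: the gate runs before writeFn, so a failed claim never reaches storage.
function renderArtifact(artifact, lockConfig, opts, writeFn) {
  const result = { written: false };
  if (opts.requireTypeIIWormClaim) {
    result.wormClaim = assertWormClaim(lockConfig, opts.requiredRetentionDays);
  }
  writeFn(artifact);
  result.written = true;
  return result;
}

// Constructed sample configurations (not real bucket data).
const SAMPLE_COMPLIANCE = { ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled',
  Rule: { DefaultRetention: { Mode: 'COMPLIANCE', Years: 1 } } } };
const SAMPLE_GOVERNANCE = { ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled',
  Rule: { DefaultRetention: { Mode: 'GOVERNANCE', Days: 400 } } } };
```
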

Supplemental Evidence Stream Surfaced for Type II Sampling

The SLA Compliance Summary now includes an explicit disclosure identifying the operator-supplemental evidence required for AT-C 320 Pattern A/B sampling: CloudTrail logs, Azure Activity logs, GCP Audit logs, and change-management ticket records. Auditors see this disclosure directly in the compliance output rather than discovering the evidence gap during fieldwork.

Framework Label Corrected

The phrase “with 2022 points of focus” has been removed from the SOC 2 frameworkLabel, in both the engine metadata and the SOC 2 coverage documentation. The NSAuditor AI engine does not model Points of Focus granularity within AICPA TSC 2017.

Coverage Unchanged — Pure Evidence-Sufficiency Uplift

The 0.9.3 release is EE-only. Coverage matrices are unchanged: 10/4/33 SOC 2, 7/3/45 HIPAA, 24 plugins. CE 0.1.70 and agent-skill 0.1.37 are unaffected.

Install via npm:

npm install -g nsauditor-ai@0.1.70 @nsasoft/nsauditor-ai-ee@0.9.3

Documentation: nsauditor.com/ai/docs/soc2/ · nsauditor.com/ai/enterprise/