Alternatively, you can download the required report and evidence directly from
the destination storage bucket. For the detailed instructions,
see Download an object from a bucket.
Audit summary report
An audit summary report is a comprehensive report that provides a high-level
overview of all compliance controls and a responsibilities matrix to help you
understand the system.
In the destination storage bucket, the audit summary report uses the following naming
convention:
CONTROL_PACKAGE_NAME: The name of the control package, such
as SOC2 2017.
TIMESTAMP: A timestamp when the report was generated.
UNIQUE_ID: A unique ID for the report.
For each applicable control type, the following fields are populated in the
audit summary report:
Control type
Description
Control Info
A description and requirement for the control.
Google Responsibility
Google Cloud responsibility and implementation details.
Customer Responsibility
Customer responsibility and implementation details.
Assessment Status
Status of compliance for the control. Status can be one of the
following types:
Non-Compliant: Compliance drift detected
Compliant: System is compliant
Manual Review Needed: Artifacts are produced but user input
is required to conclude on status of compliance
Skipped: Manual control, automation not present
Control Report Link
A link to the control overview report.
Control overview report
A control overview report contains a detailed description of the compliance
evaluation for a single control. It provides assessment details for each
compliance check with observations and expected values.
In the destination storage bucket, the control overview report uses the following
naming convention:
CONTROL_PACKAGE_NAME: The name of the control package, such as
CIS_CONTROLS_V8.
TIMESTAMP: A timestamp when the report was generated.
UNIQUE_ID: A unique ID for the report.
CONTROL_ID: The ID for the control.
A control overview report looks similar to the following example:
Control ID: COMPLIANT
Service name
# of resources
Status
Resource Evaluation Details
Resource ID
Measured Field
Current Value
Expected Value
Status
Evidence Resource URI
Evidence Timestamp
Evidence for Project/Folder
Evidence Link
Total services in scope for this control
Total resources in audit scope
Compliance status
Resource identifier
Configuration to be measured for audit
Observed values
Compliant values
Individual compliance status
Timestamp when evidence was collected
product1.googleapis.com
2
COMPLIANT
Resource 1
abc
10
>=10
COMPLIANT
Resource 1
12/05/2023 12:55:16
Project 1
Link 1
def
15
=15
COMPLIANT
Resource 4
12/05/2023 13:55:16
Project 1
Link 4
Resource 2
xyz
20
=20
COMPLIANT
Resource 2
12/05/2023 14:55:16
Project 1
Link 2
product2.googleapis.com
1
COMPLIANT
Resource 3
def
5
>=5
COMPLIANT
Resource 3
12/05/2023 15:55:16
Project 1
Link 3
Evidence
Evidence includes all the resources evaluated for each control, including a raw
dump of asset data along with the command that was run to produce the output.
In the destination storage bucket, evidence uses the following
naming convention:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eAudit Manager generates and stores three types of artifacts post-audit: an audit summary report, a control overview report, and evidence.\u003c/p\u003e\n"],["\u003cp\u003eTo access these reports, users need specific IAM roles, including either an Audit Manager Admin or Auditor role, and a Cloud Storage role such as Storage Admin, Storage Legacy Bucket Owner, or Storage Legacy Object Reader.\u003c/p\u003e\n"],["\u003cp\u003eThe audit summary report offers a high-level overview of compliance controls, including Google and customer responsibilities, assessment statuses, and links to control overview reports.\u003c/p\u003e\n"],["\u003cp\u003eThe control overview report details the compliance evaluation for a specific control, providing assessment details, observations, and expected values, and can be viewed based on control or status.\u003c/p\u003e\n"],["\u003cp\u003eEvidence includes evaluated resources and related data, providing a raw dump of asset information and the corresponding command outputs, all downloadable in JSON format.\u003c/p\u003e\n"]]],[],null,["# View an audit\n\nWhen an audit is completed, Audit Manager creates and stores\nthe following types of artifacts in the destination storage buckets for you to\nview:\n\n- [Audit summary report](#summary-report)\n- [Control overview report](#control-report)\n- [Evidence](#evidence-info)\n\nBefore you begin\n----------------\n\nEnsure that you have the following IAM roles:\n\n- One of the following Audit Manager roles for the resource:\n\n - [Audit Manager Admin](/iam/docs/understanding-roles#auditmanager.admin) (`roles/auditmanager.admin`)\n - [Audit Manager Auditor](/iam/docs/understanding-roles#auditmanager.auditor) (`roles/auditmanager.auditor`)\n- One of the following Cloud Storage roles for the storage bucket that\n contains Audit Manager reports:\n\n - [Storage Admin](/iam/docs/understanding-roles#storage.admin) (`roles/storage.admin`)\n - [Storage Legacy Bucket Owner](/iam/docs/understanding-roles#storage.legacyBucketOwner) (`roles/storage.legacyBucketOwner`)\n - [Storage Legacy Object Reader](/iam/docs/understanding-roles#storage.legacyBucketReader) (`roles/storage.legacyObjectReader`)\n\nView Audit Manager reports\n--------------------------\n\n1. In the Google Cloud console, go to the **Audit Manager** page.\n\n [Go to Audit Manager](https://console.cloud.google.com/compliance/auditmanager)\n2. In the **Compliance audits** section, click **View audits**.\n\n3. On the **View assessments** page, you can view the status of an\n in-progress audit or a completed audit.\n\n4. Depending on the type of audit information you want to view, follow the\n instructions in the corresponding tab.\n\n ### Audit summary report\n\n 1. To view the audit summary, click the link in the **Status** column.\n\n The **Basic information** page displays the information about\n compliance controls in scope and the status of the automated compliance:\n - Compliant: Shows the configurations that meet all the requirements.\n - Violations: Shows the misconfigurations that are detected against a given control.\n - Manual review needed: Shows the configurations that need user inputs to prove compliance and process control.\n - Skipped: Shows the configurations that Audit Manager skipped for a given control.\n 2. To see the details of a status, click **View**.\n 3. To export the audit summary report, click **Export** . The [audit summary report](#summary-report) is exported in the ODS format.\n\n ### Control overview report\n\n 1. To view the audit summary, click the link in the **Status** column.\n\n The **Basic information** page displays the information about\n compliance controls in scope and the status of the automated compliance.\n - Compliant: Shows the configurations that meet all the requirements.\n - Violations: Shows the misconfigurations that are detected against a given control.\n - Manual review needed: Shows the configurations that need user inputs to prove compliance and process control.\n - Skipped: Shows the configurations that Audit Manager skipped for a given control.\n 2. You can view the control overview report based on a control or status.\n - To view the control overview report based on a control, do the following:\n 1. Expand the required control.\n 2. To view the detailed compliance assessment against each rule, click the corresponding hyperlink. The controls page shows the responsibility, findings, and requirements.\n - To view the control report based on a status, do the following:\n 1. For the required status, click **View**.\n 2. From the list of controls, click the required hyperlink. The controls page shows the responsibility, findings, and requirements.\n 3. To export the control overview report, click **Export** . The [control overview report](#control-report) is exported in the ODS format.\n\n ### Evidence\n\n 1. To view the audit summary, click the link in the **Status** column.\n\n The **Basic information** page displays the information about\n compliance controls in scope and the status of the automated compliance.\n - Compliant: Shows the configurations that meet all the requirements.\n - Violations: Shows the misconfigurations that are detected against a given control.\n - Manual review needed: Shows the configurations that need user inputs to prove compliance and process control.\n - Skipped: Shows the configurations that Audit Manager skipped for a given control.\n 2. You can view the control overview report based on a control or status.\n - To view the control overview report based on a control, do the following:\n 1. Expand the required control.\n 2. To view the detailed compliance assessment against each rule, click the corresponding hyperlink. The controls page shows the responsibility, findings, and requirements.\n - To view the control report based on a status, do the following:\n 1. For the required status, click **View**.\n 2. From the list of controls, click the required hyperlink. The controls page shows the responsibility, findings, and requirements.\n 3. To view the evidence for a finding, click the corresponding hyperlink. The **Object details** page with the evidence details opens in a separate tab.\n 4. To download the evidence, click **download Download** . The [evidence](#evidence-info) is downloaded in the JSON format.\n\nAlternatively, you can download the required report and evidence directly from\nthe destination storage bucket. For the detailed instructions,\nsee [Download an object from a bucket](/storage/docs/downloading-objects#console-download-object).\n\n### Audit summary report\n\nAn audit summary report is a comprehensive report that provides a high-level\noverview of all compliance controls and a responsibilities matrix to help you\nunderstand the system.\n\nIn the destination storage bucket, the audit summary report uses the following naming\nconvention:\n\n`audit-reports/audit_`\u003cvar translate=\"no\"\u003eCONTROL_PACKAGE_NAME\u003c/var\u003e`_`\u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e`/`\u003cvar translate=\"no\"\u003eUNIQUE_ID\u003c/var\u003e`/overall_report.ods`\n\nThe placeholder values are described as follows:\n\n- \u003cvar translate=\"no\"\u003eCONTROL_PACKAGE_NAME\u003c/var\u003e: The name of the control package, such as `SOC2 2017`.\n- \u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e: A timestamp when the report was generated.\n- \u003cvar translate=\"no\"\u003eUNIQUE_ID\u003c/var\u003e: A unique ID for the report.\n\nFor each applicable control type, the following fields are populated in the\naudit summary report:\n\n### Control overview report\n\nA control overview report contains a detailed description of the compliance\nevaluation for a single control. It provides assessment details for each\ncompliance check with observations and expected values.\n\nIn the destination storage bucket, the control overview report uses the following\nnaming convention:\n\n`audit-reports/audit_`\u003cvar translate=\"no\"\u003eCONTROL_PACKAGE_NAME\u003c/var\u003e`_`\u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e`/`\u003cvar translate=\"no\"\u003eUNIQUE_ID\u003c/var\u003e`/`\u003cvar translate=\"no\"\u003eCONTROL_ID\u003c/var\u003e`.ods`\n\nThe placeholder values are described as follows:\n\n- \u003cvar translate=\"no\"\u003eCONTROL_PACKAGE_NAME\u003c/var\u003e: The name of the control package, such as `CIS_CONTROLS_V8`.\n- \u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e: A timestamp when the report was generated.\n- \u003cvar translate=\"no\"\u003eUNIQUE_ID\u003c/var\u003e: A unique ID for the report.\n- \u003cvar translate=\"no\"\u003eCONTROL_ID\u003c/var\u003e: The ID for the control.\n\nA control overview report looks similar to the following example:\n\n### Evidence\n\nEvidence includes all the resources evaluated for each control, including a raw\ndump of asset data along with the command that was run to produce the output.\n\nIn the destination storage bucket, evidence uses the following\nnaming convention:\n\n`audit-reports/audit_`\u003cvar translate=\"no\"\u003eCONTROL_PACKAGE_NAME\u003c/var\u003e`_`\u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e`/`\u003cvar translate=\"no\"\u003eUNIQUE_ID\u003c/var\u003e`/evidences/evidence`\u003cvar translate=\"no\"\u003eEVIDENCE_ID\u003c/var\u003e`.json`\n\nThe placeholder values are described as follows:\n\n- \u003cvar translate=\"no\"\u003eCONTROL_PACKAGE_NAME\u003c/var\u003e: The name of the control package, such as `CIS_CONTROLS_V8`.\n- \u003cvar translate=\"no\"\u003eTIMESTAMP\u003c/var\u003e: A timestamp when the report was generated.\n- \u003cvar translate=\"no\"\u003eUNIQUE_ID\u003c/var\u003e: A unique ID for the report.\n- \u003cvar translate=\"no\"\u003eEVIDENCE_ID\u003c/var\u003e: A unique ID for the evidence."]]
