Key Points
- Audit readiness is an ongoing process requiring continuous monitoring and documentation for frameworks like HIPAA, SOC 2, and CMMC.
- Establish strong security baselines with RBAC, MFA, patching, antivirus, and encryption.
- Use a structured checklist to verify patching, backups, access controls, and logging.
- Automate evidence collection and reporting with NinjaOne RMM for faster compliance.
In highly regulated sectors, surprise audits are a common practice that helps prevent the compliance gaps a passive approach to regulatory adherence can create. Surprise audits can reveal documentation concerns, inconsistent policies, and security weaknesses. That's why managed services providers (MSPs) must build audit readiness into their routine operations and treat it as more than an annual checklist, especially when supporting frameworks like HIPAA, SOC 2, and CMMC compliance for MSPs.
Through a proactive compliance operations plan, MSPs can help clients meet their CMMC requirements, protect controlled unclassified information (CUI), and maintain continuous audit readiness. This is, needless to say, extremely important for MSPs supporting defense contractors, where CMMC requirements for managed service providers and NIST 800-171 controls play a critical role.
By implementing structured compliance monitoring and automated controls, enterprise leaders can deliver scalable CMMC compliance tools for MSPs and improve visibility across multi-tenant environments. In this article, we guide you through the tasks of preparing clients for a surprise compliance audit to ensure readiness for your managed CMMC compliance services.
Prefer video? Watch “How to Prepare Clients for a Surprise Compliance Audit (HIPAA, CMMC, SOC 2)” for more information.
Short on time? Here’s how MSPs can stay CMMC audit-ready
Preparing for audits like CMMC, HIPAA, and SOC 2 requires more than manual processes. MSPs need tools that can automate compliance checks and provide continuous visibility across all client environments.
With the right RMM for CMMC, MSPs can centralize compliance monitoring and maintain audit readiness at scale. Enterprise-ready solutions like NinjaOne combine endpoint management, automation, and reporting into a single platform, helping MSPs deliver consistent, CMMC-compliant RMM capabilities while reducing operational overhead.
Stay audit-ready year-round with NinjaOne’s automated monitoring and reporting.
CMMC audit checklist for MSPs
Use this checklist to quickly verify audit readiness across HIPAA, SOC 2, and CMMC environments.
| Task | Purpose |
|---|---|
| Task 1: Inventory devices by compliance scope | To classify endpoints by HIPAA, CMMC, or SOC 2 for targeted checks |
| Task 2: Validate patch, AV, and encryption status | To confirm systems are patched, protected, and encrypted |
| Task 3: Enforce policy baselines | To apply consistent security policies across all devices |
| Task 4: Validate logs, retention, and monitoring policies | To ensure the generation, retention, and audit of logs |
| Task 5: Verify access control and user tracking | To track accounts, privileges, and remote access |
| Task 6: Document backup and recovery proof | To show evidence of successful backups for audit |
Prerequisites for surprise compliance audit readiness
Before proceeding with preparing clients for a surprise compliance audit, MSPs should ensure the following:
- Implementation of role-based access control based on least privilege, including enforced MFA.
- Standardized patch management, antivirus/EDR, and backup solutions.
- Proper configuration of Microsoft 365 or hybrid Active Directory environments.
- Maintained scripting capabilities (registry, CMD, and PowerShell).
- Deployment of a reliable RMM tool (such as NinjaOne) that is capable of pushing scripts, enforcing policies, and gathering compliance artifacts.
Task 1: Inventory devices by compliance scope
📌 Use Case:
Tagging devices allows MSPs to filter devices in RMM tools (like NinjaOne) to quickly identify which systems fall under the HIPAA, CMMC, or SOC 2 scope. This is especially important in maintaining CMMC compliance for MSPs, where clearly defining in-scope systems is required to protect CUI.
In addition, proper device tagging supports multi-tenant compliance management and helps enterprises deliver scalable MSP client compliance solutions across environments with different regulatory requirements.
To create compliance tags in the registry:
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following commands, setting each value to True or False according to whether the endpoint is in scope for that framework (HIPAA, CMMC, SOC 2):
New-Item -Path "HKLM:\SOFTWARE\Org\ComplianceTags" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\ComplianceTags" -Name "HIPAA" -Value "True"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\ComplianceTags" -Name "CMMC" -Value "True"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\ComplianceTags" -Name "SOC2" -Value "True"
To manually verify tags:
- Open Command Prompt as administrator. Press the Windows key + X, then select Command Prompt (Admin) or Windows Terminal (Admin). If using Windows Terminal, ensure you’re in a Command Prompt tab, not PowerShell.
- Run the following commands:
reg query HKLM\SOFTWARE\Org\ComplianceTags
- Alternatively, open the Registry Editor. Press the Windows key + R. Type regedit and press Enter.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Org\ComplianceTags
- Verify that the expected compliance tag values (e.g., keys or string entries used by your organization) are present and match the configured policies. If they are missing or incorrect, the system may not be recognized as compliant during an audit.
Task 2: Validate patch, AV, and encryption status
📌 Use Case:
This task verifies that systems are patched, antivirus is active, and encryption is enforced.
These checks align with CMMC requirements for MSPs and NIST 800-171 controls, ensuring endpoints are properly secured and compliant during audits.
Steps
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Verify patch status for Windows Updates by running the following commands:
- To see the last 5 installed updates:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
- To check for missing updates, generate the Windows Update log for review (Get-WindowsUpdateLog merges the ETW trace files into WindowsUpdate.log on the desktop, where failed or pending installs can be seen; it does not itself list missing updates):
Get-WindowsUpdateLog
- Or, if the PSWindowsUpdate module is installed, list the updates that are available but not yet installed:
Get-WindowsUpdate -MicrosoftUpdate -AcceptAll
- To verify patch status for third-party software:
Since Windows doesn’t provide a built-in command for these, you can use centralized patch management tools like NinjaOne. You can also check vendor update logs to confirm the latest versions are installed. Many audit teams expect both OS and third-party patches to be documented.
- To verify AV/Defender status:
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
- To verify encryption (BitLocker):
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus
- The results can be exported to CSV and attached to audit prep tickets if needed.
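As an added example (not part of the original article or NinjaOne's own scripts), the following PowerShell gathers the Task 1 tags and the Task 2 patch, Defender and BitLocker checks into one evidence record and appends it to a CSV, which is the artifact an auditor or an RMM custom-field script would consume. It assumes the HKLM:\SOFTWARE\Org\ComplianceTags key from Task 1 exists; the output path and the 30-day patch threshold are illustrative choices.

```powershell
function Get-EndpointAuditEvidence {
    param(
        [string]$OutputCsv = "$env:ProgramData\Org\AuditEvidence.csv",  # illustrative path
        [int]$MaxPatchAgeDays = 30                                        # illustrative threshold
    )
    # Task 1: read the compliance tags; a missing key means the device was never scoped.
    $tagPath = 'HKLM:\SOFTWARE\Org\ComplianceTags'
    $tags = if (Test-Path $tagPath) { Get-ItemProperty -Path $tagPath } else { $null }
    $scope = @('HIPAA', 'CMMC', 'SOC2') | Where-Object { $tags -and $tags.$_ -eq 'True' }

    # Task 2: newest OS hotfix and its age; Get-HotFix leaves InstalledOn empty for some entries.
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAgeDays = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }

    # Defender state; the cmdlet throws when a third-party AV has replaced Defender,
    # in which case the RMM's own AV integration has to supply the evidence instead.
    $av = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }

    # BitLocker: every volume should report ProtectionStatus 'On', not merely have a key protector.
    $volumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
    $unprotected = @($volumes | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object { $_.MountPoint })

    $record = [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        CollectedUtc        = (Get-Date).ToUniversalTime().ToString('u')
        ComplianceScope     = ($scope -join ';')
        LastHotFix          = if ($lastFix) { $lastFix.HotFixID } else { $null }
        PatchAgeDays        = $patchAgeDays
        PatchCurrent        = ($null -ne $patchAgeDays -and $patchAgeDays -le $MaxPatchAgeDays)
        AntivirusEnabled    = [bool]($av -and $av.AntivirusEnabled -and $av.RealTimeProtectionEnabled)
        UnencryptedVolumes  = ($unprotected -join ';')
        EncryptionCompliant = ($volumes.Count -gt 0 -and $unprotected.Count -eq 0)
    }
    # Always write the record, even when checks fail: the gap itself is audit evidence.
    New-Item -ItemType Directory -Path (Split-Path $OutputCsv) -Force | Out-Null
    $record | Export-Csv -Path $OutputCsv -NoTypeInformation -Append
    $record
}

Get-EndpointAuditEvidence
```

Run it as administrator; the CSV row it appends is the per-endpoint evidence that can be attached to the audit prep ticket mentioned above.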
Task 3: Enforce policy baselines
📌 Use Case:
This task ensures consistent security policies are enforced across all systems, making audits easier to pass. GPOs or scripts can be used to drive compliance configurations, including account lockout policy, password length and complexity, auditing of object access and logon events, disabling guest accounts, and enabling security event log retention.
Log validation is a critical component of CMMC compliance for defense contractors, as auditors require proof of continuous monitoring, event tracking, and log retention.
For domain-joined systems (via Group Policy):
- Open the Group Policy Management Console (GPMC).
- Edit or create a GPO.
- Navigate to:
- Computer Configuration > Windows Settings > Security Settings > Account Policies
- Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
- Configure password policies, account lockouts, screensaver (idle timeout enforcement) and auditing.
For standalone/non-domain systems (via Local Policy or scripts):
- Press Windows key + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
- Configure the same policies locally under Security Settings.
- If Group Policy is not available (e.g., Windows Home editions), apply registry-based scripts to enforce the same baselines.
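For standalone or Home-edition systems where GPMC is unavailable, the effective local policy can still be verified from a script. The following is an added example (not from the original article): it exports the local security policy with secedit and compares the account-policy values to a baseline. The baseline numbers are illustrative; substitute the values your client's policy or framework mapping requires.

```powershell
function Test-LocalAccountBaseline {
    param(
        # Illustrative baseline; adjust to the client's documented policy.
        [hashtable]$Baseline = @{
            MinimumPasswordLength = 14
            PasswordComplexity    = 1    # 1 = complexity required
            LockoutBadCount       = 5    # failed attempts before lockout (0 = no lockout)
            MaximumPasswordAge    = 90   # days; -1 in the export means "never expires"
        }
    )
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the [System Access] section as "Key = Value" lines, independent of locale.
    secedit /export /cfg $inf /quiet | Out-Null
    $actualValues = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $actualValues[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($key in $Baseline.Keys) {
        $actual = $actualValues[$key]
        # Direction matters: lockout count and max age must be at or below the baseline
        # (and non-zero), everything else at or above it.
        $ok = switch ($key) {
            'LockoutBadCount'    { $null -ne $actual -and $actual -ge 1 -and $actual -le $Baseline[$key] }
            'MaximumPasswordAge' { $null -ne $actual -and $actual -gt 0 -and $actual -le $Baseline[$key] }
            default              { $null -ne $actual -and $actual -ge $Baseline[$key] }
        }
        [pscustomobject]@{ Setting = $key; Expected = $Baseline[$key]; Actual = $actual; Compliant = $ok }
    }
}

Test-LocalAccountBaseline | Format-Table -AutoSize
```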
Task 4: Validate logs, retention, and monitoring policies
📌 Use Case:
This task can help you check if event logs are being generated, retained, and not overwritten. These checks support CMMC requirements for managed service providers, particularly around access control, identity management, and least-privilege enforcement.
To check security log status:
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following command:
Get-WinEvent -LogName Security -MaxEvents 5 | Format-List
This command queries the Windows Security event log for the 5 most recent events and sends the output to the console (screen) in a list view. The number "5" is just for reference and can be changed based on the number of events you want to see.
Running this command confirms that new events are actively being generated and recorded in the Security log. During an audit, this helps prove that log collection is functioning correctly and that logs aren’t missing or overwritten.
To check the log retention policy:
- Open Command Prompt as administrator. Press the Windows key + X, then select Command Prompt (Admin).
- Run the following command:
wevtutil gl Security | findstr "retention"
This command will show the retention status of the Windows Security Event Log:
- retention: false means the log is circular: when it is full, the oldest events are overwritten by the newest.
- retention: true means the log is not overwritten when full. If autoBackup (also shown by wevtutil gl) is true, the log is archived automatically and then cleared; if autoBackup is false, new events are dropped until the log is cleared manually.
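As an added example (not from the original article), the following PowerShell checks the Security log the way an automated pre-audit script would: it reads the same settings wevtutil gl prints, flags a circular log that is too small or a Retain-mode log that has filled up, and confirms events are still being written. The 192 MB minimum and the 24-hour freshness window are illustrative thresholds.

```powershell
function Test-SecurityLogRetention {
    param(
        [string]$LogName = 'Security',
        [int]$MinSizeMB = 192,          # illustrative minimum log size
        [int]$MaxEventAgeHours = 24     # illustrative freshness window
    )
    # Get-WinEvent -ListLog exposes LogMode, MaximumSizeInBytes and IsLogFull (what wevtutil gl reports).
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    $ageHours = if ($newest) { ((Get-Date) - $newest.TimeCreated).TotalHours } else { $null }

    # LogMode maps to the wevtutil flags: Circular = retention false (oldest events overwritten);
    # Retain = retention true, autoBackup false (new events dropped when full);
    # AutoBackup = retention true, autoBackup true (archived, then cleared).
    $findings = @()
    if (-not $log.IsEnabled) { $findings += 'log is disabled' }
    if ($log.LogMode -eq 'Circular' -and $log.MaximumSizeInBytes -lt ($MinSizeMB * 1MB)) {
        $findings += "circular log smaller than $MinSizeMB MB, so old events are overwritten quickly"
    }
    if ($log.LogMode -eq 'Retain' -and $log.IsLogFull) {
        $findings += 'log is full in Retain mode, so new events are being dropped'
    }
    if ($null -eq $ageHours -or $ageHours -gt $MaxEventAgeHours) {
        $findings += "no event written in the last $MaxEventAgeHours hours; check the audit policy"
    }

    [pscustomobject]@{
        LogName        = $LogName
        LogMode        = $log.LogMode
        MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB)
        RecordCount    = $log.RecordCount
        NewestEventUtc = if ($newest) { $newest.TimeCreated.ToUniversalTime().ToString('u') } else { $null }
        Compliant      = ($findings.Count -eq 0)
        Findings       = ($findings -join '; ')
    }
}

Test-SecurityLogRetention
```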
Task 5: Verify access control and user tracking
📌 Use Case:
This task can help MSPs document user accounts, privileged access, and RDP permissions. Demonstrating access reviews satisfies audit requirements for account governance.
Automated backup validation also supports compliance reporting for MSPs, providing verifiable evidence required during CMMC and SOC 2 audits.
To check local user accounts:
- Open Command Prompt as administrator. Press the Windows key + X, then select Command Prompt (Admin).
- Run the following command, replacing <username> with the account to review:
net user <username>
This command displays detailed information about the specified account, including:
- Username and full name
- Whether the account is active
- Password requirements (expiration, last set, change required)
- Group memberships
- Profile path and home directory
- Permitted logon hours
To list AD users with elevated rights:
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following command:
Get-ADGroupMember -Identity "Domain Admins"
This command retrieves all members of the Domain Admins group in Active Directory, which typically includes accounts with the highest level of privileges. Reviewing this list helps confirm that only authorized users have elevated rights.
- To list the accounts with RDP access on the local machine, run:
Get-LocalGroupMember -Group "Remote Desktop Users"
This command displays all the accounts that belong to the Remote Desktop Users group on the local machine. Anyone in this group can remotely log in to the system through Remote Desktop Protocol (RDP). Auditors often check this list to ensure that only approved users have remote access, since excessive or unmonitored RDP permissions can create compliance and security risks.
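As an added example (not from the original article), the following PowerShell turns the commands above into one access-review record: it lists local Administrators and Remote Desktop Users, optionally expands Domain Admins recursively (the ActiveDirectory module must be present), and marks each member against an approved roster. The $Approved entries are constructed placeholders; replace them with the client's documented list of authorised administrators.

```powershell
function Get-AccessReview {
    param(
        # Constructed placeholder roster; replace with the client's approved-admin list.
        [string[]]$Approved = @('CONTOSO\it-admin', 'CONTOSO\backup-svc'),
        [switch]$IncludeDomainAdmins
    )
    $rows = @(foreach ($group in 'Administrators', 'Remote Desktop Users') {
        foreach ($m in @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)) {
            # Only local user accounts expose an Enabled flag; domain principals show $null here.
            $enabled = if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
                (Get-LocalUser -SID $m.SID).Enabled
            } else { $null }
            [pscustomobject]@{
                Scope = 'Local'; Group = $group; Member = $m.Name; Type = $m.ObjectClass
                Enabled = $enabled; Approved = ($Approved -contains $m.Name)
            }
        }
    })

    if ($IncludeDomainAdmins -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Import-Module ActiveDirectory
        $nb = (Get-ADDomain).NetBIOSName
        # -Recursive expands nested groups, the usual cause of "inaccurate user lists" at audit time.
        $rows += @(foreach ($m in @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)) {
            $name = "$nb\$($m.SamAccountName)"
            $enabled = if ($m.objectClass -eq 'user') { (Get-ADUser -Identity $m.distinguishedName).Enabled } else { $null }
            [pscustomobject]@{
                Scope = 'Domain'; Group = 'Domain Admins'; Member = $name; Type = $m.objectClass
                Enabled = $enabled; Approved = ($Approved -contains $name)
            }
        })
    }
    $rows
}

# Members that are not disabled and not on the approved roster are the findings to take to the review.
Get-AccessReview -IncludeDomainAdmins |
    Where-Object { $_.Enabled -ne $false -and -not $_.Approved } |
    Format-Table -AutoSize
```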
Task 6: Document backup and recovery proof
📌 Use Case:
This task records the last successful backup in the registry so that the RMM can scan for it automatically, providing auditors with verifiable evidence that backup and recovery practices are enforced and monitored.
To verify that a last successful backup timestamp entry is created or updated in the registry:
- Open PowerShell as an administrator. Press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following command:
New-Item -Path "HKLM:\SOFTWARE\Org\ComplianceBackup" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\ComplianceBackup" -Name "LastSuccessfulBackup" -Value (Get-Date).ToString("u")
These commands create the ComplianceBackup key under HKEY_LOCAL_MACHINE\SOFTWARE\Org if it does not already exist (Set-ItemProperty cannot write a value to a missing key), then create or update the LastSuccessfulBackup value with the current date and time in the universal sortable ("u") format. Note that Get-Date returns local time, so the "Z" suffix the format appends reflects the endpoint's local clock unless you call (Get-Date).ToUniversalTime() instead.
- Integrate with your RMM system:
- Most RMMs let you define custom fields or registry scan rules.
- Configure your RMM to read the value of HKLM:\SOFTWARE\Org\ComplianceBackup\LastSuccessfulBackup.
- This way, the RMM can automatically track when the last successful backup was run and generate compliance evidence reports.
To verify that the last successful backup timestamp was recorded in the registry:
- Open the Registry Editor. Press the Windows key + R. Type regedit and press Enter.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Org\ComplianceBackup
- Confirm that the LastSuccessfulBackup value shows the correct timestamp.
In addition to registry-based tracking, RMM platforms like NinjaOne can generate detailed backup reports automatically. By applying policies, you can also define backup retention periods to ensure compliance with regulations such as HIPAA, CMMC, or SOC 2.
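As an added example (not from the original article), the following PowerShell closes the loop on Task 6: Set-BackupEvidence is meant to be called from the backup job's post-run step and only stamps the registry when the job exit code is zero, and Test-BackupEvidence is the check an RMM custom-field script would run, parsing the stored "u" timestamp strictly and reporting missing, malformed, stale or current evidence. The 24-hour threshold is an illustrative choice.

```powershell
function Set-BackupEvidence {
    # Only a zero exit code stamps the registry, so the value means "last successful
    # backup" rather than "last attempt". Wire this to the backup job's post-run hook.
    param([Parameter(Mandatory)][int]$JobExitCode)
    if ($JobExitCode -ne 0) { return $false }
    $path = 'HKLM:\SOFTWARE\Org\ComplianceBackup'
    New-Item -Path $path -Force | Out-Null          # Set-ItemProperty needs the key to exist
    Set-ItemProperty -Path $path -Name 'LastSuccessfulBackup' -Value (Get-Date).ToString('u')
    return $true
}

function Test-BackupEvidence {
    param([int]$MaxAgeHours = 24)   # illustrative threshold
    $path = 'HKLM:\SOFTWARE\Org\ComplianceBackup'
    $raw = (Get-ItemProperty -Path $path -Name LastSuccessfulBackup -ErrorAction SilentlyContinue).LastSuccessfulBackup

    # "u" is yyyy-MM-dd HH:mm:ssZ; parse it strictly so a hand-edited or malformed value
    # is reported as bad evidence rather than silently accepted as a date.
    $stamp = $null
    if ($raw) {
        try { $stamp = [datetime]::ParseExact($raw, 'u', [cultureinfo]::InvariantCulture) } catch { $stamp = $null }
    }
    # Task 6 writes local time, so compare against local time as well.
    $age = if ($stamp) { ((Get-Date) - $stamp).TotalHours } else { $null }
    $status = 'Current'
    if (-not $raw)                  { $status = 'MissingEvidence' }
    elseif (-not $stamp)            { $status = 'MalformedTimestamp' }
    elseif ($age -gt $MaxAgeHours)  { $status = 'Stale' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RawValue     = $raw
        AgeHours     = if ($null -ne $age) { [math]::Round($age, 1) } else { $null }
        Status       = $status
    }
}

Test-BackupEvidence
```

An RMM custom field populated from the Status property gives a single value to alert on across tenants.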
⚠️ Troubleshooting/Things to look out for
| Risks | Potential Consequences | Remediation |
|---|---|---|
| Missing registry tags | Audit evidence of backup or compliance activity may not exist. | Check if scripts are deployed with the SYSTEM context. |
| Log retention disabled | Key security and compliance events may be missing, leading to failed audit checks. | Use GPO to enforce minimum log sizes and retention. |
| Inaccurate user lists | Auditors may find discrepancies in access control documentation. | Refresh AD sync or review nested group membership. |
| Encryption not enabled | Devices without BitLocker may be flagged as non-compliant, exposing sensitive data. | Check BitLocker policy application and TPM presence. |
Additional considerations for surprise compliance audit preparation
Beyond the common matters to check, we recommend implementing these best practices to ensure compliance with various regulations. These practices are especially important for MSPs delivering managed CMMC compliance services and supporting clients in regulated industries such as defense and government contracting.
- DLP policies: Go beyond simply enabling Data Loss Prevention (DLP) in Microsoft 365 or on endpoints. During an audit, you may be asked to show how sensitive data is prevented from leaving the environment and how data retention and archiving rules are enforced. Be ready to demonstrate that backup systems meet required retention periods (for HIPAA, CMMC, or SOC 2) and that archived data is accessible for review.
RMM solutions like NinjaOne can simplify this step by generating detailed reports on backup status, retention settings, and endpoint compliance, giving auditors clear evidence that your organization is protecting and retaining data properly.
- MFA audit: Ensure all administrator and end-user accounts use Multi-Factor Authentication (MFA), which is a key requirement for CMMC Level 2 MSP environments.
- Offboarding: Confirm deactivated accounts and asset return logs exist.
- Vendor risk tracking: Maintain an updated list of third-party services with access to data, an important requirement for MSPs handling CUI under CMMC compliance for MSPs.
- Incident response readiness: Be prepared to explain your process for handling a compromised endpoint, including isolation, reimaging, and reporting procedures.
- Vulnerability scan results: Keep recent vulnerability scan reports for each endpoint to demonstrate proactive risk management.
- Device inventory: Maintain a complete, accurate inventory of all devices accessing organizational data.
To learn more about what NinjaOne can do, check out our FAQ on our RMM solution.
NinjaOne services for compliance audit readiness
NinjaOne and its tools can help prepare clients for a surprise compliance audit. These capabilities make NinjaOne a strong choice for MSPs looking for an RMM for CMMC or a CMMC-compliant RMM that supports automated compliance controls and centralized visibility.
- Endpoint management: Tagging endpoints based on compliance scope (HIPAA, CMMC, SOC 2).
- Scripting: While NinjaOne provides built-in visibility into AV status, patching, and backups, scripting can be used to run regular checks for more specific compliance requirements, such as verifying encryption status, specific SaaS data, and others.
- Alerting: Alerting on gaps in compliance coverage or agent issues.
- Reporting: Generating pre-audit and QBR reports for internal and client-facing use.
Get audit-ready faster with RMM tools like NinjaOne.
→ Read "How to Run RMM-Based Compliance Audits Across macOS, Linux, and Windows"
Final thoughts on preparing for surprise compliance audits
Audit readiness involves a collective effort from MSPs and clients, guaranteeing that the managed IT environment complies with industry regulations. MSPs, in particular, can implement practices such as device tagging, regular validation scripts, policy enforcement, log retention, user tracking, and backup documentation to help their clients prepare for surprise compliance audits.
It’s also ideal to pair these practices with a robust IT solution like NinjaOne. As a comprehensive endpoint management tool, NinjaOne supports scalable audit readiness across tenants, ensuring clients are ready in case independent auditors or regulatory bodies do a surprise compliance check.
Related topics:
- HIPAA Compliance: Everything You Need to Know
- What is SOC Compliance? Basic Overview for Businesses
- What Is CMMC? Overview and Definition
- What is a Compliance Audit? Definition & Importance
Quick-Start Guide
NinjaOne offers several features to help prepare clients for compliance audits like HIPAA, CMMC, and SOC 2:
- Vulnerability Management
- The Vulnerability Importer allows organizations to:
- Import and track vulnerabilities from multiple security scanning tools
- Centralize vulnerability data in a single dashboard
- Prioritize and manage security risks across IT environments
- Security Integrations
- NinjaOne supports integrations with security tools like:
- CrowdStrike
- SentinelOne
- Bitdefender
- Vulnerability scanners (Qualys, Rapid7, Tenable)
- Compliance-Focused Features
- Patch Management: Automate OS and software patching to address known vulnerabilities
- Device Monitoring: Track device health, configurations, and compliance status
- Documentation Tools: Create checklists and knowledge bases for standardizing procedures
- Encryption Key Management: Monitor BitLocker and FileVault encryption
- Access Control and Authentication
- Multi-Factor Authentication (MFA)
- Single Sign-On (SSO) with SAML
- Identity Management via SCIM
- Granular user permissions and roles
- Reporting and Tracking
- Detailed device inventories
- Vulnerability tracking
- Compliance status monitoring