Audit Manager overview

Audit Manager is a compliance audit solution that helps you to simplify your compliance audit process on Google Cloud. Audit Manager lets you run audits against built-in frameworks and custom frameworks that you define using Compliance Manager or Assured Workloads frameworks (Preview).

Audit Manager has the following capabilities:

  • A shared responsibilities matrix that shows separation of duties and recommendations to manage your responsibilities.
  • Compliance documents for Google Cloud.
  • Automated compliance assessments to evaluate compliance controls on workloads to understand their state of compliance.
  • Evidence collection for compliance audits.
  • Gap identification to help remediate the generated violations.

Audit Manager can provide assessments for any Google Cloud project or folder.

Supported frameworks

Audit Manager can evaluate your resources against the cloud controls and controls for the following built-in frameworks:

If you purchase Security Command Center Premium or Enterprise subscriptions or enable Assured Workloads, the following:

Migrating from older frameworks

If you ran an audit before June 30, 2026, you used different frameworks. These frameworks are no longer available for running audits. The following table maps the older frameworks to the frameworks that you can deploy using Compliance Manager or Assured Workloads frameworks (Preview).

Older framework Equivalent Audit Manager framework Equivalent Compliance Manager framework (Preview) Equivalent Assured Workloads frameworks framework
NIST 800-53 Revision 4 NIST 800-53 Revision 5 NIST 800-53 Revision 5
Google-recommended AI controls [1] [1]
SOC2 2017 SOC2 2017 SOC2 2017 SOC2 2017
CIS Controls v8 CIS Critical Security Controls v8 CIS Critical Security Controls v8
PCI DSS 4.0 PCI DSS v4.0.1 PCI DSS v4.0.1
Cloud Controls Matrix 4.0 CSA Cloud Controls Matrix v4.0.11 CSA Cloud Controls Matrix v4.0.11
NIST CSF v1 NIST Cybersecurity Framework 1.1 NIST Cybersecurity Framework 1.1
CIS Google Cloud Foundation Benchmark 2.0 CIS GCP Foundations Benchmark v3.0 CIS GCP Foundations Benchmark v3.0
ISO 27001 2022 ISO 27001:2022 ISO 27001:2022

If you ran audits using the older frameworks, you can continue to view the audit reports on the View assessments page and in the Cloud Storage buckets where you stored the reports.

[1] Both Compliance Manager and Assured Workloads frameworks (Preview) include the Google Recommended AI Essentials - Gemini Enterprise Agent Platform built-in framework. You can use this framework instead of the older Google-recommended AI controls framework, though it uses different controls to evaluate your environment.

Custom frameworks

Before June 30, 2026, Audit Manager included a preview feature that let you create custom frameworks. If you created a custom framework using that preview feature, you can continue to run audits against the custom framework and view the reports that you created. However, you can't view or edit your custom framework.

If none of the built-in frameworks in Audit Manager apply to your environment, you can use the following options:

Controls and cloud controls

Audit Manager includes controls and cloud controls within its frameworks. Consider the following:

  • Controls are general objectives that let you assess asset protection, risk mitigation, and business regulatory objectives. Controls can be composed of technical and non-technical cloud controls.

  • Cloud controls are software-defined controls that check for particular configurations in your Google Cloud environment. Most cloud controls are technical. For example, a control is a regulatory requirement to audit your environment, and a cloud control is the specific mechanism to ensure that Cloud Audit Logs is enabled for various APIs.

  • Frameworks are collections of controls and cloud controls that help you meet a particular regulatory standard. For example, Audit Manager includes a framework for ISO 27001 2022. Cloud controls and controls that are technical include one or more rules that Audit Manager can check during an audit and collect evidence for.

How controls and cloud controls are audited

How Audit Manager audits a control or cloud control depends on whether Audit Manager can technically evaluate the control or cloud control. Consider the following:

  • Some controls or cloud controls require manual reviews because there are no API calls that Audit Manager can make to validate them. For example, a control might require you to review access systems that aren't in Google Cloud. If a control or cloud control requires a manual review, Audit Manager creates an observation that tells you that you must complete the review yourself. Technical evidence might be generated. The state of the control or cloud control is Optional: Manual Review Needed.

  • Some controls or cloud controls apply directly to a particular value in Google Cloud. For example, a cloud control can require that you turn on CMEK for Cloud Storage buckets. In this scenario, Audit Manager can make an API call to check a particular setting. The value that's returned is the evidence. Audit Manager can then evaluate whether the evidence meets or fails the expected rules. Audit Manager creates an observation that includes the evidence and the evaluation. The state of a control or cloud control can be any of the following:

    • If Audit Manager evaluates the evidence as meeting the rule, the state of the control or cloud control is Compliant.

    • If Audit Manager evaluates the evidence as failing the rule, the state of the control or cloud control is failed. For controls or cloud controls that include multiple rules, if any rule fails, the state is Violation.

    • If Audit Manager encounters any type of error during this process (for example, an API call timed out), the state of the control or cloud control is Skipped.
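
The evaluation flow described above can be modeled locally to see how evidence, rules, and states relate. The following is an added illustration, not Audit Manager code or its API: the two rule definitions, the `evaluate` function, and the sample evidence are assumptions constructed for this example, and the model treats any fetch error as Skipped for the whole control.

```python
# Added illustration: a local model of the evaluation flow, not Audit Manager code.
from enum import Enum

class State(Enum):
    COMPLIANT = "Compliant"
    VIOLATION = "Violation"
    SKIPPED = "Skipped"
    MANUAL_REVIEW = "Optional: Manual Review Needed"

def bucket_uses_cmek(evidence):
    # Assumed rule: Cloud Storage bucket metadata names a default CMEK key
    # under encryption.defaultKmsKeyName.
    return bool(evidence.get("encryption", {}).get("defaultKmsKeyName"))

def data_access_logs_enabled(evidence):
    # Assumed rule: the IAM policy's auditConfigs enable DATA_READ and
    # DATA_WRITE logs for Cloud Storage (or for allServices).
    wanted = {"DATA_READ", "DATA_WRITE"}
    for cfg in evidence.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", "storage.googleapis.com"):
            enabled = {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
            if wanted <= enabled:
                return True
    return False

def evaluate(rules, fetch):
    """rules: list of (evidence_key, check); fetch(key) stands in for the API call."""
    if not rules:                      # nothing an API call can validate
        return State.MANUAL_REVIEW, []
    observations = []
    for key, check in rules:
        try:
            evidence = fetch(key)
        except Exception as err:       # assumption: any error skips the control
            return State.SKIPPED, [(key, repr(err), None)]
        observations.append((key, evidence, check(evidence)))
    passed = all(ok for _, _, ok in observations)   # any failed rule -> Violation
    return (State.COMPLIANT if passed else State.VIOLATION), observations

# Constructed sample evidence (not real project data).
SAMPLE = {
    "bucket": {"name": "example-bucket", "encryption": {
        "defaultKmsKeyName": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}},
    "bucket_no_cmek": {"name": "example-plain"},
    "iam_policy": {"auditConfigs": [{"service": "storage.googleapis.com",
        "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]}]},
}

def timeout_fetch(key):
    raise TimeoutError("API call timed out")
```

Each observation tuple keeps the raw evidence next to the rule result, which mirrors how an observation pairs the evidence with its evaluation.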

Audit Manager workflow

The high-level workflow of Audit Manager involves setting up Audit Manager access and managing audits.

  1. To set up Audit Manager access, you must be an Audit Manager Admin (roles/auditmanager.admin) and enroll resources for audit.
  2. To manage audits, you can be an administrator or an auditor and do the following:
    1. Run audits.
    2. Get audit status.
    3. View detailed Audit Manager reports.
