Audit Packet Checklist (48-hour evidence readiness) — Drizly (FTC 2022)

If examined (regulator, auditor, litigation), you should be able to produce the following within 48 hours.

A) Architecture + boundaries

  • Cloud and application architecture diagrams covering customer-data processing paths.
  • Internet-facing API/service inventory with ownership and data classification.
  • Security baseline and exception governance for cloud boundary controls.

B) Change control proof

  • Change-management records for secret handling, IAM, and monitoring control updates.
  • Emergency change evidence from remediation windows with follow-up validation.
  • Approval records for high-impact fixes affecting customer-data exposure risk.

C) IAM least privilege proof

  • Privileged-access inventory for cloud accounts and production services.
  • Access-certification and stale-privilege cleanup evidence.
  • MFA and credential-rotation records for administrative identities.

D) Logging + monitoring proof

  • Telemetry source list (cloud audit logs, app logs, auth logs, data-access logs).
  • Retention configuration and policy evidence for investigative log continuity.
  • Alert definitions and incident-ticket samples for credential/privilege misuse.

E) Risk management & governance

  • Risk-register artifacts mapping FTC-order obligations to workstreams and owners.
  • Governance reporting for remediation milestones and residual-risk decisions.
  • Independent review artifacts and closure proof for identified gaps.

F) Incident response readiness

  • IR playbooks for cloud misconfiguration and unauthorized data access events.
  • Forensic preservation procedures and evidence-handling records.
  • Tabletop exercises and lessons-learned tracker for FTC-order readiness.
© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM