Audit Packet Checklist (48-hour evidence readiness) — Equifax (post-2017 oversight)

If examined (by a regulator, by an auditor, or in litigation), you should be able to produce the following within 48 hours.

A) Architecture + boundaries

  • Enterprise architecture diagrams covering internet-facing systems and sensitive data boundaries.
  • Asset inventory for consumer-data platforms with accountable owners.
  • Boundary-control standards and exception records tied to consent-order obligations.

B) Change control proof

  • Change-management evidence for vulnerability and patching controls in critical systems.
  • Approval trails for high-risk security changes and emergency remediation tickets.
  • Post-change validation artifacts showing control operation after deployment.

C) IAM least privilege proof

  • Privileged-access inventory for consumer-data systems and administrative tooling.
  • Access-certification records with remediation tickets and completion proof.
  • MFA and privileged-session-control evidence for high-risk access paths.

D) Logging + monitoring proof

  • Logging matrix for security telemetry, administrative actions, and data-access events.
  • Retention/control-policy evidence for logs used in compliance and investigations.
  • Detection and response ticket samples with timestamps, triage notes, and outcomes.

E) Risk management & governance

  • Risk-register items linked to FTC/CFPB/state obligations and remediation milestones.
  • Executive and board reporting packages tracking order/settlement commitments.
  • Independent assessments and closure evidence for identified control gaps.

F) Incident response readiness

  • Incident-response plans for data exposure scenarios and regulator notification workflows.
  • Evidence-preservation procedures and legal-hold coordination records.
  • Tabletop and post-incident review outputs with owner-assigned follow-up tasks.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM