Compliance reporting is a task no IT manager wants to do by hand: collecting logs from many systems, Excel formulas, manual aggregation and a multi-page document at month end. The problem is that such a process easily produces incomplete or inconsistent documentation - and then the auditor asks extra questions. In this article I show how to automate compliance reporting, build evidence collection on the fly, use compliance dashboards and prepare a PDF export ready for the auditor. Result: instead of hours of manual work, a repeatable scheduled process that only needs oversight.
What compliance reporting is and why it matters
Compliance reporting is the documentation of evidence that your organization meets regulations (NIS2, GDPR, ISO 27001, SOC 2). The auditor arrives and asks: "Show me proof that you controlled access to sensitive data". The answer cannot be "we believe so" - it has to be "here are the audit logs showing every access and change".
Elements of compliance reporting:
- Audit trail: Immutable log (cannot be altered or deleted) of every action - who logged in, what they changed, when, from which IP
- Evidence collection: Automatic gathering of evidence (screenshots, exports, metrics) into an audit folder
- Compliance dashboard: Real-time view on whether you are compliant - SLA breach %, incident resolution time, patch lag
- Formal report: PDF ready to send to the auditor - statistics summary, evidence, policy review
Audit trail - immutable log of every action in the system
The audit trail is the heart of compliance reporting: every access, change and deletion must be logged. Each record should contain:
- Timestamp: Exact time (UTC, NTP-synchronized)
- User: Who performed the action (login, employee ID)
- Action: What exactly was done (create ticket, change status, assign to user, add attachment)
- Object: What it concerns (ticket ID, database record)
- Old value / New value: What changed (status: open -> closed, priority: low -> high)
- Source IP: From which IP/machine (auditor wants to know whether from the corporate network or remote)
- Result: Whether the action succeeded (success/failure - if someone tried to make an unauthorized change, it should be failure)
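The format above lists what a record contains but not how "immutable" is enforced and checked (the daily integrity check from the dashboard section further down). The following is an added example, not code from the article or from ManageEngine: each record carries the listed fields plus a SHA-256 hash that also covers the previous record's hash, so an edit or a deletion in the middle of the log breaks every hash after it. The sample events, user names and IP addresses are constructed for illustration.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

# The record fields from the audit-trail format above.
FIELDS = ("timestamp", "user", "action", "object",
          "old_value", "new_value", "source_ip", "result")

def canonical(record: dict) -> bytes:
    """Serialize only the audit fields, deterministically, so equal records hash equally."""
    return json.dumps({k: record[k] for k in FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()

def append_entry(chain: List[dict], entry: dict) -> dict:
    """Append a record whose hash covers its own fields plus the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64   # genesis value for an empty log
    record = {k: entry[k] for k in FIELDS}
    record["prev_hash"] = prev_hash
    record["hash"] = hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()
    chain.append(record)
    return record

def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Daily integrity check: recompute every hash. Returns (ok, index of the first bad record)."""
    prev_hash = "0" * 64
    for i, record in enumerate(chain):
        expected = hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()
        if record["prev_hash"] != prev_hash or record["hash"] != expected:
            return False, i
        prev_hash = record["hash"]
    return True, None

def verify_with_anchor(chain: List[dict], anchored_head: str) -> bool:
    """Cutting records off the END of the log still passes a pure chain check, so the
    newest hash ("head") must also be compared with a copy stored outside the system."""
    ok, _ = verify_chain(chain)
    return ok and bool(chain) and chain[-1]["hash"] == anchored_head

# Constructed sample events (not real SDP data); UTC timestamps as the format requires.
SAMPLE_EVENTS = [
    {"timestamp": "2025-03-01T08:02:11Z", "user": "jkowalski", "action": "create ticket",
     "object": "INC-1042", "old_value": None, "new_value": "open",
     "source_ip": "10.0.4.17", "result": "success"},
    {"timestamp": "2025-03-01T08:15:40Z", "user": "anowak", "action": "change priority",
     "object": "INC-1042", "old_value": "low", "new_value": "high",
     "source_ip": "10.0.4.23", "result": "success"},
    {"timestamp": "2025-03-01T09:00:05Z", "user": "guest", "action": "change status",
     "object": "INC-1042", "old_value": "open", "new_value": "closed",
     "source_ip": "203.0.113.9", "result": "failure"},   # unauthorized attempt, recorded as failure
]

def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain

def demo_tampering() -> dict:
    """Show which manipulations the chain check catches, and where the head anchor is needed."""
    chain = build_sample_chain()
    anchored_head = chain[-1]["hash"]        # would be written to an offsite store each day
    edited = copy.deepcopy(chain)
    edited[1]["new_value"] = "low"           # priority change quietly reverted in place
    deleted_middle = chain[:1] + chain[2:]   # a record removed from the middle
    truncated = chain[:2]                    # the failed attempt at the end silently dropped
    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "deleted_middle": verify_chain(deleted_middle),
        "truncated_chain_only": verify_chain(truncated),
        "truncated_with_anchor": verify_with_anchor(truncated, anchored_head),
    }

if __name__ == "__main__":
    for name, outcome in demo_tampering().items():
        print(f"{name}: {outcome}")
```

The point of the last two results is the caveat a practitioner wants: a hash chain detects edits and deletions inside the log, but not removal of the newest records, so the daily check must also compare the head hash with a copy held somewhere the system's own administrators cannot overwrite.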
Evidence collection - automated gathering of evidence
Instead of manually exporting reports every month, the system should continuously collect evidence in a dedicated evidence folder/database:
- Monthly compliance snapshot: On the last day of the month, the system generates: number of incidents, average resolution time, SLA compliance %, change requests reviewed/approved, patches deployed last month.
- Critical event logging: Continuously: every access to PII data, every security incident, every change in access control, every failed login attempt (3+ failed = account lock).
- Policy evidence: Documents (Change Control Policy, Incident Response Plan, Security Policy) with the date of the last review and approved-by signature.
- Training records: Security training completion (who finished, when, what score), phishing simulation results, incident response drill results.
Compliance dashboards - real-time view on metrics
A compliance dashboard shows on one screen whether the organization is compliant or not. Sample widgets:
- Incident Resolution SLA: Share of incidents resolved on time (target 95%). Red if < 80%, yellow if < 90%, green if > 95%
- Change Control: Share of changes reviewed/approved (target 100%). Unauthorized changes = red alert
- Patch management: Share of systems patched within RTO (CVSS 9+ in 24h, CVSS 7-9 in 7 days). Red if lag > RTO
- Access control: Number of accounts with excessive privileges (admin where not needed). Should be 0
- Audit trail integrity: Whether audit logs are complete and unmodified (daily integrity check). Green = pass, red = fail
- Security incidents: Number and status of incidents (open, in-investigation, resolved). Resolved % vs. SLA
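The monthly snapshot and the dashboard widgets above are the same calculations run on different schedules. The following is an added example (not article or ManageEngine code) that computes three of them from constructed sample records: SLA compliance with the red/yellow/green thresholds given in the widget list, change approval rate with the "any unauthorized change = red" rule, and patch lag against the stated windows (CVSS 9+ in 24 h, CVSS 7-9 in 7 days). Two assumptions are labelled in the code: the 90-95 % band, which the widget list leaves undefined, is treated as yellow, and patches below CVSS 7 are not counted because the page defines no window for them.

```python
from datetime import datetime, timedelta
from typing import List, Optional

def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

# Constructed sample records for March 2025 (not an SDP export).
INCIDENTS = [
    {"id": "INC-1", "opened": "2025-03-02T09:00", "resolved": "2025-03-02T11:30", "sla_hours": 4},
    {"id": "INC-2", "opened": "2025-03-05T14:00", "resolved": "2025-03-06T16:00", "sla_hours": 24},
    {"id": "INC-3", "opened": "2025-03-10T10:00", "resolved": "2025-03-10T12:00", "sla_hours": 8},
    {"id": "INC-4", "opened": "2025-03-20T08:00", "resolved": "2025-03-20T09:00", "sla_hours": 4},
    {"id": "INC-5", "opened": "2025-03-28T09:00", "resolved": None, "sla_hours": 24},
]
CHANGES = [
    {"id": "CHG-1", "approved_by": "cab"},
    {"id": "CHG-2", "approved_by": "cab"},
    {"id": "CHG-3", "approved_by": None},   # deployed without approval
]
PATCHES = [
    {"host": "web-01", "cvss": 9.8, "available": "2025-03-03T10:00", "deployed": "2025-03-03T20:00"},
    {"host": "db-01", "cvss": 9.1, "available": "2025-03-03T10:00", "deployed": "2025-03-05T09:00"},
    {"host": "app-02", "cvss": 7.5, "available": "2025-03-10T00:00", "deployed": "2025-03-14T00:00"},
    {"host": "mail-01", "cvss": 7.2, "available": "2025-03-15T00:00", "deployed": None},
    {"host": "fs-01", "cvss": 5.3, "available": "2025-03-15T00:00", "deployed": None},
    {"host": "vpn-01", "cvss": 9.5, "available": "2025-03-31T12:00", "deployed": None},
]
AS_OF = parse("2025-03-31T23:59")   # last day of the month, when the snapshot is generated

def rag(pct: float) -> str:
    """Traffic light from the widget list: red < 80 %, yellow < 90 %, green >= 95 %.
    The 90-95 % band is not defined on the page; treated as yellow here (assumption)."""
    if pct < 80:
        return "red"
    if pct < 95:
        return "yellow"
    return "green"

def sla_compliance(incidents: List[dict]) -> dict:
    """Share of RESOLVED incidents closed within their SLA, plus average resolution time."""
    resolved = [i for i in incidents if i["resolved"]]
    durations = [parse(i["resolved"]) - parse(i["opened"]) for i in resolved]
    on_time = sum(1 for i, d in zip(resolved, durations) if d <= timedelta(hours=i["sla_hours"]))
    pct = 100.0 * on_time / len(resolved) if resolved else 0.0
    avg_hours = (sum(d.total_seconds() for d in durations) / 3600 / len(durations)) if durations else 0.0
    return {"incident_count": len(incidents), "resolved": len(resolved),
            "sla_pct": round(pct, 1), "sla_status": rag(pct), "avg_resolution_hours": avg_hours}

def change_control(changes: List[dict]) -> dict:
    """Approval rate; a single unapproved change turns the widget red."""
    unauthorized = [c["id"] for c in changes if not c["approved_by"]]
    pct = 100.0 * (len(changes) - len(unauthorized)) / len(changes) if changes else 100.0
    return {"approval_pct": round(pct, 1), "unauthorized": unauthorized,
            "status": "red" if unauthorized else "green"}

def patch_window(cvss: float) -> Optional[timedelta]:
    if cvss >= 9.0:
        return timedelta(hours=24)
    if cvss >= 7.0:
        return timedelta(days=7)
    return None   # no window stated for CVSS < 7; such patches are not counted (assumption)

def patch_management(patches: List[dict], as_of: datetime) -> dict:
    """Share of patches deployed inside their window; undeployed patches count once overdue."""
    counted = ok = 0
    overdue = []
    for p in patches:
        window = patch_window(p["cvss"])
        if window is None:
            continue
        deadline = parse(p["available"]) + window
        if p["deployed"] is None and as_of <= deadline:
            continue   # still inside its window, not yet a lag
        counted += 1
        if p["deployed"] is not None and parse(p["deployed"]) <= deadline:
            ok += 1
        else:
            overdue.append(p["host"])
    pct = 100.0 * ok / counted if counted else 100.0
    return {"within_rto_pct": round(pct, 1), "overdue": overdue, "status": "red" if overdue else "green"}

def monthly_snapshot(incidents, changes, patches, as_of: datetime) -> dict:
    return {"period": as_of.strftime("%Y-%m"), "incidents": sla_compliance(incidents),
            "changes": change_control(changes), "patches": patch_management(patches, as_of)}

def demo() -> dict:
    return monthly_snapshot(INCIDENTS, CHANGES, PATCHES, AS_OF)

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Note how the open incident INC-5 is excluded from the SLA percentage rather than counted as a breach, while an undeployed patch whose window has passed (mail-01) is counted as lag; a snapshot that silently did either the other way would give the auditor a number that cannot be reproduced from the logs.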
Table - what requires compliance reporting (NIS2, GDPR, ISO 27001)
| Regulation | Compliance reporting requirement | Retention period | What the auditor checks |
|---|---|---|---|
| NIS2 (in PL transposed in 2026) | Incident response, patch management, access control, audit trail | min. 3 years (audit logs) | Whether you have policies, an incident response plan, and whether logs show incident handling |
| GDPR (Art. 5, 32, 33) | Data access audit trail, breach notification, DSAR evidence, privacy by design | 7 years (compliance archive) | Audit trail of access to PII, evidence of Data Protection Impact Assessment, breach logs |
| ISO 27001 | Control testing, vulnerability scans, change management, training records | Annual (3-year archive) | Evidence for every control: test results, scan reports, approval records |
| SOC 2 (for SaaS) | Weekly control testing, access logs, incident logs, change logs | Permanent (audit trail forever) | Audit trail of all access, all changes, all incidents; integrity checksums |
ManageEngine SDP - built-in compliance features
ManageEngine ServiceDesk Plus has native support for compliance reporting:
- Immutable Audit Trail: Every action in SDP is logged - create ticket, assign, comment, close. Cannot be deleted or modified (even an admin cannot)
- Custom Reports: Query builder - create a report "all incidents closed in the last 30 days with SLA status". Export to PDF, schedule a monthly automated email
- Compliance Dashboard: Widgets showing SLA compliance %, incident resolution time vs. target, change approval rate, patch lag vs. RTO
- Change Control Workflow: Every change requires approval (defined by role), the audit log shows who approved and when
- Archival policy: Tickets older than one year are archived automatically (retention configurable to 3 or 7 years); archives are stored encrypted and read-only
Step by step - how to roll out compliance reporting
- Step 1: Define compliance requirements (2 days). Analyze which regulations apply to you (NIS2? GDPR? ISO 27001?). For each, define compliance metrics (SLA %, patch lag, incident resolution time).
- Step 2: Configure audit trail (1 day). ManageEngine SDP: Admin > Audit Trail > Enable immutable logging for: tickets, changes, access logs. Verify log destination (local database + offsite backup).
- Step 3: Build a compliance dashboard (2 days). SDP: Dashboard > Create custom widgets for compliance metrics. Add to the CEO/CISO dashboard. Schedule daily refresh (the system automatically updates values).
- Step 4: Create the monthly compliance report (1 day). SDP: Reports > Create template "Monthly Compliance Report". Include: incident count, SLA %, changes reviewed, patches deployed, security incidents. Schedule monthly export to PDF + email to CISO.
- Step 5: Archive evidence (1 day). Set up policy: scheduled PDF reports + a full export of audit logs to encrypted cloud storage (for example, AWS S3 Glacier). Retention should align with the applicable regulations. Test restore regularly.
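Step 5 ends with "test restore regularly", which only means something if the restored files can be compared against what was archived. The following is an added example, not code from the article or from ManageEngine, of the packaging half of that step done locally before upload: the month's evidence (a PDF report and an audit-log export, both constructed placeholders here) is bundled with a manifest of SHA-256 digests and a destroy-not-before date derived from the chosen retention period, and a restore test re-hashes every file against that manifest. Encryption and the upload to cold storage are left to the storage tooling and are not shown; the directory layout and file names are assumptions.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path
from typing import List, Optional, Tuple

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def retention_expiry(created: date, retention_years: int) -> date:
    """Earliest date the archive may be destroyed; the period comes from the applicable regulation."""
    try:
        return created.replace(year=created.year + retention_years)
    except ValueError:                       # 29 February in a non-leap target year
        return created.replace(year=created.year + retention_years, day=28)

def build_archive(evidence_dir: Path, out_dir: Path, period: str,
                  retention_years: int, created: Optional[date] = None) -> Path:
    """Write MANIFEST.json (digest per file + retention metadata) and pack everything as tar.gz."""
    created = created or date.today()
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    manifest = {
        "period": period,
        "created": created.isoformat(),
        "retention_years": retention_years,
        "destroy_not_before": retention_expiry(created, retention_years).isoformat(),
        "files": {p.relative_to(evidence_dir).as_posix(): sha256_file(p) for p in files},
    }
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    archive = out_dir / f"compliance-{period}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(evidence_dir, arcname=period)
    return archive

def verify_manifest(root: Path) -> Tuple[bool, List[str]]:
    """Re-hash every file listed in the manifest; return (ok, names that are missing or changed)."""
    manifest = json.loads((root / "MANIFEST.json").read_text())
    bad = [name for name, digest in manifest["files"].items()
           if not (root / name).is_file() or sha256_file(root / name) != digest]
    return (not bad, bad)

def verify_restore(archive: Path, scratch: Path) -> Tuple[bool, List[str], Path]:
    """The 'test restore' step: extract into a scratch directory and check it against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where the Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch, **kwargs)
    root = next(p for p in scratch.iterdir() if p.is_dir())
    ok, bad = verify_manifest(root)
    return ok, bad, root

def demo() -> dict:
    """Build an archive from constructed evidence, test-restore it, then corrupt one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        evidence = tmp / "evidence"
        (evidence / "reports").mkdir(parents=True)
        (evidence / "reports" / "monthly-compliance-2025-03.pdf").write_bytes(
            b"%PDF-1.4 constructed sample report\n")
        (evidence / "audit-trail-2025-03.jsonl").write_text(
            '{"action": "change status", "object": "INC-1042", "result": "success"}\n')
        archive = build_archive(evidence, tmp, "2025-03", retention_years=3, created=date(2025, 3, 31))
        ok, bad, root = verify_restore(archive, tmp / "restore-test")
        # Simulate an altered file in the restored copy (e.g. damaged or tampered in storage).
        (root / "audit-trail-2025-03.jsonl").write_text("{}\n")
        tampered_ok, tampered_bad = verify_manifest(root)
        manifest = json.loads((root / "MANIFEST.json").read_text())
        return {"restore_ok": ok, "restore_bad": bad, "tampered_ok": tampered_ok,
                "tampered_files": tampered_bad, "destroy_not_before": manifest["destroy_not_before"],
                "archive_name": archive.name}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest travels inside the archive, so a restore test needs nothing but the archive itself; keeping a second copy of the manifest (or of its own digest) outside the cold store additionally lets you detect a whole archive being replaced rather than just a file inside it being changed.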
Frequently asked questions (FAQ)
Is compliance reporting required for every company?
Not for organizations under 50 people. For 50-200: recommended if you process personal data (GDPR) or have cyber exposure (NIS2). For 200+: mandatory (annual audit, regulatory requirement). For under 50: if you process health or financial data, yes, GDPR applies even to small organizations.
How long must I store audit logs?
Retention periods depend on the regulation and data type and are worth confirming for your industry. In practice, several-year periods are common, with longer ones for some documents (for example, billing). Typical approach: immutable log in production for the current period, then archive encrypted data in cheap cold storage (for example, AWS S3 Glacier).
Can I use the ManageEngine SDP audit trail or do I need a separate system?
The SDP audit trail is enough for compliance reporting on ticketing and change management. You also need additional logging for: login attempts (Active Directory), database access (SQL logs), file access (file server logs). Best: a centralized SIEM (Splunk, ELK) collecting all logs, with the SDP audit trail as one feed.
What are the most common compliance failures?
1) Missing audit trail (system does not log changes), 2) Incomplete logs (audit trail deleted or overwritten), 3) Manual compliance reports (always incomplete, always contain errors), 4) No change control (changes without approval), 5) No incident documentation (incident happened but was not documented).
How much does compliance reporting cost to roll out?
Compliance reporting features are built into ManageEngine SDP and included in the licence. The cost is mainly the implementation service: configuration of audit trail, dashboards, reports and team training, priced individually based on scope. After rollout, reporting runs on a schedule and only needs oversight. Main benefit: well-prepared documentation shortens and simplifies audits because the auditor works on complete evidence.
Related articles
- NIS2 - IT manager checklist
- Data security in helpdesk - GDPR and PII
- Zero-day and patch management - a 24-hour plan
- Backup and Disaster Recovery - plan for ITSM

Does your organization have compliance reporting ready for auditors?
Rotech Group will analyze how to automate compliance reporting - audit trail, evidence collection, dashboards, policy. Free assessment, no commitment.