Audit & Compliance Manual

Executive Summary

Leadership-facing posture views, concise status communication, and the summaries used to explain program state without flattening it.

Audience: Leadership and compliance owners
Focus: Executive posture communication
Status: Public manual

Scope

Leadership summaries only work when they stay grounded in the same operating truth the compliance team is using. This page keeps the public-safe communication model and strips implementation-level detail.

SSOT Document — Single Source of Truth
Audience: Compliance leads presenting to an audit committee, board, CISO, or other executive stakeholder. Also the go-to page for a weekly posture check without wading into the full dashboard.
Last Updated: 2026-04-15

Overview

The Executive Summary is a single-page, simplified posture view for one compliance program. It shows a readiness percentage, a trend sparkline over the last 30 days (configurable), and the counts that matter for escalation conversations: open alerts, open findings, open MAPs, and per-framework coverage. Think of it as the slide you’d paste into a status deck — no drill-downs, no noise.

Getting Started

Prerequisites

  • Permission: Meridian.view. Every authenticated user in the tenant has this by default.
  • Program setup: The program must exist in your tenant. Posture data (readiness, trend, counts) only populates once you have:
    • Bound at least one framework.
    • Defined controls and tests.
    • Let the continuous-monitoring pipeline run at least one test cycle.
    • Waited a day for the first readiness_snapshots row to persist (trend line only).
  • See docs/manual/compliance-programs.md for initial program setup.

Reading the Page

Readiness Dial

A radial progress dial showing the program’s current readiness %. Colors:
  • Green — 90% or above
  • Yellow — 70% to 89%
  • Red — under 70%

What it means: “of the controls that apply to this program, what percentage are either passing all their tests or carrying an approved exception?” Controls marked “not applicable” are excluded from both sides of the ratio. A control with no tests counts against you: it cannot be passing, so it sits in the denominator but never in the numerator. Because excepted controls count as ready, the dial alone does not tell you how much of the number rests on exceptions; compare it with the Controls KPI card for that.

Readiness Trend Sparkline

A line chart of the last N days (default 30) of readiness. Populated from daily snapshots — the line does not include today’s live number unless a manual snapshot has been taken today.

Known behavior: the x-axis spaces points equally regardless of calendar gaps. If the snapshot loop missed days, the line compresses without a visible gap, so a drop that happened across several skipped days looks like a one-day drop, and a short-looking stretch may be hiding missing dates. If you need date-accurate trend analysis, use the reporting exports instead.

Empty state: “No trend data yet” on brand-new programs or tenants whose first snapshot hasn’t run.
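Added example (not the product’s code) of the behaviour described above: what the index-spaced sparkline draws versus a calendar-accurate series, how to find the snapshot days that were skipped, and a check for whether the right-most point is actually today. The readiness_snapshots row shape (date, readiness %) and the sample values are constructed assumptions.

```python
from __future__ import annotations
from datetime import date, timedelta

# Constructed readiness_snapshots rows as (date, readiness %). The row shape is an
# assumption made for this example; the three-day hole is deliberate.
SNAPSHOTS = [
    (date(2026, 4, 1), 82),
    (date(2026, 4, 2), 83),
    (date(2026, 4, 3), 84),
    # 4, 5 and 6 April: no rows, the snapshot loop did not run
    (date(2026, 4, 7), 71),
    (date(2026, 4, 8), 72),
]


def as_plotted(snapshots):
    """What the sparkline draws: values in date order, spaced by index, gaps invisible."""
    return [v for _, v in sorted(snapshots)]


def missing_days(snapshots):
    """Calendar days between the first and last snapshot that have no row."""
    dates = sorted(d for d, _ in snapshots)
    gaps = []
    for prev, nxt in zip(dates, dates[1:]):
        day = prev + timedelta(days=1)
        while day < nxt:
            gaps.append(day)
            day += timedelta(days=1)
    return gaps


def date_accurate(snapshots):
    """Calendar-spaced series: one (date, value) per day, value None where no snapshot exists."""
    by_date = dict(snapshots)
    start, end = min(by_date), max(by_date)
    return [(start + timedelta(days=i), by_date.get(start + timedelta(days=i)))
            for i in range((end - start).days + 1)]


def largest_drop(snapshots):
    """Largest fall between consecutive snapshots: (from_date, to_date, delta, days_skipped).

    days_skipped tells you whether the 'one step' drop on the sparkline really spans
    several calendar days with no data in between.
    """
    rows = sorted(snapshots)
    worst = None
    for (d0, v0), (d1, v1) in zip(rows, rows[1:]):
        delta = v1 - v0
        if worst is None or delta < worst[2]:
            worst = (d0, d1, delta, (d1 - d0).days - 1)
    return worst


def last_point_is(snapshots, today):
    """True only if a snapshot for `today` exists; otherwise the right-most point is stale."""
    return max(d for d, _ in snapshots) == today


if __name__ == "__main__":
    print("plotted:", as_plotted(SNAPSHOTS))
    print("missing:", [d.isoformat() for d in missing_days(SNAPSHOTS)])
    print("largest drop:", largest_drop(SNAPSHOTS))
```

On this sample the sparkline shows five evenly spaced points with what looks like a single-day fall from 84 to 71; the date-accurate series shows the fall sits across three missing days, which is exactly the case where the page tells you to reach for the reporting exports.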

KPI Cards

Four cards below the dial and trend:

  • Controls — total / implemented. “Implemented” is a narrower count than readiness (it excludes controls with approved exceptions). So expect readiness to be ≥ (implemented / total).
  • Open alerts — count of alerts in open or acknowledged status. Matches the default view of the program’s Alerts page.
  • Open findings — findings linked to the program’s audit cycles that are not remediated or closed.
  • Open MAPs — Management Action Plans (remediation commitments) linked through findings that are open or in_progress.

If Open MAPs shows 0 but you know you have open MAPs, check with platform ops — there’s a defensive fallback that zeros the count on schema errors and logs the exception. Nothing on the page distinguishes that fallback from a genuine zero, so treat an unexpected 0 as “unknown” until the logs confirm it.
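Worked example of the readiness ratio described under Readiness Dial and of the Controls KPI above, including the edge cases the page calls out (not-applicable controls, controls with no tests, approved exceptions). This is an added illustration, not the product’s code: the Control model, the rule that the Controls card’s “total” also excludes not-applicable controls, and “implemented” meaning “passing all tests” are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Control:
    """Assumed minimal shape of a control for this example (not the product's model)."""
    name: str
    applicable: bool = True                                   # False == marked "not applicable"
    test_results: list[bool] = field(default_factory=list)   # one pass/fail entry per test
    approved_exception: bool = False


def passing_all_tests(c: Control) -> bool:
    # A control with no tests can never be passing, so it counts against readiness.
    return bool(c.test_results) and all(c.test_results)


def applicable_controls(controls: list[Control]) -> list[Control]:
    # Not-applicable controls are excluded from both numerator and denominator.
    return [c for c in controls if c.applicable]


def readiness_pct(controls: list[Control]) -> int | None:
    """Dial value: share of applicable controls that pass all tests or carry an approved exception."""
    scope = applicable_controls(controls)
    if not scope:
        return None                                           # nothing to measure yet
    ready = sum(1 for c in scope if passing_all_tests(c) or c.approved_exception)
    return round(100 * ready / len(scope))


def controls_kpi(controls: list[Control]) -> tuple[int, int]:
    """KPI card 'Controls' as (implemented, total). Implemented counts only controls
    passing all tests; an approved exception does not make a control implemented.
    Assumption: total excludes not-applicable controls, like the dial does."""
    scope = applicable_controls(controls)
    implemented = sum(1 for c in scope if passing_all_tests(c))
    return implemented, len(scope)


def dial_color(pct: int) -> str:
    """Color thresholds from the Readiness Dial section."""
    if pct >= 90:
        return "green"
    if pct >= 70:
        return "yellow"
    return "red"


def readiness_covers_implemented(controls: list[Control]) -> bool:
    """Sanity check stated on the page: readiness must be >= implemented / total."""
    pct = readiness_pct(controls)
    implemented, total = controls_kpi(controls)
    return pct is not None and pct >= round(100 * implemented / total)


# Constructed sample program (not real data).
SAMPLE = [
    Control("AC-1", test_results=[True, True]),                      # passing
    Control("AC-2", test_results=[True, False]),                     # one failing test
    Control("AC-3"),                                                 # no tests: counts against
    Control("AC-4", test_results=[False], approved_exception=True),  # failing but excepted
    Control("AC-5", applicable=False),                               # N/A: excluded entirely
]

if __name__ == "__main__":
    pct = readiness_pct(SAMPLE)
    print(f"readiness {pct}% ({dial_color(pct)}), controls implemented/total {controls_kpi(SAMPLE)}")
```

On the sample, four controls are in scope (AC-5 is out), two of them count as ready (AC-1 by tests, AC-4 by exception), so the dial reads 50% and red, while the Controls card reads 1 / 4; the gap between 50% and 25% is the share of readiness that rests on an exception rather than on passing tests.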

Framework Coverage Table

One row per framework bound to the program. Columns:

  • Framework — name, version, and (if configured) the target maturity level (Type 1, Level 2, etc.)
  • Total — requirements in the framework (or in the target level if one is set)
  • Covered — requirements with at least one fully-covering control
  • Partial — requirements with partially-covering controls
  • Excepted — requirements under approved exception
  • % — (Covered + Excepted) / Total * 100, rounded

Partially covered requirements do not count toward the %; only fully covered and excepted ones do. The rows are read-only in this view — to dig into which requirements are partial or not covered, use the Dashboard.

Header Links

Two buttons at the top right:
  • Dashboard — jumps to the relevant workflow for the full drill-down.
  • Alerts — jumps to the relevant workflow for alert triage.

Common Tasks

Preparing for an Audit Committee Meeting

When to use: Weekly / quarterly board or audit-committee prep.

Steps:
1. Open the relevant workflow for the program you’re presenting.
2. Take a screenshot of the readiness dial + trend section — that’s your headline slide.
3. For the detail appendix, screenshot the framework coverage table.
4. Capture the four KPI numbers into your deck talking points.
5. If the readiness dropped recently, open the Alerts page from the header and review the top open alerts so you can speak to them.

Expected Outcome: You have a one-page summary that matches the single source of truth and doesn’t require the audience to log in.

Spotting a Posture Regression

Situation: Readiness number looks lower than last week.

Steps:
1. Look at the sparkline — where did the drop happen?
2. Click Dashboard to see the attention items for the current state.
3. Click Alerts filtered to Open and look at the most recent test_failure rows — those are the likely cause.
4. If the drop aligns with a specific day, cross-reference the audit log for that date via the Reporting module.

Expected Outcome: You can identify the specific control/test responsible and either acknowledge the alert with a remediation note or assign a MAP.

Changing the Trend Window

When to use: Board wants a 90-day posture view instead of 30-day, or you want to zoom in on the last week.

Steps:
1. Set the trend_days parameter in the page URL to the number of days you want (for example, 90 for a quarter or 7 for the last week).
2. Refresh the page.

Expected Outcome: Sparkline redraws with the new number of data points, assuming the program has that many snapshots on file.

Note: there is no UI control for trend_days today — it’s a URL-only parameter.

Forcing a Fresh Snapshot

When to use: You shipped a big fix today and don’t want the trend to show yesterday’s stale number on the exec view.

Steps:
1. Take a manual snapshot for today (the trend only picks up today’s number once a snapshot for today exists; see Readiness Trend Sparkline).
2. Reload the executive summary.
3. The trend’s latest point should now be today’s readiness.

Expected Outcome: The sparkline’s right-most point matches the big readiness number.

Permissions Reference

Permission and what it grants:
  • Meridian.view: Read the executive summary for any program in your tenant.
  • Meridian.admin: Same, plus the ability to fire scheduler ticks / freshness sweeps that feed upstream data.

Auditors holding Meridian.view / Meridian.audit can open and share this URL without any further grant; whoever receives the link still has to authenticate to the tenant, where Meridian.view is granted by default.