Compliance audit workbench

Burnish is a structured assessment tool for point-in-time compliance gap analysis. It manages the full workflow from requirement evaluation through professional report delivery.

Five frameworks, each with pre-loaded requirements, controls, and scoring
Every assessment starts with the complete structure of the selected framework — clauses, requirements, and controls. Status definitions, scoring models, and report structures are specific to each standard.
  • ISO 27001:2022 · 127 requirements · 93 Annex A controls
  • ISO 42001 · AI management system · requirements + controls
  • CMMC Level 1 · 17 practices · SPRS scoring
  • CMMC Level 2 · 110 practices · SPRS scoring with DoD weighting
  • HIPAA · Security Rule · requirements + safeguards

What the tool does
Burnish handles the mechanical work of a compliance assessment — structure, scoring, cleanup, and formatting — so the assessor can focus on evaluation.

Framework-driven assessment

Requirements and controls are pre-loaded per framework. Status tracking, effectiveness scoring, and section breakdowns are computed from metadata. Nothing is hardcoded per standard.

AI findings cleanup

Raw field notes are rewritten into professional prose automatically. Grammar, structure, and clarity are fixed. Factual content is preserved — nothing is added, softened, or inferred.

Recommendations for every finding

Every nonconformity and opportunity for improvement receives a recommendation. When findings are present, the system generates a custom recommendation scoped to the specific observation. Built-in recommendations are used as fallbacks.

Professional report generation

A complete .docx report is generated from the assessment data — executive summary, section narratives, scoring tables, and findings detail. The executive summary is calibrated to the engagement's overall severity tier.

SME flagging

Any control can be flagged for subject matter expert follow-up. SME counts are surfaced in the executive summary and report output. The assessment acknowledges what it cannot fully evaluate alone.

CMMC SPRS scoring

Full Supplier Performance Risk System implementation with correct DoD weighting — 5-point, 3-point, and 1-point controls, partial credit rules, and the 3.12.4 gate. Computed automatically from assessment status.
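As an added illustration of the scoring rules named above (this is example code written for this page, not Burnish's implementation): the DoD Assessment Methodology starts every NIST SP 800-171 assessment at 110 and deducts 5, 3 or 1 points per practice that is not implemented, gives partial credit of 3 points only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and refuses to produce a score at all when 3.12.4 (the system security plan) is absent. The weight table below covers only a handful of practices and its point values are an illustrative assumption; a real implementation loads the full 110-practice table, and the sample status map is constructed for the demonstration.

```python
# Added example, not Burnish's code: an SPRS-style score computed from
# per-practice assessment status, using the DoD NIST SP 800-171 Assessment
# Methodology rules named on the page (5/3/1-point weights, partial credit,
# and the 3.12.4 system security plan gate).

MAX_SCORE = 110  # every practice implemented

# Constructed weight table covering a few practices. The point values are an
# illustrative assumption; a real implementation loads all 110 practices.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.4": 1,    # alert on audit logging process failure
    "3.5.3": 5,    # multifactor authentication
    "3.8.5": 3,    # control access to media during transport
    "3.12.4": 5,   # system security plan (gate)
    "3.13.11": 5,  # FIPS-validated cryptography
}

# Partial-credit rule: 3.5.3 and 3.13.11 deduct 3 instead of 5 when partially
# implemented; every other partially implemented practice deducts its full weight.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


class ScoringError(Exception):
    """Raised when the assessment cannot be scored."""


def deductions(status):
    """Return {practice_id: points_deducted} for a mapping of practice -> status.

    Practices missing from `status` are treated as not implemented, which is the
    conservative choice for a gap analysis.
    """
    if status.get("3.12.4") != "implemented":
        # The methodology treats the SSP as a prerequisite: without it the
        # assessment cannot be completed, so no score is produced.
        raise ScoringError("3.12.4 not met: no system security plan, assessment cannot be scored")
    result = {}
    for pid, weight in WEIGHTS.items():
        s = status.get(pid, "not_implemented")
        if s not in VALID_STATUS:
            raise ScoringError(f"unknown status {s!r} for {pid}")
        if s == "implemented":
            continue
        if s == "partial":
            result[pid] = PARTIAL_CREDIT.get(pid, weight)
        else:
            result[pid] = weight
    return result


def sprs_score(status):
    """SPRS score = 110 minus the weighted deductions."""
    return MAX_SCORE - sum(deductions(status).values())


# Constructed sample assessment: SSP present, MFA and crypto partial, two gaps.
SAMPLE_STATUS = {
    "3.1.1": "implemented",
    "3.1.20": "implemented",
    "3.3.4": "not_implemented",
    "3.5.3": "partial",
    "3.8.5": "not_implemented",
    "3.12.4": "implemented",
    "3.13.11": "partial",
}

if __name__ == "__main__":
    for pid, pts in sorted(deductions(SAMPLE_STATUS).items()):
        print(f"{pid:8} -{pts}")
    print("SPRS score:", sprs_score(SAMPLE_STATUS))  # 100
```

Keeping the per-practice deductions separate from the final subtraction is what lets a report show the breakdown (which gaps cost how many points) rather than only the headline number; the gate is checked first so a missing SSP surfaces as an error in the workbench instead of silently scoring as a 5-point deduction.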

Assessment to report in four steps
01 · Create engagement
Select the client, framework, and audit date. Requirements and controls load automatically.

02 · Assess
Set each requirement and control to its status. Record findings as field notes. Flag items for SME review.

03 · Review
AI cleans field notes into professional prose. Recommendations are generated for every finding.

04 · Report
Generate the .docx — executive summary, section narratives, scoring, and findings detail. Ready for delivery.

What the AI does — and what it doesn't
Burnish uses AI for two specific tasks: cleaning field notes and generating recommendations. The AI does not assess controls, assign statuses, or make audit judgments. Every assessment decision is made by the assessor.

Findings cleanup

Raw notes written during interviews and evidence review are automatically rewritten into professional prose. The original factual content is preserved. Grammar, sentence structure, and clarity are fixed. Nothing is added or softened.

Field notes as entered
no competency eval for infosec ppl. JDs dont mention security at all. training records are a mess - asked for evidence, got a spreadsheet with 3 of 12 ppl on it. no certs, no dates on half of them. HR says "we do it verbally" lol

Cleaned for report

The same finding, rewritten for a professional deliverable. Every fact from the original is retained. The assessor's judgment is unchanged — only the presentation is improved.

As it appears in the report
No evidence of competency evaluation was identified for roles with information security responsibilities. Job descriptions do not reference security responsibilities or required competencies. Training records provided consist of a spreadsheet listing 3 of 12 personnel, with no certifications documented and dates missing for several entries. HR indicated that competency evaluation is conducted verbally with no formal records maintained.
What the deliverable includes

Complete .docx report

The report is generated directly from assessment data. No manual formatting, no copy-paste between tools. The executive summary is automatically calibrated to the engagement's severity — language, remediation timelines, and certification guidance adjust based on overall effectiveness.

  • Executive summary — severity-calibrated, board-readable
  • Section-by-section effectiveness breakdown
  • Section narratives with status distribution
  • Detailed findings with cleaned observations
  • Recommendations for every NC and OFI
  • SPRS score calculation (CMMC engagements)
  • SME follow-up summary where applicable
Burnish Audit · Sample Client · ISO 27001:2022
Executive Summary
The organization's information security management system demonstrates a foundation of 73 percent overall effectiveness across all 127 assessed requirements and 93 controls. The organization has established baseline security practices in several areas; however, the presence of 17 nonconformities and 32 opportunities for improvement indicates that maturity gaps exist requiring remediation prior to certification.

The organization demonstrates particular strength in Organizational Controls, achieving 85 percent effectiveness. The assessment identified Support at 40 percent and Technological Controls at 53 percent as the areas where additional development is most needed.

Remediation efforts should prioritize closure of the 17 nonconformities, with particular focus on Support and Technological Controls. An implementation timeline of 3–6 months, coupled with executive sponsorship, is realistic for achieving certification readiness.
How your data is protected

Encrypted at rest

All engagement data is stored on encrypted block storage. Backups are automated on a configurable schedule.

Authenticated access

Every request requires session authentication. CSRF protection is enforced on all state-changing operations. Sessions are invalidated on logout and server restart.

Role-based access

Admin and auditor roles control access to management functions. Engagement ownership restricts edit access to the assigned assessor. Other users have read-only visibility.