NSAuditor AI EE 0.9.3 Deepens SOC 2 Type II Audit Support with Named Procedures, WORM Validation, and AT-C 320 Disclosures

NSAuditor AI EE 0.9.3 ships four SOC 2 evidence-sufficiency improvements: named manual procedures for partial controls, WORM artifact validation, Type II disclosures, and framework label accuracy.

Nsasoft has released NSAuditor AI Enterprise Edition 0.9.3, an EE-only patch that delivers four targeted improvements to SOC 2 Type II audit evidence — addressing the gaps auditors encounter when moving from point-in-time scans to sustained Type II sampling engagements.

Named Manual Procedures for Every Partial Control

The most immediately auditor-facing change is the addition of a manualProcedure field to all four PARTIAL controls in the SOC 2 coverage matrix: CC6.3, CC8.1, A1.2, and PI1.5. Each field is populated with AT-C 320 sample-ready evidence direction — specifying the sampling unit, a recommended sample size, and the scope of the manual procedure that must accompany automated scanner output.

Previously, auditors had to determine independently how to incorporate the human side of these controls into Type II testing. With 0.9.3, that guidance is embedded directly in the compliance artifact, eliminating ambiguity and reducing back-and-forth between auditor and operator during evidence review.

WORM Validation at the Artifact Layer

EE 0.9.3 adds an opts.requireTypeIIWormClaim gate to the SOC 2 artifact renderer. When set, the renderer validates Object Lock COMPLIANCE-mode configuration — including sufficient retention period — before writing any Type II artifact to storage. If the WORM assertion cannot be confirmed, the write is refused with an EWORM_RENDERER_CLAIM_INVALID error.

This closes a class of evidence-integrity risk where a SOC 2 artifact could be written to mutable storage without the renderer objecting. Successful writes now annotate result.wormClaim, giving auditors a machine-readable immutability attestation alongside the artifact itself.
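
The kind of pre-write check described above, as an added example that is not NSAuditor AI source code. It assumes the storage backend is Amazon S3 and takes the response shape of GetObjectLockConfiguration; assertWormClaim, tryClaim, the returned fields and minRetentionDays are hypothetical names.

```javascript
// Added illustration; not NSAuditor AI source. Function and field names are hypothetical.
const WORM_ERR = 'EWORM_RENDERER_CLAIM_INVALID'; // error code named in the release notes

function wormError(reason) {
  const err = new Error(`${WORM_ERR}: ${reason}`);
  err.code = WORM_ERR;
  return err;
}

// lockConfig: response shape of S3 GetObjectLockConfiguration (assumed backend).
// minRetentionDays: retention the audit period requires (caller-supplied assumption).
function assertWormClaim(lockConfig, minRetentionDays) {
  const cfg = lockConfig && lockConfig.ObjectLockConfiguration;
  if (!cfg || cfg.ObjectLockEnabled !== 'Enabled') {
    throw wormError('Object Lock is not enabled on the bucket');
  }
  const ret = cfg.Rule && cfg.Rule.DefaultRetention;
  if (!ret) throw wormError('no default retention rule');
  // GOVERNANCE retention can be bypassed by principals holding
  // s3:BypassGovernanceRetention, so it does not support a WORM claim.
  if (ret.Mode !== 'COMPLIANCE') {
    throw wormError(`retention mode is ${ret.Mode}, not COMPLIANCE`);
  }
  // S3 expresses default retention in Days or Years, never both.
  const days = Number.isInteger(ret.Days) ? ret.Days
    : Number.isInteger(ret.Years) ? ret.Years * 365 : 0;
  if (days < minRetentionDays) {
    throw wormError(`retention ${days}d is below required ${minRetentionDays}d`);
  }
  return { mode: ret.Mode, retentionDays: days, verified: true };
}

// Constructed sample responses, not captured from a real bucket.
const compliant = { ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled',
  Rule: { DefaultRetention: { Mode: 'COMPLIANCE', Years: 1 } } } };
const governance = { ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled',
  Rule: { DefaultRetention: { Mode: 'GOVERNANCE', Days: 400 } } } };

// Returns the claim object on success, or the error code when the write would be refused.
function tryClaim(cfg, minDays) {
  try { return assertWormClaim(cfg, minDays); } catch (e) { return e.code; }
}
```

A bucket default only covers objects written without explicit retention, so a stricter check would also read the retention applied to the artifact object after the write.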

Type II Shape Disclosure in SLA Compliance Summary

The SLA Compliance Summary section now includes an explicit disclosure of the operator-supplemental evidence stream required for AT-C 320 Pattern A/B sampling: CloudTrail, Azure Activity logs, GCP Audit logs, and change-management tickets. Auditors can see directly in the compliance output what additional evidence they should request to complete a sustained Type II engagement — rather than discovering the gap during fieldwork.

Framework Label Accuracy

The phrase “with 2022 points of focus” has been removed from the SOC 2 framework label. NSAuditor AI does not currently model Points of Focus granularity within the AICPA TSC 2017 framework. The claim was inaccurate and has been corrected in both the compliance engine metadata and the SOC 2 coverage documentation.

Coverage and Installation

The 0.9.3 patch is EE-only. Coverage matrices are unchanged: 10 domains / 4 categories / 33 controls for SOC 2 and 7 rules / 3 categories / 45 controls for HIPAA. The plugin count remains at 24. CE 0.1.70 and agent-skill 0.1.37 are unaffected by this release.

To install:

npm install -g nsauditor-ai@0.1.70 @nsasoft/nsauditor-ai-ee@0.9.3

Full SOC 2 documentation and release notes are available at nsauditor.com/ai/docs/soc2/. Enterprise feature details can be found at nsauditor.com/ai/enterprise/.