Question

ControlMap Audit Report Missing Info!!

  • January 20, 2026
  • 3 replies
  • 30 views


The only audit report (Audit Evidence & Result) provided in ControlMap is missing key critical info found in the detailed evaluation section of a given Request:
1) testing approach 
2) recommendations and findings

I have looked for other ways/reports to export this information to give to our client and have reached a dead end. Am I using the wrong report or is the content in these fields NOT exportable via report? If not exportable, why? This is important information to share as part of an audit and/or audit readiness.

3 replies

Dan Fox
Community Manager
  • January 20, 2026

We have a new report coming out with some of this information specifically for CMMC. In other frameworks this audit-related information was typically not needed in report format because there was not necessarily another party to export the information to. With CMMC this is a differing use case and we are building a report for this purpose. Can you share if CMMC is the use case you are looking for or is it another framework?


  • Author
  • Active Member
  • January 21, 2026

Hi Dan - I invited my co-worker @Alan T to assist in responding to this as he was the one to use the audit module for a specific engagement he was working on. I will say that the framework used was CIS 8.1.


  • New Member
  • January 23, 2026

Dan Fox — appreciate the response and the context.

For my use case, this isn’t CMMC-specific. We’re using ControlMap for internal audit / governance & security maturity testing (framework-agnostic), and the end-state of any internal audit is a stakeholder-ready Final Report. Regardless of framework/regulation, that report needs consistent narrative elements: scope, testing approach/methodology, results, and—most importantly—findings and recommendations.

In ControlMap, those exact report-critical fields exist at the Request level in the UI (e.g., “Testing approach” and “Recommendations and findings”), but the currently available exports (Audit Evidence & Result report and the spreadsheet extract) appear to omit them entirely. That creates a gap where the “story” and rationale for the ratings can’t be delivered in a defensible format to stakeholders/clients without manual copy/paste.

A few questions / asks to help close the loop operationally:

  1. Is this omission intentional (by design), or a current limitation/bug?

  2. Will the upcoming CMMC report include those narrative fields (Testing Approach + Recommendations/Findings) at a per-control/per-request level?

  3. If yes, will that reporting capability be extended to non-CMMC frameworks / custom maturity models as well? (That’s the real unlock for internal audit.)

  4. Is there any interim workaround (API endpoint, expanded export template, or configurable report builder) that can include those specific fields in an export?

From an internal audit mechanics standpoint, if ControlMap can’t generate a closeout-quality report that includes those narrative sections, it forces teams back into Word/PowerPoint and undermines the value of running the assessment in the platform.

Happy to share more specifics on the framework/maturity model we’re using if that helps you validate requirements for a framework-agnostic “Final Report” output.

Thanks - Alan