---
title: IAR and SPR — auditable artifacts
status: draft
note: AI-generated first-pass transcript pending video production + SME review.
---
The IAR and SPR are the artifacts auditors and security reviewers see.
The work in modules 1–4 produces the data; this module is how you
turn that data into documents that stand up to scrutiny.
## IAR vs SPR
- **IAR — Initial Assessment Report**. One-time, generated within the
first two weeks of onboarding a client. Sets the baseline:
inventory, posture snapshot, framework alignment, gap list,
prioritized roadmap.
- **SPR — Security Posture Review**. Recurring. Default cadence is
quarterly, with monthly executive summaries. Compares current
posture to baseline, surfaces deltas, refreshes attestations.
Both render from the same finding + attestation data, with different
templates and emphasis.
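The comparison an SPR performs, shown as an added example that is not part of the AEGIS platform or this module: a baseline snapshot from the IAR and a current snapshot are diffed for control regressions and improvements, new and resolved findings, score movement, and attestations that predate the review period and so need refreshing. The snapshot layout, the control ids, the finding ids and the dates are all constructed for illustration.

```python
"""Compute the SPR delta against the IAR baseline.

Added example, not AEGIS code. The snapshot layout (control status plus the
date of its last attestation, findings keyed by id with a severity) is an
assumption about what the finding + attestation data looks like.
"""
from dataclasses import dataclass

HIGH_SEVERITY = {"critical", "high"}


@dataclass(frozen=True)
class Snapshot:
    taken_at: str   # ISO-8601 date, e.g. "2024-03-31"
    score: int      # posture score, 0-100
    controls: dict  # control_id -> (status, attested_at or None)
    findings: dict  # finding_id -> severity


def posture_delta(baseline: Snapshot, current: Snapshot, period_start: str) -> dict:
    """Surface what changed since the baseline and which attestations are stale."""
    def implemented(snap, cid):
        return snap.controls.get(cid, ("not_implemented", None))[0] == "implemented"

    regressions = sorted(c for c in baseline.controls
                         if implemented(baseline, c) and not implemented(current, c))
    improvements = sorted(c for c in current.controls
                          if implemented(current, c) and not implemented(baseline, c))
    new_findings = {f: s for f, s in current.findings.items() if f not in baseline.findings}
    resolved = sorted(f for f in baseline.findings if f not in current.findings)
    # Assumption: an attestation signed before this review period is refreshed, not reused.
    stale = sorted(c for c, (status, attested_at) in current.controls.items()
                   if status == "implemented"
                   and (attested_at is None or attested_at < period_start))
    return {
        "score_delta": current.score - baseline.score,
        "regressions": regressions,
        "improvements": improvements,
        "new_findings": new_findings,
        "resolved_findings": resolved,
        "high_severity_new": sorted(f for f, s in new_findings.items() if s in HIGH_SEVERITY),
        "attestations_to_refresh": stale,
    }


def executive_summary(delta: dict) -> list:
    """Monthly executive summary: score movement and high-severity changes only."""
    lines = [f"Posture score moved {delta['score_delta']:+d} points since baseline."]
    if delta["regressions"]:
        lines.append("Controls regressed: " + ", ".join(delta["regressions"]))
    if delta["high_severity_new"]:
        lines.append("New high-severity findings: " + ", ".join(delta["high_severity_new"]))
    if delta["attestations_to_refresh"]:
        lines.append("Attestations to refresh before sign-off: "
                     + ", ".join(delta["attestations_to_refresh"]))
    return lines


# Constructed sample data, not real client data. Control ids mimic NIST CSF.
BASELINE = Snapshot("2023-12-20", 58,
                    {"PR.AC-1": ("implemented", "2023-12-20"),
                     "PR.DS-1": ("not_implemented", None),
                     "DE.CM-1": ("implemented", "2023-12-20")},
                    {"F-101": "medium", "F-102": "high"})
CURRENT = Snapshot("2024-03-31", 64,
                   {"PR.AC-1": ("implemented", "2023-12-20"),
                    "PR.DS-1": ("implemented", "2024-03-20"),
                    "DE.CM-1": ("not_implemented", None)},
                   {"F-102": "high", "F-201": "critical", "F-202": "low"})

if __name__ == "__main__":
    for line in executive_summary(posture_delta(BASELINE, CURRENT, "2024-01-01")):
        print(line)
```

Regressions are computed from the baseline side, so a control that simply disappears from the current snapshot (scope removed, connector broken) shows up as a regression rather than silently dropping out of the report; that is the conservative reading an auditor expects.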
## What the auditor needs
Three things, every time:
1. **Citations to evidence.** Every claim in the report links back to
the connector that observed it, with timestamp + source artifact.
2. **Signed attestations.** Every framework control marked
"implemented" has a signed attestation with evidence.
3. **An honest gap statement.** Controls that aren't implemented are
listed with that status. Don't paper over gaps.
If any of those three is missing, an auditor will assume the rest of
the report is similarly fragile. The platform refuses to render with
incomplete provenance — but you should still review before sending.
## Generating an IAR
In the AEGIS app:
1. Open the client's "reports" tab.
2. Click "Generate IAR".
3. The platform builds the document from current scan data,
attestations, and findings.
4. Review every section.
5. Sign-off: a qualified MSP admin signs the attestation block.
6. Render to PDF. Send to client + auditor.
The IAR is signed once per onboarding cycle. If the client adds new
scope (a new office, a new SaaS app), you generate an addendum, not a
fresh IAR.
## Generating an SPR
The SPR runs on a quarterly cadence by default:
1. Auto-generated 5 business days before the quarter end.
2. You review and amend within those 5 days.
3. Quarterly review meeting with the client uses the SPR as the
agenda.
4. Sign-off from the client; the platform records acknowledgment.
Monthly executive summaries land between quarterly SPRs. They're
shorter, focused on score movement and high-severity changes.
## Framework attestations in the SPR
A framework attestation (NIST CSF, HIPAA, SOC 2) requires:
- Each control has evidence links.
- A qualified human signs.
- The signature timestamp is recorded.
- The evidence the signature was based on is preserved.
A `framework_attestation_signed` Pulse event fires on each signature, so
the chain of evidence behind any attestation can be pulled from the Pulse
stream when an auditor asks for it.
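The three things the auditor needs (from the section above) and the four attestation requirements just listed, as one added example that is not AEGIS code: a render gate that refuses the report when a claim has no citation, when a control marked implemented has no attestation or one whose signature does not verify, when the signer is not on the qualified list, or when the preserved evidence no longer matches what was signed; controls that are not implemented are collected into the gap statement instead of being hidden. The record shapes, the connector name, the control ids, the signer identity and the HMAC-SHA256 stand-in for the platform's real signature are all assumptions.

```python
"""Provenance gate for an IAR/SPR render.

Added example, not AEGIS code. Every claim must cite evidence (connector,
timestamp, source artifact); every control marked implemented must carry a
signed attestation whose evidence is preserved and unchanged; controls that
are not implemented go into the gap statement. HMAC-SHA256 under a
per-signer key stands in for the platform signature; shapes are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Evidence:
    connector: str    # connector that observed it, e.g. "entra-id" (assumed name)
    observed_at: str  # ISO-8601 observation timestamp
    artifact: str     # source artifact reference
    content: bytes    # preserved copy of the artifact


@dataclass
class Claim:
    text: str
    evidence_ids: list


@dataclass
class Control:
    control_id: str
    status: str       # "implemented" or "not_implemented"
    attestation: dict = None


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(control_id, signer, key, evidence_ids, store, pulse, now=None):
    """Sign over the evidence digests and emit framework_attestation_signed."""
    signed_at = (now or datetime.now(timezone.utc)).isoformat()
    body = {"control_id": control_id, "signer": signer, "signed_at": signed_at,
            "evidence": {e: digest(store[e].content) for e in evidence_ids}}
    signature = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    pulse.append({"event": "framework_attestation_signed", "control_id": control_id,
                  "signer": signer, "signed_at": signed_at})
    return dict(body, signature=signature)


def verify_attestation(att, control_id, key, store):
    """Problems with one attestation: wrong control, bad signature, evidence drift."""
    problems = []
    if att.get("control_id") != control_id:
        problems.append(f"{control_id}: attestation belongs to {att.get('control_id')}")
    body = {k: v for k, v in att.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att.get("signature", "")):
        problems.append(f"{control_id}: signature does not verify")
    if not att.get("signed_at") or not att.get("evidence"):
        problems.append(f"{control_id}: attestation lacks a timestamp or evidence links")
    for eid, signed_digest in att.get("evidence", {}).items():
        if eid not in store:
            problems.append(f"{control_id}: evidence {eid} was not preserved")
        elif digest(store[eid].content) != signed_digest:
            problems.append(f"{control_id}: evidence {eid} changed after signing")
    return problems


def render_gate(claims, controls, store, signer_keys):
    """Return (ok, problems, gaps); the report is rendered only when ok is True."""
    problems, gaps = [], []
    for claim in claims:
        if not claim.evidence_ids:
            problems.append(f"uncited claim: {claim.text!r}")
        for eid in claim.evidence_ids:
            ev = store.get(eid)
            if ev is None:
                problems.append(f"claim cites missing evidence {eid}")
            elif not (ev.connector and ev.observed_at and ev.artifact):
                problems.append(f"evidence {eid} lacks connector, timestamp or artifact")
    for ctl in controls:
        if ctl.status != "implemented":
            gaps.append(ctl.control_id)  # honest gap statement: listed, never hidden
        elif ctl.attestation is None:
            problems.append(f"{ctl.control_id}: marked implemented with no attestation")
        elif ctl.attestation.get("signer") not in signer_keys:
            problems.append(f"{ctl.control_id}: signer is not a qualified admin")
        else:
            key = signer_keys[ctl.attestation["signer"]]
            problems.extend(verify_attestation(ctl.attestation, ctl.control_id, key, store))
    return (not problems, problems, gaps)


def build_sample():
    """Constructed sample data: one attested control, one honest gap, one cited claim."""
    store = {"ev-1": Evidence("entra-id", "2024-03-28T09:14:00+00:00",
                              "conditional-access/policies.json",
                              b'{"policy":"require-mfa","state":"enabled"}')}
    signer_keys = {"admin@msp.example": b"demo-signer-key"}  # placeholder key material
    pulse = []
    att = sign_attestation("PR.AC-7", "admin@msp.example", signer_keys["admin@msp.example"],
                           ["ev-1"], store, pulse, now=datetime(2024, 3, 29, tzinfo=timezone.utc))
    claims = [Claim("MFA is enforced for all users", ["ev-1"])]
    controls = [Control("PR.AC-7", "implemented", att), Control("PR.DS-1", "not_implemented")]
    return store, claims, controls, signer_keys, pulse
```

The signature covers digests of the evidence rather than the evidence itself, which is what makes "the evidence the signature was based on is preserved" checkable: if the preserved artifact is later altered, the digest no longer matches and the gate refuses to render. `build_sample()` returns everything needed to run `render_gate` against the constructed data.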
## What you don't do
- **Don't** edit IAR or SPR PDFs after rendering. Re-run the
generator. The platform's rendered output IS the artifact.
- **Don't** sign attestations you can't defend. The signature is
yours; the consequences attach to it.
- **Don't** skip evidence collection because it's tedious. The audit
is the thing you trade tedium for.
## Hands-on
This is a self-paced module — no sandbox required. Open the AEGIS
docs page on IAR + SPR generation, walk through the structure of
each, and revisit the modules above with that structure in mind.
## Final assessment
Pass the final assessment for this path and you'll receive a signed
**Certified AEGIS Posture Scan Operator** credential. Share the
public verify URL with your MSP partner manager — it's evidence you
can stand up an AEGIS deployment honestly, end-to-end.
Module 5 of 5
Generate the Initial Assessment Report and Security Posture Review with citations the auditor will accept.