Fetching audit results

Once a policy with the audit effect has been assigned and the assignment is active, it automatically evaluates all of the resources within the scope of the assignment. There is no guarantee of how long this takes. For new resources, the results of policy evaluation are visible within 15 minutes, and often sooner.

Once the results are in, the compliance status for each policy or initiative can be viewed in the portal, resulting in an overview, as shown in the following screenshot:

The difference between this report and other reports, which are the result of a manual audit, is that this overview is constantly updated to reflect the actual, current state of compliance—it is not a snapshot of compliance at a specific point in time.

An important benefit of this type of compliance is that the rules or policies are applied continuously to all the existing resources and any incoming change. This means that it is possible to ensure that the application environment is always compliant and always adheres to any rules and policies that apply.
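The same compliance data can also be consumed outside the portal, for example as a gate in a pipeline. The following sketch is an added example, not code from the book: it assumes the policy engine is Azure Policy and that the records were exported with `az policy state list`; the assignment names, resource IDs, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real resources). Assumption: the policy engine is
# Azure Policy and the records were exported with `az policy state list`, whose JSON
# objects carry the fields used here.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
SAMPLE_STATES = [
    {"policyAssignmentName": "audit-storage-https", "complianceState": "Compliant",
     "resourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stappdata"},
    {"policyAssignmentName": "audit-storage-https", "complianceState": "NonCompliant",
     "resourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stapplogs"},
    {"policyAssignmentName": "audit-allowed-locations", "complianceState": "Compliant",
     "resourceId": RG + "/providers/Microsoft.Web/sites/app-frontend"},
    {"policyAssignmentName": "audit-allowed-locations", "complianceState": "Compliant",
     "resourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stappdata"},
]


def summarize(states):
    """Count compliant resources and collect non-compliant ones per assignment."""
    summary = defaultdict(lambda: {"compliant": 0, "non_compliant": [], "other": 0})
    for record in states:
        entry = summary[record["policyAssignmentName"]]
        state = record.get("complianceState", "").lower()
        if state == "compliant":
            entry["compliant"] += 1
        elif state == "noncompliant":
            entry["non_compliant"].append(record["resourceId"])
        else:
            entry["other"] += 1  # any other state is kept out of the percentage
    return dict(summary)


def compliance_percentage(entry):
    """Percentage of evaluated resources that are compliant, or None if none evaluated."""
    evaluated = entry["compliant"] + len(entry["non_compliant"])
    return None if evaluated == 0 else round(100.0 * entry["compliant"] / evaluated, 1)


def failing_assignments(states, minimum=100.0):
    """Return {assignment: [non-compliant resource ids]} for assignments below minimum."""
    failing = {}
    for name, entry in summarize(states).items():
        pct = compliance_percentage(entry)
        if pct is not None and pct < minimum:
            failing[name] = entry["non_compliant"]
    return failing


if __name__ == "__main__":
    for name, entry in summarize(SAMPLE_STATES).items():
        print(f"{name}: {compliance_percentage(entry)}% compliant")
    raise SystemExit(1 if failing_assignments(SAMPLE_STATES) else 0)
```

Run on a schedule or on every deployment, the non-zero exit code turns a drop in compliance into a failed pipeline run rather than a finding in the next manual audit.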

Contrast this with the often-used approach of having security and compliance audits only every so many months. Often, this results in environments that are compliant only just before the audit, with compliance slowly decaying afterward. That is, until it is time for another audit, of course, at which point it rises close to 100% again. At many companies, this results in a compliance graph as follows:

With this, we've discussed another example of how DevOps practices can help increase security and compliance—by ensuring infrastructure compliance. In the next section, several alternative tools for those mentioned in this chapter will be discussed.
