Proving your Reports
Keep in mind...
When dealing with HIPAA compliance and auditors, there is one thing we quickly discovered. After an extensive effort to create alerts and reports that pertained to HIPAA, we found that the auditors liked the reports but couldn't accept them, because we had no way of proving that anyone had actually read them. That caused us to put into practice a process by which our Compliance Officer had to sign off on them before they were considered complete. This is an accepted practice that is still in effect many audits later.
We had the same issues with SOX and PCI. In our environment, I'm the only one responsible for monitoring the reports. I created a spreadsheet that has all the reports listed in column A and a column for each day of the week. I record the number of records present in each report and save the spreadsheet each week. The auditors can always check whether I REALLY reviewed the reports by creating the same report and seeing if I have the record count correct.