🚨 CISOs & Audit Leaders: Stop Treating SOX and Cyber as Separate Worlds 🚨

Financial reporting integrity and cyber resilience are inseparable. Outages, privilege abuse, or data tampering in crown-jewel systems can create material misstatements as fast as they create breaches. I put together a practical framework to integrate IT SOX controls with Cybersecurity Risk Management—so you reduce duplicate work, harden defenses, and give the Board decision-ready insights.

✅ Step-by-Step Framework
1️⃣ Joint Governance & RACI — Stand up a SOX–Cyber steering committee; approve a shared glossary and decision rights.
2️⃣ Scope Alignment — Reconcile SOX in-scope systems with cyber “crown jewels”; map data flows & dependencies.
3️⃣ Unified Control Catalog — Harmonize ITGC + Security controls; cross-walk to COSO, COBIT, NIST CSF, ISO 27001.
4️⃣ Integrated Risk Assessment — Score risks by likelihood, financial materiality, detectability; link risks→controls→metrics in GRC.
5️⃣ Access & SoD by Design — Enforce JML, least privilege, quarterly recerts for privileged/financial roles.
6️⃣ Change Management Hardening — Segregated SDLC, code reviews, approvals, tested builds, auditable CI/CD gates.
7️⃣ Cyber Telemetry to SOX Assets — Tag privileged/financial events in SIEM; monitor vuln/patch SLAs & CSPM drift.
8️⃣ Unified Testing & Analytics — One calendar and test scripts; automate evidence; define KCIs/KRIs with thresholds.
9️⃣ Issues & Remediation SLAs — Single workflow from finding→fix→validation; risk-based timelines; root-cause prevention.
🔟 Continuous Improvement — Quarterly retros; update catalog/metrics; track tooling ROI and org change (M&A, new ERP, regions).

What you’ll get: Less duplication, stronger controls, and continuous assurance. Reporting that satisfies both the CFO and the CISO. Faster, audit-defensible remediation.
#SOX #ITGC #Cybersecurity #RiskManagement #InternalAudit #CISO #GRC #NISTCSF #COBIT #COSO #ISO27001 #DevSecOps #CloudSecurity #DataGovernance #BoardReporting
Integrating IT and Audit Functions
Summary
Integrating IT and audit functions means combining technology management with internal auditing, so organizations strengthen their security, improve data protection, and meet compliance requirements. This approach brings together IT experts and auditors to create unified systems for monitoring risks, controlling access, and reporting issues.
- Create shared processes: Establish regular collaboration between IT and audit teams to align roles, responsibilities, and goals for better oversight.
- Monitor access closely: Review user accounts, privileges, and database activity routinely to ensure sensitive information is protected from unauthorized actions.
- Automate remediation steps: Use digital tools to track, fix, and retest control issues quickly, reducing the risk of regulatory penalties and data breaches.
Dear Auditors, Database Audit and Access Reviews

Databases hold the crown jewels of every organization: sensitive data. Customer records, financial transactions, trade secrets, and analytics all live here. That’s why database auditing and access reviews are vital to every IT and cybersecurity audit.

📌 Understand the Database Landscape
Start by identifying all critical databases: production, development, and test. Many breaches start from overlooked non-production environments that hold live data. Make sure the inventory is complete.

📌 Review Access Controls
Who has access to the data? Check database roles and user accounts. Confirm that privileges align with job functions. Administrators, developers, and analysts should have only the access they need, nothing more.

📌 Privileged and Shared Accounts
Pay close attention to privileged accounts such as DBAs and service IDs. Are passwords shared? Are activities logged? Strong auditing means every privileged action should be traceable to an individual.

📌 Segregation of Duties (SoD)
No single person should be able to develop, approve, and deploy database changes. Review SoD matrices for key roles like developers, DBAs, and application owners. Lack of separation often hides unauthorized activity.

📌 Database Logging and Monitoring
Confirm that database audit logs are enabled. Logs should capture login attempts, privilege escalations, data exports, and schema changes. Review where logs are stored and how long they’re retained. Attackers often delete logs; auditors should ensure they can’t.

📌 Encryption and Masking
Sensitive data should not be stored in plain text. Review encryption controls for data at rest and in transit. Check whether test environments use masked or anonymized data to reduce exposure.

📌 Access Review Process
Periodic access reviews help maintain control. Ensure that managers regularly review user access lists and revoke access for inactive or transferred employees. The process should be documented, tracked, and verified.

📌 Audit Evidence
Key artifacts include user access listings, role definitions, privilege reports, audit logs, encryption configurations, and access review approvals. These provide assurance that database access is both controlled and monitored.

Strong database auditing builds confidence that data is protected from insider abuse and external compromise. It demonstrates that the organization not only stores information, it safeguards it.

#DatabaseSecurity #DataGovernance #ITAudit #CyberSecurityAudit #AccessControl #GRC #RiskManagement #InternalAudit #InformationSecurity #DataProtection #CyberVerge #CyberYard
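One way to automate the access-review checks this post calls for (owners who are inactive or unknown to HR, privileged accounts not traceable to an individual, and develop/deploy SoD conflicts), as an added example that is not part of the original post; the account export, HR roster and conflict matrix are constructed sample data, not an extract from any real system.

```python
"""Automated access-review checks over a database account listing.

All inputs below are constructed sample data for illustration only.
"""
from collections import defaultdict

# Constructed database account export: (account, owner, role, is_privileged).
# owner is None when the account cannot be attributed to a named individual.
DB_ACCOUNTS = [
    ("jsmith",  "jsmith",  "developer", False),
    ("mlee",    "mlee",    "dba",       True),
    ("kpatel",  "kpatel",  "analyst",   False),  # owner has left the company
    ("tnguyen", "tnguyen", "analyst",   False),  # owner has no HR record at all
    ("rgarcia", "rgarcia", "developer", False),
    ("rgarcia", "rgarcia", "deployer",  False),  # same person develops and deploys
    ("svc_etl", None,      "dba",       True),   # service ID with no named owner
    ("admin",   None,      "dba",       True),   # shared administrator login
]

# Constructed HR roster: owner -> employment status.
HR_ROSTER = {
    "jsmith": "active",
    "mlee": "active",
    "kpatel": "terminated",
    "rgarcia": "active",
}

# Role pairs one person must not hold together: the post's develop / approve /
# deploy separation for database changes.
SOD_CONFLICTS = {
    frozenset({"developer", "approver"}),
    frozenset({"developer", "deployer"}),
    frozenset({"approver", "deployer"}),
}


def orphaned_accounts(accounts, roster):
    """Accounts whose named owner is terminated or unknown to HR."""
    flagged = set()
    for account, owner, _role, _priv in accounts:
        if owner is None:
            continue  # unattributed accounts are handled by unattributed_privileged()
        if roster.get(owner) != "active":
            flagged.add(account)
    return sorted(flagged)


def unattributed_privileged(accounts):
    """Privileged accounts (DBAs, service IDs) not traceable to an individual."""
    return sorted({acct for acct, owner, _r, priv in accounts if priv and owner is None})


def sod_conflicts(accounts, conflicts):
    """Owners holding a conflicting role pair, as (owner, (role_a, role_b))."""
    roles_by_owner = defaultdict(set)
    for _account, owner, role, _priv in accounts:
        if owner is not None:
            roles_by_owner[owner].add(role)
    hits = []
    for owner, roles in sorted(roles_by_owner.items()):
        for pair in sorted(conflicts, key=sorted):
            if pair <= roles:
                hits.append((owner, tuple(sorted(pair))))
    return hits


def run_access_review(accounts=DB_ACCOUNTS, roster=HR_ROSTER, conflicts=SOD_CONFLICTS):
    """Bundle the three checks into one evidence record for the review file."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "unattributed_privileged": unattributed_privileged(accounts),
        "sod_conflicts": sod_conflicts(accounts, conflicts),
    }


if __name__ == "__main__":
    for check, findings in run_access_review().items():
        print(f"{check}: {findings or 'none'}")
```

Each finding maps to an artifact the post lists as audit evidence (user access listing, role definitions, access review approvals), so the output can be attached to the review record as-is.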
🧾 ISACA releases the new IT Audit Framework 🔍🌐

ISACA has published the 5th Edition of the IT Audit Framework, a major refresh that aligns #ITaudit with how technology (and #risk) actually look today: cloud ecosystems, AI/ML, automation, third-party dependence, and rising expectations for digital trust. ISACA also highlights that adherence to #ITAF is a requirement for #CISA certified professionals, which makes this update especially relevant for the global #audit community.

✅ ITAF has always provided structure for planning, performing and reporting IT audit work. What changed is the environment:
➡️ IT is no longer a closed perimeter; it’s a digital ecosystem across cloud/SaaS/APIs/third parties.
➡️ Audit teams are expected to deliver faster insights, use analytics, and operate closer to the business.
➡️ Emerging tech introduces new risk patterns that don’t fit “traditional control checklists.”

ITAF 5 is a response to that reality, modernizing terminology, scope, and practical guidance. #ISACA summarizes key updates in four themes:
✅ Modernized content and scope: ITAF 5 updates definitions and examples to reflect modern technologies like #cloudcomputing, #AI / #ML, and business automation, moving beyond the older “traditional IT controls” focus.
✅ Digital trust and emerging technology integration: Digital trust concepts are woven through the audit lifecycle, and the framework adds guidance for AI/ML auditing, aligned with ISACA’s broader AI audit resources.
✅ More practical and usable for organizations of all sizes: ISACA explicitly calls out improved clarity, more practical language, and better usability.
✅ Broader audit practices and governance expectations: The scope expands to include data analytics, agile auditing, continuous assurance, and #AIgovernance, plus stronger expectations around transparency and oversight of automated systems.

📘 What’s inside
ITAF 5 keeps a clear structure: Standards (mandatory), Guidelines (recommended), and Tools & Techniques, with Standards grouped into:
➡️ General Standards (1000 series): ethics, independence, objectivity, due care, proficiency, criteria, assertions
➡️ Performance Standards (1200 series): planning, risk assessment, evidence, supervision, use of experts, irregularities
➡️ Reporting Standards (1400 series): reporting and follow-up

🎯 Companion guidance
Alongside ITAF 5, ISACA also updated companion guidance, including Performance Guidelines 2208: Information Technology Audit Sampling. This is very practical in 2026 reality: massive logs, cloud events, identity records, CI/CD pipelines, and a constant push toward data-driven assurance. The guidance explicitly discusses statistical, nonstatistical, data-driven (analytics-enabled) and hybrid sampling approaches, and even addresses when sampling is inappropriate.

#cybersecurity #riskmanagement #ITGRC #TheSOC2 #ITGRCAdvisory #BWAdvisory #AkademiaITGRC CyberMadeInPoland Cyber London Jan Anisimowicz, PMP, CISM, CRISC, ESG
📢 Implementing IT Audit & GRC: A Smart Strategy for Security & Profitability

Organizations today must stay ahead of cyber risks and regulatory requirements. A well-structured IT Audit & GRC (Governance, Risk & Compliance) program helps ensure security, accountability, and long-term profitability.

🔑 Key Focus Areas in IT Audit & GRC Implementation:
1. Governance
 * Define security policies & roles
 * Align IT strategy with business goals
2. Risk Management
 * Conduct regular risk assessments
 * Maintain a risk register with mitigation plans
3. Compliance
 * Implement controls based on frameworks (ISO 27001, NIST, SOC 2)
 * Conduct regular internal audits & ensure documentation
4. Controls Implementation
 * Access management, change control, data protection
 * Monitoring & incident response planning
5. Automation & Tools
 * Use SIEM, GRC platforms, and compliance dashboards
 * Automate alerts, audits, and reporting
6. Training & Awareness
 * Regular employee training
 * Role-based security awareness programs

💼 Business Benefits of Adopting IT Audit & GRC:
✅ Reduce cyber risks and data breaches
✅ Build trust with customers & stakeholders
✅ Avoid regulatory penalties
✅ Improve operational efficiency
✅ Attract investors through transparency
✅ Strengthen brand reputation

🎯 GRC isn't just about security—it's a strategic investment for long-term growth.

#ITAudit #GRC #ISO27001 #RiskManagement #CyberSecurity #Compliance #ITGovernance #CloudSecurity #InfoSec #InternalAudit #SIEM #BusinessContinuity #ITCompliance #CISA #AzureSecurity
IT Audit Remediation

What is IT Audit Remediation?
IT audit remediation is the process of fixing failed IT General Controls and IT Application Controls before final testing. It ensures compliance with SOX and strengthens cybersecurity. Without proper remediation, organizations risk regulatory penalties, financial misstatements, and security breaches.

Key Steps in the Remediation Process
1. Identify Control Deficiencies
During ITGC/ITAC testing, auditors document failed controls and analyze the root cause (e.g., weak policies, misconfigurations). Deficiencies are categorized as low, medium, or high risk based on impact.
2. Communicate Findings
Control failures are reported to management, IT, and compliance teams. A remediation plan is developed, outlining corrective actions, timelines, and owners.
3. Implement Corrective Actions
Control owners apply fixes such as:
- Updating security policies and access controls.
- Enabling multi-factor authentication (MFA).
- Restricting privileged user access.
- Improving system logging and monitoring.
4. Retest the Control
Auditors verify remediation effectiveness through:
- Reviewing updated policies and security settings.
- Performing walkthroughs with control owners.
- Testing sample transactions to validate compliance.
- Checking system logs for proper enforcement.
5. Confirm Effectiveness & Report
If remediation is successful, the audit progresses. If the control fails again, further corrective actions are required.

How to Test Remediated Controls?
Testing remediated controls ensures that corrective actions have been implemented effectively and the risk has been mitigated. This involves:
1. Review Documentation – Check if updated policies, procedures, and system configurations align with compliance standards.
2. Perform Walkthroughs – Engage with control owners to demonstrate how the new process or control functions.
3. Test Sample Transactions – Select a set of transactions to confirm that the control consistently prevents or detects errors.
4. Check System Logs & Access Settings – Verify that security settings (e.g., access restrictions, logging mechanisms) are properly enforced.
5. Discuss with Stakeholders – Gather feedback from IT and compliance teams to ensure the fix is practical and sustainable.
6. Conduct Automated Control Checks – Use audit tools or scripts to validate system settings, access controls, and data integrity in real time.
If any issues persist during testing, additional adjustments may be required before the control is deemed effective.

What If a Control Fails Again?
1. Identify Why It Failed – Was the fix incomplete or ineffective?
2. Adjust the Remediation Plan – Strengthen policies, automate controls.
3. Apply Temporary Compensating Controls – Implement manual oversight or additional approvals.
4. Escalate to Senior Management – If high risk, inform leadership and regulators.
5. Extend Testing Timelines – If fixes require system upgrades or vendor changes.
ITGC Audit Playbook is a strategic guide to help organizations prepare for and navigate Information Technology General Controls (ITGC) audits. It outlines key control domains (Access Management, Change Management, IT Operations, SDLC and Security), detailing best practices and compliance strategies. The playbook offers step-by-step preparation, documentation guidance, audit response techniques and post-audit remediation planning. Designed for IT leaders, auditors and compliance teams, it serves as a practical tool to ensure robust control, regulatory alignment and effective risk management for systems impacting financial and operational integrity.

#ITGC #ITGCAudit #CIOLeadership #RiskManagement #ITControls Soumya Biswas Sanjib Chatterjee Swarnendu Sarkhel Abhijit Dutta
Audit, Risk & Compliance (ARC): The Three Pillars of Strong Governance

"Let me explain why Audit, Risk, and Compliance aren’t just checkboxes—they’re your governance backbone."

I’ve had this conversation many times with peers, clients, and boards. And here’s what I often say when someone asks, “How do you build strong governance?” You start with ARC:
- Audit
- Risk Management
- Compliance
Each has its role, but when aligned, they become a strategic force. Let me walk you through it from experience:

🔍 Audit is your independent lens.
Think of Audit as the team that tells you what’s happening. Their job is to verify that controls are working, not just existing on paper.
▶ Example: I once saw an internal audit uncover a $500K billing discrepancy no one had noticed. That wasn’t just cost savings; it was a control failure caught before it became reputational damage.
The best audit teams today use data analytics and real-time assurance tools to stay ahead. Traditional static audits no longer suffice.

⚠️ Risk is your radar.
Risk Management isn’t about stopping risk; it’s about knowing which risks matter, and how much risk you can take to grow. I’ve seen risk teams run scenario analyses ahead of market expansion that flagged FX volatility. With a solid hedging plan, they avoided a 7% EBITDA hit. That’s what proactive risk management looks like. And right now? The strongest risk programs I’ve seen are integrating AI, ESG risk, and third-party oversight into their frameworks.

✅ Compliance is your moral and legal compass.
Compliance isn’t just about avoiding fines. It’s about building trust internally and externally. A solid compliance program is the reason one company I worked with navigated new data privacy regulations across multiple countries without missing a beat or getting penalized. What’s changing? Compliance is becoming more automated, more behavior-driven, and more global. And that means compliance officers need better tech and a seat at the strategy table.

Now here’s the key: ARC only works when it's integrated. When Audit, Risk, and Compliance operate in silos, things fall through the cracks. But when they collaborate, sharing insights, aligning priorities, and using common platforms, governance becomes a value driver.

A recent PwC survey backs this up:
- 73% of execs say ARC alignment improves decision-making
- 65% plan to invest in integrated GRC platforms
- Over half say Internal Audit is now a transformation partner

If you’re leading or supporting ARC functions, my advice is simple: Don’t build walls, build bridges. The future of governance isn’t in functions. It’s in how those functions work together.

Let me know how ARC works in your organization today. Do the functions collaborate, or still operate in silos?

#Governance #InternalAudit #RiskManagement #Compliance #GRC #BoardEffectiveness #OperationalResilience #Leadership #3prm #tprm #GovernanceExcellence #RiskStrategy #ComplianceCulture
If you’re stepping into AI governance and wondering where to begin, this is your first map.

📘 The Artificial Intelligence Auditing Framework by The Institute of Internal Auditors Inc. is foundational — and that’s exactly why it works. It doesn’t assume expertise. It doesn’t skip steps. It builds a shared understanding of how auditors can engage with AI in a responsible, structured way.

🛠️ Why is it worth your time?
It translates AI risks into familiar audit terms — roles, controls, governance, assurance. It offers basic but comprehensive coverage of the most critical areas:
- Where and how to start mapping AI use in your organization
- What questions to ask across departments (especially when no formal AI policy exists)
- How to build a central AI inventory
- What to include in an acceptable use policy
- How to integrate AI into enterprise risk management
- Where the auditor fits in both advisory and assurance roles
- What the C-suite and Board need to hear — and how to say it

🔍 Inside the framework you'll find:
✅ Part 1 – Overview
- Covers AI history, adoption levels, and common architectures
- Explains key concepts like Reactive vs Limited Memory AI, and why they matter to auditors
✅ Part 2 – Getting Started
- Practical tools for identifying AI use across your organization
- Prompts for conversations with IT, legal, data teams, and the C-suite
- Tips on building AI inventories, classifying risks, and using the Three Lines Model
✅ Part 3 – AI Auditing Framework
- Outlines roles for Governance, Management, and Internal Audit
- Breaks down strategy, data governance, cybersecurity, vendor risk, and internal controls
- Links to COBIT, COSO, ISO 42001, and NIST AI RMF
- Aligns with assurance goals without overwhelming practitioners
✅ Part 4 – Practitioner’s Guide & Checklist
- A plain-language checklist to scope, assess, and document AI maturity and gaps
- Includes concrete action items like reviewing audit logs, inventorying use cases, and evaluating explainability

===
Did you like this post? Connect or Follow 🎯 Jakub Szarmach
Want to see all my posts? Ring that 🔔.
✳ Integrating AI, Privacy, and Information Security Governance ✳

Your approach to implementation should:

1. Define Your Strategic Context
Begin by mapping out the internal and external factors impacting AI ethics, security, and privacy. Identify key regulations, stakeholder concerns, and organizational risks (ISO42001, Clause 4; ISO27001, Clause 4; ISO27701, Clause 5.2.1). Your goal should be to create unified objectives that address AI’s ethical impacts while maintaining data protection and privacy.

2. Establish a Multi-Faceted Policy Structure
Policies need to reflect ethical AI use, secure data handling, and privacy safeguards. Ensure that policies clarify responsibilities for AI ethics, data security, and privacy management (ISO42001, Clause 5.2; ISO27001, Clause 5.2; ISO27701, Clause 5.3.2). Your top management must lead this effort, setting a clear tone that prioritizes both compliance and integrity across all systems (ISO42001, Clause 5.1; ISO27001, Clause 5.1; ISO27701, Clause 5.3.1).

3. Create an Integrated Risk Assessment Process
Risk assessments should cover AI-specific threats (e.g., bias), security vulnerabilities (e.g., breaches), and privacy risks (e.g., PII exposure) simultaneously (ISO42001, Clause 6.1.2; ISO27001, Clause 6.1; ISO27701, Clause 5.4.1.2). By addressing these risks together, you can ensure a more comprehensive risk management plan that aligns with organizational priorities.

4. Develop Unified Controls and Documentation
Documentation and controls must cover AI lifecycle management, data security, and privacy protection. Procedures must address ethical concerns and compliance requirements (ISO42001, Clause 7.5; ISO27001, Clause 7.5; ISO27701, Clause 5.5.5). Ensure that controls overlap, such as limiting access to AI systems to authorized users only, ensuring both security and ethical transparency (ISO27001, Annex A.9; ISO42001, Clause 8.1; ISO27701, Clause 5.6.3).

5. Coordinate Integrated Audits and Reviews
Plan audits that evaluate compliance with AI ethics, data protection, and privacy principles together (ISO42001, Clause 9.2; ISO27001, Clause 9.2; ISO27701, Clause 5.7.2). During management reviews, analyze the performance of all integrated systems and identify improvements (ISO42001, Clause 9.3; ISO27001, Clause 9.3; ISO27701, Clause 5.7.3).

6. Leverage Technology to Support Integration
Use GRC tools to manage risks across AI, information security, and privacy. Integrate AI for anomaly detection, breach prevention, and privacy safeguards (ISO42001, Clause 8.1; ISO27001, Annex A.14; ISO27701, Clause 5.6).

7. Foster an Organizational Culture of Ethics, Security, and Privacy
Training programs must address ethical AI use, secure data handling, and privacy rights simultaneously (ISO42001, Clause 7.3; ISO27001, Clause 7.2; ISO27701, Clause 5.5.3). Encourage a mindset where employees actively integrate ethics, security, and privacy into their roles (ISO27701, Clause 5.5.4).
In AuditBoard's 2024 Focus on the Future benchmarking report, survey respondents identified cybersecurity and IT as two top focus areas in Internal Audit’s 2024 audit plan. For those planning to audit these areas, it's important to keep in mind operational pain points commonly cited by Infosec, IT Compliance, and IT Operations colleagues.

- Infosec and IT teams frequently interact with various internal and external audit teams. They often face requests to provide the same data and documents repeatedly.
- Frequently, these auditors assess the same controls, leading InfoSec/IT control owners to repeatedly explain the same controls and answer identical control-related questions.
- Periodic testing might expose problems requiring InfoSec's remedies. Yet, due to multiple audit teams, InfoSec and IT could be managing varied issue lists, possibly duplicating action plan updates for different auditors.

Ironically, the time spent dealing with these pain points could be causing the control deficiencies, and taking focus away from other strategic IT and security projects.

For those Internal Audit teams that both want to provide assurance over cyber and IT controls, and help eliminate these pain points, here are two steps to consider adding to your audit programs:

1. Can you help create a unified risk and controls matrix for all teams with significant control responsibilities (e.g. Finance, IT and Compliance)? This matrix should seek to standardize control data and identify redundant controls managed by different parties. Having a unified risk and controls matrix can reduce redundant data requests, and identify opportunities for different audit teams to rely on each other’s work. A unified RCM can also help identify and address gaps in control coverage for key risks.
2. Can the issue management and remediation process of IT be consolidated with the remediation process of the internal audit or another department? Assigning issue management to one team can simplify trend identification and root cause analysis, aid in devising strategies to prevent future issues, and ensure responsibilities are handled by a capable team.

Attempting to eliminate these common IT and InfoSec pain points can help strengthen internal audit relationships, enhance IT control performance, and also serve as a foundational step in an organization's Connected Risk journey.

AuditBoard #internalaudit #ConnectedRisk #EnablingPositiveChange