AI · Cyber
IT Audit
IT audit, in the way I practice it, is not the annual ritual of testing controls a quarter after the fact. It is the discipline that gives a board, an external auditor, and an institutional investor a reasoned, evidenced view that the systems running the enterprise — financial, operational, and increasingly model-driven — actually do what management says they do.
An audit opinion is only as good as the operating reality underneath it. My job is to make the operating reality auditable in the first place — so the opinion writes itself and the surprises end.
What I am actually auditing
From financial integrity to enterprise risk
The boundary of IT audit has moved. Twenty years ago it ended at the general ledger and the access controls around it. Today it has to cover every system that touches a number a CFO will sign, every model that influences a customer outcome, and every third party with a key to the environment. I run the engagement to that wider boundary on purpose, because that is where the risk now lives.
In practice that means three concentric rings: the financial close and the IT general controls under it; the operational systems that feed revenue, billing, and customer outcomes; and the enterprise risk posture that boards, regulators, and rating agencies are now scoring. One audit, three rings, one set of evidence — not three disconnected reviews that contradict each other.
The components
What a credible IT audit posture looks like
These are the components I expect to see — and to be able to evidence — in any enterprise that calls itself audit-ready.
- ITGC under the financial close: Access, change, and operations controls over every system in scope for the financial statements — tested continuously, not at year-end. If the auditor is discovering exceptions in October, the operating model is broken, not the testing.
- SOX & internal controls over financial reporting: A risk-ranked control set tied to actual financial statement assertions, walkthroughs that match the system as built, and exceptions that are remediated and re-tested before the opinion — not after.
- Segregation of duties & privileged access: An SoD ruleset enforced in the identity layer, with a quarterly review of toxic combinations and standing privileged access. Most material weaknesses I have seen started as a convenience that became a habit.
- Change management & release governance: Every production change traceable from ticket to commit to deployment to approver — including emergency changes, vendor changes, and AI-generated changes. The audit trail has to survive a forensic review, not just a checklist.
- Third-party & SOC report consumption: A live inventory of critical service providers, the SOC 1 / SOC 2 reports they produce, and the complementary user entity controls the enterprise actually operates. A SOC report you cannot map to your own controls is a comfort blanket, not assurance.
- Data integrity & reconciliations: End-to-end reconciliations across the systems of record, the data warehouse, and any AI or analytics layer drawing from them. If the number on the dashboard does not tie to the number in the GL, the dashboard wins the argument and the audit loses.
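As an added illustration of the segregation-of-duties and privileged-access review described above (not tooling from this page or its author), the script below runs a constructed toxic-combination ruleset over a constructed identity-layer entitlement export and emits rows shaped for a single issues register. Rule ids, entitlement names, and users are all constructed sample values.

```python
"""Quarterly SoD / standing-privileged-access review over a constructed export.

Added illustration, not the page's own tooling. Every rule, user and
entitlement below is constructed sample data.
"""
from collections import defaultdict

# Toxic combinations: holding both entitlements lets one person both initiate
# and approve the same kind of transaction (constructed ruleset).
TOXIC_RULES = {
    "SOD-01": ("vendor.create", "payment.approve"),
    "SOD-02": ("journal.post", "journal.approve"),
    "SOD-03": ("user.provision", "user.approve"),
}

# Standing privileged roles that should be time-bound and reviewed each quarter.
PRIVILEGED = {"prod.admin", "db.dba"}

# Constructed identity-layer export: user -> set of entitlements held.
ENTITLEMENTS = {
    "alice": {"vendor.create", "payment.approve"},
    "bob": {"journal.post"},
    "carol": {"journal.post", "journal.approve", "prod.admin"},
    "dave": {"user.provision"},
}


def sod_exceptions(entitlements=ENTITLEMENTS, rules=TOXIC_RULES):
    """Return {user: [rule_id, ...]} for every user holding a toxic combination."""
    found = defaultdict(list)
    for user, ents in entitlements.items():
        for rule_id, (a, b) in rules.items():
            if a in ents and b in ents:
                found[user].append(rule_id)
    return dict(found)


def standing_privileged(entitlements=ENTITLEMENTS, privileged=PRIVILEGED):
    """Return {user: sorted privileged roles} for users with standing privileged access."""
    return {u: sorted(e & privileged) for u, e in entitlements.items() if e & privileged}


def review_register(entitlements=ENTITLEMENTS):
    """One issues-register row per finding; owner is assigned during the review."""
    rows = []
    for user, ids in sorted(sod_exceptions(entitlements).items()):
        for rule_id in ids:
            rows.append({"user": user, "finding": rule_id, "owner": None})
    for user, roles in sorted(standing_privileged(entitlements).items()):
        rows.append({"user": user, "finding": "PRIV:" + ",".join(roles), "owner": None})
    return rows
```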
Enterprise risk posture
Where IT audit meets enterprise risk
Audit committees do not want a control list. They want to know whether the enterprise can take the risk it is taking. That is an enterprise risk question, and IT audit is the discipline that supplies the evidence base for it.
- Risk taxonomy & appetite: A shared taxonomy for technology, cyber, model, and operational risk — scored against an explicit, board-approved appetite. Heatmaps without an appetite statement are decoration.
- Continuous control monitoring: Automated monitoring of the controls that matter most, with exceptions routed to named owners and aging tracked. The era of point-in-time testing is over for any control worth relying on.
- Issue management & remediation: A single issues register that audit, risk, and compliance all draw from — with severity, owner, target date, and evidence of closure. One register, not three.
- Audit committee reporting: A standing committee report that maps audit findings to risk appetite to remediation status, in the language the committee already uses for credit, market, and operational risk.
How it runs
The operating cadence
The cadence I install is monthly at the control owner layer, quarterly at the audit committee, and annually at the full board — with continuous monitoring underneath so nothing waits for a calendar to surface. External auditors get a single, curated evidence room rather than chasing artifacts function by function. Management certifications are signed against evidence that already exists, not assembled in the week before.
Done this way, IT audit stops being the function the business hides from and starts being the function that lets the business move faster — because every material decision has a defensible record, and the audit committee can answer the questions it is being asked.
If your audit committee is still being surprised in the fourth quarter — or your external auditor's findings keep arriving as news — the operating model under the audit needs work, not the audit itself. That is the room I'm built for.