EN ES
Request a consultation

Practice area

IT audit.

Controls testing across infrastructure, applications, and third parties. Scoped to the examination cycle, written to outlast it.

The practice

IT controls that pass examination — and stay passable.

Examiners ask 'show me.' We build for that.

IT audit is where most institutions discover their controls are theoretical. The policy says backups are tested quarterly; the evidence shows the last test ran in August. The access matrix says terminated users are removed within 24 hours; the report shows three accounts active four months past separation. We find these gaps before the examiner does.

Our scope covers infrastructure (servers, network, cloud), application controls (core banking, loan origination, payments), identity and access management, change management, vulnerability and patch management, data classification, and third-party / vendor risk. We run testing on a frequency that matches your examination cycle, with workpapers that travel.

Testing 200 user-access samples is not work that requires a partner. Designing the sampling, reviewing the exceptions, and naming what they mean — that is.

The work

The work in this practice, named.

  1. Infrastructure controls Server hardening, network segmentation, cloud configuration, encryption at rest and in transit.
  2. Application controls Input validation, authorization, segregation of duties, calculation accuracy in core systems.
  3. Identity & access Provisioning, deprovisioning, privileged access, periodic access reviews, MFA enforcement.
  4. Change & release Change tickets, approval workflow, segregation between development and production.
  5. Vulnerability & patch Scan cadence, exception tracking, remediation timelines, exemption governance.
  6. Third-party / vendor risk Onboarding diligence, ongoing monitoring, SOC report review, concentration risk.
A typical engagement

An IT audit cycle, end to end.

Phase Timing Deliverable
Scoping Weeks 1–2 System inventory, control universe, prior-examination findings reviewed.
Testing Weeks 3–10 Walkthroughs, sample selection, evidence requested, exceptions tracked.
Findings Weeks 11–13 Exceptions analyzed, root cause named, severity rated, remediation discussed.
Reporting Weeks 14–16 Report drafted, vetted with IT and management, presented to the committee.
Related practice areas