As I’ve mentioned in this space a few times over the last month, I’m currently writing a story on Sarbanes-Oxley compliance. But it is quickly turning into an IT audit story. The CIOs I have talked to so far all have horror stories about auditors giving them conflicting information or no information at all. One CIO described watching helplessly as his internal and external auditors yelled at each other over which auditing standard to use. Another came up with a list of 185 controls, but her auditors wouldn’t tell her which ones were unnecessary, so now she has 185 controls to enforce.

I took an educated guess in the previous posts that compliance has been a manual process. I can confirm that this is mostly true—one source bought a system a year ago but hasn’t had a chance to learn how it works yet, let alone put it into production. Also, the IT audit is taking way too much time.

So in the interest of helping out the readers who haven’t had their first IT audit yet, here are the five most common control weaknesses:

- Improper account provisioning with segregation of duties
- Insufficient controls for change management
- A general lack of understanding around key system configurations
- Audit logs not being reviewed (or that review itself not being logged)
- Abnormal transactions not identified in a timely manner

For the readers who have gone through an audit, does that list sound right? Also, how many controls did you end up documenting (185 sounds high to me)? Are there ones that your auditor told you aren’t really necessary?

And as always, if you want to vent, well, that’s what the comment section is for.