As I’ve mentioned in this space a few times over the last month, I’m currently writing a story on Sarbanes-Oxley compliance. But it is quickly turning into an IT audit story. The CIOs I have talked to so far all have horror stories about auditors giving them conflicting information or no information at all. One CIO described watching helplessly as his internal and external auditors yelled at each other over which auditing standard to use. Another came up with a list of 185 controls, but her auditors wouldn’t tell her which ones were unnecessary, so now she has 185 controls to enforce.

I took an educated guess in the previous posts that compliance has been a manual process. I can confirm that this is mostly true: one source bought a system a year ago but hasn’t had a chance to learn how it works yet, let alone put it into production. Also, the IT audit is taking way too much time. So, in the interest of helping out the readers who haven’t had their first IT audit yet, here are the five most common control weaknesses:

Improper account provisioning and inadequate segregation of duties
Insufficient controls for change management
A general lack of understanding of key system configurations
Audit logs not being reviewed (or that review itself not being logged)
Abnormal transactions not identified in a timely manner

For the readers who have gone through an audit, does that list sound right? Also, how many controls did you end up documenting (185 sounds high to me)? Are there ones that your auditor told you aren’t really necessary? And as always, if you want to vent, well, that’s what the comment section is for.