As I've mentioned in this space a few times over the last month, I'm currently writing a story on Sarbanes-Oxley compliance. But it is quickly turning into an IT audit story. The CIOs I have talked to so far all have horror stories about auditors giving them conflicting information or no information at all. One CIO described watching helplessly as his internal and external auditors yelled at each other over which auditing standard to use. Another came up with a list of 185 controls, but her auditors wouldn't tell her which ones were unnecessary, so now she has 185 controls to enforce.

I took an educated guess in the previous posts that compliance has been a manual process. I can confirm that this is mostly true: one source bought a system a year ago but hasn't had a chance to learn how it works yet, let alone put it into production. Also, the IT audit is taking way too much time.

So, in the interest of helping out the readers who haven't had their first IT audit yet, here are the five most common control weaknesses:

1. Improper account provisioning and segregation of duties
2. Insufficient controls for change management
3. A general lack of understanding of key system configurations
4. Audit logs not being reviewed (or the review itself not being logged)
5. Abnormal transactions not being identified in a timely manner

For the readers who have gone through an audit, does that list sound right? Also, how many controls did you end up documenting (185 sounds high to me)? Are there ones that your auditor told you aren't really necessary? And as always, if you want to vent, well, that's what the comment section is for.