
Controls testing across infrastructure, applications, and third parties. Scoped to the examination cycle, written to outlast it.
Examiners ask 'show me.' We build for that.
IT audit is where most institutions discover their controls are theoretical. The policy says backups are tested quarterly; the evidence shows the last test ran in August. The access matrix says a terminated user's access is removed within 24 hours; the access report shows three accounts still active four months after separation. We find these gaps before the examiner does.
Our scope covers infrastructure (servers, network, cloud), application controls (core banking, loan origination, payments), identity and access management, change management, vulnerability and patch management, data classification, and third-party / vendor risk. We run testing on a frequency that matches your examination cycle, with workpapers that travel.
This is the practice where the offshore team earns its keep. Testing 200 user-access samples is not work that requires a partner. Designing the sampling, reviewing the exceptions, and naming what they mean — that is.
Infrastructure: Server hardening, network segmentation, cloud configuration, encryption at rest and in transit.
Application controls: Input validation, authorization, segregation of duties, calculation accuracy in core systems.
Identity and access management: Provisioning, deprovisioning, privileged access, periodic access reviews, MFA enforcement.
Change management: Change tickets, approval workflow, segregation between development and production.
Vulnerability and patch management: Scan cadence, exception tracking, remediation timelines, exemption governance.
Third-party / vendor risk: Onboarding diligence, ongoing monitoring, SOC report review, concentration risk.
1. System inventory, control universe, prior-examination findings reviewed.
2. Walkthroughs, sample selection, evidence requested, exceptions tracked.
3. Exceptions analyzed, root cause named, severity rated, remediation discussed.
4. Report drafted, vetted with IT and management, presented to the committee.
Risk Advisory · Internal Controls · 27 yrs
Andres has run IT audit programs at banks, fintech sponsor-bank relationships, and Fortune 1000 institutions. He sits on the engagement for every examination cycle.
We do not perform penetration testing or red-team exercises. Those are a different discipline, and we keep a short list of firms we trust to do them — happy to share names.