Covers logical access controls over systems, including user provisioning, access reviews, segregation of duties, and termination processes. Ensures only authorized users can access sensitive systems and data.

Addresses processes for managing changes to systems, applications, and databases: including design, approval, testing, and deployment. Ensures changes are authorized, tested, and properly documented.

Involves job scheduling, backup and recovery, incident management, and system monitoring to ensure systems operate as intended and recover appropriately after failures.

Focuses on system development lifecycle (SDLC) governance, including new system implementation, migration activities, and data integrity during deployment.

Focuses on the design and operating effectiveness testing of IT General Controls that support financial reporting, including user access, change management, and system operations controls.

Evaluates controls relevant to user entities’ internal control over financial reporting (ICFR). Involves understanding control objectives, testing operating effectiveness, and reviewing subservice organizations and complementary user controls.

Covers evaluation and testing of operational and security controls based on the AICPA Trust Services Criteria. Involves reviewing control design and effectiveness across key domains such as cybersecurity, system availability, and data privacy.

Framework for managing and reducing cybersecurity risk through identification, protection, detection, response, and recovery functions. Often used to benchmark and assess IT Risk maturity.

International standards providing requirements and guidance for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Framework for IT governance and management used to align IT strategy with business objectives and ensure effective control and compliance.

ERP systems such as SAP, Oracle, Workday, or NetSuite. Experience with user access reviews, configuration controls, automated control testing, or audit extraction processes within these environments.

Knowledge of database-level controls (SQL Server, Oracle DB, MySQL, etc.), system configurations, or infrastructure-level security and monitoring.

Automated controls embedded within systems to ensure completeness, accuracy, and validity of transactions. Includes configuration testing, data interface controls, and system-dependent calculations.

Data analytics and GRC platforms help automate testing, streamline issue tracking, and provide insight into control effectiveness and risk trends across large environments.