u/Different_Scheme5176

What automation are you actually building or using in your audit/ITGC programs? Looking to swap ideas

Fellow auditors — curious what people are doing in the automation space across internal audit and ITGC programs. Not talking about theoretical AI stuff, but real, practical automation you’ve actually implemented or are working on.

A couple of things I’m currently working on or have built:
- Termination control automation using a script to streamline access revocation monitoring and evidence collection
- Exploring AI prompts combined with Power Automate for UAR evidence collection, email notifications, and tracking — still building it out but excited about where it’s heading

Would love to hear what others are doing beyond just SOX:
- What processes have you automated in operational audits, risk assessments, or continuous monitoring?
- Has anyone used AI tools like Claude or ChatGPT in a meaningful way in their audit workflow?

Always looking to learn from what others are doing drop your experience below.

reddit.com
u/Different_Scheme5176 — 5 days ago
▲ 17 r/CISA+1 crossposts

10 years in IT audit but mostly SOX — feel stuck. How do I take my career to the next level?

Throwing this out to the audit/GRC community for honest feedback.

Background:

I have been in IT audit for about 10 years but want to be upfront — the majority of my experience is IT SOX compliance specifically, not broad IT audit. The last 4+ years I owned and built an IT SOX/ITGC program from the ground up at a mid-to-large company — framework, scoping, GRC platform implementation, control owner training, external auditor relationships, and executive reporting. Before that, a large enterprise SOX program (47+ applications, 500+ controls) and public accounting doing IT audit and SOC work. CISA certified. I have also built compliance automation using Power Automate.

Outside of SOX I have minimal exposure — some operational audits, SOC 1 Type 2 reviews, brief ERM involvement. Not enough to call any of it core experience.

The problem:

I know the difference between IT SOX and IT audit broadly. SOX is a defined compliance exercise. Real IT audit requires risk-based topic selection, audit planning, and judgment I haven't built enough reps on. When I read JDs outside of SOX I feel underqualified despite 10 years in the workforce.

My questions:

If you moved from heavy IT SOX into something broader — what was it and was your SOX background an asset or a limitation?

If staying in audit — what types of IT audits would add the most value to a SOX-heavy resume?

What non-audit roles do you think this background realistically supports without starting over — GRC, IT Risk, Internal Controls, AI Governance?

Is 10 years of deep IT SOX experience a ceiling or a foundation?

No sugarcoating. Just honest takes.

reddit.com
u/Different_Scheme5176 — 10 days ago