Recently worked with Rhymetec and BD Emerson on SOC 2 engagements and both of the vCISOs were acting like they’ve never been in an audit before or were confused about controls from the type 1? I did some digging and some of the “vCISO”s have 2 years of experience? Who is actually paying for this shit?
Has anyone found a firm where you haven’t questioned leadership/management on the quality/practices(IE: not looking at policies/procedures(or omitting statements) or scared to call out exceptions). A lot of firms claim they’re doing things the right way but I have found this false after working at a bunch of them and reviewing prior work of managers who are still there. (This isn’t a place to to post random audit firms you worked with unless you’re a framework expert)