IT SOX Audit, readiness


  • For new and existing clients: Scoping, risk assessment, design of IT processes, IT General Controls (ITGC), IT Automated Controls (ITAC) and IT-dependent manual controls, implementation of the aforementioned controls, training for relevant personnel, execution of internal audits, remediation support, management assessments, and audit representation for external audits.


  • For established and complex environments: Control rationalization, Segregation of duties analysis, Design of mitigating controls.

SSAE16, SOC1, SOC2, SOC3 Attestation

  • Perform an initial gap analysis and create a gap assessment report.
  • Identify the business requirements of the report users.
  • Provide detailed readiness support:
    • Assess the design and operating effectiveness of controls.
    • Remediate the control gaps.
    • Transition from SAS70 to SSAE16.
  • Rigorous and efficient control testing.

PCI DSS Readiness

  • Scoping support.
  • Policies and procedures development support.
  • PCI gap analysis and documentation support.
  • Controls prioritization and gap remediation support.
  • PCI-QSA and ASV support and liaison with external PCI auditors.
HIPAA Readiness

  • Scope optimization.
  • Policies and procedures development support.
  • Perform a HIPAA risk assessment encompassing the Security Rule, Privacy Rule, HITECH Act and Omnibus Rule, and document the gaps.
  • Gap remediation support.
Certification and Accreditation Support

  • Scoping and inventory of information systems.
  • Information system categorization support based on risk level.
  • Risk assessment and system security plan support based on NIST guidelines.
  • Certification and accreditation support.

ISO 27001 Readiness

  • ISMS scope definition, ISO 27001 gap assessment report and implementation roadmap.
  • Policies, processes and guidelines required for ISO 27001 compliance.
  • Implementation support.
  • Liaison with external auditors.



Enterprise IT Risk Assessment

  • Identify an approach to perform the IT risk assessment.
  • Establish a common risk language across the organization and a risk committee to coordinate activities of the risk functions.
  • Identify and describe the risks in an “Information security risk register”.
  • Implement a risk-ranking methodology to prioritize risks within and across functions, and support risk mitigation.

Security Architecture Review

  • Perform a security architecture review that examines all layers of the network architecture – including but not limited to network design, external connections, hosts, servers, business logic, staging areas, procedures, and quality assurance – to identify security vulnerabilities.
  • Deliver an assessment report documenting the findings of the security architecture review with recommendations for improvement.



Web Application Penetration Testing

  • Perform testing to reveal security vulnerabilities resulting from web application implementation errors.
  • Expose weaknesses stemming from the web application’s relationship to the rest of the IT infrastructure.
  • Assess web application security versus real-world attacks through manual and automatic techniques.
  • Identify security flaws in the web application and prioritize the findings to support risk mitigation.



External Network Penetration Testing

  • Perform testing from outside the corporate network to reveal security vulnerabilities in the infrastructure.
  • Prioritize the findings based on the risk level.
  • Risk mitigation support.


Wireless Security Assessment

  • Investigate physical installation of access points.
  • Review existing wireless security policies, architecture and configurations.
  • Analyze security gaps and recommend improvements.

Code Review

  • Identify the code review scope and objectives.
  • Perform the code review on the base code in small chunks instead of reviewing the code separately for each and every project.
  • Perform three-stage code review iterations to identify the bugs that are unique to the application architecture.
  • Prioritize the findings and mitigate them.
  • Recommend compensating controls.

Vendor Risk Assessment

  • Identify the scope of the assessment.
  • Assess information risks.
  • Identify internal and external constraints for the vendor risk assessment.
  • Liaise between functional units and the vendor to get the vendor information security questionnaire completed.
  • Prepare a gap assessment with findings for improvement.
  • Follow up with the vendor to make sure the identified risks are mitigated.