If you are a small audit shop (5-10 professionals), what audit documentation tools do you use? I am trying to find a tool that would save time in documentation but would not be costly.

4.3k views2 Upvotes4 Comments

Sort by:

Information Security Manager9 months ago

CISO assistant has an open source version and supports audits against many different frameworks

Senior Manager Internal Audit in Travel and Hospitality9 months ago

For a small audit shop of 5-10 professionals, an Excel-based system works perfectly fine if structured well. It’s cost-effective, easy to customize, and flexible enough to handle risk matrices, audit programs, and findings trackers. Pairing it with SharePoint or Teams can add collaboration and version control, making it even more efficient. If you’re looking for something slightly more advanced without breaking the bank, tools like AuditBoard and ZenGRC might be worth exploring. In my opinion, the key is to keep it simple, ensure consistency with templates, and choose something that fits your team's needs without overcomplicating things.

Finance Manager in Healthcare and Biotech10 months ago

We use Audimex, and I also know IboQSR from the past. Both are German vendors.

Internal Audit Specialist in Energy and Utilities10 months ago

there is lots of competition for software that automates working papers (e.g., AutoAudit, TeamMate). Go price them. Some smaller software vendors probably aren't keeping up with enhancing their tools to become new Governance/Risk/ Control software that combines enterprise risk management, first line of defense, and audit working papers (and more). These lagging software companies probably lowered their prices to keep business. When you price out the software vendors, also check out how easy it is for you to run reports. Some software almost needs an IT specialist to run reports, while others are more intuitive for casual users.

Content you might like

What’s the top cybersecurity challenge concerning your organization right now?

AI-driven threats (deepfakes, automated attacks) 19%

Software supply chain risks 19%

Insider risk (both malicious & accidental) 10%

Regulatory compliance 9%

Cloud misconfigurations 11%

Shadow IT (or shadow AI) 11%

Ransomware 7%

Talent shortage in cybersecurity10%

Something else (comment to explain)4%

View Results

We would like to know what is the best advanced threat detection / prevention security control that provides the most bang for buck for a large organisation that wants to enhance its security posture to better detect and mitigate advanced threat actors.

Main goals are to reduce dwell time, enrich alerts, reduce SOC engineer incident response time, illicit targeted threat intelligence to compliment 3rd party Threat Intelligence providers

Network Detection and Response (NDR)21%

Endpoint Detection and Response (EDR)47%

Extended Detection and Response (xDR = NDR / EDR / CDR)62%

Intrusion Detection & Prevention Systems (TLS Decrypting) IDPS34%

Deception Technology (External Only)10%

Deception Technology (Internal Only)16%

Deception Technology (External & Internal)8%

View Results

How are you addressing technical debt risk resulting from AI coding tools? Have you established specific processes to manage vulnerabilities in AI-generated code, and are you collaborating with software engineering or other teams using these tools?

What sorts of challenges have you encountered in adapting your governance framework to address AI adoption across business units, and how are you attempting to resolve these?

Are you seeing changes in the quality or speed of threat intelligence from sources you relied on in previous years? Can you share how you are being impacted so far by the uncertainty around public-private partnerships for cyber information sharing?