Sign up to save your podcasts
Or
Share Audit ≠ Security: Building Auditable Controls in a High-Velocity World ft Varun Prasad, Cloud Security & Privacy Assurance @ BDO
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Audit ≠ Security: Building Auditable Controls in a High-Velocity World ft Varun Prasad, Cloud Security & Privacy Assurance @ BDO
Audits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audits, Varun explains why “auditable controls” are the missing link between fast-moving engineering teams and slow, annual audit cycles — and how organizations can stop treating audits as an afterthought and start using them as a trust-building mechanism.
Key Takeaways:
- Audits are designed to provide reasonable assurance, not eliminate all risk
- The biggest failure in modern GRC is building controls that are automated but not auditable
- Continuous controls monitoring only works if auditors can validate completeness and accuracy
- Screenshots persist because they remain the clearest way to demonstrate system state over time
- Security controls should be built to improve posture first — and explained clearly second
What You’ll Learn:
- Why audit skepticism is a feature, not a flaw
- How internal and external audits serve fundamentally different purposes
- Where continuous monitoring breaks down from an auditor’s perspective
- What “auditable controls” actually mean in CI/CD environments
- How AI can assist auditors without replacing human judgment
This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com
Watch more episodes: https://www.compliancecow.com/podcast
Connect With Our Guest:
Varun Prasad | Cloud Security & Privacy Assurance | BDO
Connect on LinkedIn: https://www.linkedin.com/in/varunprasad/
Rate, review, and share if you enjoyed the show!
Subscribe to Security & GRC Decoded wherever you get your podcasts:
Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
Apple Podcasts:
https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450
View all episodes
By Raj KrishnamurthyAudits are often misunderstood, frequently disliked, and almost always viewed as a necessary evil — but what if that mindset is holding security teams back? In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Varun Prasad to unpack what audits are actually designed to do: provide reasonable assurance, not absolute security. Drawing on more than two decades of experience across internal and external audits, Varun explains why “auditable controls” are the missing link between fast-moving engineering teams and slow, annual audit cycles — and how organizations can stop treating audits as an afterthought and start using them as a trust-building mechanism.
Key Takeaways:
- Audits are designed to provide reasonable assurance, not eliminate all risk
- The biggest failure in modern GRC is building controls that are automated but not auditable
- Continuous controls monitoring only works if auditors can validate completeness and accuracy
- Screenshots persist because they remain the clearest way to demonstrate system state over time
- Security controls should be built to improve posture first — and explained clearly second
What You’ll Learn:
- Why audit skepticism is a feature, not a flaw
- How internal and external audits serve fundamentally different purposes
- Where continuous monitoring breaks down from an auditor’s perspective
- What “auditable controls” actually mean in CI/CD environments
- How AI can assist auditors without replacing human judgment
This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com
Watch more episodes: https://www.compliancecow.com/podcast
Connect With Our Guest:
Varun Prasad | Cloud Security & Privacy Assurance | BDO
Connect on LinkedIn: https://www.linkedin.com/in/varunprasad/
Rate, review, and share if you enjoyed the show!
Subscribe to Security & GRC Decoded wherever you get your podcasts:
Spotify: https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683
Apple Podcasts:
https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450