IT audit and compliance monitoring
| |

The IT Audit That Nobody Actually Does

There is a rhythm that most organisations fall into with their IT governance. An annual audit happens. The report comes back amber-to-green. The board receives a reassuring summary. Everyone moves on.

Six months later, something goes wrong that the audit missed. Sometimes that something is a minor operational frustration. Sometimes it is a breach.

The audit was not lying. The environment was clean when it was checked. What the audit did not capture is what happened between the check and the incident — because environments do not stay still.

The gap has a name: configuration drift

Every time a staff member joins and gets provisioned access that nobody reviews when they leave, the environment drifts. Every time a new cloud tool gets signed up for on a corporate credit card without going through IT, the environment drifts. Every time a server gets stood up for a project and nobody decommissions it when the project ends, the environment drifts.

None of this is negligence. It is just what happens when human beings run technology in a business that is focused on doing its actual work. The problem is that an annual audit is a photograph. Your environment is a video. The photograph looked fine. The video is a different matter.

Configuration drift is not theoretical. It is the default state of any IT environment that is maintained by humans who have other jobs to do. The question is not whether drift happens — it is how quickly you detect and correct it.

Shadow IT is not a small problem

The term shadow IT covers everything that runs in your organisation outside of the knowledge of the IT function. According to most estimates, organisations use between two and ten times more software applications than their IT departments know about. Some of this is harmless — a team using a free scheduling tool. Some of it is not — a team storing customer data in a personal Dropbox account, or using a free AI tool that processes confidential documents through a third-party server.

POPIA has made this more consequential for South African businesses. If customer data touches an application that has not been through your procurement process, you almost certainly have a data processing agreement gap. That is a compliance exposure regardless of whether anything bad has happened.

The practical challenge is that shadow IT is invisible to the people who are supposed to manage it. You cannot govern what you cannot see. By the time most organisations discover shadow IT, it is because something went wrong — a data leak, a vendor breach, an audit finding. Discovery after the fact is expensive.

Access rights accumulate faster than they are reviewed

Every joiner gets provisioned. Movers — people who change roles internally — rarely get their old access removed when they take on new access. Leavers often retain system access for weeks or months after their departure because the offboarding process involves an HR checklist and the IT deprovisioning is a separate step that gets missed when everyone is busy.

The result is that most organisations have a meaningful number of accounts with access rights that no longer reflect what those people actually do or whether they still work there. This is not hypothetical — it is the most common finding in any honest access review. We wrote about why identity is the front door and why annual access reviews are not enough.

What it would take to stay on top of it

Manual reviews at any meaningful scale are not realistic. A quarterly access review conducted by hand across a hundred-person organisation is a significant time investment that produces results accurate at the moment of completion and stale by the following week.

What actually works is continuous automated monitoring — something that flags the gap when it appears rather than discovering it six months later. When an account has not been used in ninety days, flag it. When a device appears on the network that is not in the asset register, flag it. When a new application starts consuming bandwidth from a corporate network, flag it.

The key insight is that the monitoring does not need to be sophisticated. It needs to be continuous and it needs to cover the things that actually change — assets, access, configurations, and patches. Not a quarterly deep dive. A live view that updates as the environment changes.

From audit to awareness

This is the model Claritam is built on. Not a better audit. A live picture of what is actually happening, with human review focused on the things that need a judgment call rather than the things that should have been caught automatically.

For the advisory side of these questions — what the findings mean, how to prioritise remediation, what to tell the board — Greg Hay works with South African organisations on exactly this. The combination of continuous monitoring and experienced advisory is what closes the gap between a clean audit report and a clean environment.

Want a Real Picture of Your IT Environment?

Claritam gives you continuous visibility into your assets, access, and compliance posture — not a snapshot from the last audit. Talk to us about a live assessment.

Request Assessment →

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *