Fractional IT controls expertise for companies that can't afford a finding — delivered in weeks, not quarters, by a CISA-certified practitioner with 15+ years at EY, Deloitte and Fortune 500s.
Book a 15-Minute Call →A single material weakness costs far more than the controls work required to prevent it — in audit fees, board scrutiny, and the management time consumed responding to findings. The companies that get it right don't get lucky. They have the right expertise on-call before fieldwork begins.
Reviewers don't understand what "complete and accurate" means. Terminated users slip through. The auditor finds it, and now you have a finding to respond to — on their timeline, not yours.
The documentation precision required under SOX is foreign to companies that have never been through it. Pre-IPO, SPAC, or newly public — you don't know what you don't know until the auditor tells you.
You've received a control deficiency notice mid-audit. Most companies have no one internally who can tell the difference between "this looks bad but is fine" and "this is genuinely broken." That call has to be made fast.
Every engagement is scoped to a specific problem and delivered with audit-ready output. Pick what fits where you are right now.
Your semi-annual User Access Review campaign, run end-to-end. I generate the evidence, document completeness and accuracy, prep all reviewer files, reconcile against active staff listings, and catch terminated users before the auditor does. You receive fully audit-ready output — I handle the campaign execution.
A structured assessment of your current IT control environment — what's broken in user access and change management — before the auditor finds it. You get a gap analysis and 90-day remediation roadmap that tells you exactly what to fix, in what order, and what "good" documentation looks like. Ongoing advisory retainers are also available for companies that want coverage through audit season.
I review your drafted audit responses and evidence packages before they go to the auditor — reframing what looks like a deficiency into a compliant control, drafting management responses to existing findings, and coaching your team on how to present evidence correctly. For companies mid-audit with a preliminary finding, this is the engagement that keeps a "significant deficiency" from becoming final. Retained hourly advisory is also available during active fieldwork.
I've been the person inside the organization who kept the auditors from finding anything, and I have been the auditor looking for control weaknesses and gaps. I've managed user access review campaigns for multi-billion dollar organizations, managed SSAE 18 SOC 2 examinations and CUEC mappings, and led SOX-404 integrated audits for a variety of industries with a focus in financial services, manufacturing, healthcare and the U.S. government to name a few. That playbook is what I bring to every engagement — not a methodology I'm still building.
Transformed environments with multiple material weaknesses into 100% issue-free audit cycles in first, second and third line of defense roles.
CISA certification. 15+ years leading SOX-404 integrated audits across financial services, technology, healthcare, and manufacturing.
Active IT Controls Manager and ISACA Northwest Ohio Chapter Board Member. The standards I apply are the standards in use today.
Deep expertise in identity and access management and NetSuite ERP — the two areas where most IT control deficiencies originate.
Every engagement starts with a 15-minute call. There's no pitch deck and no obligation. You describe where you are, I tell you whether I can help and what it would cost.
Tell me where you are in the audit cycle, what problem you're trying to solve, and your timeline. I'll give you an honest read on whether an engagement makes sense.
If there's a fit, I send a concise proposal: deliverables, timeline, and a fixed price. No hourly estimates. No scope-creep surprises.
Once the agreement is signed, work begins immediately. Most engagements reach first deliverable within two weeks. UAR campaigns can be completed in under four weeks.
15 minutes. No pitch. Just an honest conversation about whether I can help.
Book a 15-Minute Call →