KNOWLEDGE, ABILITIES & EXPERIENCE

My mission is to empower organizations by delivering strategic, value-focused solutions that not only ensure compliance but drive operational excellence, enhance decision-making, and protect long-term business integrity.

WHAT WILLIAM CAN DO FOR YOU


IT AUDIT ASSURANCE & ADVISORY SERVICES


Access/Permissions & SoD – Evaluate user access rights and Segregation of Duties (SoD) to prevent conflicts and reduce the risk of fraud or error.
Active Directory – Assess and optimize Active Directory configurations, users, permissions, and security practices to strengthen enterprise identity management.
Application Audits – Review and test application controls, configurations, and access to ensure security, compliance, and data integrity.
Backup & Restoration – Evaluate backup strategies and restoration capabilities to ensure data availability, business continuity, and resilience against data loss.
Business Continuity – Develop and assess strategies to ensure critical business functions can continue during and after a disruption.
Change Management – Evaluate IT change processes to ensure system changes are authorized, documented, tested, and implemented with minimal risk to operations.
CIS Critical Security Controls – Evaluate cybersecurity maturity based on the CIS Controls framework to prioritize security improvements and risk mitigation.
Cloud Computing – Evaluate cloud architecture, configurations, and controls to ensure compliance, security, and cost-effectiveness.
Cloud Controls Matrix (CCM) – Assess cloud environments using the CSA Cloud Controls Matrix to identify control gaps and strengthen cloud governance and security.
Cloud Services Platforms – Assess cloud platforms (AWS, Azure, GCP) for proper governance, configuration, and security best practices.
Cloud Vendor SOC 1 & 2 Reports Review – Interpret and assess vendor SOC reports to ensure alignment with internal risk and compliance requirements.
Custom Development Project Review – Evaluate technical & control environments to ensure the system is secure, accurate, reliable, and compliant with regulatory and business standards.
Data Retention – Assess data retention policies and practices to support compliance, legal readiness, and efficient data lifecycle management.
Data Privacy – Support compliance with data privacy laws (e.g., GDPR, CCPA) through audits, policy reviews, and data protection assessments.
Database – Review database security, access, and performance controls to ensure secure and reliable data management.
Disaster Recovery Programs – Evaluate or design IT disaster recovery plans to ensure rapid restoration of services following outages or cyber incidents.
Endpoint Security – Assess controls on laptops, desktops, & mobile devices to ensure they are protected against malware, unauthorized access, & data leakage.
Generative AI – Assess the risks and controls around Generative AI tools and integrate responsible AI governance frameworks.
Governance – Review systems, strategies, and processes for effective alignment with business goals, risk management, and compliance requirements.
HIPAA – Ensure compliance with HIPAA security and privacy requirements through targeted audits and gap assessments.
Identity & Access Management (IAM) – Evaluate and optimize IAM frameworks to ensure secure and efficient management of user identities and access rights.
Interfaces – Review system interfaces for secure data flow, error handling, and compliance with integration and data exchange standards.
IoT Review – Review Internet of Things (IoT) devices and networks for security, governance, and integration risks within the enterprise environment.
IT Asset Management – Track and manage IT assets throughout their lifecycle for improved compliance, cost control, and risk mitigation.
IT Audit Planning – Design and develop risk-based IT audit plans aligned with business priorities and regulatory requirements.
IT Compliance – Assess compliance with internal policies and external regulations affecting IT systems and processes.
IT Procurement Process – Review IT purchasing procedures to ensure cost-effectiveness, vendor compliance, and risk mitigation.
IT Risk-Control Matrix – Develop or assess IT risk-control matrices to map controls to risks and enhance audit readiness.
IT Service Management – Evaluate ITIL-based service management practices for efficiency, reliability, and alignment with business goals.
Network Folders Access & Permissions – Analyze access controls on shared network folders to reduce unauthorized access risks and strengthen data security.
NIST Cybersecurity Framework (CSF) – Implement or assess cybersecurity programs based on the NIST CSF to strengthen resilience and regulatory compliance.
Operating System Hardening/Standards – Assess OS configurations against industry standards to reduce vulnerabilities and enhance system security.
Operational/Process – Review operational workflows and processes to identify inefficiencies, control gaps, and improvement opportunities.
Patch Management – Assess the effectiveness of patch management processes to ensure timely identification, testing, and deployment of updates that protect systems against known vulnerabilities.
PCI/DSS – Assess payment environments for compliance with PCI/DSS standards to safeguard cardholder data.
Physical Security – Assess physical access controls to data centers and office environments to prevent unauthorized entry and protect critical assets.
Policy Management – Evaluate and streamline IT and security policies for consistency, compliance, and effectiveness.
Process Review/Improvements – Analyze and optimize business or IT processes for increased efficiency, control, and strategic alignment.
Procurement Process Review (Technology) – Examine technology procurement processes to enhance control, cost-efficiency, vendor compliance, and alignment with IT strategy.
Project Management Office Review – Provide assurance or advisory on project governance, risk management, and delivery effectiveness.
Regulatory Compliance Management – Support compliance with relevant regulations through control assessments, remediation, and monitoring.
Risk Assessments – Conduct comprehensive risk assessments to identify, analyze, and prioritize risks across IT and business functions.
Risk Management – Design or assess risk management frameworks to proactively identify and address enterprise risks.
Robotic Process Automation (RPA) – Assess RPA governance, security, and performance to ensure compliance and control effectiveness.
SCADA Systems – Evaluate SCADA systems for cybersecurity, reliability, and compliance to protect critical infrastructure and industrial operations.
SDLC (Software Development Life Cycle) – Evaluate software development practices for secure coding, change management, and lifecycle controls.
SOX (404) – Support and assess IT General Controls (ITGCs) and application controls to meet SOX 404 requirements.
System Upgrade / Migration – Assess, plan, and provide assurance over system upgrades or migrations to ensure seamless transitions, data integrity, and minimal business disruption.
Technology Infrastructure – Review IT infrastructure components for performance, security, and alignment with business continuity goals.
Third-Party Vendor Reviews – Evaluate third-party vendors for risk, compliance, performance, and alignment with security and contractual standards.



COMPLIANCE, FRAMEWORKS, & STANDARDS


CIS Benchmarks – Assess system configurations against Center for Internet Security (CIS) Benchmarks to validate alignment with industry-recognized hardening standards.

CIS Critical Security Controls – Evaluate cybersecurity maturity based on the CIS Controls framework to prioritize security improvements and risk mitigation.

Cloud Controls Matrix (CCM) – Assess cloud environments using the CSA Cloud Controls Matrix to identify control gaps and strengthen cloud governance and security.

COBIT Framework

COSO Framework – Assess internal control systems using the COSO framework to ensure reliable financial reporting, compliance, and operational effectiveness.

Data Privacy Regulations – Support compliance with data privacy regulations (e.g., GDPR, CCPA) through audits, policy reviews, and data protection assessments.

FFIEC – Conduct IT audits based on FFIEC guidelines to assess cybersecurity and technology risks in financial institutions and service providers.

HIPAA – Ensure compliance with HIPAA security and privacy requirements through targeted audits and gap assessments.

ISO 27001 (Coming soon!) – Support certification readiness and audits aligned to ISO 27001 for robust information security management systems.

NIST Cybersecurity Framework (CSF) – Audit program developed using the CSF and various maturity models, working with InfoSec/IT teams to tie controls to NIST 800-53 for baseline and annual audits.

NIST Generative AI Risk Management Framework (Coming soon!) – Audit program developed based on the NIST 600-1 AI Risk Management Framework (for Generative AI), with added best practices & controls based on research and other GenAI frameworks.

NIST Risk Management Framework (RMF) – Assess risk management and cybersecurity programs aligned with NIST RMF to ensure effective control implementation and federal compliance.

OWASP Top Ten – Evaluate web applications for vulnerabilities based on the OWASP Top Ten, helping to identify and remediate common security flaws.

PCI/DSS – Assess payment environments for compliance with PCI/DSS standards to safeguard cardholder data.

SOX 404 – Support and assess IT General Controls (ITGCs) and application controls to meet SOX 404 requirements.

Along with many other standards, industry best practices & experience.

WHAT WILLIAM HAS DONE FOR OTHER COMPANIES

★★★★★

THIRD-PARTY VENDOR REVIEW DELIVERED $350k SAVINGS & PROCESS EFFICIENCY

By reviewing application vendor contracts and analyzing invoices, $350K was saved. Cost was further reduced as process improvements, standards & best practices were put into place and vendor findings turned into negotiating leverage for contract renewals.


Public company


★★★★★

EXCEL SCRIPT IDENTIFIED OVER $3M IN DUPLICATE VENDOR PAYMENTS

A duplicate invoice payment search script was developed in Excel using SAP vendor invoice data that allowed a Vendor Audit team to easily discover and collect over $3M in the first 2 years of operation.
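The duplicate-payment search described above is the kind of analytic that pays for itself quickly. As an added illustration (not the author's Excel script, and independent of any SAP export format), the Python below shows the two tests an auditor typically layers: an exact match on vendor, normalized invoice number and amount, and a lower-confidence match on vendor and amount within a short payment window. The field names and the sample payments are constructed for this example.

```python
"""Duplicate vendor-payment search over constructed invoice data.

Added example, not the page author's Excel script. Field names
(vendor_id, invoice_no, amount, paid_on) and all sample rows are
constructed; a real SAP vendor invoice export uses different columns.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Payment:
    doc_id: str        # payment document id (constructed)
    vendor_id: str
    invoice_no: str
    amount: float
    paid_on: date


def normalize_invoice_no(raw: str) -> str:
    """Collapse the formatting variants that defeat an exact-match search:
    case, whitespace, punctuation, and leading zeros in the numeric part.
    'INV-00123' and 'inv 123' both become 'INV123'."""
    key = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", key)


def find_exact_duplicates(payments):
    """Group payments sharing vendor, normalized invoice number and amount.
    Returns only groups with more than one payment, oldest first."""
    groups = defaultdict(list)
    for p in payments:
        key = (p.vendor_id, normalize_invoice_no(p.invoice_no), round(p.amount, 2))
        groups[key].append(p)
    return [sorted(g, key=lambda p: p.paid_on) for g in groups.values() if len(g) > 1]


def find_same_amount_window(payments, window_days=30):
    """Lower-confidence test: same vendor and amount paid within `window_days`
    under different invoice numbers (catches invoices re-keyed with a new
    number). Returns (earlier, later) pairs for manual follow-up."""
    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_vendor_amount[(p.vendor_id, round(p.amount, 2))].append(p)
    hits = []
    for group in by_vendor_amount.values():
        group.sort(key=lambda p: p.paid_on)
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if (b.paid_on - a.paid_on).days > window_days:
                    break  # sorted by date, so later rows are further away too
                if normalize_invoice_no(a.invoice_no) != normalize_invoice_no(b.invoice_no):
                    hits.append((a, b))
    return hits


def potential_overpayment(groups):
    """Sum of every payment beyond the first in each exact-duplicate group."""
    return round(sum(p.amount for g in groups for p in g[1:]), 2)


SAMPLE_PAYMENTS = [  # constructed sample data
    Payment("5100001", "V001", "INV-00123", 12500.00, date(2024, 1, 10)),
    Payment("5100087", "V001", "inv 123",   12500.00, date(2024, 2, 2)),   # same invoice, re-keyed
    Payment("5100102", "V002", "A-778",       980.50, date(2024, 1, 15)),
    Payment("5100150", "V002", "A-779",       980.50, date(2024, 1, 28)),  # same amount, new number
    Payment("5100211", "V003", "9001",       4300.00, date(2024, 3, 1)),
    Payment("5100305", "V003", "9001",       4300.00, date(2024, 9, 1)),   # exact repeat months later
    Payment("5100333", "V004", "77",          150.00, date(2024, 3, 3)),
]

if __name__ == "__main__":
    exact = find_exact_duplicates(SAMPLE_PAYMENTS)
    for group in exact:
        print("exact duplicate:", [p.doc_id for p in group])
    print("potential overpayment:", potential_overpayment(exact))
    for a, b in find_same_amount_window(SAMPLE_PAYMENTS):
        print("review:", a.doc_id, "vs", b.doc_id, "same vendor/amount, different invoice no.")
```

Normalizing the invoice number before matching is what separates a useful search from one that only finds keying errors the system already blocks; the window test deliberately produces candidates rather than conclusions, since recurring charges of equal amount are legitimate for many vendors.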


Public company


★★★★★

HIGH-RISK ACCESS SECURITY ISSUES IDENTIFIED WITHIN HR SOX APP FOR 20+ EXECUTIVE MGMT. ACCOUNTS

A critical Workday access issue was discovered that had been an approved work-around in place for 3 years, but was neither documented nor communicated. It had not been identified previously because the work-around used a different type of user account, one normally associated with non-Production environments. Simply put, no one had looked beyond the norm of Production access testing or asked the right questions. Once identified, mitigation ensued with a securely configured solution and a documented work-around (along with additional SOX testing for assurance!).


★★★★★

LONG-TERM VALUE ACHIEVED WITH SOX DATA COLLECTION & REVIEW PROCESS AUTOMATION

Determined to make SOX testing more efficient, automation options were discussed with several members of IT. To minimize development time (& keep it simple), I worked with the SharePoint Admins to develop the necessary workflows, and led project efforts until we had a working model. The first year likely didn’t save much time, however we learned from it. After further refining the process and working with app owners to gain their support, more time was saved the second year than expected. The efficiency continued as the automated workflows became a normal part of the SOX testing process. Similar automation was implemented later at another company using Alteryx and Power BI.


★★★★★

SUCCESSFULLY ESTABLISHED IT AUDIT PROGRAM AS THE COMPANY’S FIRST IT AUDITOR

Identified IT assets, performed risk assessment

Defined the audit universe, and developed 3-year, risk-based IT Audit Plan

Introduced IT Auditing to Executive Management with a document defining the process & audit universe, including it as a precursor to the IT Audit Plan (as requested by the IA Director).

Overcame the challenge of being the first IT Auditor, developing relationships with IT & business personnel built on trust and mutual respect.

Successfully passed regulatory compliance audits (i.e. SOX, HIPAA, PCI) and performed IT & OT technology audits focused on adding maximum value.


★★★★★

CROSS-TRAINED AUDIT TEAM ON IT AUDITS, ADDING TO RESOURCE CAPABILITIES & IMPROVING AUDIT EFFICIENCY

Non-IT, Internal Auditors were included in IT Audit projects whenever possible for cross-training & experience. Over time, this helped increase our team’s capabilities & overall audit efficiency. This was especially helpful for high-frequency audits involving applications, cybersecurity, and SOX compliance.


★★★★★

“HANDS-ON” AUDIT PREP ENHANCED AUDIT VALUE AND HELPED TO BUILD TRUST WITH IT SYSTEM ADMINS FOR INITIAL LINUX SERVER STANDARDS AUDIT

In preparation for a first-time Linux Server Standards audit, I installed home Linux workstations with various Linux flavors, then used CIS Baselines to write and test scripts that identified key access, configuration and security information as needed to determine the level of system hardening. While primarily done to learn and prepare for the audit, these efforts were key in building rapport and gaining the support of the Senior Linux Admin, who tested, and even improved, the scripts, ultimately helping to make the audit more effective.
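To make the "CIS baseline scripts" idea concrete, here is an added example of the style of check such a script performs; it is not the author's script and is not tied to any specific CIS Benchmark edition. It parses sshd_config and /etc/passwd content (supplied here as constructed strings so it runs offline) and reports pass/fail against a handful of hardening expectations that paraphrase common CIS items: root login over SSH disabled, empty passwords refused, X11 forwarding off, a low MaxAuthTries, logging enabled, and root as the only UID 0 account. Check names, expected values and the sample files are assumptions for the example; section numbers vary by benchmark version and are left out.

```python
"""CIS-style Linux hardening checks over constructed evidence.

Added example, not the author's audit scripts. Parses sshd_config and
/etc/passwd text from strings so it runs offline; on a real host the same
functions would be fed the file contents. Expected values paraphrase
common CIS Benchmark items and are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool
    observed: str


def parse_sshd_config(text: str) -> dict:
    """Return effective global sshd settings as {lowercased keyword: value}.
    The first occurrence of a keyword wins, as sshd itself applies it;
    comments and blank lines are skipped, and everything from the first
    Match block onward is ignored because it is conditional, not global."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            continue
        effective.setdefault(key, value)
    return effective


# Expected values (assumed for the example). None marks a numeric ceiling check.
SSHD_EXPECTATIONS = {
    "permitrootlogin": ("no",),
    "permitemptypasswords": ("no",),
    "x11forwarding": ("no",),
    "maxauthtries": None,          # must be an integer <= 4
    "loglevel": ("info", "verbose"),
}


def check_sshd(text: str):
    """One Finding per expectation. A keyword that is not set explicitly is
    reported as a failure: the compiled-in default depends on the OpenSSH
    version, so an auditor wants the value stated in the file."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in SSHD_EXPECTATIONS.items():
        observed = cfg.get(key, "<not set>")
        if allowed is None:
            ok = observed.isdigit() and int(observed) <= 4
        else:
            ok = observed.lower() in allowed
        findings.append(Finding(f"sshd {key}", ok, observed))
    return findings


def check_uid0_accounts(passwd_text: str) -> Finding:
    """'root is the only UID 0 account' test over /etc/passwd lines."""
    uid0 = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0":
            uid0.append(fields[0])
    return Finding("uid 0 accounts", uid0 == ["root"], ",".join(uid0))


def run_all(sshd_text: str, passwd_text: str):
    return check_sshd(sshd_text) + [check_uid0_accounts(passwd_text)]


def hardening_score(findings):
    """(passed, total) so the audit can track posture year over year."""
    return sum(f.passed for f in findings), len(findings)


SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding no
PermitEmptyPasswords no
LogLevel INFO
Match User backup
    PermitRootLogin no
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    results = run_all(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD)
    for f in results:
        print(f"{'PASS' if f.passed else 'FAIL'}  {f.check:<28} observed={f.observed}")
    print("score: %d/%d" % hardening_score(results))
```

Two details matter for audit evidence rather than just for a pass/fail flag: the parser honours sshd's first-match rule and ignores Match blocks, so a hardened value inside a conditional block cannot mask a weak global one, and each Finding carries the observed value, so the workpaper records what was actually configured.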


★★★★★

PRIOR IT EXPERIENCE ESTABLISHED CREDIBILITY, ENHANCING SUPPORT AND AUDIT EFFECTIVENESS

Having worked in IT and been ‘on the other side’ of the audit as the person responsible for SOX compliance, I’ve been through both the challenges and successes in IT, including responding to audit requests, problem-solving, risk mitigation, and everything in-between.

Therefore as the auditor, I always treat others the way I would want to be treated, doing my very best to listen, foster understanding, and focus on balancing controls with business, security & compliance needs.


★★★★★

AUDIT FINDINGS HELPED TO AVERT CRITICAL SYSTEM FAILURE

While working with our Internal Audit team on a ‘routine’ company business unit audit, research & follow-up on a potential application issue turned into a full IT application audit, noting critical vendor risk. After prompt communication with Executive Management, action promptly ensued, working with IT & Cybersecurity in resolving immediate issues as well as developing a long-term solution. This action resulted in averting a business disaster that would’ve occurred just a month after it was discovered.


★★★★★

ENHANCED IT SERVICE DELIVERY AUDIT WITH YoY KPI/KRI COMPARISONS DASHBOARD AND AUTOMATION, IMPROVING AUDIT EFFICIENCY & VALUE

As a special project, IT Service Delivery risk was planned for review to add assurance by determining if any changes in risk had occurred over the previous year. After identifying key process areas and related metrics, Service Delivery application data was successfully downloaded in Excel to verify documented KPIs/KRIs, and compare & chart YoY trending. The process was then automated with app data queried directly in Excel to provide an efficient, effective solution for risk reviews and the audit program.


★★★★★

DEVELOPED EFFECTIVE CLOUD COMPUTING AUDIT PROGRAM FOR ASSESSING COMMON, HIGH-RISK AREAS WHERE CONTROL ISSUES ARE OFTEN IDENTIFIED

A cloud computing audit program was developed based on CSA’s Cloud Controls Matrix (CCM), NIST 800-53 (Security and Privacy Controls for Information Systems and Organizations), and experience of where common control issues are often identified. The program also goes further, reviewing third-party vendor contracts & SOC reports, including historical information, and the procurement process itself.


★★★★★

STRENGTHENED IT RELATIONS | ENHANCED TRUST | VALUE ADDED | PARTNERED WITH IT IN CRITICAL SAP CLOUD MIGRATION PROJECT

Worked with the IT Director and project team, utilized the COBIT Framework and a common sense approach, and identified opportunities for improvement as needed for the next phase of the migration project. Once communicated, mitigation promptly ensued. A follow-up audit review verified project enhancements, and greatly helped with the overall success of the project.


★★★★★

SUCCESSFULLY INCREASED AWARENESS & “RAISED THE BAR” ON APPLICATION CONTROLS BY PARTNERING WITH BUSINESS APP OWNERS IN PROJECT TO REVIEW 25 EXISTING SaaS SOLUTIONS

Collaborated with the IT Security team and met with app owners & business management prior to the audit to foster support. Many similar high-risk control issues were identified and mitigated, leading to increased user awareness and security. This project also strengthened relationships, especially with business app process owners, many of whom continued to ask questions and provide updates on noted app issues or potential vendor concerns.


★★★★★

INCREASED AWARENESS & MITIGATED RISK BY PROVIDING SOC1 / SOC2 REVIEW PROCESS TRAINING TO SaaS APPLICATION OWNERS

Developed a presentation and delivered training for business SaaS solution app process owners (and even some IT app owners!) to build awareness, understanding and implementation of a common SOC report review, approval & escalation process for any issues warranting further discussion. This process improved over time, including the addition of automated workflows.


★★★★★

STRENGTHENED PROCUREMENT PROCESS STANDARDS FOR NEW SOFTWARE SOLUTIONS & CONTRACT RENEWALS


★★★★★

CYBERSECURITY FRAMEWORK-BASED AUDIT PROGRAM, ANNUAL REVIEWS & COMPARISON REPORTING SUCCESSFULLY IMPLEMENTED (THANKS TO STRONG CISO & INFORMATION SECURITY TEAM SUPPORT!)


★★★★★

BUSINESS CONTINUITY & DISASTER RECOVERY AUDIT SIGNIFICANTLY STRENGTHENED BUSINESS RESILIENCE


★★★★★

SIGNIFICANTLY REDUCED TECHNOLOGY COST & ENHANCED PROCUREMENT PROCESS & CONTRACT STANDARDS


Public company


★★★★★

LED CLIENT PROJECT TO SUCCESSFULLY ACHIEVE FIRST YEAR SOX COMPLIANCE FOR CLIENT AFTER BEING BROUGHT IN TO HELP WITH ONLY 6 MONTHS BEFORE THE COMPLIANCE DEADLINE

CREDENTIALS

Education & Certifications


CISA – Certified Information Systems Auditor (Since 2013)

CISM – Certified Information Security Manager (Since 2018)

Former certified network engineer who installed & supported networks and systems around the country for over 10 years.

Technology Skills


Active Directory – Former AD Admin, AD security hardening, querying AD data via Excel Power Query

Microsoft Office 365, TEAMS, Visio – Highly experienced power user

Technology Infrastructure – Former certified network engineer who installed & supported networks and systems around the country for mid-large firms.

Scripting / Automation – Automating processes, data interfaces, macros to solve problems and improve processes, queries & formatting data for reporting/other uses.

Cybersecurity – Certified in Information Security Management, established Cybersecurity audit programs with baseline & Current-to-Target security posture comparison, & experienced in using various tools.

Policy management – Developing and managing policies, procedures, standards & guidelines

Operating Systems – Building, managing & auditing Windows & Linux servers & workstations

Applications (too many to list) – End user, administrator, and auditor of On-Prem & Off-Prem systems. Some key app solutions include: SAP, S/4HANA, Oracle NetSuite, ServiceNow, Salesforce, Workday, Teammate, & Origami Risk.

IT Management – Strategic Planning, Budgeting, and managing resources

Data Analysis & Analytics – Excel Power Query & Dashboards, Power BI, and previous experience using Tibco Spotfire

IT Asset Management – Identifying IT assets and establishing a process to manage them through their lifecycle.

IT Procurement & Third-Party Vendor Management – Everything from negotiating terms & pricing to researching/reviewing vendors, and implementing standards.

Service & Support – For years I supported clients (and installed many of their systems).

Leadership-Focused & Value-Driven

✓ Leverage tailored audit & compliance solutions for measurable results.

✓ Enhance governance and reduce operational risks.