EP91 Automation vs. Assurance: The Debate Shaping the Future of GRC

Описание: Introduction: Pete welcomes AJ Yawn (Director of GRC Engineering at Acquia) and Joseph Kirkpatrick (Founder of Kirkpatrick Price) for a special discussion on automation in GRC.

• AJ’s Background: Former Army captain, Coalfire alum, startup founder, author of GRC Engineering for AWS. AJ brings experience from multiple sides of compliance.
• Joseph’s Background: Veteran auditor whose firm pioneered early SaaS 70 and PCI auditing; emphasizes hiring technically skilled auditors to ensure audits have real value.
• Opening Positions: Joseph supports selective automation but warns against claims that automation can “replace” human oversight.
• AJ’s View: Automation is essential for technical controls and scalability, though not for everything; GRC professionals need stronger technical skills to leverage it.
• Debate on Audit Integrity: Both criticize firms producing cheap, low-quality SOC 2 reports, often prioritizing speed and profit over security assurance.
• Continuous Monitoring vs Assurance: They distinguish between operational automation (monitoring) and independent validation (assurance); one cannot replace the other.
• CPA Role Under Scrutiny: AJ questions why CPAs remain central to SOC 2 audits when many lack technical backgrounds; Joseph defends CPA oversight as vital for public trust.
• Accountability and Ethics: Both call for stronger standards, oversight, and transparency to differentiate credible auditors from “rubber-stamp” operations.
• Shared Vision: Despite disagreements, both agree that automation should enhance, not erode, trust and that the industry must elevate GRC to a more rigorous, respected discipline.

You can find AJ on LinkedIn here:   / ajyawn  

You can find Joseph on LinkedIn here:   / joseph-kirkpatrick  

AJ’s book is on Amazon! https://www.amazon.com/GRC-ENGINEERIN...