TL;DR: IT audits expose whether controls, evidence, and accountability actually hold up across systems, vendors, and user activity, according to Zluri’s guide. The deeper issue is that audit readiness depends on identity lifecycle discipline, not just better reporting or a cleaner dashboard.
NHIMG editorial — based on content published by Zluri: Security & Compliance Effective IT Audit Management, a guide for IT teams
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should IT teams prepare identity evidence for an audit?
A: They should build an evidence chain that connects access approval, entitlement change, review, and revocation records to the source systems that created them.
Q: Why do third-party access paths create audit risk?
A: Third-party access creates audit risk because ownership, review cadence, and business justification often sit outside the IAM team’s direct control.
Q: What breaks when service accounts are not visible in audits?
A: When service accounts are invisible, organisations lose the ability to prove who or what had access, when it was reviewed, and whether it was revoked on time.
Practitioner guidance
- Map audit scope to identity evidence sources: link access approvals, recertification records, logs, and offboarding events to the systems that generate them so auditors can trace control operation without manual reconstruction.
- Assign owners to every third-party access path: require a named business owner for vendor accounts, SaaS integrations, and API tokens, and make that owner accountable for review, expiry, and removal.
- Separate evidence collection from remediation tracking: keep audit findings, corrective actions, and closure status in one workflow so unresolved access issues cannot disappear between reporting cycles.
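The evidence chain described in the Q&A above and the three guidance points can be checked mechanically once the records are exported. The following is an added example written for this post, not code from Zluri or from the guide: it reconciles constructed approval, entitlement, review, offboarding and findings records against each other and reports the gaps an auditor would ask about (access with no approval on file, reviews older than the recertification window, an entitlement still live past the offboarding SLA, a third-party path with no named owner, and a finding open past its due date). The record shapes, field names, the 90-day review window and the 7-day revocation SLA are all assumptions; each issue carries the source system it was traced from.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed records standing in for exports from an IGA tool, the target
# systems, an HR feed and the findings tracker. Field names are assumptions.

@dataclass(frozen=True)
class Approval:
    principal: str; entitlement: str; approved_by: str; approved_on: date

@dataclass(frozen=True)
class Entitlement:               # live access as reported by the source system
    principal: str; entitlement: str
    kind: str                    # "human", "service" or "vendor"
    owner: Optional[str]         # named business owner, None if nobody is assigned
    system: str                  # system the record was exported from

@dataclass(frozen=True)
class Review:
    principal: str; entitlement: str; reviewed_on: date

@dataclass(frozen=True)
class Offboarding:
    principal: str; left_on: date

@dataclass(frozen=True)
class Finding:
    finding_id: str; opened_on: date; due_on: date; status: str   # "open"/"closed"


def reconcile(entitlements, approvals, reviews, offboardings, findings, as_of,
              review_window_days=90, revoke_sla_days=7):
    """Cross-check live access against its evidence; return sorted issue tuples
    of (code, principal_or_finding, entitlement, source_system)."""
    approved = {(a.principal, a.entitlement) for a in approvals}
    last_review = {}
    for r in reviews:                      # keep the most recent review per grant
        key = (r.principal, r.entitlement)
        last_review[key] = max(last_review.get(key, r.reviewed_on), r.reviewed_on)
    left = {o.principal: o.left_on for o in offboardings}

    issues = []
    for e in entitlements:
        key = (e.principal, e.entitlement)
        if key not in approved:            # access that nobody signed off
            issues.append(("MISSING_APPROVAL", e.principal, e.entitlement, e.system))
        reviewed = last_review.get(key)    # never reviewed, or reviewed too long ago
        if reviewed is None or (as_of - reviewed).days > review_window_days:
            issues.append(("STALE_REVIEW", e.principal, e.entitlement, e.system))
        if not e.owner:                    # every access path needs a named owner
            issues.append(("NO_OWNER", e.principal, e.entitlement, e.system))
        if e.principal in left and (as_of - left[e.principal]).days > revoke_sla_days:
            issues.append(("UNREVOKED_AFTER_OFFBOARDING", e.principal, e.entitlement, e.system))
    for f in findings:                     # remediation tracked in the same pass
        if f.status != "closed" and f.due_on < as_of:
            issues.append(("OVERDUE_FINDING", f.finding_id, "", "tracker"))
    return sorted(issues)


def sample_issues():
    """Run the reconciliation over a constructed data set as of 2024-04-01."""
    d = date
    entitlements = [
        Entitlement("alice", "erp:ap-clerk", "human", "finance-lead", "erp"),
        Entitlement("bob", "crm:admin", "human", "sales-ops", "crm"),
        Entitlement("carol", "vpn:contractor", "vendor", None, "vpn"),
        Entitlement("svc-backup", "s3:backup-writer", "service", "platform", "aws"),
        Entitlement("dave", "erp:ap-clerk", "human", "finance-lead", "erp"),
    ]
    approvals = [
        Approval("alice", "erp:ap-clerk", "finance-lead", d(2024, 1, 10)),
        Approval("carol", "vpn:contractor", "it-ops", d(2024, 1, 5)),
        Approval("svc-backup", "s3:backup-writer", "platform", d(2023, 6, 1)),
        Approval("dave", "erp:ap-clerk", "finance-lead", d(2023, 9, 1)),
    ]
    reviews = [
        Review("alice", "erp:ap-clerk", d(2024, 3, 1)),
        Review("bob", "crm:admin", d(2023, 11, 15)),     # 138 days old
        Review("carol", "vpn:contractor", d(2024, 2, 20)),
        Review("dave", "erp:ap-clerk", d(2024, 3, 1)),
    ]
    offboardings = [Offboarding("dave", d(2024, 3, 10))]  # still live 22 days later
    findings = [
        Finding("F-1", d(2024, 1, 15), d(2024, 2, 15), "open"),
        Finding("F-2", d(2024, 3, 1), d(2024, 5, 1), "open"),
        Finding("F-3", d(2023, 12, 1), d(2024, 1, 1), "closed"),
    ]
    return reconcile(entitlements, approvals, reviews, offboardings, findings, d(2024, 4, 1))


if __name__ == "__main__":
    for code, who, what, system in sample_issues():
        print(f"{code:28} {who:12} {what:20} source={system}")
```

Each reported line names the system the evidence came from, which is the point of the guidance above: the auditor can go from the exception straight to the record that should have existed, and the open finding sits in the same output as the access gaps so it cannot drop out between reporting cycles.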
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- The step-by-step audit planning sequence, including scope definition, stakeholder evaluation, and fieldwork preparation.
- The practical breakdown of general control audits across systems, applications, telecommunications, and enterprise architecture.
- The article’s operational tips for managing auditor communication, documentation, and follow-up expectations.
- The dashboard and reporting workflow Zluri describes for tracking compliance-related data and vendor records.
👉 Read Zluri's guide to effective IT audit management for IT teams →
Explore further
IT audit management: what do IAM teams need to re-evaluate?
IT audit management is identity governance by another name. The article treats audits as a general control review, but the practical failure mode is identity drift across people, systems, and vendors. When access, logs, and approvals are scattered, the audit becomes a test of whether the organisation can prove governance rather than merely claim it. The implication is that IGA quality is now an audit outcome, not a separate programme concern.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation delays can outlast the audit cycle itself.
A question worth separating out:
Q: Who is accountable when audit findings are not remediated?
A: Accountability belongs to the control owner who accepted the finding, the system owner who must make the change, and the governance function that tracks closure. If no one owns remediation, the audit becomes a reporting exercise instead of a control improvement process. Persistent exceptions should be treated as identity risk until closed.
👉 Read our full editorial: IT audit management is really identity governance in disguise