Latest Product Updates for Audit Professionals

🧾 ISACA releases the new IT Audit Framework 🔍🌐 ISACA has published the 5th Edition of the IT Audit Framework, a major refresh that aligns #ITaudit with how technology (and #risk) actually look today: cloud ecosystems, AI/ML, automation, third-party dependence, and rising expectations for digital trust.  ISACA also highlights that adherence to #ITAF is a requirement for #CISA certified professionals, which makes this update especially relevant for the global #audit community.  ✅ ITAF has always provided structure for planning, performing and reporting IT audit work. What changed is the environment: ➡️ IT is no longer a closed perimeter, it’s a digital ecosystem across cloud/SaaS/APIs/third parties. ➡️ Audit teams are expected to deliver faster insights, use analytics, and operate closer to the business. ➡️ Emerging tech introduces new risk patterns that don’t fit “traditional control checklists.” ITAF 5 is a response to that reality, modernizing terminology, scope, and practical guidance. #ISACA summarizes key updates in four themes: ✅ Modernized content and scope ITAF 5 updates definitions and examples to reflect modern technologies like #cloudcomputing, #AI / #ML, and business automation, moving beyond the older “traditional IT controls” focus. ✅ Digital trust and emerging technology integration Digital trust concepts are woven through the audit lifecycle, and the framework adds guidance for AI/ML auditing, aligned with ISACA’s broader AI audit resources. ✅ More practical and usable for organizations of all sizes ISACA explicitly calls out improved clarity, more practical language, and better usability. ✅ Broader audit practices and governance expectations The scope expands to include data analytics, agile auditing, continuous assurance, and #AIgovernance, plus stronger expectations around transparency and oversight of automated systems. 📘What’s inside ITAF 5 keeps a clear structure: Standards (mandatory), Guidelines (recommended), and Tools & Techniques, with Standards grouped into: ➡️ General Standards (1000 series): ethics, independence, objectivity, due care, proficiency, criteria, assertions ➡️ Performance Standards (1200 series): planning, risk assessment, evidence, supervision, use of experts, irregularities ➡️Reporting Standards (1400 series): reporting and follow-up 🎯Companion guidance Alongside ITAF 5, ISACA also updated companion guidance, including Performance Guidelines 2208: Information Technology Audit Sampling.  This is very practical in 2026 reality: massive logs, cloud events, identity records, CI/CD pipelines, and a constant push toward data-driven assurance. The guidance explicitly discusses statistical, nonstatistical, data-driven (analytics-enabled) and hybrid sampling approaches, and even addresses when sampling is inappropriate.  #cybersecurity #riskmanagement #ITGRC #TheSOC2 #ITGRCAdvisory #BWAdvisory #AkademiaITGRC CyberMadeInPoland Cyber London Jan Anisimowicz, PMP, CISM, CRISC, ESG

C5 is getting a significant upgrade. Here’s what changed in C5:2025 (community draft) vs C5:2020. If you build, buy, or audit cloud services in the EU, watch out for what's coming. TL;DR – 132 → 158 pages – New subcriteria for sharper audits (e.g., .01B, .01AS, .01AC) – Stronger alignment with EUCS Substantial, NIS2, ISO/IEC 27001:2022, CSA CCM v4 – Final release planned for Dec 2025; feedback open until Sep 15, 2025 Major updates 1. Granularity & Auditability ↳ Subcriteria and explicit “sharpening” vs “complementing” labels make expectations crystal clear. 2. Modern Threat Coverage ↳ AI usage/disclosure, confidential computing, containers, supply chain risk, post-quantum crypto, client/data separation. 3. Machine-readable formats ↳ Final: PDF/XLSX + YAML (DE & EN) to plug into your GRC stack. 4. Cryptography ↳ CRY grows from 4 → 20 criteria (full key lifecycle, external KMS, PQC readiness). 5. Operations ↳ OPS 24 → 33: hardening, vuln scans, dataset separation, container mgmt, patch mgmt, confidential computing attestation. 6. Asset & IAM ↳ AM 6 → 12 (full inventories, lifecycle control, removable media); IDM → IAM with clearer privileged/data access rules. 7. Supply chain control ↳ SSO 5 → 8: termination strategy, transparency, supplier exchange controls. ___ ♻️ Share this post with someone working for a cloud provider ✚ Follow Aron Lange for more

🚀 New IIA Guidance: Auditing Business Applications & AI – What IT/IS Auditors Need to Know The Institute of Internal Auditors (IIA) has released updated guidance for auditing business-critical applications (like ERP systems) and a comprehensive framework for auditing Artificial Intelligence (AI) in organizations. Here’s what’s new and why it matters for IT and IS auditors: ❇️ 1. Auditing Business Applications (IIA GTAG, Oct 2025 Update) [https://lnkd.in/ebg_ieEn | PDF] ➡️ Expanded Scope: The updated guide covers not just traditional ITGCs and cybersecurity, but also emphasizes emerging technologies—AI, IoT, and Blockchain. ➡️ Nine Key Control Categories: The guide organizes control objectives into 9 practical areas, including: 1. Governance & Risk Management (including AI governance) 2. Technology Planning 3. System Development Life Cycle (SDLC) 4. Production Support 5. Application Security 6. Records & Information Management 7. Vendor Management 8. Software Asset Management 9. Database Administration & Business Intelligence ➡️ Practical Tools: Includes sample risk assessment questions, scoping methods, and mapping to major frameworks (COBIT, NIST, CIS). ➡️ Takeaway: Most controls align with what we already cover in ITGC/Cyber reviews, but now with a sharper focus on emerging risks and technologies. ❇️ 2. Auditing AI (IIA AI Auditing Framework, Sept 2024 Update) [https://lnkd.in/e47tmNkV | PDF] ➡️ Holistic Approach: The framework helps auditors assess an organization’s AI strategy, usage, data management, and cybersecurity. ➡️ Comprehensive Checklist: Over 100 controls and considerations—covering governance, management, risk, compliance, and technical aspects. ➡️ Key Focus Areas: 1. AI governance and accountability 2. Data integrity, privacy, and security 3. Cyber resilience and third-party/vendor risk 4. Bias, transparency, and explainability in AI models 5. Ongoing monitoring, testing, and reporting ➡️ Practical Steps: The framework is designed for both advisory and assurance roles, with a “quick start” checklist for audit planning and execution. ➡️ Takeaway: This is a must-have resource for auditors looking to stay ahead of AI risks and support responsible AI adoption. 🟢 I encourage all IT and IS auditors to review these documents and consider how the new guidance can be integrated into your audit plans. Let’s keep raising the bar for assurance in the digital age!

📣 𝗠𝗗𝗦𝗔𝗣 𝗔𝘂𝗱𝗶𝘁 𝗔𝗽𝗽𝗿𝗼𝗮𝗰𝗵 - 𝗩𝗲𝗿𝘀𝗶𝗼𝗻 𝟬𝟭𝟬 𝗜𝘀 𝗛𝗲𝗿𝗲. On February 6, 2026, IMDRF published revision 010 of the MDSAP Audit Approach (MDSAP AU P0002.010), replacing version 009 (August 2024). 𝗪𝗵𝗮𝘁 𝗰𝗵𝗮𝗻𝗴𝗲𝗱 𝗮𝗻𝗱 𝘄𝗵𝗮𝘁 𝗶𝘁 𝗺𝗲𝗮𝗻𝘀 𝗳𝗼𝗿 𝘆𝗼𝘂𝗿 𝗤𝗠𝗦 𝟭. "𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗦𝘂𝗽𝗽𝗹𝗶𝗲𝗿" 𝗧𝗲𝗿𝗺𝗶𝗻𝗼𝗹𝗼𝗴𝘆 𝗥𝗲𝗽𝗹𝗮𝗰𝗲𝗱 The term "critical supplier" has been removed and replaced with "suppliers that should be considered for audit as part of the MDSAP audit, with defined categories. 𝟮. 𝗙𝗗𝗔 𝗤𝗦𝗥 𝗥𝗲𝗳𝗲𝗿𝗲𝗻𝗰𝗲𝘀 𝗥𝗲𝗺𝗼𝘃𝗲𝗱 - QMSR Throughout. All references to the former Quality System Regulation have been replaced with the Quality Management System Regulation (21 CFR Part 820), effective February 2, 2026. Section numbering has changed. The QMSR aligns US requirements more closely with ISO 13485:2016 - but it is not identical. Update your internal audit checklists and regulatory reference matrices. 𝟯. 𝗡𝗲𝘄 𝗠𝗗𝗦𝗔𝗣 𝗔𝘂𝗱𝗶𝘁 𝗧𝗮𝘀𝗸 : Predetermined Change Control Plans (PCCP). A new section under Device Marketing Authorization (21 CFR 807.81; 21 CFR 814.39) requires auditors to review PCCP sections of cleared 510(k) or approved PMA submissions for AI-enabled devices, and confirm that device changes remain within the pre-approved scope. If you manufacture AI/ML-based devices for the US market, this is a new audit checkpoint. 𝟰. 𝗧𝗚𝗔 𝗥𝗲𝗰𝗮𝗹𝗹 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝗨𝗽𝗱𝗮𝘁𝗲𝗱. Australia's Uniform Recall Procedure for Therapeutic Goods (URPTG) has been replaced with the Procedure for Recalls, Product Alerts and Product Corrections (PRAC). Verify your recall procedures reference the correct TGA document. 𝟱. 𝗔𝗡𝗩𝗜𝗦𝗔 𝗥𝗲𝗴𝘂𝗹𝗮𝘁𝗼𝗿𝘆 𝗥𝗲𝗳𝗲𝗿𝗲𝗻𝗰𝗲𝘀 𝗨𝗽𝗱𝗮𝘁𝗲𝗱. In the Device Marketing Authorization process, RDC nº 36/2015 (IVDs) is replaced with RDC nº 830/2023, and RDC nº 40/2015 (medical devices) is replaced with RDC nº 751/2022. If you market in Brazil, confirm your regulatory submissions and QMS procedures cite the current regulations. 𝟲. 𝗙𝗗𝗔 𝗗𝗲𝘃𝗶𝗰𝗲 𝗟𝗶𝘀𝘁𝗶𝗻𝗴 𝗠𝗮𝗶𝗻𝘁𝗲𝗻𝗮𝗻𝗰𝗲 𝗪𝗶𝗻𝗱𝗼𝘄. The document now specifies that device listing information must be reviewed and updated between October 1 and December 31 annually, or at the manufacturer's discretion when changes occur (21 CFR 807). Auditors will verify compliance with this timeline. What Should You Do Now? Download the document https://lnkd.in/ddh5Yn4f Map the six changes against your current QMS. Prioritize the QMSR alignment updates - these have the broadest operational impact. Do not wait for your next MDSAP audit to discover the gaps. Gsap Mor Moshe Iris Shamir Dr. Sivan Luder Avital Levertov #MDSAP #MedicalDevices #QualityManagement #QMSR #FDA #RegulatoryAffairs #ISO13485 #MedTech

💡 Exploring What’s New in Dynamics 365 Finance v10.0.45 Microsoft continues to refine D365 Finance with every release — and version 10.0.45 brings some excellent updates that strengthen control, auditability, and automation across the finance function. Here are three features that really stand out for me 👇 1️⃣ Out-of-Balance Ledger Settlement Reversal We’ve all seen cases where ledger settlements go out of balance across fiscal years. In 10.0.45, you can now automatically detect and reverse those out-of-balance settlements directly from the new “Out-of-balance ledger settlements” page. This saves time during period or year-end close and keeps your books clean without manual intervention. 2️⃣ Ledger Settlement Audit Trail (Description & Reason) Auditability just got better. The ledger settlement inquiry now displays the original transaction description and the reason entered at settlement — adding much-needed transparency to journal adjustments and reconciliations. 3️⃣ Fixed Asset Split & Intercompany Transfer (Preview) Managing assets across multiple entities has always been tricky. This new preview feature allows splitting or transferring fixed assets between legal entities — with previews of cost, depreciation, and net book value before posting. It’s a big step forward for organizations handling complex group structures or consolidations. Each of these enhancements may look small on paper, but together they bring greater accuracy, audit readiness, and cross-company consistency — three things every finance team needs. Have you tried any of these new features yet? Would love to hear your experience 👇 #MicrosoftDynamics365 #D365Finance #ERP #FinancialConsolidation #DigitalTransformation #FinanceAutomation inDX

🚨📢📘MDSAP Published Revised Audit Approach (AU P0002.10)🚨 🗓️ Revision Date: February 6, 2026 🌍 The Medical Device Single Audit Program (MDSAP) has officially released the latest revision of the MDSAP Audit Approach, a major milestone for medical device manufacturers, auditors, and regulatory professionals worldwide. ✨ What’s new & why it matters: ✅ Consolidates the Audit Model and Process Companion into a single, unified document ✅ Reinforces a risk‑based, process‑driven audit methodology ✅ Provides clearer task‑level guidance across the full audit cycle ✅ Strengthens alignment with ISO 13485:2016 and regulatory requirements across participating authorities ✅ Improves navigation, usability, and audit consistency 🌐 One audit. Multiple jurisdictions. Global confidence. This updated approach continues to support regulatory compliance across: 🇨🇦 Canada | 🇺🇸 USA | 🇯🇵 Japan | 🇦🇺 Australia | 🇧🇷 Brazil 🔍This document is now an essential reference for: 👨⚕️ a medical device manufacturer preparing for MDSAP. 🧾 an auditor or compliance professional. 🏭 a quality & regulatory leader managing global market access. 📎 Access the official document here👇: https://lnkd.in/gaaNk4FA 📢 Please share this post with your connections to help the MedTech community stay compliant. #MDSAP #MedicalDevices #RegulatoryAffairs #ISO13485 #QualityManagement #GlobalCompliance #MedicalDeviceRegulation #AuditReady #IMDRF