The Sentinel’s Ledger: Advanced IT Audit for a Resilient Sri Lanka

Governing the "Black Box"  Auditing AI Algorithms Artificial Intelligence is no longer just a buzzword; by 2026, it is driving credit approvals, hiring decisions, and fraud detection. But for an auditor, AI presents a terrifying "Black Box" problem. If we cannot read the code to see why a decision was made, how can we assure controls are working? The answer lies in auditing the inputs and the outputs , rather than the processing logic itself. This is the core of the NIST AI Risk Management Framework (AI RMF) , which emphasizes "Manage," "Map," "Measure," and "Govern". Auditing Data Integrity (The Input) "Garbage in, Garbage out" is the golden rule of AI. If an AI model is trained on biased or insecure data, the model itself becomes a liability. Auditors must verify the Chain of Custody for training data. Was the data "poisoned" by a competitor? Was personal data (PII) stripped out before training?. Audi...

The "Shared Responsibility" Trap in Cloud Audits  The "Cloud" is not a magic fortress; it is simply someone else's computer. Yet, a surprising number of organizations in 2026 still fall for the "Shared Responsibility" trap. Management assumes that because they moved to AWS, Azure, or Google Cloud, their security is "handled." As auditors, it is our job to expose this dangerous fallacy. The Shared Responsibility Model is clear: the provider is responsible for the security OF the cloud (infrastructure, hardware, global networks), while the customer is responsible for security IN the cloud (data, identity management, encryption, and firewall configurations). Where the Audit Fails The most critical failures happen at the "seams" of this model. Identity & Access Management (IAM): The cloud provider secures the login portal, but if the customer allows a "Root User" to have no Multi-Factor Authentication (MFA), the breac...

  The Human Firewall: Auditing Culture as a Control For years, the industry has treated the "Human Layer" as the weakest link. We blame users for clicking phishing links and mandate boring, annual training videos. But in 2026, we know that Culture is a Control . A firewall can block malware, but only a paranoid and empowered culture can stop a Business Email Compromise (BEC) scam. But how do you audit "culture"? It feels intangible. However, leading frameworks like COBIT 2019 and ISACA's Human Factors guidance suggest that culture can be measured if you look at the right metrics. The "No-Blame" Audit The old metric was "Phishing Click Rate" (how many people failed). The new metric is "Reporting Rate" (how many people alerted security). If 10 people click a malicious link, but 5 of them immediately call IT to report it, the risk is contained. If 0 people click, but no one reports the strange email, you are flying blind. Auditor...

 From Recovery to Resilience – The 2026 Audit Shift Theme: Why "Disaster Recovery" is outdated and why "Cyber Resilience" is the new standard auditors must test. Content: For decades, the "Disaster Recovery (DR) Plan" was the safety net of the IT world. If a server crashed, you restored from a backup. If a building flooded, you moved to a hot site. But in 2026, this reactive model is dangerously obsolete. The modern threat landscape—dominated by ransomware that hibernates in backups and AI-driven DDoS attacks—demands a shift from recovery to resilience . Resilience is not about bouncing back; it is about withstanding the blow. It is the ability of a system to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises. For the IT auditor, this represents a fundamental change in testing methodology. We can no longer simply check off "backup logs" or "annual drill results." We must audit the ...