GRC Audit and Compliance is a product‑focused audit and continuous testing team.
We meet our audit obligations to customers and external stakeholders and give leadership clear insight into GitHub’s control posture.
We also support go‑to‑market efforts by treating customer‑facing assurance reports as product features.

Current audit scope:

• SOC 1, SOC 2, SOC 3 – GHEC and Actions
• ISO 27001 – GHEC and Actions
• FedRAMP Low Tailored – GHEC
• PCI DSS – GHEC
• Microsoft non‑financial disclosures – GitHub NFD metrics (Developers, MAC, MEU)
• Microsoft internal audits – Security Governance, Trade Compliance, and others
• GHAE – compliance and risk management
• Azure DevOps – compliance, privacy, and risk programs

Learn more in the Security GRC Compliance repo.

• Build productive customer partnerships and repair strained relationships.
• Review audit project plans, work papers, and reports; discuss issues with management; confirm quality controls.
• Plan, schedule, and execute IT audits within budget and deadlines; supervise audit staff and coach for improvement.
• Identify and assess complex business and technology risks; advise management on mitigation.
• Assign work, track progress, and deliver semester and annual performance reviews for team members.

Sr. IT Control Analyst

• Designed, implemented, and tested controls for ISO 27001, ISO 27018, AICPA, and NIST.
• Built an SDLC audit plan that streamlined controls for 1,500 developers.
• Managed external SSAE‑18 and ISO 27018 audits and internal assessments.
• Completed customer due‑diligence questionnaires quickly.
• Advised stakeholders on changing compliance requirements.
• Identified risk and guided remediation.

IT Control Analyst

• Supported compliance, external, and internal audit work.
• Streamlined internal processes by improving tooling.
• Maintained risk and control matrices, test plans, and status trackers.
• Assessed ITGC design and implementation against policies.
• Verified control evidence for completeness, accuracy, and precision.

Risk Advisory Services Consultant

• Performed general computer control reviews on UNIX, Windows, AS/400, and Oracle systems.
• Tested automated application controls for financial reporting software.
• Evaluated and improved client operational efficiency.
• Reviewed the design, build, and operation of client business processes.
• Led cyber‑security risk assessments and audits.
• Supported financial audit and SOX teams with control design and testing.
• Assessed security issues and recommended remediation.
• Managed the IT Audit SharePoint knowledge repository, boosting productivity.

• IT design and consulting for Standing Stone Nursery.
• Intake and review of GitHub bugs reported in HackerOne.

• Exotic plants 🌴
• 4‑wheeling 🚴‍♂️
• Hiking 🥾
• Travel ✈️
• Time with the dogs 🐕🐕🐕

• LinkedIn
• Slack: @HaDoyle12
• Instagram
• ISACA Mentorship