Governance · Risk · Compliance

Richard Vincent
GRC Analyst Portfolio

Cybersecurity professional building a GRC-focused portfolio around control assessment, audit reporting, risk documentation, and compliance mapping. Technical SOC background strengthens my ability to understand the systems, threats, and controls behind governance and compliance work.

  • 5 structured audit reports with findings, risk ratings, and framework citations
  • 20+ documented findings across identity, logging, data, patching, and governance
  • 3 frameworks applied — NIST CSF, ISO 27001, and CIS Controls — per report
  • H/M/L risk rating model used to communicate severity and prioritize remediation

Meridian Consulting Group

All portfolio projects are scoped to a consistent fictional organization — giving the work real context, continuity, and business relevance rather than disconnected exercises.

The Business Scenario

Meridian Consulting Group is a 22-employee professional services firm operating in a Microsoft 365 cloud environment. It has no dedicated IT or security staff and exhibits several common small-business security gaps that require governance, audit, risk management, and control improvement.

Note: Meridian Consulting Group is a fictional organization created for educational and portfolio demonstration purposes only.
  • Industry: Professional Services / Business Consulting
  • Size: 22 employees, Atlanta GA
  • Technology: Microsoft 365, SharePoint, OneDrive, Windows endpoints
  • Security State: No security team, partial MFA, limited monitoring
  • GRC Need: Policies, audits, access reviews, risk register, vendor oversight
  • Audit Scope: All 5 reports cover distinct control domains for this org

AI-Assisted GRC Assessment Assistant

Interactive portfolio demo showing how a GRC assessment can move from intake and evidence collection to questionnaire-driven analysis and draft reporting. This tool is presented as a portfolio project and all outputs require human review before any real-world use.

  • Workflow: Intake → Evidence → Questions → Draft Report
  • Purpose: Portfolio Demonstration
  • Output: Draft Readiness Report
  • Important: Human Review Required
Interactive Project

Structured GRC Intake and Reporting Workflow

This project demonstrates how GRC assessment work can be organized into a repeatable process: company intake, evidence upload, questionnaire-based analysis, and AI-assisted draft reporting. It is designed to show process thinking, reporting structure, and framework-aware recommendations.

  • Company profile intake
  • Evidence upload workflow
  • Security questionnaire capture
  • AI-assisted draft findings and recommendations
  • Framework-aligned reporting structure

Five named GRC deliverables.

Each project is a concrete, defined piece of work with specific outputs — not a description of GRC topics. Each one simulates what a junior GRC analyst would produce on the job.

Project 01 · Completed
  • Audit Domain: Access Control & Identity
  • Risk Rating: High
  • Findings: 4 documented findings
  • Framework Citations: ISO 27001 A.5.16 · NIST PR.AA · CIS Control 6

Access Control & Identity Management Audit

Reviewed user account hygiene, MFA enforcement, shared account usage, and offboarding procedures for Meridian's Microsoft 365 environment. Identified critical gaps including three active accounts for departed employees and MFA disabled for 14 of 22 users.

What Was Produced
  • Scoped audit with defined evidence review methodology
  • 4 findings with observation, risk statement & framework citation
  • Prioritized remediation table (Immediate / 30 Day / 90 Day)
  • Control maturity assessment across 5 access control areas

View Full Audit Report →

Project 02 · Completed
  • Audit Domain: Logging & Monitoring
  • Risk Rating: High
  • Findings: 4 documented findings
  • Framework Citations: ISO 27001 A.8.15 · NIST DE.AE · CIS Control 8

Security Logging & Monitoring Readiness Review

Assessed Microsoft 365 Unified Audit Log coverage, alert policy configuration, log retention period, and whether any process exists for reviewing security events. Found the organization completely unable to detect or investigate a security incident.

What Was Produced
  • Audit log coverage gap analysis across M365 workloads
  • Alert policy gap findings with BEC threat context
  • Log retention policy assessment vs. 12-month industry standard
  • Detective control maturity assessment with remediation table

View Full Audit Report →

Project 03 · Completed
  • Audit Domain: Data Protection & Backup
  • Risk Rating: Medium
  • Findings: 4 documented findings
  • Framework Citations: ISO 27001 A.8.13 · NIST PR.DS · CIS Control 11

Data Protection & Backup Controls Assessment

Evaluated backup coverage and restoration testing, workstation data risk, data classification posture, and BitLocker encryption status across employee devices. Found backups untested and four workstations storing client deliverables with no backup coverage.

What Was Produced
  • Backup design vs. operating effectiveness analysis
  • Data classification gap finding with 3-tier recommendation
  • Encryption posture assessment across workstation sample
  • Ransomware risk context and recovery readiness rating

View Full Audit Report →

Project 04 · Completed
  • Audit Domain: Vulnerability & Patch Mgmt
  • Risk Rating: High
  • Findings: 4 documented findings
  • Framework Citations: ISO 27001 A.8.8 · NIST PR.PS · CIS Controls 1 & 7

Vulnerability & Patch Management Audit

Reviewed asset inventory accuracy, OS patch status across sampled workstations, end-of-life software exposure, and network device firmware currency. Found two Windows 10 EOL devices, three workstations with patches 45–91 days outstanding, and no asset register.

What Was Produced
  • EOL software risk finding with CVE exposure context
  • Patch cadence gap analysis per sampled device
  • Asset inventory gap finding and minimum register recommendation
  • Network firmware remediation recommendation with SLA guidance

View Full Audit Report →

Project 05 · Completed
  • Audit Domain: Governance & Policy
  • Risk Rating: Medium
  • Findings: 4 documented findings
  • Framework Citations: ISO 27001 A.5.1 · NIST GV.PO · CIS Controls 14 & 17

Security Governance & Policy Framework Review

Assessed policy framework completeness, security awareness training program, third-party vendor security requirements, and incident response readiness. Found zero formal policies, no training records, vendors with system access but no contractual security obligations, and no IR contact list.

What Was Produced
  • Policy inventory gap analysis vs. ISO 27001 Clause 5 requirements
  • Security awareness training gap finding with phishing risk context
  • Vendor management finding for 3 vendors with system access
  • IR readiness gap finding — root cause analysis for all 5 audits

View Full Audit Report →

All five reports in one place.

The full report collection demonstrates end-to-end GRC thinking: scoping, evidence review, findings documentation, risk rating, framework mapping, control maturity assessment, and prioritized remediation.

  • Reports: 5 Published
  • Frameworks: NIST CSF · ISO 27001 · CIS
  • Environment: Meridian Consulting Group
  • Risk Ratings: High / Medium / Low
Full Report Collection

Security Audit Report Series — Meridian Consulting Group

Five structured audit reports covering the most critical control domains for a small business cloud environment. Each report follows a consistent format: scope, methodology, findings with framework citations, recommendations with priority tiers, and a control maturity assessment.

  • 01 · Access Control & Identity Management Audit — High Risk
  • 02 · Security Logging & Monitoring Readiness Review — High Risk
  • 03 · Data Protection & Backup Controls Assessment — Medium Risk
  • 04 · Vulnerability & Patch Management Audit — High Risk
  • 05 · Security Governance & Policy Framework Review — Medium Risk

Audit methodology and GRC workflow.

Each audit report follows a practical GRC methodology that mirrors how a junior analyst supports control assessments, audit readiness, findings documentation, and remediation tracking.

01 · Identify

Define the business environment, assets, systems, and control areas in scope.

02 · Assess

Review evidence, determine control gaps, and evaluate risk exposure per finding.

03 · Document

Write findings with observations, risks, framework citations, and maturity notes.

04 · Remediate

Recommend prioritized actions with named owners, urgency, and effort estimates.

05 · Monitor

Support ongoing improvement through review schedules and audit readiness tracking.

Before and after the GRC assessment series.

This shows the business value of the audit work: moving Meridian from undocumented, informal security practices toward a documented, framework-aligned governance and control baseline.

Before Assessment

Initial State — Control Gaps

  • Three former employee accounts still active in M365
  • MFA not enforced for 14 of 22 users
  • No alert policies configured — zero detection capability
  • Backup restoration never tested
  • Two EOL Windows 10 devices, three with patches 45–91 days late
  • No information security policies, training, or IR plan

After Recommendations

Improvement Roadmap — Defined Outputs

  • Immediate account revocation + offboarding checklist documented
  • M365 Conditional Access MFA enforcement recommended
  • 5 alert policies defined; log retention path recommended
  • Quarterly backup test procedure and OneDrive KFM policy proposed
  • EOL upgrade path and patch cadence SLA established
  • Policy template, training platform, vendor clause, and IR contact sheet defined

SOC experience that strengthens GRC analysis.

My SOC portfolio demonstrates hands-on security work in incident investigation, Windows log analysis, phishing review, DNS activity analysis, and web attack investigation. That foundation helps me assess the controls, risks, and evidence behind governance work.

SOC Bridge

Incident Investigation Experience

Practical investigation work involving network traffic, endpoint activity, and suspicious accounts — translates directly into understanding what detective controls need to surface and preserve.

Evidence Review

Log Analysis & Indicator Review

Reviewing logs, indicators, and findings builds intuition for what constitutes strong audit evidence, what gaps look like in practice, and how to frame control deficiencies for a non-technical audience.

Career Direction

Technical-to-GRC Positioning

Technical exposure combined with governance documentation, risk thinking, and compliance-focused control assessment positions me for roles that need analysts who understand both sides.

Control and compliance alignment.

These frameworks are applied across all five audit reports — not just listed as keywords. Each report cites specific control references from the applicable Annex, function, or control number.

NIST CSF 2.0

Govern, Identify, Protect, Detect, Respond, Recover

Used for cybersecurity governance, risk communication, and control function mapping across all five audit domains.

ISO 27001:2022

Information Security Management Controls

Applied at the Annex A control level — A.5, A.6, A.8 — for access, policy, logging, backup, and vulnerability findings.

CIS Controls v8

Prioritized Technical Safeguards

Used to connect audit recommendations to specific, implementable safeguards — Controls 1, 3, 6, 7, 8, 11, 14, 17.

PCI DSS Foundation

Payment Security and Compliance Evidence

Foundational learning path for payment security, compliance evidence, and control validation methodology.

Cybersecurity and GRC development.

Current training combines technical security foundations with governance, risk, compliance, audit readiness, and control assessment skills.

In Progress

CompTIA Security+

Security fundamentals covering threats, architecture, implementation, operations, risk, governance, and controls — reinforcing the technical foundation behind GRC work.

Planned

GRC Mastery Program

Planned next-step training focused on frameworks, audits, risk assessments, compliance documentation, and governance workflows after Security+ is completed.

Verified

Credly Badge Profile

Public badge profile for verifying completed training and certification achievements across cybersecurity and GRC learning tracks.

Open to GRC, compliance, and security analyst roles.

Recruiters and hiring teams can access my resume, audit reports, verified badges, and project work below.

  • SOC Portfolio: richvince.github.io
  • Target Roles: GRC Analyst · IT Audit Associate · Security Compliance Analyst · Risk Analyst
  • Location: Atlanta Metropolitan Area