The Audit That Goes Wrong: A Cautionary Walk Backwards
A composite incident, traced backward through the controls that should have prevented it. What was missing at each step, and what would have caught it.
The cleanest way to teach a security guideline is to walk backward through an incident. The events below are a composite from real engagements; identifying details are removed. Read it in reverse — the regulator’s letter on top, the privileged-access decision at the bottom — and you have the BB ICT Guideline in operational form. Every line in this story maps to a control domain in the Guideline; every gap maps to a finding the institution was not ready for. The sequence in which they happen is the sequence in which they tend to happen everywhere.
The cascade, in reverse
- T+45 dRegulator's letter arrivesMaterial findings: privileged-access sprawl, change-management bypass, incomplete asset inventory, weak third-party risk management.
- T+14 dForensics completeLateral movement traced through a vendor-shared service account that had not been rotated in 19 months.
- T+3 dExternal notificationCustomer-data exposure confirmed; DPA notified inside the statutory window — barely.
- T+12 hContainmentPrivileged session revoked. Service account disabled. Network segments isolated. SOC team in their seventh hour.
- T+30 mFirst detectionSIEM alerted on anomalous privileged-API call. Two earlier alerts in the same lineage had been suppressed during quarter-end change-freeze.
- T-2 moVendor account createdEmergency change for a payment-switch upgrade. Account created with permanent admin scope; the rotation ticket was filed and closed without execution.
- T-9 moLast clean control reviewAsset inventory was last reconciled here. The vendor account did not exist yet. Everything that mattered happened after this date.
Source: Composite reconstruction; identifying details removed.
What each control should have caught
The privileged account should have been just-in-time, not permanent. The asset inventory should have caught the new account in its nightly diff. The change-management process should not have a quarter-end suppression mode for SIEM alerts, ever. The third-party risk register should have re-audited the vendor before any new privileged scope was granted. None of these are exotic; all are in the BB ICT Guideline; none was operating. The institution had paper compliance — a policy document, signed by senior management, citing each of these controls — and operational non-compliance, where the actual systems did not enforce what the policy said. The regulator’s letter was specifically about the gap between the two.
What the regulator’s letter actually focused on
The letter did not lead with the breach. It led with process. The regulator wanted to understand whether the institution had been operating its controls or had merely documented them. The forensic findings were a consequence; the institutional posture was the cause. Three questions dominated the response correspondence: how the privileged account was allowed to exist beyond its authorised window, why the SIEM had a suppression mode in the first place, and what the institution intended to do about the third-party risk register. None of those questions were about the breach itself. The breach was the symptom.
Source: Cloud Digit advisory composite, 2024–2026.
The seven controls that would have stopped it
Phishing-resistant MFA on privileged paths. Just-in-time access with session recording, ticket-bound and time-bound. Asset inventory in one CMDB, refreshed nightly. SWIFT and other regulated environments in their own trust zones. A SIEM that does not have a suppress during change- freeze mode. Quarterly DR exercises that test the on-call rotation, not just the runbook. Annual third-party assessments stored alongside the contract. Each is dull. Each, in this story, is the difference. The institutions that operate all seven do not get the regulator’s letter. The institutions that operate four out of seven get it once a year.
Why this story repeats
The single most common cause of breaches we see in Bangladeshi BFSI is not novel attacker tradecraft. It is the slow accumulation of expedient exceptions — emergency-change accounts, suppression rules, deferred rotations, untracked vendor logins. Each individual exception was defensible at the time it was created. The cumulative effect is a control surface that no longer enforces what the policy says. The work of the security function is, in large part, the work of saying no to the next exception that would otherwise be filed routinely.
The cultural posture that prevents this
The institutions that recover quickly from incidents share three cultural traits. First, the security team is empowered to halt production changes when a control is missing — and uses that authority sparingly enough that nobody questions it when it does. Second, the audit function and the security function meet weekly, share the same control-mapping spreadsheet, and treat each other as allies rather than adversaries. Third, the board’s risk committee has, on its agenda, explicit reviews of the top five controls — not the top five risks. The distinction is consequential.
Read next
- BFSI
Notes from a BFSI Hybrid Migration: An Audit Diary
Eighteen months inside a Tier-1 bank moving from a single-vendor private cloud to a regulated hybrid. The notes I kept, and what they say in retrospect.
- Compliance
Three Letters to Three Regulators
How public cloud actually fits inside the Bangladeshi regulatory frame, written as three pieces of correspondence — to BTRC, to Bangladesh Bank, and to the Data Protection Authority.
- Cloud Strategy
A Letter on the Bangladesh Cloud Economy
Annual letter to the Cloud Digit board on the shape, drivers, and trajectory of the Bangladeshi cloud market. Written in the long-form-thesis style that serious investors actually read.