Session

Audit Season Is Coming: What Developers Should Know

Most developers rarely think about audits while writing code. Yet in many organizations, the systems engineers build are eventually reviewed by security teams, auditors, regulators, and compliance programs.

When that moment arrives, technical decisions that once seemed minor suddenly become important questions about access control, logging, change management, deployment practices, and operational risk. The systems that work perfectly in production are now evaluated through a completely different lens.

This session explores what actually happens when engineering environments are examined during security and compliance audits.

We will walk through the types of questions auditors ask, the evidence organizations are expected to produce, and how common development practices such as CI/CD pipelines, infrastructure configuration, code repositories, and deployment processes are evaluated during audits. Attendees will gain insight into why certain practices raise red flags and how organizations demonstrate that their systems are secure, well-governed, and operating as intended.

Rather than focusing on specific compliance frameworks, this talk focuses on the real-world intersection between software engineering and governance. Developers will learn how everyday engineering decisions influence audit outcomes and how teams can design systems that are both scalable and audit-ready.

By understanding what auditors actually look for, developers can avoid common pitfalls, reduce friction with security teams, and build systems that stand up to both production demands and compliance scrutiny.

Neviar Rawlinson

Cyber Risk & IT Governance Leader | Founder, GRC Explained | Speaker on Cyber Risk, Governance, and Security Leadership

Columbia, South Carolina, United States
