Global Chief Auditor, Technology, Citi

Theresa Grafenstine

As the Global Chief Auditor for Technology at Citi, Theresa Grafenstine oversees a staff of approximately 250 technology auditors – all of whom are required to incorporate a standardized testing program that covers basic principles of information security. Grafenstine also manages a team of more than 30 auditors who specialize in cybersecurity and conduct technical cyber reviews of Citi’s systems globally.

Grafenstine has been a leader in the information system and auditing profession for more than 25 years. Earlier in her career and shortly after becoming a mother, Grafenstine returned to work and found herself tasked with leading an audit that no one else wanted and was unlike any other project she had taken on before: the audit of the new Active Directory for the U.S. House of Representatives.

“I certainly didn't consider myself an IT auditor. How frustrating, unfair and frightening it seemed at the time. However, one of things that I've learned through my career is that it is never easy situations that have the biggest impact. When I give leadership talks, I say one of my leadership rules is you have to ‘know your stuff.’ I wasn't going to be able to effectively do an audit of Active Directory without understanding Active Directory. So, I learned it. It wasn't easy, and it required real dedication to put forward the extra effort, particularly for a new mother trying to balance those responsibilities. But I was successful,” Grafenstine says.

This audit was the start of her path to becoming an IT auditor, to converting that organization into a center of excellence for IT audit within its peer group, and to leadership in the IT security profession. She says, “It wasn't a project that I chose and it wasn't one that was given to me as a reward. But I overcame my fears, didn't complain and tackled the assignment that no one else wanted. As a result, I grew more as a professional in terms of both hard and soft skills and it became one of the projects that I am most proud of.”

Since joining Citi in April 2019, Grafenstine has reinvented the way that Citi audits its cybersecurity functions. In the past year alone, she designed and implemented a new global strategy, which covers all of Citi’s legal entities, for auditing cybersecurity in alignment with the NIST cybersecurity framework for financial services. In addition, she created an internal audit-wide framework for auditing operational resilience and crisis management for Citi, globally.

Previously, she served as Managing Director at Deloitte, where she led the internal cyber audit practice for the financial services industry. There, she also oversaw the management and execution of remediation efforts at the Joint Chiefs of Staff, Immigration Control Enforcement (ICE), and U.S. Coast Guard to address financial and IT general control deficiencies and enable U.S. federal agencies to meet its Congressional mandate for audit readiness. She created and guided implementation of organizational designs of internal audit organizations, including at the Federal Bureau of Investigation (FBI).

She is a Certified Information Systems Security Professional (CISSP) and has served as a member of the board at the American Institute of Certified Public Accountants (AICPA). She served as the non-partisan, appointed Inspector General of the U.S. House of Representatives from 2009 to 2017, where she oversaw a full range of audited areas including cybersecurity, business continuity/disaster recovery, logical and physical security controls, risk assessments, enterprise risk management and more.