Rishabh Arora
“I audit compliance for a living. So I built the platform I wished my clients had.”
I have led 100+ SOC 2 audits and currently manage 30–40 parallel audits as Client Engagement Manager at A-LIGN. I've turned that frontline regulatory experience into House of GRC: a complete, free toolkit of assessment calculators, policies, and a flagship agentic SOC 2 platform named Veris AI.
Readiness was a black box.
In leading over a hundred compliance audits, I watched the exact same story play out again and again. The gap was never the auditor's final finding — it was the fact that internal engineering teams had absolutely no idea where they stood before the audit fieldwork actually started.
Readiness checkups were either locked behind expensive, manual consultancy retainers or flattened into simple spreadsheet checklists that missed actual technical system boundaries.
So I started building the software tools I wished my own clients had at their disposal. What began as a series of simple calculators soon turned into an integrated, end-to-end framework catalog and platform: House of GRC.
Meet Veris AI.
Our flagship agentic compliance engine. Four specialized AI agents that autonomously prep your infrastructure, policies, and logs so you walk into audits fully ready.
Veris AI Workspace
Agentic SOC 2 Readiness with automated boundary analysis and controls matching.
ATLAS
Scopes your Trust Services Criteria (TSC) boundary based on your cloud architecture.
THEMIS
Drafts complete, auditor-ready policy manuals customized for your engineering stack.
VERITAS
Verifies and scores evidence files, verifying checklists before submitting to your auditor.
AEGIS
Guards security posture by continuously monitoring vendor and risk registers.
House of GRC Toolkit.
Veris AI is our flagship product workspace. House of GRC is the umbrella that holds it — including our entire catalog of free compliance tools and reference guides.
Self-Assessment
Scenarios engine mapping Trust Services Criteria boundaries with instant scoring and gap lists.
Policy Generator
Interactive engine to customize and draft complete policy manuals and export in editor formats.
Framework Mapper
Map common security controls from SOC 2 criteria to ISO 27001:2022 and federal standards.
21 Framework Guides
Deep guides for security frameworks (SOC 2, ISO 27001, HIPAA, GDPR, ISO 42001, CMMC).
GRC Jobs Board
Curated feed of remote and global security compliance and IT audit vacancies.
Regulatory News
Real-time aggregated compliance news regarding security bulletins, CERT-In, and AI acts.
Coding the controls.
I built this entire 30-route platform solo during nights and weekends, utilizing AI as a high-velocity pair-programmer.
GRC domain expertise is my engineering moat. Because I understand the requirements of auditors in detail, I am able to draft the precise compliance rules and write the code that enforces them.
Domain Expertise
We start with real regulatory requirements and field experience.
AI Pair-Programming
Write, refactor, and compile complex web structures at speed.
One Prompt at a Time
Break down large requirements into atomic functional additions.
Auditor Code Review
I manually audit and test every single line before it ships.
Backed by real experience.
From advisory audits for tech enterprises to first-line defensive controls inside global payment gateways.
Lead 100+ audits and manage 30–40 parallel SOC 2 compliance engagements. Act as the primary technical point of contact across the full audit lifecycle.
Supervised teams of 15+ staff and senior GRC consultants, conducting quality reviews, establishing scoping baselines, and assuring deliverables.
Planned and executed SOC 2, FISMA, and FedRAMP security audits. Leveraged automated tools (Vanta, Drata) to reduce compliance client overhead.
Designed test plans and conducted logical access & change management validation for PayPal's ITGC SOX framework.
Conducted SOC 1, SOC 2, and SOX IT audits for Fortune 500 tech systems. Directed SOC 2 readiness for blockchain, crypto-wallet, and investment firms.
Six Tested Domains
SOC 2 Type I & II
Managed 100+ audits. I know where engineering teams lose weeks on evidence collection, how controls break, and how to prep in under 90 days.
ISO 27001
Certified ISMS Lead Auditor. Gap analysis, Stage 1/2 preparation, and Annex A control mapping. Coordinates ISO framework alignment with SOC 2 boundaries.
FedRAMP & FISMA
NIST SP 800-53 Rev 5 federal security controls mapping, SSP preparation, and continuous monitoring (ConMon) guidelines for government vendors.
SOX ITGC
Tested IT General Controls from within PayPal's FLOD logical access, change authority and operations. I know exactly what auditors test during fieldwork.
Cloud Security
CCSK and AWS certified. Cloud infrastructure IAM review, boundary segmentation, encryption keys, and log aggregation checks.
AI Governance
ISO 42001 Lead Auditor. Annex A AI-specific operations scoping, algorithmic safety boundaries, and risk registers under the EU AI Act framework.
Credentials & Certifications
Let's talk.
Whether you need to organize a full SOC 2 engagement, complete a readiness scoping call, or explore custom dashboard capabilities — let's schedule a meeting.