Audit the Modern Stack. Without Becoming an Engineer.
Certified GRC Engineer, Auditor Specialty (CGE-AUD)
Engineering went cloud-native a decade ago. Compliance implementation caught up. Audit didn’t. The CGE-AUD is the credential that closes that gap, teaching experienced auditors to read pipelines, sample code-defined controls, and evaluate engineered evidence.
Introducing the CGE-AUD
Certified GRC Engineer, Auditor Specialty
Every modern engagement stalls in the same place: an auditor asks for a screenshot that doesn’t exist anymore, and a Terraform repo sits there unread. Give an experienced SOC 2 practitioner the literacy to read a pipeline, and findings stop slipping through. The CGE-AUD teaches that literacy across seven domains, with about four hours of video and no portfolio to submit.
Study Guide
Comprehensive materials to prep early
Exam Blueprint
Know exactly what to expect
Free for Members
Full course + exam included with membership
- 7 domains
- ~4 hrs of video training
- 50 exam questions
- No portfolio required
What You'll Learn
Seven domains. Each pairs a short technical primer with auditor-specific guidance on how to test it and what bad looks like.
Cloud & Code Literacy for Auditors
Cloud accounts and the shared responsibility model, JSON and YAML, Git repositories, and reading code without writing it. AWS, Azure, and GCP.
Auditing Infrastructure as Code
What Terraform and CloudFormation actually are, reading a module like an auditor, sampling resources from code, and using state and drift as evidence.
Auditing CI/CD Pipelines
Pipeline anatomy in GitHub Actions, GitLab, and Jenkins. Segregation of duties, build logs as evidence, approval gates, and automated security testing.
Cloud-Native Monitoring & Continuous Controls
Testing automated controls instead of point-in-time sampling, drift detection, key security indicators, and CloudTrail, Azure Monitor, and GCP Audit Logs.
Claude Code & AI Tooling for Auditors
Use Claude Code and the Club’s auditor skills to pull configurations, draft test procedures, and analyze JSON evidence, without writing a line of code.
Evidence Evaluation in a GRC-Engineered Org
Evidence quality criteria for automated environments, sampling continuously generated evidence, workpaper documentation, and the AWS Audit Playbook.
Applied Commercial Audit Scenarios
End-to-end walkthroughs: a SOC 2 Type II of a cloud-native SaaS, ISO 27001 in cloud-native environments, and PCI DSS scoping in the cloud.
The Exam
A knowledge exam, built for auditors. No portfolio to submit.
Certification Exam
- 50 questions: 40 multiple choice + 10 scenario-based
- 75 minutes to complete
- 70% passing score (35/50)
Domain Weights
Scenario-Based, No Portfolio
Auditors evaluate, they don’t build. Each scenario question puts a short artifact in front of you (a snippet of Terraform, a pull request description, a CloudTrail event, a build log) and asks you to identify the finding or choose the right test procedure. No coding, no lab setup, no capstone.
What It Measures
- 20% Remember
- 35% Understand
- 30% Apply
- 15% Analyze & Evaluate
Online proctored. 14-day wait between attempts, up to three attempts per 12 months.
How CGE-AUD Fits with CGE-P
Parallel tracks, not a ladder.
CGE-P · Practitioner
Certifies the engineers who build automated compliance. Infrastructure as code, policy-as-code, CI/CD, and a real capstone submitted on GitHub.
CGE-AUD · Auditor Specialty
Certifies the auditors who evaluate it. A modern compliance program needs both, and the two credentials share vocabulary, framework references, and the same GRC Engineering maturity model, so engineer and auditor walk into the room speaking the same language.
Keeping Your Cert Active
A three-year cycle. Two paths to maintain your CGE-AUD.
Club Members
Stay active as a GRC Engineering Club member and your CGE-AUD auto-renews across the three-year cycle. No extra steps, no logging hours.
- ✓ Automatic renewal with active membership
- ✓ No CEU tracking required
- ✓ Ongoing access to new courses and content
Non-Members
If you’re not an active club member, maintain your certification by completing 15 CEU hours within the three-year cycle.
- 15 CEU hours per three-year cycle
- Club events, published writing, or open-source audit tooling
- Mentorship of new CGE-AUD candidates
Why CGE-AUD?
The gap was never the auditor's intelligence. It was the toolkit.
Built by Practitioners
Taught by AJ Yawn and Abdie Mohamed, working GRC and audit practitioners, not vendors or test-prep companies.
For Auditors, Not Engineers
No coding background, no cloud certs, and no CGE-P required. You learn to read and test, not to build.
AI-Native
The only auditor credential with a full domain on using Claude Code and AI tooling to do real audit work.
Read Real Artifacts
Scenario questions put real Terraform, pull requests, CloudTrail events, and build logs in front of you.
CGE-AUD FAQ
Everything you need to know about the Auditor Specialty.
What is the CGE-AUD?
The CGE-AUD (Certified GRC Engineer – Auditor Specialty) is a standalone credential that gives traditional auditors the technical literacy to audit modern, GRC-engineered organizations. It covers cloud, infrastructure as code, CI/CD pipelines, cloud-native monitoring, AI tooling, evidence evaluation, and applied commercial audit scenarios across seven domains. The goal: audit the modern stack without becoming an engineer.
Who is the CGE-AUD for?
Internal auditors, external (CPA-firm) IT auditors, SOC 2 and ISO 27001 auditors, PCI QSAs, HIPAA and HITRUST assessors, risk assurance professionals, and GRC analysts who now find themselves auditing cloud-native, SaaS-first, DevOps-driven organizations that look nothing like the systems they were trained on.
Do I need a coding background or CGE-P first?
No. The CGE-AUD assumes near-zero prior technical knowledge and teaches the cloud, code, pipeline, and policy concepts an auditor needs from the ground up. It is standalone, with no CGE-P prerequisite. CGE-P and CGE-AUD are parallel tracks: CGE-P certifies the engineers who build automated compliance, CGE-AUD certifies the auditors who evaluate it.
What does the CGE-AUD exam cover?
Fifty questions, 40 multiple choice plus 10 scenario-based, in 75 minutes, with a 70% pass score (35/50). There is no portfolio. Domains are weighted: Cloud & Code Literacy (20%), Auditing Infrastructure as Code (15%), Auditing CI/CD Pipelines (15%), Cloud-Native Monitoring & Continuous Controls (15%), Claude Code & AI Tooling (15%), Evidence Evaluation (10%), and Applied Commercial Audit Scenarios (10%).
How is the CGE-AUD different from CISA?
CISA tests audit and governance knowledge in the abstract. The CGE-AUD tests whether you can read a Terraform module and tell if encryption-at-rest is configured, sample CI/CD build logs as control evidence, and test continuous monitoring controls without asking for monthly screenshots. The gap was never the auditor’s intelligence. It was the toolkit.
How much does the CGE-AUD cost?
The CGE-AUD is free for active GRC Engineering Club members ($9.99/month membership, locked forever for early members). Non-members can purchase exam access for $250, a one-time fee that includes the video training, exam, and certificate.
When does it launch and how do I join the beta?
The CGE-AUD launches July 15, 2026. A beta cohort is recruited from the GRC Engineering Club community ahead of public availability. Join the Club to get on the beta list and earn the credential free as a member.
Auditors, Your Turn to Level Up.
The CGE-AUD launches July 15, 2026. The beta cohort opens soon and seats go to the community first. Join the Club to get on the list and earn the credential free as a member.