Principal - SC&H Group
Scott Heflin is a Principal in the Risk Management practice where he focuses on Information Technology audits, information security, regulatory compliance reviews, and SOC audits and reporting. Client relationship management is a key priority for Scott, who ensures that his practice area exceeds client expectations and continually strives for excellence.
Scott also focuses his effort in the field by performing complex test procedures, building new methodologies, and sourcing business development. His clients range from small, private companies to Fortune 50 global organizations in the technology, energy, distribution, financial services, and biotech industries. Additionally, Scott works with many local government entities and government contractors in managing IT risks and related controls.
Currently Scott leads numerous outsourced and co-sourced internal audit projects that include IT risk assessments, IT audit plan development and execution, IT controls reviews, IT infrastructure reviews, and customized IT application reviews. He also manages SOC 1 and SOC 2 audits, and has nearly 15 years of experience performing IT regulatory compliance reviews including SOX 404, VITA Security Assessments, GLBA, GISRA, and FISCAM.
Prior to joining SC&H, Scott worked in the Information Risk Management practice of a global accounting firm and worked on numerous high-profile projects. He held a critical role in one of the largest financial restatement processes in history by analyzing and re-running various queries to test the veracity of database files and download processes utilized in the MCI WorldCom restatement. Throughout his career, Scott has assessed major ERP applications (PeopleSoft, SAP, Oracle, etc.), mainframe environments, commercial off-the-shelf (COTS) software, and internally developed systems.
Scott holds a B.B.A. in Computer Information Systems from James Madison University. He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), has earned the Certification in Risk Management Assurance (CRMA), and is certified in Risk & Information Systems Control (CRISC). He is a member of the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA), where he serves on the Public Relations Committee.
In his spare time, Scott volunteers with his church doing local fundraisers and working within the community. He also enjoys playing golf, beach volleyball, mountain biking, and spending time with his family.