Senior IT SOX Auditor
The Senior Analyst, IT Internal Controls role is responsible for supporting IT in managing and assuring the operational effectiveness of cybersecurity and compliance controls. The senior analyst provides guidance related to compliance (e.g., SOX, NIST CSF, etc.) and IT security (e.g., ISO 27001). Both new implementations and the operational maintenance of existing business-critical applications will be examined. The role extends to any part of the business that carries risk associated with information assets. The senior analyst reports directly to the Manager, IT Internal Controls.
location: West Chester, Pennsylvania
job type: Permanent
work hours: 9am to 5pm
Principal Accountabilities Are
- Advise the technology team on control design and best practices
- Execute testing to validate that cybersecurity and compliance policies are being followed
- Conduct assessments/audits to confirm operational effectiveness of IT general controls and identify risk
- Provide risk metrics to management regarding audit performance and findings
- Assist control owners with root cause analysis and track risk management action plan progress
- Guide efforts to create common control framework and uniform compliance reporting standard
- Planning and performing the annual review of compliance requirements that affect operations and initiatives in information security, privacy, and IT risk management.
- Performing examination of security controls to determine design and operational effectiveness.
- Planning and performing an annual review of the risks that affect the effectiveness of information security, privacy, and information security risk management.
- Studying risk assessments conducted by the business owners and support functions to incorporate relevant tests in assessment plans.
- Conducting management testing of IT controls independent of the audit schedule, so that less effort is needed during audits.
- Communicating with different levels of IT and business leaders on drivers of the information security risk assessment agenda.
- Preparing the communications schedule with all stakeholders - CISO, CIO, CFO, IA, etc.
- Identifying and tracking assessment/audit performance metrics.
- Implementing and supervising the issue tracking and resolution process.
- Reviewing the IT audit risk assessments conducted by the internal audit team members.
- Reviewing third-party attestation and audit reports, and providing feedback to business leaders and risk owners.
- Collaborating with the internal audit team, their agents, and external auditors.
- Monitoring Information Security assessment best practices in the industry to determine opportunities for improvement, including tools and processes.
- Assisting business and support functions in evaluating tools and technology that support the enterprise's risk management approach.
- Providing recommendations to business and IT leaders on practices followed in the industry to mitigate risks.
Requirements
- Bachelor's Degree in Business, Accounting, Information Technology, Computer science or other quantitative discipline.
- 5+ years of broad risk, compliance or IT controls experience
- 2+ years of audit/assessment experience with PCI, SOX, NIST CSF, HIPAA, ISO, or other cybersecurity frameworks
- Sound understanding of security principles including logical access controls, change control, least privilege, segregation of duties, computer operations, network security, vulnerability management, and secure coding.
- Broad technical understanding of data management platforms (e.g., IBM DB2, Oracle, Microsoft SQL Server, etc.) and associated data security controls.
- Strong technology acumen and the ability to assess data privacy gaps in products/services design
- Expert understanding of data classification, data protection, and data retention standards and practices.
- Familiarity with common enterprise and web application technologies
- Experience with project management best practices and collaborating with PMO.
- Experience with common information security management frameworks, such as the International Organization for Standardization (ISO) 27000 series, ITIL, the CIS Critical Security Controls (CSC 20), COBIT and National Institute of Standards and Technology (NIST) frameworks.
- Expert understanding of data protection regulations and standards (e.g., PCI, Safe Harbor, EU Data Protection Directive, etc.).
- Strong analytical and time management skills
- Ability to maintain a high degree of confidentiality
- Certified Information Systems Auditor (CISA)
- PMI Project Management Professional (PMP)
- Payment Card Industry (PCI) Internal Security Assessor (ISA)
- Certified Information Privacy Professional (CIPP) or Certified Information Privacy Manager (CIPM)
- Industry-standard security certifications, including SANS/GIAC GSNA, ISACA CISM, ISC2 CISSP, and ISC2 CSSLP.
skills: SOX experience and strong PCI experience.
Equal Opportunity Employer: Race, Color, Religion, Sex, Sexual Orientation, Gender Identity, National Origin, Age, Genetic Information, Disability, Protected Veteran Status, or any other legally protected group status.