Information Technology Auditor

The IT and Information Security Compliance Staff Auditor will be responsible for supporting maintenance of the IT Risk Control Matrix, performing Sarbanes Oxley (SOX) IT General Controls (ITGC) and Information Security compliance controls across all divisions and various technology platforms including SAP and other third-party hosted systems. Besides SOX, IT and Information Security Compliance Staff Auditor maybe assigned controls and required to perform tasks for other compliance programs like ISO 27001, CMMC, GDPR and regional statutory audit programs as necessary.

The Staff Auditor must be familiar with the SOX ITGC control framework, ISO 27001, NIST 800-53, COBIT, and NIST Cyber Security Framework, and, assessing and testing different aspects of Information Security and SOX ITGC controls including Change Management, Logical Access, Program Development and Computer Operations in all technology layers Application, Database, Operating System and Network. Knowledge and experience with ISO27001, NIST 800.53, NIST 800.171, CMMC is desirable plus.

Responsibilities

Job responsibilities include but not limited to,

Manage timely performance of control assessments, review of control supporting evidence as second line

of defense

Actively assist in annual IT Risk Assessment including the following: identification of all systems supporting

key financial processes; assessment of controls (general and application) for key financial systems;

assessment and/or development of test procedures, including assessment of control testers.

Maintain IT Risk Control Matrix to document all key financial systems, controls and testing procedures.

Ensure proper accounting of SOX documentation for ITGC to include IT Risk Control Matrix, ITGC Process

Narratives, ITGC testing, issue evaluation and reporting.

Identify opportunities and support automation in process and ITGC controls to improve the efficiency.

Support coordination and perform testing and evaluation of IT systems and controls for SOX compliance

in a predominately SAP environment.

Support ISO 27001 certification evidence gathering and audit support

Support efforts for ITGC training and documentation as needed.

Work collaboratively with the IT teams and business units in remediating control deficiencies

Evaluate third party SSAE 18 (SOC 1) and/or SOC 2 reports for compliance to system control requirements.

Make recommendations for enhancement of IT system controls and process improvements.

Work on projects to implement IT risk and control / compliance requirements for new systems.

Provide timely and complete communications within the IT department, Internal Audit and Compliance

including identification of ITGC issues and exceptions.

Serve as liaison to internal and external auditors for ITGC testing and other compliance initiatives.

Ability to work on multiple projects, balancing a mix of resources, due dates and requirements.

Develop and foster effective working relationships within IT at each of the Divisions as well as key

Business, Internal Audit and Compliance personnel.

Work collaboratively with necessary stakeholders and teams for GDPR compliance and implementation.

Work closely with owners of the Access Control, Release Management, Change Management and Vendor

Management processes to ensure compliance with the ITGC Framework.

As assigned, perform a review of assigned SDLC key control deliverables and advise Project Managers on

SDLC risks and controls.

Audit projects for SDLC and key control compliance.

Besides the above responsibilities and duties, this position may require to take up additional

responsibilities as assigned.

Skills/Requirements

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The

requirements listed below are representative of the knowledge, skill, and/or ability required.

Bachelor's or Master's Degree from a regionally accredited four-year college or university in Computer

Science, Business, Accounting or related field and 5+ years of relevant experience in IT Audit/Compliance;

or equivalent combination of education and experience.

In-depth knowledge of business processes as well as process controls and risks and an understanding on

how this relates to the IT environment and audit procedures.

Big 4 IT Audit background or Fortune 100 companies (with SAP ERP) experience is a plus.

One or more of the following is desired:

o Certified Information Systems Auditor (CISA)

o Certified Internal Auditor (CIA)

Understanding of IT control frameworks and standards such as COBIT.

Performed and led IT general computing controls risk / SOX / compliance process including updates to the

annual testing, test execution, review of test results, recommending solutions to gaps and addressing

gaps with control owners.

Broad knowledge of IT infrastructure and architecture of computer systems as well as exposure to a

variety of platforms such as operating systems, networks, databases and ERP systems.

Experience with SAP's ECC, BW, SCM, PI/PO, TM and BOBJ applications and services.

Experience with SAP's GRC Access Control tool along with Segregation of Duty (SOD) analysis and sensitive

administrative T-Codes and privileged user access is a plus.

Experience with project management.

Proven experience in navigating complex organizations, creative problem solving and effective

relationship management.

Work collaboratively with cross-functional teams

Ability to translate complex technical topics into easy to understand concepts and the ability to manage

escalations and communications.

Strong verbal and written communication skills with ability to effectively communicate with peers and

executive leadership.

Strong leadership and time management skills. Specific skills include facilitating change, driving

operational excellence, and striving for continuous improvement.