IT and Information Security Compliance Staff Auditor
Pulau Pinang
Permanent
Full-time
21 days ago
Position: IT and Information Security Compliance Staff Auditor Job Description The IT and Information Security Compliance Staff Auditor will be responsible for supporting maintenance of the IT Risk Control Matrix, performing Sarbanes Oxley (SOX) IT General Controls (ITGC) and Information Security compliance controls across all divisions and various technology platforms including SAP and other third-party hosted systems. Besides SOX, IT and Information Security Compliance Staff Auditor maybe assigned controls and required to perform tasks for other compliance programs like ISO 27001, CMMC, GDPR and regional statutory audit programs as necessary. The Staff Auditor must be familiar with the SOX ITGC control framework, ISO 27001, NIST 800-53, COBIT, and NIST Cyber Security Framework, and, assessing and testing different aspects of Information Security and SOX ITGC controls including Change Management, Logical Access, Program Development and Computer Operations in all technology layers - Application, Database, Operating System and Network. Knowledge and experience with ISO27001, NIST 800.53, NIST 800.171, CMMC is desirable plus. The IT and Information Security Compliance Staff Auditor will have direct reporting responsibility and accountability to the IT Management and will work closely with Information Security, IT, Business Compliance and Internal Audit teams. Responsibilities Job responsibilities include but not limited to, Manage timely performance of control assessments, review of control supporting evidence as second line of defense Actively assist in annual IT Risk Assessment including the following: identification of all systems supporting key financial processes; assessment of controls (general and application) for key financial systems; assessment and/or development of test procedures, including assessment of control testers. Maintain IT Risk Control Matrix to document all key financial systems, controls and testing procedures. Ensure proper accounting of SOX documentation for ITGC to include IT Risk Control Matrix, ITGC Process Narratives, ITGC testing, issue evaluation and reporting. Identify opportunities and support automation in process and ITGC controls to improve the efficiency. Support coordination and perform testing and evaluation of IT systems and controls for SOX compliance in a predominately SAP environment. Support ISO 27001 certification evidence gathering and audit support Support efforts for ITGC training and documentation as needed. Work collaboratively with the IT teams and business units in remediating control deficiencies Evaluate third party SSAE 18 (SOC 1) and/or SOC 2 reports for compliance to system control requirements. Make recommendations for enhancement of IT system controls and process improvements. Work on projects to implement IT risk and control / compliance requirements for new systems. Provide timely and complete communications within the IT department, Internal Audit and Compliance including identification of ITGC issues and exceptions. Serve as liaison to internal and external auditors for ITGC testing and other compliance initiatives. Ability to work on multiple projects, balancing a mix of resources, due dates and requirements. Develop and foster effective working relationships within IT at each of the Divisions as well as key Business, Internal Audit and Compliance personnel. Work collaboratively with necessary stakeholders and teams for GDPR compliance and implementation. Work closely with owners of the Access Control, Release Management, Change Management and Vendor Management processes to ensure compliance with the ITGC Framework. As assigned, perform a review of assigned SDLC key control deliverables and advise Project Managers onSDLC risks and controls. Audit projects for SDLC and key control compliance. Besides the above responsibilities and duties, this position may require to take up additionalresponsibilities as assigned. Skills/Requirements To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Bachelor's or Master's Degree from a regionally accredited four-year college or university in Computer Science, Business, Accounting or related field and 5+ years of relevant experience in IT Audit/Compliance; or equivalent combination of education and experience. In-depth knowledge of business processes as well as process controls and risks and an understanding onhow this relates to the IT environment and audit procedures. Big 4 IT Audit background or Fortune 100 companies (with SAP ERP) experience is a plus. One or more of the following is desired: o Certified Information Systems Auditor (CISA) o Certified Internal Auditor (CIA) Understanding of IT control frameworks and standards such as COBIT. Performed and led IT general computing controls risk / SOX / compliance process including updates to theannual testing, test execution, review of test results, recommending solutions to gaps and addressinggaps with control owners. Broad knowledge of IT infrastructure and architecture of computer systems as well as exposure to avariety of platforms such as operating systems, networks, databases and ERP systems. Experience with SAP's ECC, BW, SCM, PI/PO, TM and BOBJ applications and services. Experience with SAP's GRC Access Control tool along with Segregation of Duty (SOD) analysis and sensitiveadministrative T-Codes and privileged user access is a plus. Experience with project management. Proven experience in navigating complex organizations, creative problem solving and effective relationship management. Work collaboratively with cross-functional teams Ability to translate complex technical topics into easy to understand concepts and the ability to manage escalations and communications. Strong verbal and written communication skills with ability to effectively communicate with peers and executive leadership. Strong leadership and time management skills. Specific skills include facilitating change, driving operational excellence, and striving for continuous improvement. Show more Show less