Job Description:

Position Description:

Performs data-driven, risk-based IT audit assessments of key software systems and applications using Identity and Access Management, Authentication Services, DevSecOps, and Encryption. Reports on technical issues and software solutions to improve the control environment within operating systems - UNIX/Linux, Windows, and Mainframe, Amazon Web Services (AWS), Azure, Openstack, and Google. Identifies and assess technological risks and provides advice to management regarding mitigation of these risks using Datadog, CloudAware, Divvy Cloud, and Cloudability. Enhances existing IT controls and enterprise cybersecurity frameworks within database systems - Oracle, DB2, and SQL Server. Develops automation for assessing controls related to software applications, systems, networks, computer operations, databases, and production support processes using Python, PowerShell, and Java.

• Leads or participates in professional teams to execute technical audit projects.
• Evaluates the design and effectiveness of applications, infrastructure, and cybersecurity controls and processes.
• Identifies and addresses systemic gaps in control environment technology risk management.
• Develops data analytics, and applies leading edge technologies and automated tools to provide management with proper context of potential exposures (to control weaknesses).
• Develops an ongoing trusted advisor relationship with internal clients and Audit business unit colleagues to ensure timely and consistent controls advice.
• Collaborates with business, technology, security, legal, and privacy practitioners to evaluate initiatives that protect employee and customer privacy.
• Collaborates with application developers, system architects, engineers, and security practitioners to perform readiness assessments of pre-production applications and systems.
• Develops and implements strategies to mitigate risks and enhance the overall security posture.
• Communicates emerging issues across technologies and business processes to management and stake holders.
• Leverages audit automation tools in the evaluation of business operations and systems.
• Performs and reviews audit test work by organizing and analyzing data, testing controls and documenting results.
• Applies strategic and data analytics concepts, principles, and techniques to more efficiently and effectively identify control deficiencies.
• Drafts audit reports to provide a clear description of issues identified, related implications to the business or enterprise as a whole and management action plans to resolve the issues.
• Coaches and mentors Analysts and Senior Analysts on the team.
• Plans and executes multiple concurrent IT audits, including reviews of cybersecurity, existing production applications, systems currently being developed, technology infrastructure, and specialized/emerging technologies.
• Works with business and technology management to build an understanding of complex functions in order to assess the design and operating effectiveness of controls.

• Demonstrated Expertise ("DE") coordinating operational and technology risk analysis and assessments of financial applications and processes using data visualization and reporting on Power BI; and identifying technology and operational controls weaknesses incorporating systems accuracy and security weaknesses to mitigate risk by consulting the senior management on risk profile using audit tools built using Python and KNIME.
• DE coordinating and executing risk-based and data-driven audit engagements for large-scale financial service technology platforms on Amazon Web Services (AWS) - including containers (ECS or EKS) and database environments (RDS, Dynamo Db, Oracle on EC2, S3, or Snowflake); and evaluating CIA controls on distributed Java, Oracle, mobile, caching, queueing and messaging frameworks.
• DE evaluating the security and quality control design and effectiveness for Continuous Integration /Continuous Deployment (CI/CD) pipelines and tooling using DevOps and vulnerability scanning platforms - Bitbucket, Github, Jenkins, Artifactory, or Mend; and identifying security gaps in privileged accounts administration, secrets management, branch configurations, and identity and access management using Active Directory, SAML, oAuth, or CyberArk.
• DE evaluating IT General controls by performing control evaluation in adherence to cybersecurity principles and information security standards - NIST CSF, ISO 27001; designing and implementing review of privilege access management, networking, resiliency, data security, change management, and performance monitoring controls using Qualys, DivvyCloud, ServiceNow, SailPoint or Fusion.