Compliance Staff Auditor

 The IT and Information Security Compliance Staff Auditor will be responsible for supporting maintenance of the IT Risk Control Matrix, performing Sarbanes Oxley (SOX) IT General Controls (ITGC) and Information Security compliance controls across all divisions and various technology platforms including SAP and other third-party hosted systems. Besides SOX, IT and Information Security Compliance Staff Auditor maybe assigned controls and required to perform tasks for other compliance programs like GDPR and regional statutory audit programs as necessary.  The Staff Auditor must be familiar with the SOX ITGC control framework, COBIT, and NIST Cyber Security Framework, and, assessing and testing different aspects of Information Security and SOX ITGC controls including Change Management, Logical Access, Program Development and Computer Operations in all technology layers – Application, Database, Operating System and Network. Knowledge and experience with NIST 800.53, NIST 800.171, CMMC is desirable plus.  Bachelor's or Master’s Degree from a regionally accredited four-year college or university in Computer Science, Business, Accounting or related field and 5+ years of relevant experience in IT Audit/Compliance; or equivalent combination of education and experience.  In-depth knowledge of business processes as well as process controls and risks and an understanding on how this relates to the IT environment and audit procedures.  Big 4 IT Audit background or Fortune 100 companies (with SAP ERP) experience is a plus.  One or more of the following is desired:  Certified Information Systems Auditor (CISA)  Certified Internal Auditor (CIA)  Understanding of IT control frameworks and standards such as COBIT.  Performed and led IT general computing controls risk / SOX / compliance process including updates to the annual testing, test execution, review of test results, recommending solutions to gaps and addressing gaps with control owners.  Broad knowledge of IT infrastructure and architecture of computer systems as well as exposure to a variety of platforms such as operating systems, networks, databases and ERP systems.  Experience with SAP’s ECC, BW, SCM, PI/PO, TM and BOBJ applications and services.  Experience with SAP’s GRC Access Control tool along with Segregation of Duty (SOD) analysis and sensitive administrative T-Codes and privileged user access is a plus.  Experience with project management.  Proven experience in navigating complex organizations, creative problem solving and effective relationship management.  Work collaboratively with cross-functional teams  Ability to translate complex technical topics into easy-to-understand concepts and the ability to manage escalations and communications.  Strong verbal and written communication skills with ability to effectively communicate with peers and executive leadership.  Strong leadership and time management skills. Specific skills include facilitating change, driving operational excellence, and striving for continuous improvement.  Manage timely performance of control assessments, review of control supporting evidence as second line of defense  Actively assist in annual IT Risk Assessment including the following: identification of all systems supporting key financial processes; assessment of controls (general and application) for key financial systems; assessment and/or development of test procedures, including assessment of control testers.  Maintain IT Risk Control Matrix to document all key financial systems, controls and testing procedures.  Ensure proper accounting of SOX documentation for ITGC to include IT Risk Control Matrix, ITGC Process Narratives, ITGC testing, issue evaluation and reporting.  Identify opportunities and support automation in process and ITGC controls to improve the efficiency.  Support coordination and perform testing and evaluation of IT systems and controls for SOX compliance in a predominately SAP environment.  Support efforts for ITGC training and documentation as needed.  Work collaboratively with the IT teams and business units in remediating control deficiencies  Evaluate third party SSAE 18 (SOC 1) and/or SOC 2 reports for compliance to system control requirements.  Make recommendations for enhancement of IT system controls and process improvements.  Work on projects to implement IT risk and control / compliance requirements for new systems.  Provide timely and complete communications within the IT department, Internal Audit and Compliance including identification of ITGC issues and exceptions.  Serve as liaison to internal and external auditors for ITGC testing and other compliance initiatives.  Ability to work on multiple projects, balancing a mix of resources, due dates and requirements.  Develop and foster effective working relationships within IT at each of the Divisions as well as key Business, Internal Audit and Compliance personnel.  Work collaboratively with necessary stakeholders and teams for GDPR compliance and implementation.  Work closely with owners of the Access Control, Release Management, Change Management and Vendor Management processes to ensure compliance with the ITGC Framework.  As assigned, perform review of assigned SDLC key control deliverables and advice Project Managers on SDLC risks and controls.  Audit projects for SDLC and key control compliance.  Besides above responsibilities and duties, this position may require taking up additional responsibilities as assigned. Skills/Requirements.