Clario

Sr. Information Security Governance, Risk, and Compliance Specialist

United States

Compensation: Not Specified
Experience Level: Senior (5 to 8 years), Expert & Leadership (9+ years)
Job Type: Full Time
Visa: Unknown
Industries: Information Technology, Security

Senior Information Security Governance, Risk and Compliance (GRC) Specialist

Employment Type: Full-time

Position Overview

The Senior Information Security Governance, Risk and Compliance (GRC) Specialist is a high-impact role that will work with key stakeholders across IT, R&D, and Security to define and implement robust controls (ITGC) and processes specifically for the Sarbanes-Oxley Act (SOX). The individual will assist in maturing the program to monitor the effectiveness of controls, mitigate risk, and ensure compliance of technology systems and processes associated with SOX requirements. The individual will liaise with internal and external parties to manage technology-related audits and provide recommendations to improve controls and the overall program. The role will also support the Head of Security Governance, Risk, and Compliance (GRC) with GRC-related activities including policy governance, compliance monitoring, customer audits, and risk management.

Essential Duties and Responsibilities

  • Lead efforts to test and document IT controls related to financial reporting and SOX, e.g., IT General Controls (ITGCs) and IT Application Controls (ITACs).
  • Support and create SOX-ready documentation, including policies and procedures, narratives, flow charts, and control descriptions. Establish repeatable processes to draft SOX-related documentation, e.g., assertions.
  • Plan, execute, and manage technology-focused SOX compliance audits, risk assessments, and controls testing. Manage the IT testing schedule and coordinate with IT team members and internal and external auditors.
  • Work with the current GRC team and tools to establish a monitoring program to pragmatically assess controls per SOX guidelines. Manage controls and evidence repository and tooling. Conduct periodic reviews to ensure application controls and ITGC are configured across SOX-related systems.
  • Work with IT stakeholders to test controls and remediate gaps for existing systems. Project manage control design for new systems and processes, ensuring appropriate internal controls are in place prior to launch.
  • Review, assess, and evaluate reported control deficiencies. Define root causes and planned corrective actions in conjunction with IT and business process owners.
  • Train process and control owners regarding their responsibility to SOX and other controls.
  • Update company leadership on program status and recommendations.
  • Support additional Information Security GRC efforts, such as policy governance, compliance monitoring, and risk management.
  • Identify opportunities for innovation, including identifying controls that can be automated to ease the adoption and compliance of security controls.
  • Ability to communicate with internal stakeholders, external auditors, as well as customers when applicable.

Qualifications and Skills Needed

Education:

  • Bachelor's in Management of Information Systems or related field.
    • Note: May also consider Associate's Degree based on relevant experience and certifications.
  • Relevant Security Certifications Preferred (e.g., CISA, CIA, CISSP).

Experience:

  • 5+ years of experience in IT SOX audit.
  • Experience working within a “Big 4” or large regional public accounting firm is a plus.
  • Knowledge of common information security frameworks and IT controls frameworks, such as ISO/IEC 27001 and NIST.
  • Strong working knowledge, understanding, and experience in building, maintaining, and maturing effective IT SOX and Security Governance, Risk, and Compliance functions.
  • Understanding of IT SOX and information security risk and compliance management procedures and methodologies.
  • Experience leading and promoting risk discussions.
  • Prior experience with implementing or using GRC tools.
  • Strong learning agility.
  • Experience with Oracle EBS is a plus.
  • Ability to influence with or without authority.
  • Experience working in a global organization with globally dispersed stakeholders.
  • Demonstrated ability to establish and leverage key internal and external cross-functional relationships to further accomplish support for compliance, risk management, and governance.
  • Excellent communication skills.

Skills

Information Security
Governance
Risk Management
Compliance
SOX
ITGC
ITAC
Auditing
Risk Assessment
Control Testing
Policy Governance
Customer Audits
Remediation
Project Management

Clario

Generates clinical evidence for trials

About Clario

Clario specializes in generating clinical evidence for medical research by utilizing a comprehensive technology platform. Their services support various types of clinical trials, including decentralized, hybrid, and site-based trials. Clario's approach combines nearly 50 years of experience with a vast network of facilities across nine countries, allowing them to conduct a significant number of clinical trials and regulatory approvals. What sets Clario apart from competitors is their extensive expertise and the ability to provide a wide range of endpoint technologies, which enhances the quality of evidence produced. The company's goal is to empower partners in the healthcare industry to improve patient outcomes through reliable and rich clinical data.

Headquarters: London, United Kingdom
Year Founded: 1972
Total Funding: $29.9M
Company Stage: GROWTH_EQUITY_VC
Industries: Biotechnology, Healthcare
Employees: 5,001-10,000

Benefits

Competitive and equitable total rewards package
Physical, mental and financial health and wellness
Flexible working approach

Risks

Increased competition from AI-driven platforms like Medable may threaten Clario's market share.
The IPO filing may lead to investor pressure for rapid financial returns, affecting strategy.
AI integration from ArtiQ poses data privacy and compliance risks, especially in the EU.

Differentiation

Clario offers a comprehensive endpoint technology platform for diverse clinical trial models.
The company has nearly 50 years of experience in clinical trial technology solutions.
Clario's global presence includes 30 facilities across North America, Europe, and Asia Pacific.

Upsides

Clario's IPO aims for a valuation of over $10 billion, indicating strong market confidence.
The FDA clearance of SpiroSphere® with wireless ECG enhances Clario's clinical trial capabilities.
Clario's acquisition of ArtiQ boosts its AI capabilities in respiratory clinical trials.
