IT Audit & Compliance Manager

Sylvamo

Mogi Guaçu

On-site

BRL 120.000 - 160.000

Full-time

4 days ago

Job summary

A leading company in the paper industry is seeking an IT Audit & Compliance Manager to oversee compliance activities and ensure IT controls align with regulatory standards. The role involves collaborating with auditors, identifying risks, and promoting a culture of compliance within the IT organization.

Qualifications

  • 5-10 years’ experience in IT audit or compliance roles.
  • Deep knowledge of ITGCs and application controls.
  • Familiarity with SOX compliance and relevant regulations.

Responsibilities

  • Coordinate IT audit compliance activities, including SOX requirements.
  • Identify risks and implement cybersecurity best practices.
  • Develop and deliver training on IT audit requirements.

Skills

IT General Controls
Audit Methodologies
Cybersecurity Fundamentals
Data Analysis
Effective Communication

Education

Bachelor's degree in IT or related field

Tools

SAP GRC
Excel
Power BI

Job description

PG 15-16 (Depending on Experience)

Position Summary:

The IT Audit & Compliance Manager is responsible for coordinating and supporting all IT audit compliance activities, including—but not limited to—Sarbanes-Oxley (SOX) requirements. As the central liaison between the IT organization and internal/external auditors, this position ensures that IT controls are designed, documented, and operated in alignment with established audit standards and regulatory obligations.

This role also involves proactive identification of potential risks and implementation of cybersecurity best practices to protect both financial and non-financial systems.

This position ensures that the IT organization maintains ownership of its controls in alignment with Audit standards and requirements. By actively ensuring and safeguarding the efficiency and security of both financial and non-financial IT systems, the IT Audit & Compliance Manager supports a robust control environment that meets regulatory expectations and advances organizational goals.

Key Responsibilities:

  • Act as the primary coordination point within IT for SOX and other IT audit activities, collaborating with both internal and external audit teams.
  • Facilitate communication of IT-specific control requirements, testing schedules, and documentation needs.
  • Ensure IT ownership of controls by providing comprehensive input on design and operation, while aligning with Audit standards and requirements.
  • Collaborate with auditors to understand IT-related findings and recommended remediation actions stemming from SOX, cybersecurity, or other audits.
  • Work closely with IT teams to prioritize and complete remediation efforts, ensuring alignment with audit timelines.
  • Partner with Audit, which maintains the central repository of IT-related deficiencies, to help track their status and escalate any risks or delays to relevant leadership.

Ongoing IT Control Support:

  • Assist in reviewing and refining IT control documentation based on Audit guidance and regulatory requirements.
  • Monitor changes in IT systems or processes that could impact control design or audit scope, communicating those changes to Audit.
  • Oversee SAP GRC, including monitoring access to sensitive transactions and ensuring compliance with the Firefighter access process, promptly addressing any issues with unauthorized or inappropriate use.
  • Promote a culture of compliance by sharing best practices for effective control operation and documentation throughout IT.

Proactive Risk Identification & Mitigation:

  • Continuously assess the IT environment for emerging risks and vulnerabilities, including those outside the traditional financial scope (e.g., new technologies, evolving cyber threats).
  • Develop and recommend preventive measures or process improvements to mitigate identified risks before they materialize into audit issues or security incidents.
  • Lead proactive initiatives that reinforce IT control robustness and reduce the likelihood of non-compliance.

Cybersecurity Assurance:

  • Coordinate and conduct internal assessments to ensure that all systems—beyond just financial ones—are adequately protected in line with prior cyber, SOX, and other audit recommendations.
  • Validate that existing IT security measures and controls meet or exceed recommended standards, escalating any gaps or vulnerabilities for remediation.
  • Collaborate with IT security teams to align cybersecurity efforts with SOX and other regulatory frameworks, ensuring holistic protection and compliance.

Policies, Procedures, and Documentation:

  • Collaborate with IT stakeholders to develop, update, and maintain clear, consistent policies and procedures for all IT compliance requirements.
  • Ensure documentation standards meet Audit expectations and accurately reflect current operations.
  • Support business process owners in understanding how changes to IT systems or processes affect documented controls.

Training and Awareness:

  • Develop and deliver training programs to help IT staff and business stakeholders understand IT-related audit requirements and their roles in control execution.
  • Promote awareness campaigns on IT compliance and cybersecurity best practices.

Stakeholder Management:

  • Partner with IT leadership, business unit leaders, and functional teams to embed IT-related audit considerations (including SOX) into strategic and operational decisions.
  • Ensure that compliance priorities are well understood and adequately resourced across the organization.

Metrics and Reporting:

  • Define, track, and report on key performance indicators (KPIs) and key risk indicators (KRIs) related to the IT control environment (e.g., number of open deficiencies, audit testing coverage).
  • Provide regular updates to management and ITLT on the status of IT controls, remediation efforts, and cybersecurity initiatives.

Systems and Tools:

  • Collaborate with Audit to oversee or assist with tools and software that support IT control documentation, testing, and reporting.
  • Advocate for technology solutions that streamline compliance and strengthen the IT control environment.

Required Skills and Knowledge:

  • For an IT Audit & Compliance Manager, both technical and interpersonal skills are vital to effectively lead and coordinate the organization’s audit and compliance efforts.

Technical Skills:

IT Controls & Frameworks:

  • Deep knowledge of IT General Controls (ITGCs), application controls, and relevant frameworks (e.g., COSO, COBIT, NIST).
  • Practical experience implementing and testing controls in areas such as change management, access management, and system operations.

Audit Methodologies & Standards:

  • Familiarity with auditing standards (e.g., PCAOB for SOX, ISACA guidelines) and the ability to align IT controls with these standards.
  • Hands-on experience collaborating with internal or external auditors (Big Four experience is often a plus).

Regulatory & Compliance Knowledge:

  • Understanding of Sarbanes-Oxley (SOX) compliance, especially Section 404 for IT controls.
  • Experience with other relevant regulations (GDPR, HIPAA, PCI-DSS, etc.) depending on the industry.

SAP GRC & Other GRC Tools:

  • Proficiency in SAP GRC for monitoring sensitive transactions and overseeing Firefighter access.
  • Familiarity with Governance, Risk, and Compliance (GRC) platforms used for documentation, testing, and reporting of controls.

Cybersecurity Fundamentals:

  • Baseline knowledge of cybersecurity frameworks (ISO 27001, NIST CSF) and best practices for safeguarding both financial and non-financial systems.
  • Incident response and vulnerability management awareness to identify and escalate security gaps.

Data Analysis & Reporting:

  • Ability to analyze logs, metrics, and audit findings to spot patterns, trends, or control weaknesses.
  • Competency in reporting tools (e.g., Excel, Power BI) for creating dashboards, KPIs, and metrics.

Interpersonal (Soft) Skills:

  • The ability to work seamlessly with cross-functional teams (Finance, Legal, Security, Operations) and external auditors.
  • Diplomatic communication when negotiating timelines, responsibilities, and remediation efforts.

Effective Communication:

  • Clarity in explaining complex IT control requirements and audit findings to non-technical stakeholders.
  • Concise reporting of key issues, risks, and remediation progress to senior leadership and committees (e.g., ITLT, Audit Committee).

Influence & Leadership:

  • Confidence and credibility to champion compliance priorities and escalate issues when necessary.
  • Ability to gain buy-in across various organizational levels, from engineers to executives.

Adaptability & Problem-Solving:

  • A flexible approach to navigate changing regulations, evolving technologies, and shifting business priorities.
  • Root-cause analysis skills to address recurring control weaknesses or security incidents.

Strategic Thinking & Business Acumen:

  • Awareness of how IT compliance efforts intersect with broader business objectives.
  • Capability to propose solutions or process improvements that enhance both compliance and efficiency.

Proactive Mindset:

  • Forward-looking approach to identify potential risks and implement preventative measures.
  • Initiative in driving continuous improvement rather than only reacting to audit findings.

Experience:

  • 5-10 years’ experience in similar roles/industry
  • Courageous
  • Trustworthy
  • Inclusive and Collaborative
  • Business Savvy
  • Operationally Excellent