The IT Risk and Controls Analyst / Auditor is responsible to lead, develop and maintain the IT risk and compliance management strategy.
Develops and maintains policy, standards, processes and procedures to assess, monitor, report, escalate and remediate IT risk and compliance related issues.
Works collaboratively with corporate compliance, information technology, internal auditing and corporate risk management and various technical teams in the design and implementation of audit, risk assessment and regulatory compliance practices for IT.
Plans and executes IT audits and the IT SOX compliance program. The IT Risk and Controls Analyst/Auditor will also lead the technical aspects and data analytic support for operational audits.
This position requires strong management skills, a solid presentation aptitude, articulate communication capabilities, and an exceptional ability to work collaboratively with information systems management along with company leaders throughout the organization.
ESSENTIAL DUTIES & RESPONSIBILITIES:
Compliance, Controls and Audit
Prepare audit programs and procedures and conduct assigned audits with minimal guidance and direction from management;
Gather and analyze data to give objective and informed opinions regarding the accuracy and reasonableness of audited areas;
Identify audit risks and control weaknesses with respect to Sarbanes-Oxley Section 404 (SOX) and HITECH and other applicable regulations compliance;
Ensure that IT controls are correctly identified and documented. Perform control testing and re-testing as necessary with specific focus on those processes, systems, and applications that have financial impact and/or that generate financial transactions and that contain Protected Health Information (PHI);
Use professional judgment to assess the materiality of findings, and recommend corrective actions to improve compliance. Participate in the generation of creative and executable strategies;
Determine the impact of control failures, and ensure that either appropriate mitigating factors exist or that remediation plans address the failure;
Communicate audit results, prepare reports and discuss findings with affected management;
Create and maintain all SOX, HITECH and other regulatory programs related documentation, including risks and controls, policy and procedure, gap analyses, process certifications, internal control test plans, results and other reports and artifacts;
Participate in and/or lead meetings involving internal audit, management, audit consultants, external auditors and/or other constituents;
Collaborate with staff responsible for creating new systems to ensure that appropriate controls are embedded in the new systems;
Maintain working knowledge of COBIT framework, PCAOB pronouncements, general IT control processes and best practices;
Proactively promotes enhancement of technology-related internal controls awareness and training across IT and business units;
Risk Management (Assessment, Remediation, Security, BCP/DR)
Review the duties, responsibilities and permissions within various applications and systems to assess whether segregation of duties is adequate to ensure effective internal control;
Conduct periodic risk assessments of IT systems including recommendations for risk mitigation strategies;
Perform or coordinate periodic security assessments and tests to identify weaknesses in security systems and procedures to ensure the company’s networks, systems and data are appropriately secure;
Provide guidance to IT department and business units on the development, maintenance and enhancement to business continuity plans and IT disaster recovery plans. Ensure plans are effective and periodically tested;
Provide guidance and enforcement to IT operations and engineering to ensure standard operating procedures and process adhere to and address security requirements;
Develop and publish meaningful risk-related metrics (training, corrective action plans, project compliance reviews, and other compliance areas);
Reports promptly any suspected or potential violations to laws, regulations, procedures, policies and practices, and cooperates in related investigation;
Facilitate risk (security, compliance, controls, change management) awareness and training activities;
Maintain knowledge of current and emerging technology, regulatory landscape and IT auditing practices through continuing professional education;
Ability to develop and/or maintain Microsoft Access Databases;
Perform data analytics/mining using Microsoft Access and/or SQL;
Perform special projects as assigned by management;
Other duties as assigned.
Information Systems Audit and Control Association - 2 years ago
Air Methods has built its reputation on a commitment to quality patient care and safety in aviation operations. Since 1980, we have been...