IT Audit professional with over four years of broad experience in performing ITGC testing as part of financial audits, internal and operational audits, risk assessments, and audit readiness. Conducted IT audit projects such as compliance testing for Sarbanes-Oxley (SOX), OMB Circular A-123 audits, and Service Organization Control (SOC) SAS 70 / SSAE 18 reviews, using frameworks such as COBIT, PCI DSS, FISCAM, FISMA, and NIST SP 800-53. Demonstrated expertise in NIST publications, FISMA guidance, the Risk Management Framework, security audits, vulnerability assessments, security lifecycles, and vulnerability management. Recognized for the ability to conduct, report, and manage detailed assessments, including POA&M (Plan of Action and Milestones) tracking in vulnerability management. Exceptional organizational and interpersonal skills that reach across departmental boundaries, combined with strong communication skills and the ability to translate technical information into easily understandable language for management, peers, and users.
• Performed federal compliance and financial audits, including developing audit programs, conducting audits, and preparing workpapers and audit reports using FISCAM methodology, FISMA metrics, and NIST SP 800-53 controls.
• Experienced in conducting application control and IT General Controls (ITGC) testing as part of financial statement audits, risk assessments, attestation engagements, and compliance audits using the COSO, COBIT, and PCI DSS frameworks across commercial sectors.
• Built and maintained strong client relationships to enhance satisfaction and collaborated with client management and staff at all levels to deliver effective audit services.
• Designed and implemented a kickoff template to streamline the distribution of artifacts and documentation via SharePoint for audit purposes.
• Developed a standard operating procedure (SOP) for Audit Request (AR) processes to ensure consistency and efficiency in audit workflows.
• Conducted FISCAM- and FISMA-based security risk assessments for various government contractors and application systems. Responsibilities included conducting interviews, testing, and inspections, preparing assessment reports and recommendations, and delivering out-briefings in accordance with NIST SP 800-series guidelines.
• Performed risk assessments on enterprise technologies, products, services, and operations in alignment with frameworks such as ISO/IEC 27001, ITIL, COBIT, NIST, PCI DSS, and CSA Cloud Security principles.
• Engaged clients in remediation discussions to address past security vulnerabilities. Experienced in application control audits and Financial Improvement and Audit Readiness (FIAR) assessments for federal agencies.
• Conducted comprehensive, risk-based security assessments of cloud-hosted, vendor-managed, and third-party environments, focusing on areas such as risk management, physical security, IAM, encryption, DLP, secure development, incident management, security infrastructure, and policy compliance.
• Collaborated with vendor oversight teams to ensure appropriate tiering of vendors based on the sensitivity of the data accessed.
• Developed a vendor risk-ranking methodology, optimizing the level of effort required for each assessment based on risk level.
• Managed the vendor risk management program, overseeing the overall vendor risk portfolio, relationship management processes, governance, compliance standards, and performance tracking. Conducted due diligence reviews for vendor onboarding, annual reassessments, and terminations, ensuring timely and efficient completion of risk and control assessments and documentation reviews.
• Performed security assessments of new and existing third-party service providers to ensure compliance with regulatory and audit requirements. Reviewed third-party attestation artifacts, including SSAE 18, SOC 1, SOC 2, penetration test reports, and ISO 27001 certifications.
• Ensured the First Line of Defense effectively managed enterprise risks related to third-party risk management, enterprise data, identity and access management (IAM), artificial intelligence, property, and procurement—aligned with the Risk and Control Self-Assessment (RCSA) framework.
• Collaborated with the Technology Gating Committee to align initiatives with the strategic objectives of the Information Security department.
• Utilized eGRC tools such as RSA Archer and Jira and monitoring platforms such as SecurityScorecard to categorize and track risk issues. Deployed vendor questionnaires, tracked remediation progress, and flagged non-compliance issues for secure and prompt stakeholder communication.
• Reviewed and updated Third-Party Risk Management (TPRM) information security procedures and work instructions to align with evolving business and compliance needs.
• Monitored and tracked vulnerabilities identified in vendor penetration tests, ensuring remediation efforts met industry-standard timelines for critical, high, and moderate risk issues.
• Communicated third-party security findings and risk insights to internal stakeholders, facilitating a clear understanding of associated risks, recommended mitigating controls, and required remediation actions.
• Focused on executing a principle-based risk management strategy aligned with internal policies and industry best practices.
• Partnered with First Line leadership, Enterprise Risk Management (ERM), and Internal Audit.
• Assisted senior auditors in IT audit engagements across infrastructure and application layers.
• Collected and analyzed audit evidence, performed walkthroughs, and documented test results.
• Assisted with SOX ITGC and PCI DSS control testing for retail and finance clients.
• Helped develop audit checklists and supported internal reviews of endpoint and network controls.
• Participated in internal phishing simulations and basic assessments of security awareness programs.
• Assisted senior auditors with internal and external IT risk assessments; conducted gap analyses against industry standards and provided recommendations for mitigation.
• Responsible for reviewing the internal control environment to ensure the design, implementation, and monitoring of control points are efficient and effective, including risk assessments, audit plans, audit programs, and audit reports.
• Developed and maintained effective working relationships with the external auditors and global Controllership teams, including the Global Internal Controls Team.
Program Oversight, Regulatory & Standards Compliance, Strategic Risk Management, Documentation and Reporting, Leadership and Management, Verifications and Validations, Process Improvement, Program Development, Teamwork and Collaboration, Policy and Audit Reviews, Operations Analysis, Analytical & Problem-Solving Skills, Client Relationship Management
Technical Skills:
Risk & Compliance Frameworks, IT Audit Assessment, TPRM, Enterprise GRC & Monitoring Tools, Mainframe, AWS Cloud, Splunk, Security Domains, Microsoft Office Suite, Microsoft Project, RMF Implementation, NIST SPs (800 series), ACL, IDEA, SAP, JIRA, Audit Documentation & Reporting