Compliance Analyst

Navan
On-site
Palo Alto, California, United States

Position Overview: We are seeking an experienced SOX Compliance & GRC Analyst to lead our SOX IT General Controls program while supporting our broader governance, risk, and compliance initiatives. The successful candidate will ensure compliance with Sarbanes-Oxley regulations, focusing on IT general controls, while harmonizing controls across our expanding compliance portfolio and supporting various security frameworks.

What You'll Do:

SOX IT General Controls (Primary Focus)

  • Lead SOX Compliance Program: Conduct thorough assessments of IT general controls to ensure compliance with SOX 404 requirements
  • Control Testing & Management: Perform regular management testing of IT general controls, including access controls, change management, data backup, and recovery processes
  • Evidence Collection & Automation: Implement automation for evidence collection and conduct self-review of submitted evidence for access management, change management, segregation of duties, and configuration management controls
  • System Onboarding: Lead onboarding of new systems to the SOX control environment, ensuring compliance by design
  • Audit Coordination: Manage the flow of audit requests, coordinate scope of external testing, and interface with external auditors to represent our SOX control environment

Broader GRC Responsibilities

  • Multi-Framework Compliance: Execute external audits and assessments for SOC 1, SOC 2, PCI DSS, ISO 27001, and NIST CSF frameworks
  • Cross-Functional Collaboration: Work closely with People Operations, Finance, Legal, IT, and product engineering teams to identify control gaps and integrate control requirements
  • Assessment & Testing: Perform periodic assessments and testing of security compliance controls, policies, and standards across multiple frameworks
  • Remediation Management: Identify control deficiencies, develop remediation plans, and oversee implementation efforts
  • Reporting & Metrics: Prepare detailed reports on compliance status and audit findings, and create metrics to demonstrate compliance progress to senior management
  • GRC Tools Implementation: Collaborate on developing and implementing a centralized audit evidence repository and GRC tools
  • Policy Development: Create and maintain security policies, procedures, and standards
  • Training & Education: Develop and deliver training programs on SOX IT control requirements and compliance best practices

Required Qualifications:

  • Experience: 4-5+ years of SOX 404 IT General Controls auditing, security governance, risk, and compliance experience
  • SOX Expertise: Strong understanding of SOX 404 regulations, IT general controls, and financial systems audit requirements for both on-premise and cloud systems
  • Framework Knowledge: In-depth understanding of SOC frameworks, PCI DSS, GDPR, ISO 27001, and relevant regulations
  • Cloud Expertise: Strong knowledge of cloud controls and environments, particularly AWS (Azure and Google Cloud experience beneficial)
  • Technical Proficiency: Practical understanding of IT security compliance, risk management, access control, network security, and security architecture in cloud environments
  • Analytical Skills: Excellent analytical, diagnostic, critical thinking, and project management abilities
  • Communication: Ability to clearly articulate technical concepts to both technical and non-technical stakeholders from diverse backgrounds
  • Automation Experience: Proficiency in implementing automation for evidence collection and control testing

Preferred Qualifications:

  • Education: Bachelor's degree in Information Technology, Computer Science, Accounting, or related field
  • Certifications: CISA, CISM, CISSP, CPA, CSA CCSK, ISC² CCSP, or other relevant security certifications
  • Framework Experience: Experience with IT control frameworks such as COBIT, NIST, or ISO 27001
  • Consulting Background: Experience with Big Four consulting firms
  • Unified Controls: Experience developing and implementing unified control frameworks
  • Tool Proficiency: Experience with audit and compliance tools and software
  • Data Presentation: Proficiency in representing data graphically and creating executive-level reports

Key Success Factors:

  • Deep technical understanding of SOX IT General Controls and their relationship to other security frameworks
  • Proven ability to lead complex compliance projects from planning through execution
  • Strong stakeholder engagement skills with both internal teams and external auditors
  • Experience staying current with regulatory changes and integrating updates into daily operations
  • Detail-oriented approach with ability to manage multiple priorities and deadlines
  • Track record of driving automation and process improvements in compliance programs