IT Control Testing Specialist, Europe

Leads and executes the enterprise risk management framework in accordance with the divisional implementation plan. Provides oversight and guidance to the enterprise, division, and subdivision through the creation and application of standard and customized content, reporting and business analytics.

Role Summary

Vanguard is seeking a diligent and technically astute IT Control Tester (S2) to join our Technology Risk function in Manchester. This role is fundamental to maintaining trust with our clients and regulators by providing assurance on the technology control enviornment. You will be responsible for the end-to-end lifecycle of IT control assurance, from planning and executing tests to advising on control design. You will play a pivotal role in implementing our European IT control testing framework and future-proofing our control environment against a dynamic landscape of current and emerging regulations, including the EU's Digital Operational Resilience Act (DORA), the EU AI Act, and evolving data privacy frameworks.

This position is ideal for a professional with a strong background in IT audit or risk who is eager to take on a hands-on role in a complex and ever-evolving regulatory environment.

Key Responsibilities

• Test Planning & Scoping: Develop and maintain the annual IT control testing plan. Define the scope, objectives, timing, and methodology for each control test based on risk assessments and regulatory requirements.
• Control Evaluation & Execution: Execute detailed walkthroughs and testing of key IT general controls (ITGCs) and application controls identified in the Risk and Control Self-Assessment (RCSA) to validate their design and operating effectiveness.
• Framework Implementation & Enhancement: Drive the implementation and continuous improvement of the IT Control Testing Framework across our European entities, ensuring alignment with global standards and local regulatory nuances.
• Control Library & Regulatory Watch: Proactively monitor the regulatory landscape and translate requirements from current and emerging technology regulations into tangible, testable controls. Key regulations include, but are not limited to:
  • Operational Resilience & Cybersecurity: DORA and FCA Operational Resilience rules (SYSC), intra-group and third party oversight controls
  • Data Privacy & Governance: GDPR, UK GDPR, and the EU Data Act.
  • Emerging regulations: The EU AI Act, CTP.
• Advisory & Partnership: Partner with technology owners, developers, and project teams to provide proactive advice on control design and implementation for new systems, applications, and infrastructure changes.
• Issue Management & Reporting: Clearly document test results, manage findings in the Governance, Risk, and Compliance (GRC) platform, and collaborate with stakeholders to develop robust and timely remediation plans. Prepare clear, concise reports on the IT control posture for senior management and risk committees.
• Stakeholder Collaboration: Liaise effectively with First Line of Defence (business and IT), Global IT Controls testing team, and Third Line (Internal Audit) to ensure a coordinated and comprehensive approach to assurance activities.

• A minimum of 3-5 years of experience in IT Audit, IT Risk Management, or Technology Control Testing within the financial services or a similarly regulated industry with preferred Big 4 experience .
• Strong practical knowledge of IT control frameworks, such as COBIT, NIST Cybersecurity Framework, and ITIL.
• Strong working knowledge of key regulations governing technology and data in financial services, such as Sarbanes-Oxley (SOX), GDPR, DPA and the DORA. Demonstrable understanding of the impact of major emerging regulations like the EU AI Act.
• Demonstrable experience testing controls across key IT domains, including cybersecurity, cloud environments (AWS/Azure), DevOps, change management, access management, and IT operations.
• Hands-on experience using GRC platforms (Archer) for control management and testing.
• Bachelor's degree in Information Technology, Cybersecurity, Computer Science, or a related field.

• Professional certification such as CISA (Certified Information Systems Auditor), CRISC (Certified in Risk and Information Systems Control).
• Direct experience in the asset management sector.
• Experience performing readiness assessments for new or upcoming regulations.
• Excellent communication skills, with the ability to articulate complex technical issues to both technical and non-technical audiences.