SENIOR ANALYST, IT SOX COMPLIANCE
The Senior Analyst, IT SOX Compliance is responsible for participating in the planning and management of the identification and testing of Information Technology (IT) controls to ensure a strong internal control environment and compliance with regulatory requirements and corporate policy. Routine communication to IT and business control owners of the status of the IT internal control environment is a critical component of this position.
2. ESSENTIAL RESPONSIBILITIES:
- Execute and document testing of internal Information Technology (IT) controls in support of SOX compliance for in-scope applications, operating systems and databases including security, change management and infrastructure controls.
- Support the development of new testing automations through the GRC platform, or similar tool-sets, to automate the IT internal controls testing (i.e. SOX quarterly controls, data analytics) and the direct gathering of data from the in-scope servers.
- Identify risks and evaluate deficiencies, working with internal control owners to determine appropriate remediation activities.
- Communicate test results and prepare written documentation/reports as it relates to SOX, disclosing all significant deficiencies to management. Where appropriate, communicate recommendations.
- Monitor remediation plan execution around existing control findings through the deficiency closed phase
- Participate in on-going compliance process improvement initiatives by identifying low risk controls and opportunities for control automation and continuous control monitoring
- Provide assistance to ViacomCBS internal and external auditors in completion of the annual audit and quarterly reviews
- Perform customary administrative tasks and responsibilities
- Other assignments or special projects as requested by management
3. DECISION MAKING/ACCOUNTABILITY
- Work involves the application of moderately complex procedures and tasks that are quite varied. Independent judgment is often required to select and apply the most appropriate of available resources. Decisions are made on both routine and non-routine matters with some latitude, but are still subject to approval. Ongoing supervision is provided on an "as needed" basis.
- No supervisory or direct people management responsibilities. May provide occasional work guidance, technical advice and training to staff.
- No significant budgetary or other financial accountability
4. KNOWLEDGE, SKILLS & EXPERIENCE:
- Three to five years of information technology and audit experience (general information technology, application, and infrastructure controls) within a public accounting and/or internal audit function
- Three or more years of experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, and SOX 404 requirements including the phases of planning, evaluation, documentation, testing and remediation.
- Demonstrated proficiency in information technology auditing control disciplines, including a solid foundation in security and one or more relevant areas of technical specialization (application development, change management, or operations)
- Working knowledge of:
  - Oracle Database Administration, Security Administration and e-Business Suite (a plus) Auditing
  - Windows Operating System and Active Directory Security including Users and Groups, Group Policy, Domain Structures, Security and Auditing
  - UNIX / Linux Operating System Security, including Users and Groups, System Configurations, File Permissions, Privileged Accounts, Password Controls, Security and Auditing
- Ability to think analytically, communicate complex issues, and develop control recommendations
- Effective written and verbal communication skills with the ability to present control analysis and recommendations with clarity and professionalism
- Demonstrated track record of integrity, effective communication, commitment to teamwork, innovation, and excellence
- A BA or BS Degree or equivalent in Information Systems, Accounting, Finance, Business, or related field
- Professional Certification is preferred (CISA, CISSP, SSCP, CPA, or equivalent)