About The Position

We are seeking a seasoned GRC Analyst to build, lead, and mature our IT Governance, Risk, and Compliance program. This is a pivotal role where you will be the primary architect of our new Sarbanes-Oxley (SOX) IT controls framework and will be responsible for establishing and leading the company's annual internal IT audit program. This is a technical, hands-on role. You will not only design the control framework but also be expected to dive directly into our diverse systems (from SaaS platforms like Oracle Netsuite and Salesforce to CI/CD tools like Jenkins and Github) to verify configurations, analyze access controls, and retrieve audit evidence. You will be responsible for designing and implementing a unified control framework that is both compliant and practical, bridging the gap between high-level financial reporting principles (COSO) and granular IT governance practices (COBIT) . This position is critical for establishing a resilient, transparent, and scalable control environment to support our growth and mature our IT governance function. This role works closely with key stakeholders, including SaaS owners, Legal, Finance, CorpIT, Security Engineering, as well as external auditors. This is a high-impact position with a clear path for growth into team leadership for the right candidate.

Requirements

  • Bachelor's Degree (or equivalent) in Information Technology, Computer Science, IT Audit, or a related field.
  • 2 - 5 years of progressive experience in IT Audit, IT Risk Management, or IT GRC.
  • Demonstrable, hands-on experience in building, implementing, and/or managing a SOX 404 IT controls program is essential.
  • Expert-level knowledge and practical implementation experience with COSO (for ICFR) and COBIT (for ITGCs).
  • Strong understanding of other frameworks like ISO 27001, Cyber Trust Mark, CCF, NIST, and PCI-DSS is also required.
  • Deep experience in managing and responding to external audits, particularly SOC1.
  • Demonstrate a strong understanding of modern authentication and authorization protocols (e.g., SSO, OAuth, SAML).
  • Understand Identity and Access Management (IAM) concepts, including roles, privileges, permissions, and the difference between default/built-in vs. custom accounts/groups.
  • Be technically proficient enough to navigate the configuration settings of diverse systems to find evidence.
  • Understand IT operations concepts, including batch jobs, incident management, and the use of ticketing systems (like Jira) and audit trails as evidence.
  • Proven ability to manage complex projects, drive milestones, and lead cross-functional initiatives.
  • Exceptional communication and presentation skills. Must have the ability to translate complex technical control requirements (the 'how') into business-friendly language (the 'what' and 'why') for stakeholders and leadership.
  • Ability to operate independently, think strategically, and effectively represent the GRC program across the organization.

Nice To Haves

  • An aptitude for and keen interest in learning new technologies. We are a heavy user of GenAI and automation tools like n8n; a candidate who is comfortable and willing to build their own GRC automation workflows (e.g., for evidence collection) to bridge gaps pending a formal GRC tool, would be at a significant advantage.
  • Professional certifications such as CISA, CRISC, CISM, or CGEIT are highly preferred.

Responsibilities

  • Lead the development, documentation, and implementation of the SOX IT RACM Program.
  • Proactively drive the IT control maturity milestones, advancing the program from an ad-hoc (Level 1) to a defined (Level 2) and implemented (Level 3) state.
  • Architect a unified control framework for both internally built and SaaS-based systems, ensuring all controls are mapped to both COSO principles and COBIT processes.
  • Lead control harmonization efforts by analyzing multiple frameworks (including ISO 27001, Cyber Trust Mark, and CCF) to identify common controls and streamline our compliance ambitions.
  • Establish and lead the company's annual internal IT audit program. This includes developing the annual risk-based audit plan, performing and managing internal audits and assessments to evaluate the effectiveness of controls, and ensuring that all internal audit results are documented and re-usable for external audits.
  • Act as a hands-on technical GRC expert. This includes: Independently navigating in-scope systems (with temporary admin rights as needed) to find configuration settings, review access (roles, permissions, groups), and validate controls directly. Analyzing authentication and access management (SSO, SAML, OAuth, IAM) to ensure they are implemented according to policy. Understanding and auditing CI/CD pipelines, batch jobs, and incident management processes, using tools like Jira tickets and system audit trails as artifact evidence.
  • Lead GRC advisory and remediation sessions with SaaS and in-house system owners. You will be responsible for using ITGC evaluations (like the Controls Evidence Templates) to establish a control baseline, clearly communicate surfaced deficiencies, and collaboratively develop mid-term and long-term roadmaps to mitigate all identified risks.
  • Establish and lead risk identification workshops to define and document the IT RACM for all SaaS and all in-scope systems.
  • Collaborate with the Legal and Security teams to contribute to the wider Enterprise Risk Matrix (ERM) and ensure PII/data privacy risks are appropriately identified and controlled.
  • Serve as the primary GRC liaison for all external and internal audits, ensuring audit readiness and effectively communicating the hybrid COSO/COBIT control approach.
  • Lead the "Tool Enablement" objective, including the selection and implementation of a GRC tool.
  • Establish program governance, including a Steering Committee, and provide quarterly PMO updates.
  • Develop and deliver training programs to build and foster a culture of trust, control, and accountability across all business systems.
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service