Internal Audit Manager, Privacy Risk Management

About The Position

Requirements

• Degree or equivalent and typically requires 7+ years of relevant experience in regulatory and compliance experience, with 5+ years of demonstrated expertise in privacy risk management, preferably in healthcare, law, or Fortune 100 environments.
• Advanced knowledge of data privacy regulations (HIPAA, GDPR, CCPA, etc.), Privacy by Design, and Privacy Impact Assessments.
• Experience auditing third-party/vendor privacy compliance and monitoring regulatory changes.
• Specific knowledge of healthcare laws and regulations.
• Proficiency with digital privacy assessment tools (e.g., OneTrust) and use of artificial intelligence to gain efficiencies.
• Excellent written and verbal communication, negotiation, and collaboration skills.
• Excellent critical thinking and time management skills are a must.
• Strong project and staff management capabilities.

Nice To Haves

• Prior knowledge of Canadian, and U.S. state privacy laws highly desirable.
• Experience developing privacy training and communications for staff and vendors preferred.
• Advanced degree as Juris Doctor, preferred.
• One of the following: Certified in Healthcare Compliance (CHC), Certified Compliance and Ethics Professional (CCEP) required; Certified in Healthcare Privacy Compliance (CHPC), or Certified Information Privacy Professional (CIPP), Certified Internal Auditor (CIA), or CPA, is highly desired.

Responsibilities

• Privacy Risk Audit Leadership: Lead the development and execution of audits for privacy risk management, a Tier 1 McKesson enterprise risk. Champion the integration of Privacy by Design principles into audit planning, execution, and reporting. Actively participate in business unit risk assessments and stakeholder meetings to identify emerging regulatory and compliance exposures, and contribute to internal audit’s risk assessment and audit planning processes.
• Privacy Impact Assessment (PIA) Testing: Audit Privacy Impact Assessments across business units and third-party relationships. Collaborate with stakeholders to identify, test, and remediate privacy risks before they materialize.
• Third-Party/Vendor Privacy Reviews: Audit vendor compliance with privacy and security requirements, including contractual obligations, operational practices, and incident response capabilities. Ensure robust third-party risk management frameworks are in place and regularly reviewed against compliance requirements.
• Regulatory Change Monitoring: Monitor evolving privacy regulations—including HIPAA, GDPR, CCPA, and other global, federal, and state laws—for application within the business and audit function. Ensure audit programs (RACMs) and the regulatory and compliance risk universe are continuously updated to reflect emerging privacy obligations and other compliance requirements.
• Collaboration & Communication: Collaborate with audit leadership, IT Security, Legal, Privacy, and Compliance teams to support integrated risk management under a combined assurance model. Communicate regulatory and compliance risk findings, recommendations, and best practices to key stakeholders and executives. Mentor internal audit staff on privacy risk management and provide updates on emerging privacy and regulatory trends.
• Other Audit Engagements: Manage regulatory and compliance-scoped audits in engagement planning, execution, reporting, and issue monitoring. Stay abreast of risk areas subject to FDA, DEA, State Boards of Pharmacy, CMS, OIG, OCR and DOJ requirements pertinent to McKesson business units. Review and approve final work papers to ensure adherence to department audit Quality Assessment Review standards.