Internal Audit Manager, Regulatory and Compliance

About The Position

Requirements

• Degree or equivalent and typically requires 7+ years of relevant experience in regulatory and compliance experience, with 5+ years of demonstrated expertise in privacy risk management, preferably in healthcare, law, or Fortune 100 environments.
• Advanced knowledge of data privacy regulations (HIPAA, GDPR, CCPA, etc.), Privacy by Design, and Privacy Impact Assessments.
• Experience auditing third-party/vendor privacy compliance and monitoring regulatory changes.
• Specific knowledge of healthcare laws and regulations.
• Proficiency with digital privacy assessment tools (e.g., OneTrust) and use of artificial intelligence to gain efficiencies.
• Excellent written and verbal communication, negotiation, and collaboration skills.
• Excellent critical thinking and time management skills are a must.
• Strong project and staff management capabilities.

Nice To Haves

• Prior knowledge of Canadian, and U.S. state privacy laws highly desirable.
• Experience developing privacy training and communications for staff and vendors preferred.
• Advanced degree as Juris Doctor, preferred.
• One of the following: Certified in Healthcare Compliance (CHC), Certified Compliance and Ethics Professional (CCEP) required; Certified in Healthcare Privacy Compliance (CHPC), or Certified Information Privacy Professional (CIPP), Certified Internal Auditor (CIA), or CPA, is highly desired.

Responsibilities

• Lead the development and execution of audits for privacy risk management, a Tier 1 McKesson enterprise risk.
• Champion the integration of Privacy by Design principles into audit planning, execution, and reporting.
• Actively participate in business unit risk assessments and stakeholder meetings to identify emerging regulatory and compliance exposures, and contribute to internal audit's risk assessment and audit planning processes.
• Audit Privacy Impact Assessments across business units and third-party relationships.
• Collaborate with stakeholders to identify, test, and remediate privacy risks before they materialize.
• Audit vendor compliance with privacy and security requirements, including contractual obligations, operational practices, and incident response capabilities.
• Ensure robust third-party risk management frameworks are in place and regularly reviewed against compliance requirements.
• Monitor evolving privacy regulations-including HIPAA, GDPR, CCPA, and other global, federal, and state laws-for application within the business and audit function.
• Ensure audit programs (RACMs) and the regulatory and compliance risk universe are continuously updated to reflect emerging privacy obligations and other compliance requirements.
• Collaborate with audit leadership, IT Security, Legal, Privacy, and Compliance teams to support integrated risk management under a combined assurance model.
• Communicate regulatory and compliance risk findings, recommendations, and best practices to key stakeholders and executives.
• Mentor internal audit staff on privacy risk management and provide updates on emerging privacy and regulatory trends.
• Manage regulatory and compliance-scoped audits in engagement planning, execution, reporting, and issue monitoring.
• Stay abreast of risk areas subject to FDA, DEA, State Boards of Pharmacy, CMS, OIG, OCR and DOJ requirements pertinent to McKesson business units.
• Review and approve final work papers to ensure adherence to department audit Quality Assessment Review standards.