IT Auditor 3+ - Cybersecurity Audit (Internal Only)

About The Position

Requirements

• Bachelor's degree and at least two years in IT audit.
• Obtained either a relevant professional certification including but not limited to: Certified Information System Auditor (CISA), General Security Essentials Certification (GSEC), Certified Information System Security Processional (CISSP), or a Master's degree in data analytics, cybersecurity or closely related field.
• Demonstrate an understanding of IT security requirements and best practices.
• Produce qualitative analyses of superior quality.
• Excel at documenting their work; writing results; and presenting their work to audiences ranging from team members to legislative members and staff.
• Demonstrate skill with project management, management control systems, research design, data collection, data analysis, and report writing.
• Develop recommendations that improve IT security and increase accountability.
• Have a functional understanding of public administration and government.
• Effectively communicate verbally and in writing with a variety of audiences, including colleagues, audited agencies, and the public.

Nice To Haves

• Degree in a field applicable to IT security and/or analyzing government programs is strongly preferred.
• Experience with governments, performance auditing and/or accountability auditing and technical knowledge and associated with cybersecurity is preferred.
• Relevant volunteer and/or work experience may substitute for education on a year-for-year basis.
• Needs some assistance with more complex technical tests such as vulnerability scans.
• Occasionally, still needs some assistance drawing accurate conclusions.
• Occasionally, still needs some Security Specialist assistance for new, complex controls.

Responsibilities

• Assist with each part of a cybersecurity audit engagement, from audit planning through final audit presentation.
• Work on other IT audit projects.
• Evaluate a variety of government agencies and local governments.
• Serve on a team and may also manage contractors for portions of their assigned work.
• Assist, develop, lead, and conduct independent cybersecurity performance audits.
• Manage time and projects effectively due to the demanding, time-bound, and important nature of the work.
• Be responsible for overall audit planning through final audit presentation of any size or level of complexity cybersecurity audits.
• Independently lead audits that cover increasingly complex cybersecurity environments, which may involve multiple state agencies, local governments or levels of government.
• Provide expert level technical services in security for cybersecurity audits.
• May lead larger, more complex audits and coordinate the efforts of other auditors to accomplish the overall audit objectives under the direction of an assistant audit manager or audit manager.
• Identify, develop and refine leading practice criteria used by auditors to test state and local government alignment with leading practices.
• Compare and contrast different leading practices and standards, summarize differences and articulate the impact and applicability to the audits of using different standards.
• Understand data with IT security special handling requirements and how the data impact to the audit, and how those special handling requirements overlap with different leading practices.
• Independently coordinate and scope technical testing performed by SAO consultants or SAO IT security specialists in most IT security environments but may need Security Specialist assistance in a more complex and mature IT security environment.
• Conduct and take the lead accurately analyzing most technical testing in moderate to complex environments.
• Independently assess the results of work performed to develop meaningful IT security recommendations.
• Draw accurate conclusions using the information gathered through interviews, observation, security testing and document reviews to determine control alignment and gaps, make recommendations based on audit results for controls in most IT security environments.
• Identify the most significant weaknesses and strengths within the scope of IT security program reviewed.
• Collaborate with team members to ensure optimal IT security recommendations.

Benefits

• Flexible schedules
• Hybrid work environment
• Comprehensive package of health and wellness benefits
• Full benefits package
• Paid vacation, sick leave and holidays
• Growth and development opportunities, including 80+ hours of training each biennium
• Educational and professional certification reimbursements