Senior Associate, Technology Controls Testing - Enterprise Services Risk

About The Position

Requirements

• High School Diploma, GED or Equivalent Certification
• At least 2 years of experience in Risk Management, Process Management, or Project Management
• At least 2 years of experience in technology, audit, or cyber security risk management frameworks
• At least 1 year of experience working with scripting languages (e.g., Python, SQL, or JavaScript/Apps Script)
• At least 1 year of experience evaluating or implementing controls testing or risk assessment activities

Nice To Haves

• Bachelor's Degree or Military Experience
• Risk Certifications (CRISC, CISM, CRCM, CIPP, CISA, CISSP, ABA Risk Mgmt Certification)
• 3+ years of experience in Risk Management, Internal Audit, or Information Security
• Hands-on experience with cloud risk, governance, and control validation across AWS, GCP, or Azure
• Experience building automated workflows or custom tools within Google Workspace using Apps Script
• Professional certifications such as CISA, CISSP, or Cloud-specific certifications (AWS Certified Solutions Architect, Azure Security Engineer, etc.)
• Experience testing internal controls within a "Continuous Auditing" or "Continuous Monitoring" framework
• Skilled at communicating technical risks to non-technical auditors and cross-functional partners at all organizational levels

Responsibilities

• Multi-Cloud Automated Control Testing: Perform independent control testing activities and document results. Design and execute automated "Tests of Effectiveness" (ToE) for controls across AWS, Azure, and GCP.
• Process Enhancement & Automation: Use code to perform analysis and repeatable tasks. Leverage Google Apps Script and other automation tools to streamline internal audit workflows, documentation, and reporting processes.
• Execute Data & API Integration: Leverage tools (e.g., Python/SQL) to extract and analyze data from cloud APIs. Visualize and create dashboards to support continuous control monitoring.
• Cloud Risk Identification: Maintain a broad understanding of major cloud service providers (AWS, GCP, Azure) and their respective vulnerabilities to identify and escalate critical risks.
• Lifecycle Management: Demonstrate sound program management by documenting and communicating action plans, impediments, and risks to stakeholders.
• Policy Recommendation: Research industry practices and regulatory changes; make recommendations to change policies and control programs to mitigate evolving risks in the cloud.
• Self-Challenge: Effectively self-challenge control programs and escalate risks where appropriate to ensure alignment with Information Security Standards.

Benefits

• Capital One offers a comprehensive, competitive, and inclusive set of health, financial and other benefits that support your total well-being. Learn more at the Capital One Careers website.