Senior Staff IT Controls, Enterprise Applications

About The Position

Requirements

• 10+ years of experience in IT controls, audit, or enterprise applications governance, with a strong hands-on background operating in the 1st line of defense as a control owner across NetSuite, Workday, and/or Salesforce.
• Deep expertise in SOX 404, COSO, COBIT, and ITGC frameworks, including segregation of duties (SoD) design and remediation across ERP, HRIS, and CRM environments.
• Proven track record leading external audit engagements (Big 4 or equivalent) as the management-side owner, with public company or IPO readiness experience preferred.
• Demonstrated experience building and deploying AI-augmented controls work including agents, LLM-based reviewers, or automated anomaly detection, with the ability to design controls both for and with AI systems.
• Strong judgment on AI risk, including model risk, prompt injection, output validation, and audit trail design, with hands-on familiarity with agentic tooling such as Claude Code, MCPs, or LLM-based evidence pipelines.
• Excellent communicator who can translate complex control concepts for executives, auditors, and engineers, with experience in continuous controls monitoring (CCM) and data-driven assurance approaches.

Nice To Haves

• Relevant certifications (CISA, CISSP, CIA, CPA, or equivalent) and familiarity with adjacent frameworks including SOC 1/2, ISO 27001, NIST CSF, and PCI DSS are a plus.

Responsibilities

• Own ITGC design and operation across enterprise applications — including logical access, change management, SDLC, computer operations, and segregation of duties (SoD).
• Lead the 1st-line control environment for in-scope enterprise applications, partnering with application owners and engineering leads to embed controls into operational workflows rather than bolting them on.
• Drive SoD strategy across ERP, HRIS, and CRM — including role design reviews, conflict remediation, mitigating control design, and ongoing monitoring tooling (e.g., Pathlock, SailPoint, Saviynt, native role analyzers).
• Manage the audit lifecycle as the primary 1st-line liaison with Internal Audit, External Audit, and the SOX PMO — walkthroughs, evidence collection, deficiency remediation, and management responses.
• Build AI-native continuous controls monitoring — including LLM-based evidence review, agentic control testing, and automated anomaly surveillance — to eliminate manual evidence collection, shift controls left, and surface exceptions in near real time.
• Treat AI agents as control operators with the same evidence and validation expectations as human operators.
• Own the controls posture for Gusto's internal AI and automation portfolio.
• Partner with AI-builder teams across the company (Finance & BizOps, GRC, Engineering) to review internal AI use cases, classify by risk category, and ensure controls, evidence trails, and validation travel with the build — not bolted on after launch.
• Be the senior 1st-line owner for "do our internal AI builds meet our control standards?"
• Lead access governance including provisioning/deprovisioning workflows, periodic user access reviews (UARs), privileged access management, and integration with the IGA platform.
• Govern application change management for in-scope systems — approvals, segregation between developers and production, emergency change handling, and release evidence.
• Mature the controls program by leading rationalization initiatives, control consolidation, and the adoption of automated/preventive controls over manual/detective ones.
• Partner cross-functionally with Security/GRC, Legal, Finance/Accounting, People Operations, and Revenue Operations to ensure controls support — rather than impede — the business.

Benefits

• Competitive base pay
• Benefits
• Equity (RSUs)