Senior IT Auditor
Holyoke, MA 
Posted 13 days ago
Job Description
ISO New England Inc., One Sullivan Road, Holyoke, Massachusetts, United States of America Req #924
Thursday, April 18, 2024

We are seeking a bright and talented individual with an IT/IS, IRM, GRC, Cloud and Cybersecurity background, and a strong desire to provide internal IT/OT audit services in an energetic and challenging environment.

This role interacts with senior management, department business unit Subject Matter Experts (SME) and a professional auditing team and affords the privilege of being a part of the corporate risk management and internal audit function and team in a critical and highly visible industry. Moreover, this role participates in leading technical areas and functions, cyber security, energy markets, project management, risk management, control activity and monitoring, governance and compliance, and the technology driving the business from an audit, risk assessment and advisory standpoint.

Reporting to the Senior IT Audit Manager, this role will plan, perform and report on audits of system development projects and IT application systems, infrastructure and support functions, including all aspects of ISO New England's cyber security processes and NERC Critical Infrastructure Protection (CIP) compliance and other related operational standards, requirements and agreements. Additionally, the role participates in external audit support activities, annual audit planning and risk assessment activities and special projects, which include the use of the ArcherIRM platform (Audit Management and Issues Management modules), data mining/data analysis tools, etc.

What we offer you:

  • Hybrid work schedule with 2 days/week onsite
  • 5% - 10% travel may be required
  • Flexible work schedule, base salary plus bonus program, professional development and tuition reimbursement, enhanced 401k and financial planning, wellness programs with onsite gym, eligibility for Public Service Student Loan Forgiveness (PSLF), access to business networks & more, all in a stable and supportive work environment!

How you will make an Impact

  • Perform full audit lifecycle project work (end-to-end) for System Development Lifecycle (SDLC), IT, Cyber Security, application systems, infrastructure (on-premise, cloud and hybrid) and support functions, processes and related control environments, which may include Energy Management Systems (EMS), Market Systems and Corporate Systems areas, and NERC CIP compliance, etc.
  • Participate and assist with the risk assessment process, audit planning, plan, lead and conduct meetings, carrying out post-audit project and activity work and perform detailed audit fieldwork for IT related areas of business operations audits. Provide guidance and supervision to external consultants and/or summer interns when assigned
  • Participate in activities in support of external audit engagements, including the SOC 1 Type II engagement IT controls testing, auditing of participant activities (IT cyber security and Energy Management System support reviews at New England Local Control Centers) and cyber security related audits of vendor TPRM and SCRM control functions
  • Participate in special projects as necessary and in support of internal audit process efficiency, e.g., ArcherIRM, etc.
  • Participate in annual audit risk assessment, presentation and audit planning activities
  • Help with IT training and development of audit staff, particularly in areas of specific technical expertise

What we are looking for

  • Bachelor's degree in one of the following majors/areas: Information Systems, Cyber Security, Accounting, Business Administration or a related discipline or equivalent education/experience is required
  • Must have the ability to be a quick study and be receptive to new technologies and new technological methodologies through course attendance, coaching, mentorship, technology readings/materials and applied discipline
  • Must enjoy research for the purpose of identifying and reporting risks, and must be proficient in audit report writing-design, formatting, structure, quality-condition, criterion, cause, effect and recommendation
  • Must have a strong understanding of risk management, IT risks, internal controls concepts, audit planning, management, evidence and reporting processes, and auditing techniques and principles
  • 3 to 5 years of experience and/or exposure to technical fields and disciplines, e.g., IT areas including application development (monolithic, microservices), virtualization and containerization, networking, cloud architectures, API security, IdAM, DR/BCP, vulnerability and patch management technologies and security, CI/CD, DevOps and DevSecOps concepts, understanding of programming languages and development patterns, e.g., Ruby, Perl, Python, JavaScript, Java, GoLang, Bash, PowerShell, etc., file format and data interchange formats, e.g., JSON, computer operations, operating system platforms (Windows and Unix/Linux), technical infrastructure and cyber security
  • Strong analytical, interpersonal, oral and written communication skills, professional, Team and Business Agility oriented
  • Proficiency using Microsoft Windows 10/11 and Office productivity and collaboration tools, such as the Microsoft Office Professional suite, SharePoint, Jira Confluence, Network and Security Management tools, and Process Management tools
  • Understanding of IT Security, Cybersecurity, Governance, Risk and Compliance frameworks, standards, programs and best practices, i.e., NIST, NIST RMF, CIS, ISO 27001, NERC CIP, COBIT 5, COSO, ISO/IEC 27002, ITIL, FedRAMP, etc.

Desired not required

  • Graduate degree in business administration, accounting or auditing or a technical discipline such as engineering, information systems or computer science is desirable
  • ISO and/or utility experience is highly desirable
  • Experience and knowledge in using automated risk management and audit tools such as the ArcherIRM Tool and data mining/data analysis tools are desirable
  • Certified Information Systems Auditor (CISA), Certified Public Accountant (CPA), Certified Internal Auditor (CIA) or similar professional designation is desirable. Other technical designations related to governance, risk and compliance (GRC), cybersecurity, information systems security and project management fields such as the Certified Information Systems Security Professional (CISSP), Certified Information Security Management (CISM), Certified in Risk and Systems Controls (CRISC), Certified Cloud Security Professional (CCSP), Certified Security Software Lifecycle (CSSLP), Project Management Professional (PMP), PMI-Agile Certified Practitioner (PMI-ACP), and PMI-Risk Management Professional (PMI-RMP) designation or the SANS Global Information Assurance Certification (GIAC) designations are also desirable.

---------------------------------------------------------------
From Holyoke, MA, ISO New England oversees the 24/7 operation of the power grid that covers the six states of New England and administers the region's multi-billion dollar "stock exchange" for the buying and selling of wholesale electricity. The power system is constantly evolving as new technologies emerge and energy policies evolve. There is a lot happening at our organization behind the scenes to make sure the grid continuously yields reliable electricity at competitive prices while addressing the clean energy transition here in New England. COME JOIN US in making an impact within the region!

Equal Opportunity: We are proud to be an EEO/AA employer. Applicants for employment are considered without regard to race, creed, color, citizenship, religion, sex, sexual orientation, marital status, national origin, age, disability, status as a veteran, Vietnam Era Veteran, or being a member of the Reserves or National Guard.

Drug Free Environment:
We maintain a drug-free workplace and perform pre-employment substance abuse testing.
Social Networking Notice:
ISO New England reserves the right to review the candidate's postings on any social networking site accessible in the public domain as part of the candidate assessment process.

Other details
  • Pay Type Salary
  • Telecommute % 60
  • ISO New England Inc., One Sullivan Road, Holyoke, Massachusetts, United States of America
Job Summary
Company
  • Start Date: As soon as possible
  • Employment Term and Type: Regular, Full Time
  • Required Education: Bachelor's Degree
  • Required Experience: 3 to 5 years