Information Security Auditor III

At R3, we are committed to providing our clients with best-in-class solutions for all of their IT needs. We are relentless in our pursuit of excellence and dedicated to providing our clients with unsurpassed quality, service, and value day in and day out. As we continue to grow and innovate, we are seeking passionate and dedicated individuals to join our team. If you’re ready to join our mission of setting the standard for IT excellence, we are seeking an energetic, self-motivated Information Security Auditor III (Senior), IT Risk and Compliance with experience leveraging industry standards to perform internal audits for R3 and their clients.

As a member of the Quality & Compliance (Q&C) team, you will focus on audits of critical technology functions including cloud-based technology implementations, security controls, and cybersecurity risks. This position requires an individual who can liaise with key stakeholders at all levels, as well as critical functional teams such as IT, Cybersecurity, HR, Finance, Sales, Legal, Contracts, supply chain, and others to identify and manage information security standards and best practices that govern cybersecurity for any given client.

Responsibilities:

• Execute major components of audits and security control assessments, including critical technology functions, cloud-based infrastructure, emerging technology, cybersecurity, risk management, application, and third-party management, as well as lead small to medium size audits.
• Perform assessments of IT controls using industry-standard guidance and leading best practices such as NIST 800-171, CMMC, FedRAMP, ISO/IEC 27001, FISMA, etc.
• Schedule and conduct interviews and discussions with a variety of stakeholders, including IT and Cybersecurity technical engineers and administrators, and other key functional team members.
• Identify, gather, review, and analyze documents and artifacts to assist in IT controls testing such as system security plans, SOPs, audit logs, configuration scans, and vulnerability scans.
• Evaluate the implementation and effectiveness of IT controls using provided artifacts against federal requirements, industry guidance, and leading best practices.
• Document the results of IT controls testing in a consistent and high-quality manner that would allow others to review and understand the results.
• Establish and maintain good auditee relations during engagements. Communicate or assist in communicating the results of some audit projects to management via written reports and oral presentations.
• Summarize and communicate IT controls assessment results to a variety of client stakeholders, including senior leadership.
• Understand and analyze known IT control weaknesses, identify root causes, and develop detailed remediation plans.
• Develop and maintain SSP and POAM documentation for in-scope environments, and applicable policies, processes, and procedures.
• Provide subject matter expertise to internal and client personnel on a wide range of matters relating to IT security and assurance.
• Work with technical teams and clients to remediate findings related to information systems, networks, and data, determining technical solutions and recommendations for implementation.
• Perform risk assessments of business units and technology operations, design and execute audit procedures to verify the effectiveness of existing controls, identify and define issues, review and analyze evidence, and document auditee processes and procedures.
• Review and provide feedback on audit workpapers to achieve clear, organized, and complete documentation to support work performed.
• Coordinate with others and proactively take on additional work.
• Deliver appropriate, succinct, and organized information, tailoring communication style to audience.
• Manage assessments independently on time, within budget.
• Effectively communicate information, issues, and audit progress to teammates and clients.
• Perform various aspects of engagement administration, including hours and budget tracking.
• Provide periodic on-the-job coaching and direct supervision over less experienced associates.

Ideal Teammate:

• You have a broad understanding of context and implications (e.g., financial, legal, reputational) of the various types of risk affecting the business and critical technology functions.
• You are a critical thinker who seeks to understand the business and its control environment.
• You believe insight and objectivity are core elements to providing assurance on the effectiveness and efficiency of R3’s and clients’ governance, risk management, and compliance processes.
• You possess a relentless focus on quality and timeliness.
• You adapt to change, embrace bold ideas, and are intellectually curious. You like to ask questions, test assumptions, and challenge conventional thinking.
• You are a firm believer that a rich understanding of data, innovation, and technology will only make you a better auditor. This will require leveraging the power of data analytics and furthering your technical expertise.
• You are a teacher. You do the right thing and lead by example. You have a passion for coaching and investing in the betterment of your team and clients.

Qualifications:

• U.S. Citizen (Federal client requirement)
• Bachelor’s degree in in Information Technology/Security, Computer Science, Information Systems Management, or related field, or the equivalent combination of training, certification, education, and experience.
• Demonstrated ability and working knowledge of frameworks and standards such as NIST 800-171, NIST 800-53, FISMA, FedRAMP, and/or CMMC
• 8+ years of demonstrated knowledge and experience in IT risk and controls through IT audits, IT controls assessments, IT security reviews, and information security audits including areas such as application security, network security, cyber security, vulnerability management, third-party risk assessments, data protection, access management, etc.), or cloud computing controls (design, operation, risk management, auditing) or a combination
• 5+ years of demonstrated experience with tools and technologies in support of performing assessments and audits
• 3+ years of experience in managing audit engagements, project management, or a combination
• Experience auditing cloud computing (Microsoft preferred) and controls
• Demonstrated knowledge of traditional and emerging technology domains, including cybersecurity, cloud, infrastructure, networking, data management, integration strategies, IT operations, IT risk management, and IT governance

Preferred Qualifications:

• CISSP, CISA, or CISM certification strongly preferred; other auditing and/or security certifications such as CCA, CCP, CIPP, CDPSE, CRISC, CGEIT, etc. desired
• Familiarity with other compliance frameworks such as SOC 2, PCI-DSS, ISO/IEC 20000-1, ISO/IEC 27001, HIPAA, HITRUST, OMB Circular A-123, or similar internal control assessments

Why join our winning team?

• Competitive wages to reflect your experience and skills.
• Comprehensive medical, dental, and vision insurance plans to keep you and your family healthy.
• 401(k) with company match to help you plan for the future.
• Flexible time off policies to ensure you maintain a healthy work-life balance.
• Opportunity to give back to our community with (paid) volunteer time off.
• We offer many remote opportunities, allowing you to work wherever you want.
• We are committed to creating a positive impact on society and contributing to a better world--we're involved in our community and encourage our employees to do the same.
• We are reshaping the industry and the way it thinks about technology and service.
• We strive to be better and encourage our employees to do the same by offering training incentives and bonuses to help you and your career grow.
• The opportunity to be a part of an amazing team.

R3 is an equal opportunity employer. It has been and will continue to be a fundamental policy of R3 to not discriminate on the basis, of race, color, religion, gender, gender identity, pregnancy, marital status, sexual orientation, age, national origin, alienage or citizenship status, veteran or military status, disability, medical condition, genetic information, or any other characteristic prohibited by federal, state, and/or local laws. This policy applies to all aspects of employment, including hiring, promotion, demotion, compensation, training, working conditions, transfer, job assignment, benefits, and termination.