Senior IT Audit Analyst

Posted Date:  Apr 14, 2025
Requisition Number:  125011

Summary:

 

The IT Audit Analyst will perform the following responsibilities:

  • Perform Systems Control Readiness Assessments – Serve as in-charge auditor or as key audit team member and perform assigned procedures to evaluate control readiness for each key IT general control domain and application controls and help address identified gaps. Effectively communicate audit findings to Audit Leadership, Auditees, and Senior Management.
  • Support SOX 404 Compliance – Facilitate business units and key functions’ compliance with established internal controls over financial reporting through effective execution of assigned SOX 404 tests of controls, supervision of internal audit team members and third-party contractors, and proper coordination with management and external auditors. 
  • Execute Global Internal Audit Engagements – Serve as in-charge auditor or as key audit team member for IT/cybersecurity audits performed globally. Lead or participate in multiple, concurrent audit projects as assigned. Ensure work quality in alignment with IIA standards. Effectively communicate audit findings to Audit Leadership, Auditees, and Senior Management.
  • Participate in special projects as assigned – Special projects may include infrastructure & application security audits, vulnerability assessments, third party risk assessments, data analytics, and other management requests.

 

 

Major Duties/Responsibilities:

 

Perform Control Readiness Assessments (30%)

 

  • Effectively perform assigned procedures to evaluate control readiness for each key IT general controls domain and application controls leveraging working knowledge of ITGC concepts and industry-recognized control standards.
  • Effectively communicate with Hershey IT and Business personnel to articulate the objectives of control assessments, obtain required process understandings/documentation, align on identified risks/impact, and positively influence risk remediation via proposed recommendations.
  • Update Internal Audit project plans to reflect progress with respect to completion of assigned tasks, resource/timing constraints, and interdependencies to enable delivery of control readiness assessments included within the Audit Plan.
  • Effectively identify risks to financial reporting reliability, business disruption, governance, IT security and compliance through the performance of assigned procedures and coordinate with the business to draft recommendations which effectively remediate identified risks.
  • Summarize the results of assigned control readiness assessment procedures in a manner which clearly articulates key identified risks/recommended action items for inclusion in executive-level reporting to Senior Leadership utilized to ensure that the company has a robust control environment.

 

Support SOX 404 Compliance (30%)

 

  • Facilitate compliance throughout assigned key business units and functions with standards of internal control over financial reporting promulgated by the Sarbanes-Oxley Act of 2002 through effectively executing assigned SOX 404 tests of controls.
  • Evaluate and identify opportunities to automate attribute/substantive/controls testing capabilities to achieve increased audit coverage and efficiency.
  • Execute quarterly and annual management assistance and External Audit support requests and testing requirements.
  • Provide technical support to end users of the SOX 404 Application (Workiva).

 

Perform Vulnerability, Infrastructure & Application Security Audits (30%)

 

  • Participate in Internal Audit’s IT risk assessment to identify high-risk cybersecurity and internal infrastructure/application vulnerabilities which should be incorporated in Audit’s Annual Audit Plan leveraging basic working knowledge of industry-recognized NIST, COBIT, or COSO frameworks and awareness of emerging global IT risk trends. 
  • Effectively execute assigned procedures to perform external vulnerability and internal infrastructure/application security assurance reviews leveraging IT audit experience and technical knowledge gained via CISA and/or CRISC certifications.
  • Document results of audit procedures in the form of audit working papers which comply with IIA standards.
  • Update Internal Audit project plans to reflect progress with respect to completion of assigned tasks, resource/timing constraints, and interdependencies to ensure delivery of Audits in the Annual Plan.
  • Effectively identify risks to financial reporting reliability, business disruption, governance, IT security and compliance through the performance of assigned procedures and coordinate with the business to draft recommendations which effectively remediate identified risks.
  • Summarize the results of assigned audit procedures in a manner which clearly articulates key identified risks/recommended action items for inclusion in executive-level reporting to Senior Leadership.

 

Provide Integrated IT Support for Financial & Operational Assurance (10%)

 

  • Effectively execute assigned audit procedures to evaluate and conclude upon the design and operating effectiveness of operating system/database security, user security, segregation of duties, interface security/error monitoring, systems change management, completeness/accuracy of data transmission, and IT risk posture of 3rd party service providers. 
  • Document results of audit procedures in the form of audit working papers which comply with IIA standards.
  • Effectively identify risks to financial reporting reliability, business disruption, governance, IT security and compliance through the performance of assigned procedures and coordinate with the business to draft recommendations which effectively remediate identified risks.
  • Summarize the results of assigned audit procedures in a manner which clearly articulates key identified risks/recommended action items for inclusion in executive-level reporting to Senior Leadership.

 

 

 

Minimum Knowledge, Skills, and Abilities required to successfully perform major duties/responsibilities:  

Technical Skills:

  • Knowledge in IT General Controls and Application Controls.
  • Experience in IT/cybersecurity audits, system implementation reviews, and/or SOX 404 testing and reporting.
  • Proficient working knowledge and experience leveraging COBIT, COSO, and other relevant standards required.
  • Experience in SAP, NetSuite and other ERP applications is a plus.

Soft Skills:

  • Must be highly principled and of the highest moral and ethical standards.
  • Well disciplined, free of bias, able to plan and take action independently, and at the same time maintain good rapport and working relationships with company management at all levels.
  • Solid critical thinking and issue resolution skills.
  • Exhibits executive presence and garners the respect of superiors, colleagues, and subordinates.
  • Proficiency with written and oral communications skills.

 

 

 

Minimum Education and Experience Requirements 

 

Education: Bachelor's Degree is required, in Accountancy or any related field, CPA/CISA


Experience: Good understanding of ITGC concepts (change management, logical access security and IT operations), application controls required

 

  • Minimum of 5 years direct experience in IT Audit 
  • Must have experience in ITGC (IT General Controls – change management controls, access security/security management or IT operations), Application Controls
  • Experience in Sarbanes Oxley/SOX Compliance (IT) 
  • Must have strong verbal and written English Communication skills with a structured manner of thinking/communication
  • Must have strong executive presence and capability to lead presentations with C Suite Level stakeholders across different regions
  • Possesses the confidence to establish their authority/credibility with cross-cultural and cross-functional teams across the globe
  • Must be willing to travel at least 3 to 4 times annually for onsite audit projects 
  • CPA (Certified Public Accountant) or CISA (Certified Information Systems Auditor) is preferred but not required
  • Experience in Data Analytics and Cyber Security related projects is preferred
  • Amenable to a mid-shift schedule (2PM to 11PM) and remote work set up
