Headquartered in the heart of downtown Chicago, CNA is a leading commercial and specialty insurer, offering a diverse range of insurance products including Workers Compensation, Property, General Liability, Professional Liability, Cyber Insurance, Surety, and Warranty. We are one of the world leaders in underwriting non-medical professionals, from lawyers and accountants to architects and management consultants.

Continuous Process Monitoring (CPM) Program

The CPM team’s goal is to monitor all IT processes and related controls and assure that controls are operating as intended and control failures are identified timely and communicated to key stakeholders for proper mitigation before they pose a risk to the organization. The CPM program has been developed within CNA’s first line of defense with the CPM activities embedded within IT processes and management-level controls. The program is implemented for controls in CNA’s process risk and control (PRC) framework as identified by control and process owners and other stakeholders.

The program also facilitates audits support for the CNA Technology organization. Regulatory related audits such as SOX, SOC1, HIPPA, NYDFS, State Examiners, OFAC, Privacy laws, etc.

Job Summary

Information Technology Sr. Specialist – IT Audit and Controls will assist in implementing and monitoring IT controls to meet regulatory, compliance and operational needs of the organization. The Senior Specialist will be responsible with operational and regulatory audit support and collaboration between Technology and Auditors (Internal and External) during an audit engagement. The work will include managing audits, evaluating internal controls, reviewing audit evidences prior to submission to the auditors, communicating audit issues to management, creating of memo supporting audit outcomes, identifying and evaluating emerging areas of organizational risk.

The Senior Specialist leads in monitoring the performance of these controls throughout the year to ensure they meet the agreed upon control objectives and address the necessary risks. The position will be responsible for implementing and reviewing controls periodically as well as providing detailed reports to control and process owners and the IT leadership. To make impactful difference, the results will be driven by taking initiatives, critical thinking, engaging and collaborating with stakeholders and leadership at all levels. The dynamic environment provides opportunities for consistent learning helping realize true potential and career growth.

The Senior Specialist will also be responsible with managing and following up on all open audit issues, tracking and reporting on remediation status to the executive leadership.

Essential Duties and Responsibilities

Performs a combination of duties in accordance with departmental guidelines:

· Provide oversight and coordination of the annual SOC / SOX audit engagement by serving as the liaison and point of contact between Technology, Internal Audit and External Audit. Engagement involves planning, day to day management of audit engagement activities, collaboration with various Technology Groups, Internal Audit, External Audit and Managed Service Providers, status update meetings, reporting and managing exceptions and remediation. Provide management with timely recommendations that reduce risks and monitor progress in implementing controls recommendation

· Conduct IT reviews of systems, applications and IT processes. Perform review of IT processes and controls under the oversight of the Director; including identifying areas where technology units should consider changes to improve efficiency. Execute various other reviews of IT management policies and procedures such

as change management, business continuity planning/ disaster recovery and information security to ensure that controls surrounding these processes are adequate.

· Provide Technology staff and Third party vendors appropriate guidance on IT risk management matters, particularly on applications, operations management, strategy and infrastructure security.

· Evaluate IT general computing controls and provide value added feedback. Test compliance with those controls.

· Serves as a primary driver of the communication of IT CPM change management processes and project management. Develops a systematic methodology for communicating results to ensure that key personnel are informed and can provide feedback. Prepare and report results to executives, process owners and other stakeholders.

· Proactively provides content associated with the education and awareness of policies standards control procedures and IT Operational responsibilities across our organization. Responds to needs and feedback accordingly.

· Detects issues related to the operation of in-scope controls to ensure the effective operation of IT processes and controls for audit purposes. Develops remediation action plans to enable IT Controls & Quality Governance Team to provide attestation of CPM Program Compliance; also responsible for reporting of common control procedures and effectiveness.

· Manage and follow up on open audit issues resulting from audit findings and periodically report and present to the executive leadership on the remediation status of the findings.

· Work closely with key business partners across the enterprise and ensure that second and third line of defense teams are informed of the outstanding risks.

Reporting Relationship

Typically reports to Director or above.

Skills Knowledge & Abilities

· Solid understanding of IT infrastructure, security and application controls, operating models, methodology and approaches. Expert knowledge of internal auditing, internal controls, risk management and understanding of internal control environments within IT and some business functions.

· Experience with multiple technology domains including aspects of Windows, Mainframe, Unix and/or database administration, software development and networking.

· Ability to multi-task on assignments, prioritize and deliver on routine tasks and assigned projects.

· Strong communication and interpersonal skills to work effectively and foster teamwork with peers on project teams and other functional areas inside and outside of IT along with the ability to communicate effectively with technical and non-technical audiences.

· Ability to work with little supervision on assignments requiring technical complexity and confirmation with minimal guidance. Ability to lead meetings with all level of managements.

· Maintain technical competence by ongoing training, seeking development opportunities and applying new knowledge to daily work assignments.

Education & Experience

· Bachelor’s Degree or equivalent with preferable concentrations in Management Information Systems, Computer Science, Information Security, Data Analytics or related discipline.

· Typically a 3+ related experience in public accounting, related industry or field.

· CISA, CRISC, CGEIT, CISSP certification is a plus.

· Exposure to IT standards (e.g. ISO 27001, PCI-DSS), frameworks (e.g. COBIT, NIST, ITIL), technical systems and emerging technologies.

*LI-KC1

Job

 Information Systems

Primary Location

United States-Illinois-Chicago

Organization

 Tech-Quality and Governance