Continuous Process Monitoring

The CPM team’s goal is to monitor all IT processes and related controls and assure that controls are operating as intended and control failures are identified timely and communicated to key stakeholders for proper mitigation before they pose a risk to the organization. The CPM program has been developed within CNA’s first line of defense with the CPM activities embedded within IT processes and management-level controls. The program is implemented for controls in CNA’s process risk and control (PRC) framework as identified by control and process owners and other stakeholders. 

The program also facilitates audits support for the CNA Technology organization. Regulatory related audits such as SOX, SOC1, HIPPA, NYDFS, State Examiners, OFAC, Privacy laws, etc. 

Job Summary

Continuous Process Monitoring (CPM) IT Senior Audit- Consultant will assist in implementing IT controls to meet regulatory, compliance and operational needs of the organization. The consultant leads in monitoring the performance of these controls throughout the year to ensure they meet the agreed upon control objectives and address the necessary risks. The position will be responsible for implementing and reviewing controls periodically as well as providing detailed reports to control and process owners and the IT leadership. The review and monitoring process will result in proposed recommendations and tracking of remediation plans to ensure all pertinent risks are addressed in a timely manner.  To make impactful difference, the results will be driven by taking initiatives, critical thinking, engaging and collaborating with stakeholders and leadership at all levels. The dynamic environment provides opportunities for consistent learning helping realize true potential and career growth.

The consultant will also be responsible with managing and following up on all open audit issues, tracking and reporting on remediation status to the executive leadership. 

Essential Duties and Responsibilities

Performs a combination of duties in accordance with departmental guidelines:

• Conduct IT reviews of systems, applications and IT processes. Perform review of IT processes and controls under the oversight of the Director; including identifying areas where technology units should consider changes to improve efficiency. Execute various other reviews of IT management policies and procedures such as change management, business continuity planning/ disaster recovery and information security to ensure that controls surrounding these processes are adequate.
• Provide Technology staff and Third party vendors appropriate guidance on IT risk management matters, particularly on applications, operations management, strategy and infrastructure security.
• Learn and support tools to analyze results and data to improve audit efficiency and effectiveness, (including for risk assessments). Ultimately be a source for analytics that IT units adopt for continuous improvement and auditing.
• Evaluate IT general computing controls and provide value added feedback. Test compliance with those controls.
• Lead and/or coordinate on SOX and SOC I initiatives with other departments when assigned or needed.
• Serves as a primary driver of the communication of IT CPM change management processes and project management. Develops a systematic methodology for communicating results to ensure that key personnel are informed and can provide feedback. Prepare and report results to executives, process owners and other stakeholders.
• Proactively provides content associated with the education and awareness of policies standards control procedures and IT Operational responsibilities across our organization. Responds to needs and feedback accordingly.
• Detects issues related to the operation of in-scope controls to ensure the effective operation of IT processes and controls for audit purposes. Develops remediation action plans to enable IT Controls & Quality Governance Team to provide attestation of CPM Program Compliance; also responsible for reporting of common control procedures and effectiveness.
• Manage and follow up on open audit issues resulting from audit findings and periodically report and present to the executive leadership on the remediation status of the findings.
• Work closely with key business partners across the enterprise and ensure that second and third line of defense teams are informed of the outstanding risks.

Reporting Relationship

Typically reports to Director or above.

Skills Knowledge & Abilities

• Solid understanding of IT infrastructure, security and application controls, operating models, methodology and approaches. Expert knowledge of internal auditing, internal controls, risk management and understanding of internal control environments within IT and some business functions.
• Experience with multiple technology domains including aspects of Windows, Mainframe, Unix and/or database administration, software development and networking.
• Ability to multi-task on assignments, prioritize and deliver on routine tasks and assigned projects.
• Strong communication and interpersonal skills to work effectively and foster teamwork with peers on project teams and other functional areas inside and outside of IT along with the ability to communicate effectively with technical and non-technical audiences.
• Ability to work with little supervision on assignments requiring technical complexity and confirmation with minimal guidance. Ability to lead meetings with all level of managements.
• Maintain technical competence by ongoing training, seeking development opportunities and applying new knowledge to daily work assignments.

Education & Experience

• Bachelor’s Degree or equivalent with preferable concentrations in Management Information Systems, Computer Science, Information Security, Data Analytics or related discipline.
• Typically 3-5 years of related experience in IT audit, internal audit, IT governance or risk management.
• CISA, CRISC, CGEIT, CISSP certification is a plus.
• Exposure to IT standards (e.g. ISO 27001, PCI-DSS), frameworks (e.g. COBIT, NIST, ITIL), technical systems and emerging technologies.