
Sr. IT Risk Compliance Analyst (Audit Programs)
City : Toronto, Ontario, Canada
Category : Full time
Industry : Public Services/Utilities
Employer : Healthcare of Ontario Pension Plan (HOOPP)
Why you’ll love working here:
high-performance, people-focused culture
our commitment that equity, diversity and inclusion are fundamental to our work environment and business success, which helps employees feel valued and empowered to be their authentic selves
learning and development initiatives, including workshops, Speaker Series events and access to LinkedIn Learning, that support employees’ career growth
competitive, 100% company-paid extended health and dental benefits for permanent employees with recent additions to promote inclusive coverage to a diverse employee population. These recent additions include gender affirmation and fertility drug and treatment coverage
membership in HOOPP’s world class defined benefit pension plan, which can serve as an important part of your retirement security
access to an annual wellness reimbursement program for health and wellness-related expenses for permanent employees
virtual fitness, yoga and meditation classes, nutritional consultations and wellness seminars
we offer a hybrid flexible work model that embraces remote work in Ontario for eligible roles
the opportunity to make a difference and help take care of those who care for us, by providing a financially secure retirement for Ontario healthcare workers
Job Summary:
The Sr. IT Risk and Compliance Analyst plays an integral role within the IT Audit Programs scrum team in HOOPP’s IT Operational Resilience team, which is part of the IT Security, Risk and Governance group (“SRG”). SRG is one of four groups within the Information Technology (“IT”) Division of HOOPP.
This role exists within a collaborative, cross-functional team of IT GRC professionals who report to the Director, IT Operational Resilience.
The Sr. IT Risk and Compliance Analyst is a champion of IT risk management, Audit Programs and compliance in the organization. This role requires an adaptive, inventive, and accountable member of the Audit Programs scrum team working in partnership with the Product Owner, Technology GRC.
A primary goal of this role is to provide exceptional IT risk management support, advice, and facilitation to optimize HOOPP’s IT risk management processes, and to foster, advocate for, and strengthen HOOPP’s IT risk culture.
The key responsibilities of the Sr. IT Risk & Compliance Analyst include participating and leading activities for the cyclical audit programs (ICFR, Internal Audit, External Audit), and remediation activities.
The Sr. IT Risk & Compliance Analyst will be an active participant in all Audit Programs scrum team ceremonies, taking accountability for work they commit to and ensuring team goals (Strategic OKRs and KTLO goals) are achieved. This role requires both knowledge and leadership skills to understand HOOPP’s business and IT needs for effective risk management, collaborating with various stakeholders including IT, audit, and business teams to maintain and strengthen the value proposition of IT GRC across the organization.
What you will do:
- Participate, coordinate, and support the operation and enhancement of the internal controls over financial reporting (“ICFR”) program
- Participate in coordinating and supporting IT divisions in Internal Audits
- Lead and manage collaboration with ICFR, internal and external audit by advising on evidence collection and automation
- Perform expert assessment on vendor SOC 1 and SOC 2 reports in partnership with IT owners and ICFR
- Provide advisory support and guidance to IT teams to ensure narratives and controls are owned, aligned and in compliance
- Build and maintain expertise on IT controls
- Develop controls and mitigation plans and help drive their implementation, by communicating complex technology risk and controls concepts to stakeholders in IT and across HOOPP teams
- Assist in the quarterly ICFR attestation process for completeness and review the attestations for process changes and management identified deficiencies.
- Assess implications of changes and deficiencies and make recommendations to the IT owners
- Lead and manage collaboration with internal teams to understand their processes, how they manage risks, and respond / advise on their compliance needs and concerns
- Lead and manage the performance of gap assessments for new and existing policies and standards and carry primary responsibility for any other compliance related initiatives that may arise
- Support the creation and maintenance of a technology risk and controls matrix for HOOPP
- Provide regular status updates ensuring stakeholders are aware of progress and roadblocks
- Maintain program documentation including policies, standards, procedures, and guidelines in support of HOOPP's GRC practices and assist in developing further documentation
- Lead others in using analytical tools and solving complex problems related to the development of HOOPP's IT compliance program and validating compliance with applicable internal controls and policies
- Maintain a thorough understanding of technology and GRC practices to assist with IT risk management in a rapidly changing IT environment
- Identify opportunities for IT controls and process improvement through automation.
What you bring:
- Over 5 years of experience in IT Risk & Compliance, IT Audit, and IT Governance.
- Bachelor's degree in Business, Computer Science, Information Systems, Engineering, or equivalent experience
- In-depth and broad experience with control and risk frameworks, performing compliance and risk assessments, designing controls, and overseeing mitigation projects
- Understanding of risk methodologies, frameworks, and practices (ISO standards, COBIT, CIS, COSO, NIST, etc.)
- Strong working knowledge of SOX, NI 52-109 and governance and control frameworks (COSO and COBIT)
- A strong understanding of information system risks and ITGCs and end user computing (EUC) controls
- In-depth knowledge of and experience in reviewing and evaluating service organizations' SOC 1/SOC 2 reports
- Knowledge of IT applications and systems such as Oracle, SAP, Power BI, AWS, and Microsoft Azure considered an asset
- Ability to identify, understand, document, evaluate and monitor internal controls
- Ability to critically assess the effectiveness of internal controls, make recommendations to improve internal controls and remediate internal control deficiencies through re-engineering control design
- Ability to review and evaluate controls for system implementations
- Industry certifications such as CRISC, CISA, CIA, CGEIT, CISSP, CPA/CA, etc., or equivalent experience
- Experience working in an agile environment (software development, infrastructure, and shared services) is an asset
- Strong attention to detail
- Ability to plan, manage multiple priorities and meet deadlines
- Strong verbal and written communication skills, especially communicating across all levels and cross functional teams
- Experience with a GRC platform is preferred
- Independent and results oriented
- Agile mindset
- Collaborative, independent, and forward thinking
- Pays attention to detail
- A team player with excellent interpersonal skills (loyal, empathetic, caring)
- Sound judgement and the ability to balance ‘efficiency in delivery’ vs. ‘standards/processes’
- A confident decision-maker
- Able to influence in a matrix
- A strong communicator (both written and oral)
- Superior analytical and issue resolution skills
- A high level of initiative and professionalism
- A willingness to multi-task and be flexible to take on varied responsibilities
- Takes ownership of tasks and drives initiatives through to completion
- Calm and patient under pressure; thrives in a changing, dynamic environment
- Able to see the big picture while paying attention to important details