IT Assurance and Audit Analyst- INTL India

Insight Global
Atlanta, United States of America
yesterday

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Compensation
$ 19K

Job location

Atlanta, United States of America

Tech stack

Audit Trail
Business Software
Cloud Computing Security
Control Objectives for Information and Related Technology (COBIT)
Information Technology Audit
PCI Data Security Standards
Role-Based Access Control
RSA (Cryptosystem)
Salesforce
SAP Applications
Screenshots
User Provisioning Software
IT General Controls (ITGC)
Information Technology
RSA Archer Platform
CIS Benchmarks
ServiceNow

Job description

Perform IT control assessments and audit activities across enterprise platforms such as SAP, Salesforce, ServiceNow, and other business-critical systems. Validate the design and operating effectiveness of IT controls through manual testing, evidence review, and control walkthroughs. Conduct assessments against established compliance frameworks including PCI-DSS, ISO 27001, and other relevant security and regulatory standards. Identify control gaps, document findings, and partner with business and technology stakeholders to develop remediation plans. Create, update, and maintain IT policies, procedures, and control documentation as needed to address audit findings and strengthen compliance posture. Manage audit evidence collection and documentation activities, ensuring all evidence is complete, accurate, and audit-ready. Utilize Optro (preferred) or similar GRC platforms such as RSA Archer to manage assessments, track controls, upload evidence, and monitor remediation efforts. Maintain and update risk registers, documenting identified risks, mitigation activities, control owners, and remediation status. Coordinate with cross-functional teams to drive corrective actions, track progress, and ensure timely closure of audit findings. Leverage technical knowledge of IT systems, security controls, and business applications to effectively evaluate compliance and risk across various technology environments. Support multiple concurrent IT assurance, compliance, and audit initiatives while maintaining strong project organization and stakeholder communication., Understanding of control objectives Evidence collection Testing design and operating effectiveness Documentation of results

Strong Answer: "First I understand the risk and control objective, then review the control design, collect evidence such as screenshots, logs, approvals, or reports, perform sample testing, and document whether the control is operating effectively."

  1. What is the difference between a control deficiency, significant deficiency, and audit finding?

Listen For:

Understanding of risk severity Impact-based thinking Remediation processes

Strong Answer: Candidate explains that findings are documented gaps, deficiencies represent control weaknesses, and severity is determined by business risk and potential impact.

  1. How have you supported PCI-DSS, ISO 27001, or other compliance assessments?

Listen For:

Hands-on audit participation Evidence collection Control testing Remediation management

Follow Up: "What specific controls did you personally test?"

  1. If you were reviewing user access controls in SAP, Salesforce, or ServiceNow, what would you look for?

Listen For:

User provisioning/deprovisioning Role-based access control (RBAC) Segregation of Duties (SoD) Periodic access reviews Privileged access management

Strong Answer: "I would review how users are granted access, whether approvals exist, if privileged access is restricted, and whether periodic access reviews are performed and documented."

  1. How would you determine whether a control is designed effectively but not operating effectively?

Listen For:

Ability to distinguish design vs. operation

Strong Answer: "The control may be documented and appropriately designed, but testing shows it is not consistently performed or evidence cannot be provided."

  1. Tell me about a time you managed audit remediation efforts.

Listen For:

Ownership of findings Working with technical teams Corrective action tracking Closing findings successfully

Follow Up: "How did you track progress and hold teams accountable?"

  1. What information would you expect to see in a risk register?

Listen For:

Risk description Impact Likelihood Control owner Mitigation plan Residual risk

Strong Answer: Candidate understands risk management beyond just audit testing.

  1. Have you used Archer, AuditBoard, Optro, ServiceNow GRC, or another GRC platform? What did you use it for?

Listen For:

Assessment workflows Evidence collection Control management Remediation tracking Risk registers

Red Flag: Only reporting experience with no hands-on involvement.

  1. A required control does not exist in a business process. How would you address the gap?

Listen For:

Gap assessment Risk evaluation Control recommendations Policy/procedure creation Collaboration with stakeholders

Strong Answer: "I would document the risk, propose a compensating or new control, work with the process owner to implement it, and update supporting policies and procedures."

  1. What types of evidence would you request to validate the effectiveness of an access review control?

Listen For:

Access review reports Approval records Audit logs Screenshots User listings Evidence of remediation

Strong Answer: "I would review the access review output, check reviewer approvals, validate timing, sample users, and confirm any identified issues were remediated."

Bonus "Deep Dive" Question (Highly Recommended)

"Let's say a quarterly user access review control exists for Salesforce. Walk me through exactly how you would test that control and what evidence you would request."

This one question will quickly reveal whether they have actually performed IT assurance work or have only coordinated audits at a project-management level. A strong candidate should discuss:

Control objective Population extraction Sampling methodology Reviewer approvals Timing of review Evidence retention Exception remediation Documentation of testing results

Requirements

· IT Assurance and general IT audit experience is a plus · Strong understanding of Governance, Risk, and Compliance (GRC) concepts and processes · Familiarity with common security, risk, and compliance frameworks (NIST, ISO 27001, CIS Controls, PCI-DSS or any major security framework) · Experience supporting audit remediation efforts, corrective action tracking, and issue management · Ability to develop and manage project plans, including tracking milestones, dependencies, and deliverables · Strong organizational, documentation, and stakeholder communication skills · Experience coordinating with business and technology teams to collect evidence and drive remediation activities · Ability to work U.S. business hours if possible · Audit-Board(Optro) or RSA Archer experience, but any GRC platform experience is a plus · Experience with audit process automation and efficiency initiatives · Familiarity with ServiceNow, risk registers, and other GRC platforms · Exposure to cloud security, cybersecurity governance, compliance, or third-party risk management programs

Nice to Have Skills & Experience

Optro or Archer preferred

Benefits & conditions

Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.

Apply for this position