IT Assurance and Audit Analyst- INTL India
Role details
Job location
Tech stack
Job description
Perform IT control assessments and audit activities across enterprise platforms such as SAP, Salesforce, ServiceNow, and other business-critical systems. Validate the design and operating effectiveness of IT controls through manual testing, evidence review, and control walkthroughs. Conduct assessments against established compliance frameworks including PCI-DSS, ISO 27001, and other relevant security and regulatory standards. Identify control gaps, document findings, and partner with business and technology stakeholders to develop remediation plans. Create, update, and maintain IT policies, procedures, and control documentation as needed to address audit findings and strengthen compliance posture. Manage audit evidence collection and documentation activities, ensuring all evidence is complete, accurate, and audit-ready. Utilize Optro (preferred) or similar GRC platforms such as RSA Archer to manage assessments, track controls, upload evidence, and monitor remediation efforts. Maintain and update risk registers, documenting identified risks, mitigation activities, control owners, and remediation status. Coordinate with cross-functional teams to drive corrective actions, track progress, and ensure timely closure of audit findings. Leverage technical knowledge of IT systems, security controls, and business applications to effectively evaluate compliance and risk across various technology environments. Support multiple concurrent IT assurance, compliance, and audit initiatives while maintaining strong project organization and stakeholder communication., Understanding of control objectives Evidence collection Testing design and operating effectiveness Documentation of results
Strong Answer: "First I understand the risk and control objective, then review the control design, collect evidence such as screenshots, logs, approvals, or reports, perform sample testing, and document whether the control is operating effectively."
- What is the difference between a control deficiency, significant deficiency, and audit finding?
Listen For:
Understanding of risk severity Impact-based thinking Remediation processes
Strong Answer: Candidate explains that findings are documented gaps, deficiencies represent control weaknesses, and severity is determined by business risk and potential impact.
- How have you supported PCI-DSS, ISO 27001, or other compliance assessments?
Listen For:
Hands-on audit participation Evidence collection Control testing Remediation management
Follow Up: "What specific controls did you personally test?"
- If you were reviewing user access controls in SAP, Salesforce, or ServiceNow, what would you look for?
Listen For:
User provisioning/deprovisioning Role-based access control (RBAC) Segregation of Duties (SoD) Periodic access reviews Privileged access management
Strong Answer: "I would review how users are granted access, whether approvals exist, if privileged access is restricted, and whether periodic access reviews are performed and documented."
- How would you determine whether a control is designed effectively but not operating effectively?
Listen For:
Ability to distinguish design vs. operation
Strong Answer: "The control may be documented and appropriately designed, but testing shows it is not consistently performed or evidence cannot be provided."
- Tell me about a time you managed audit remediation efforts.
Listen For:
Ownership of findings Working with technical teams Corrective action tracking Closing findings successfully
Follow Up: "How did you track progress and hold teams accountable?"
- What information would you expect to see in a risk register?
Listen For:
Risk description Impact Likelihood Control owner Mitigation plan Residual risk
Strong Answer: Candidate understands risk management beyond just audit testing.
- Have you used Archer, AuditBoard, Optro, ServiceNow GRC, or another GRC platform? What did you use it for?
Listen For:
Assessment workflows Evidence collection Control management Remediation tracking Risk registers
Red Flag: Only reporting experience with no hands-on involvement.
- A required control does not exist in a business process. How would you address the gap?
Listen For:
Gap assessment Risk evaluation Control recommendations Policy/procedure creation Collaboration with stakeholders
Strong Answer: "I would document the risk, propose a compensating or new control, work with the process owner to implement it, and update supporting policies and procedures."
- What types of evidence would you request to validate the effectiveness of an access review control?
Listen For:
Access review reports Approval records Audit logs Screenshots User listings Evidence of remediation
Strong Answer: "I would review the access review output, check reviewer approvals, validate timing, sample users, and confirm any identified issues were remediated."
Bonus "Deep Dive" Question (Highly Recommended)
"Let's say a quarterly user access review control exists for Salesforce. Walk me through exactly how you would test that control and what evidence you would request."
This one question will quickly reveal whether they have actually performed IT assurance work or have only coordinated audits at a project-management level. A strong candidate should discuss:
Control objective Population extraction Sampling methodology Reviewer approvals Timing of review Evidence retention Exception remediation Documentation of testing results
Requirements
· IT Assurance and general IT audit experience is a plus · Strong understanding of Governance, Risk, and Compliance (GRC) concepts and processes · Familiarity with common security, risk, and compliance frameworks (NIST, ISO 27001, CIS Controls, PCI-DSS or any major security framework) · Experience supporting audit remediation efforts, corrective action tracking, and issue management · Ability to develop and manage project plans, including tracking milestones, dependencies, and deliverables · Strong organizational, documentation, and stakeholder communication skills · Experience coordinating with business and technology teams to collect evidence and drive remediation activities · Ability to work U.S. business hours if possible · Audit-Board(Optro) or RSA Archer experience, but any GRC platform experience is a plus · Experience with audit process automation and efficiency initiatives · Familiarity with ServiceNow, risk registers, and other GRC platforms · Exposure to cloud security, cybersecurity governance, compliance, or third-party risk management programs
Nice to Have Skills & Experience
Optro or Archer preferred
Benefits & conditions
Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.