THIS ROLE IS RESPONSIBLE FOR ASSISTING THE CREDIT UNION AND ITS LEADERS IN ASSESSING THE EFFECTIVENESS OF INFORMATION TECHNOLOGY (IT) AND SECURITY CONTROLS AND BEST PRACTICES, INCLUDING DEVELOPMENT AND MAINTENANCE OF THE IT AUDIT RISK ASSESSMENT AND EXECUTION OF THE IT AUDIT PLAN, UNDER THE OVERSIGHT OF THE VICE PRESIDENT (VP) OF INTERNAL AUDIT. THIS ROLE IS NOT REMOTE AND EXPECTED TO WORK AT OUR BEAVERCREEK CORPORATE HEADQUARTERS. 

1. Develop test procedures and conduct risk based internal audits using common controls framework according to the current audit schedule. This includes preparing work papers and performing tests to assess the design and effectiveness of controls. Ensures proper policies, procedures, risk mitigation activities, and operating controls are followed. Reports gaps in policies, procedures, and operating controls to leadership to ensure member impact and risk is mitigated. (40%)
2. Prepare and report audit results and recommendations to senior leadership, the Information Security Officer (ISO) and members of the Audit Committee. (20%)
3. Develop and maintain the IT audit risk assessment and audit universe under the oversight of the VP of Internal Audit. This includes identifying audit and organizational risk, linking the risk universe to internal controls framework and making recommendations for audit scope and planning. (10%)
4. Perform follow-up audits or testing to validate corrective action or changes to controls. (10%)
5. Provide management with guidance on IT risk management matters, including infrastructure, security and industry standards. (5%)
6. Perform periodic reviews of IT management practices and procedures including change management, business continuity, disaster recovery, vendor management, access and information security to ensure policy and procedural controls are adequate. (5%)
7. Assist external auditors and examiners in their review of IT controls. (5%)
8. Develop, build and implement tools to analyze data and improve audit efficiency and effectiveness. (5%)

Required Skills

1. Bachelor’s Degree, preferably in information systems, computer science or related field or equivalent experience in information systems or IT audit.
2. Comprehensive understanding of internal control environments within the IT function and general IT controls over financial systems.
3. Working knowledge of IT examination standards including those found in FFIEC IT Examination Handbook, FFIEC Cybersecurity Assessment Tool (CAT), PCI-DSS Assessment and NCUA Examiner Guide Chapter 6.
4. Working knowledge of cybersecurity frameworks including the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) and Center for Internet Security controls (CIS).
5. Industry certification is required, e.g. Certified Information System Security Professional (CISSP), Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM).
6. Advanced interpersonal and written communications skills, including the ability to communicate effectively with both technical and non-technical audiences.

Required Experience

1. Bachelor’s Degree, preferably in information systems, computer science or related field or equivalent experience in information systems or IT audit.
2. Comprehensive understanding of internal control environments within the IT function and general IT controls over financial systems.
3. Working knowledge of IT examination standards including those found in FFIEC IT Examination Handbook, FFIEC Cybersecurity Assessment Tool (CAT), PCI-DSS Assessment and NCUA Examiner Guide Chapter 6.
4. Working knowledge of cybersecurity frameworks including the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) and Center for Internet Security controls (CIS).
5. Industry certification is required, e.g. Certified Information System Security Professional (CISSP), Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM).
6. Advanced interpersonal and written communications skills, including the ability to communicate effectively with both technical and non-technical audiences.