Overview

The Office of Audit and Compliance (OAC) serves as a proactive partner and trusted advisor to University management and departments to assess and support the mitigation of risks that may have a significant impact on the achievement of the University’s objectives. The goal of the OAC is to promote a culture of risk and compliance awareness at the institution through the services it provides. OAC seeks an experienced candidate with high professional and ethical standards who will provide quality Information Security and IT Operations assurance and advisory services to the University. 

Position Summary:

Reporting to the Associate Director, IT Audit (Associate Director), the Senior Information Security Assurance Analyst (Senior Auditor) will be responsible for independently planning, executing, developing, and communicating value added results of information security and IT operations assurance and advisory engagements to senior management.  The Senior Auditor will assist the Associate Director in procuring service providers for co-sourced audit projects and supervising their performance and deliverables to clients.  As a member of the University’s Information Technology Audit team, the Senior Auditor will support key strategy and planning activities related to the annual risk assessment and IT audit plan for the University.  In addition, the Senior Auditor should have a desire for continued career growth and a passion for learning new and emerging technologies to enable collaboration with the Associate Director in pursuit of continued innovation of the University’s IT audit function.

Responsibilities

The key responsibilities of this position will be to:

• Strategy and Leadership Support
• Assist the Associate Director with the strategy and planning of the annual risk-assessment and the IT audit work plan for the University.
• Execute annual risk assessment interviews with senior executives and other managers throughout the University; assess risk and analyze results.
• Identify, evaluate, and recommend value added technology tools for OAC operations and internal audit projects.
• Build relationships with key campus constituents and network with colleagues from other Universities to share information on industry risks and leading practices.
• Assist with Trustee and Senior Management presentations as required.
• Support the progressive development of senior auditor IT audit knowledge, skills, and abilities by identifying key learning opportunities and developing value added training materials.
• Keep current with developments in relevant technologies and IT audit methodologies.
• Perform special projects as required.

Service procurement, engagement planning, supervision, and communication

• In partnership with the Associate Director, develop and execute Request for Proposals (RFP) in accordance with University procurement practices including the definition of requirements and evaluation criteria, identification of potential suppliers, review of proposal, and recommendation of selection.
• Partner with University clients and manage the execution of professional services on co-sourced projects and deliver value added outcomes.
• Plan and execute all aspects of risk-based audit and advisory projects by partnering with the client department management to define the scope and objectives, project resource requirements, identify needs for specialized skills, timing and budgets.
• Prepare and present audit and advisory project reports that communicate complex information security and IT operations concepts to a diverse group of institutional constituents including Deans and Vice Presidents, summarizing observations, recommendations, and management responses. Ensure that projects have value-added results and are completed on time.

Executing Information Assurance and Advisory Projects 

• Perform information security and IT operations audits and/or advisory services including but not limited to the following: information security, vulnerability management, application controls, network infrastructure, databases, operating systems, IT general controls, pre and post system implementation, Information Technology Infrastructure Library (ITIL) based processes, systems development lifecycle, dev ops, system interfaces, third party vendor provided Software as a Service, Platform as a Service, and Infrastructure as a Service, disaster recovery, physical security, incident response, and disaster recovery/resiliency planning.
• Critically apply insights and knowledge of IT and information security to enable clients to solve complex institutional problems, while effectively managing risks.
• Design detailed audit work programs (in many cases customized for the environment), conduct interviews, document and analyze processes and apply critical thinking to evaluate risks and controls and assess the results of audit testing. Create detailed workpapers that substantiate audit findings in accordance with Institute of Internal Auditors (IIA) professional standards.
• Plan and lead meetings with campus clients of all varying levels of seniority such as planning, opening, periodic status, and closing meetings communicating highly complex information security concepts.
• Evaluate audit findings/advisory results, determine root causes, and develop substantive leading practice informed, value-added recommendations based on feasible solutions discussed with management.
• Partner with OAC senior auditors on financial and operational projects with IT requirements and control evaluation, as needed.
• Follow IIA and other relevant standards in conducting audits and advisory projects.

Qualifications

Essential Qualifications: 

• High ethical standards representative of Princeton University’s commitment to excellence.
• 5+ years of experience in, IT audit, IT management, information security analysis, and/or systems assurance. Relevant system administration and more generalized IT operations experience may be considered.
• Demonstrated ability to analyze technology systems and processes with strong attention to detail, apply critical thinking skills, and use sound business judgment in the application of auditing principles, University policies, and business practices.
• Excellent project management skills and demonstrated ability to achieve audit objectives on multiple, complex projects running
• Strong analytical, problem solving, time management, and interpersonal
• Excellent communication skills, including proven ability to prepare and present clear and concise reports to stakeholders and articulate complex and/or technical issues.
• Superior judgment, diplomacy, and discretion in handling sensitive information.
• Demonstrated skills and experience in some of the following:
• Information system testing techniques including the use of automated assessment tools.
• TCP/IP based network architecture and corresponding security design and enabling technologies such as next generation firewalls, IPS/IDS, routers, and switches.
• Microsoft Windows, Mac OS, and Linux operating systems, Active Directory, LDAP, Office365/Exchange, Microsoft SQL Server, Oracle Database systems, VMWare, Citrix, and SharePoint.
• Configuration management and automation technologies such as Ansible Tower or Puppet.
• Third party cloud offerings such as Amazon Web Services and Microsoft Azure and software as a service vendor assessments and ongoing monitoring (e.g., System and Organization Control reports).
• Knowledge of one or more information security frameworks including the NIST Cyber Security Framework, NIST 800-171, HITRUST, ISO 27000 series, and the CIS Controls.
• Self-motivation, initiative, and broad thinking.
• Current CISA or CISSP certification, or a commitment to pursue either.
• BA/BS or an advanced degree in information systems, business, or a related field. 

Preferred Qualifications:

• Advanced degree in information systems, business, or a related field.
• CISA, CISM, CISSP, CRISC, ITIL Foundation Certified, or other relevant certification.
• Knowledge of University operations and/or experience in higher education, especially focused on unique risks associated with academic departments and research.
• Experience selecting and implementing a data analytics software platform.
• Experience managing projects co-sourced with professional services firms.
• Knowledge of Large-scale ERP systems such as PeopleSoft, internal and external penetration testing, web application scanning/testing, social engineering, secure software development methodologies and enabling technology tools.
• Familiarity with Internet of Things (IoT) devices, industrial control systems (ICS) and supervisory control and data acquisition (SCADA). 

Princeton University is an Equal Opportunity/Affirmative Action Employer and all qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity or expression, national origin, disability status, protected veteran status, or any other characteristic protected by law. EEO IS THE LAW