- New York, NY, USA
- Permanent, Full time
AVP, IT Risk and Controls
Location: New York, NY, USA
Moody's IT Risk Management is looking for an Assistant Vice President, who will be aligned to the IT Risk function and manage the IT Controls Program. This is a position requiring a strong background in IT Controls practices along with solid communication and organization skills.
The ideal candidate must be highly motivated and willing to take on challenges, able to multi-task, and able to work independently with minimal oversight. The candidate must have a deep understanding of the IT Control landscape and be able to articulate complex information through reports, dashboards and presentations that tell a story.
Functional responsibilities include:
- Ensure that controls are sufficiently designed, documented, and evidenced to satisfy risk, audit and regulatory objectives:
  - Build security control and risk scorecards, metrics, and reporting capabilities in GRC to support assessment of security compliance and risk posture.
  - Independently execute audit activities of moderate to high complexity, including IT technical audits, pre- and post-implementation consulting engagements, integrated audits, and Sarbanes-Oxley (SOX) 404 testing.
  - Utilize SOX and IT Risk experience to support audits and regulatory projects.
  - Coordinate efforts across multiple departments to ensure SOX compliance requirements are met within required deadlines.
  - Direct the cross-organization/business unit Controls Working Group and operational teams to address security controls and compliance, coordinate exception evaluations, and track risk remediation activities, temporary exceptions, and control status and ownership.
  - Advocate for and coach on IT policies, standards, procedures and initiatives, highlighting their impact in order to promote, support and enhance security controls; negotiate resolution of issues that arise during deployment and implementation of IT Controls and related practices.
  - Enable continuous technology compliance by maintaining up-to-date controls, coordinating controls testing and monitoring, and identifying and escalating control non-compliance.
- Serve on the team which is Moody's IT (MIT) central point of contact for internal and external audit and regulatory activities:
  - Assist in organizing and preparing MIT responses to regulatory and audit requests, including drafting of talking points and presentations on topics such as control design/execution and strategic risk mitigation programs.
  - Regularly liaise with Moody's Compliance, Audit and Legal functions to proactively monitor pending and proposed legislation and upcoming reviews in order to adequately prepare for and adapt to new or heightened expectations.
  - Track remediation of reported audit and regulatory observations to ensure timely and comprehensive resolution; on a regular basis, issue reports to IT leadership on the current state.
Qualifications include:
- Minimum of 7 years of experience in IT Risk Management, Information Security and/or IT Audit, preferably within the financial services industry or a consulting organization.
- Strong Sarbanes-Oxley and COBIT Framework familiarity.
- Understand key IT and automated business processes and perform testing of the design and operating effectiveness of controls within those processes (General IT Controls and Automated Business Controls).
- BS or BA degree, preferably in technology, business or equivalent.
- Relevant certifications, such as CISSP, CRISC, CISA, CISM, are a plus.
- Experience managing control program execution and reporting through a Governance, Risk and Compliance (GRC) solution.
- Must be comfortable with reporting directly to management in the New York office headquarters and working with team members across multiple continents and countries.
- Experience managing an ISO 27002 or NIST aligned security program.
- Experience programmatically assessing and managing security risks associated with vendors, confidential and personal data, critical IT assets, technology projects, and business initiatives.
- Demonstrated leadership in GRC tool selection, deployment and management and in GRC workflow definition and automation.
- Experience coordinating across business units, audit, compliance and legal teams to provide outside entities with technology evidence, documented exceptions, mitigating controls, and/or remediation activities underway to verify technology compliance.
- Strong presentation skills for large audiences of varying IT backgrounds; ability to adjust the message and filter details based on the audience.
- Must have experience working with multiple teams and stakeholders to coordinate SOX-related activities in a timely manner.
- Proven ability to work within a large enterprise that spans multiple continents, is governed by change management and has a tiered support model.
Moody's is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, sex, gender, age, religion, national origin, citizen status, marital status, physical or mental disability, military or veteran status, sexual orientation, gender identity, gender expression, genetic information, or any other characteristic protected by law. Moody's also provides reasonable accommodation to qualified individuals with disabilities in accordance with applicable laws. If you need to inquire about a reasonable accommodation, or need assistance with completing the application process, please email firstname.lastname@example.org. This contact information is for accommodation requests only, and cannot be used to inquire about the status of applications.
For San Francisco positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the San Francisco Fair Chance Ordinance. For New York City positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the New York City Fair Chance Act. For all other applicants, qualified applicants with criminal histories will be considered for employment consistent with the requirements of applicable law.
Candidates for Moody's Corporation may be asked to disclose securities holdings pursuant to Moody's Policy for Securities Trading and the requirements of the position. Employment is contingent upon compliance with the Policy, including remediation of positions in those holdings as necessary.