Sr. IT Compliance Analyst_

Lexington

**POSITION FEATURES:**

This is a remote position in Eastern Time Zone.

**PURPOSE AND SCOPE** :

The Sr. IT Compliance Analyst plays a crucial role in supporting Digital Technology & Innovation (DTI) by managing IT global audits (SOX, Internal, External), IT controls, and issue management programs on a global scale. As a core member of the Governance, Risk, and Compliance (GRC) team, this position is integral to maintaining robust IT-related processes. Reporting to the Senior Director, Global DTI, the IT Compliance Analyst drives critical audit program management, annual IT control testing, monitoring, metrics, and ensures compliance across the enterprise.

**Sr. IT Compliance Specialist - IT Focus:**

+ **Audit Lifecycle / Program Support:** Manage and support global IT audit programs, including internal and external audits, through all phases: communication, scoping, documentation requests, control testing, fieldwork, management response, metrics, and issue remediation. Function as a compliance knowledge resource for IT general systems and controls.

+ **Relationship Management:** Develop and maintain relationships with IT leadership, teams, and business stakeholders through open and frequent communication. Partner with auditees and internal/external auditors to facilitate audit processes.

+ **Control Testing and Assurance:** Prepare for IT audits by conducting control testing and assurance activities. Support control owners in reviewing access to applications and systems for appropriateness. Update control testing procedures to gather sufficient evidence for audit observations. Verify that control designs (TOD) meet business objectives and support SOX audits.

+ **Control Performance and Enhancement:** Perform IT control testing (ITGC and ITAC) to ensure control performance aligns with compliance objectives (TOE). Identify opportunities to enhance internal controls cost-effectively, addressing IT infrastructure, systems, applications, security, operations, and processes. Follow up on audit observations and issues until remediation evidence is obtained.

+ **Frameworks and Compliance:** Maintain control designs for frameworks such as NIST CSF, NIST 800, ISO-27001, SOX, HIPAA, & GDPR. Apply sound judgment in evaluating controls. Challenge IT customers on risk identification and control adequacy. Stay current on best practices and guidance for achieving security compliance.

+ **Collaboration and Communication:** Oversee and communicate the portfolio of IT-related audits and issues. Collaborate with DTI, Global Internal Audit, and Information Security to ensure consistent communication of controls and risks. Promote security best practices across all business units and departments.

+ **Knowledge and Compliance:** Maintain strong knowledge of control frameworks and IT best practices. Build and sustain strong relationships with personnel across all business units. Adhere to the Code of Business Conduct and all applicable company policies, procedures, local, state, and federal laws and regulations. Preferred experience as a former Big 4 IT auditor or in IT risk management within the Financial Services industry. Proven experience in IT governance, risk, and controls, including governance frameworks. CISA, CISSP, CRISC, or other relevant certification(s) desired.

**PRINCIPAL DUTIES AND RESPONSIBILITIES:**

+ Responsible for facilitating IT management’s documentation updates and completion of management assessment for all in-scope FMC IT processes.

+ Work with IT compliance management to ensure appropriately designed controls are implemented for all in-scope entities and divisions and perform testing to validate their operating effectiveness throughout the fiscal year.

+ Facilitate regular meetings with IT management to plan the documentation updates and testing of SOX IT controls.

+ Analyze SOX testing results, making recommendations to facilitate management’s remediation and/or identification of mitigating controls for all FMC IT deficiencies.

+ Responsible for performing and facilitating access certifications of financially significant systems, including segregation of duties testing.

+ Supports IT compliance management as the principal interface with the external auditor IT Audit function and the FMC IT functions regarding SOX IT matters.

+ Assists management in preparing periodic SOX 404 reporting to the FMCKGaA SOX 404 Steering Committee.

+ Performs the annual SOX 404 scoping exercise to determine if there are any changes to IT data centers, applications or related processes which should be considered to determine what is in scope for SOX 404 purposes.

+ Perform IT control assessments of any new entities, divisions and processes deemed material to the financial reporting process or in the scope of the external audit. Work with local IT management to develop and implement IT general controls where required controls are not met and define remediation for deficient controls. Communicate SOX control requirement where necessary.

+ Provide regular updates to the IT compliance management and leadership regarding the status of the SOX testing plans, the issues identified, and the decisions regarding the solutions to address the identified problems.

+ Maintains current knowledge regarding changes to SOX compliance regulations and ensures that FMC adjusts methodologies in response to the changes by issuing guidance and instructions to the appropriate IT stakeholders and personnel. Determines and recommends improvements to current risk management controls as needed.

+ Leads implementation of major special projects and initiatives related to auditing automation software and applications to manage governance tasks and SOX financial reporting functions such as SAP GRC Process Control and Access Control software.

+ Manage SAP role provisioning software including monitoring for new SAP roles, preventing the creation of inherent SOD issues, training and assigning new role approvers, and reviewing and addressing SAP requests with SOD violation ensuring appropriate compensating controls.

+ Strong knowledge of and experience with FSA, SOX and COSO IT requirements

+ Other duties as assigned.

**PHYSICAL DEMANDS AND WORKING CONDITIONS:**

+ The physical demands and work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

+ Remote position in EST preferred

**SUPERVISION:**

+ None

**EDUCATION** :

+ Bachelor’s degree in information systems, computer science or business

+ Certified Information Systems Auditor (CISA) or CRISC preferred

**EXPERIENCE AND REQUIRED SKILLS:**

+ 5 – 8 years’ IT Audit/SOX IT experience within an external firm or relevant IT Audit experience within private industry; or a Master’s degree with 3 years’ experience; or a PhD without experience; or equivalent directly related work experience.

+ Strong organizational/communication skills and PC proficiency.

+ Experience in dealing with various levels of management.

+ SAP/ PeopleSoft/ Data Centers/ Enterprise/ ERP.

+ Knowledge of COSO, CoBit or NIST control models preferred.

+ Must be able to work with senior level management in a very independent manner.

**EO/AA Employer: Minorities/Females/Veterans/Disability/Sexual Orientation/Gender Identity**

**Fresenius Medical Care North America maintains a drug-free workplace in accordance with applicable federal and state laws**