IT Auditor 3
Reporting to an IT Assistant Audit Manager or Audit Manager, this position is responsible for independently conducting increasingly complex IT security performance audits which may involve multiple state agencies, local governments or multiple levels of government. Provides expert level technical services in security for IT cybersecurity audits. May lead audits and projects that include multiple IT audit staff. May be responsible for the entire audit, resource or project, to include but not limited to planning, development of statewide IT testing strategies, conducting and overseeing the implementation of audit methodologies, and audit reporting for state or local government audits.
Audits are conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS) as prescribed by the United States Government Accountability Office, and other applicable laws, regulations, and professional standards.
Audit Scoping and Planning – Work to develop or obtains an understanding of audit objective(s). Responsible for the identification and development of scope.
- Based on audit objective(s), define the information, methodologies and analyses needed to fully address the audit.
- Performs preliminary research and risk assessment to develop an audit plan.
- Identifies the scope and audit methodologies, criteria (leading practices, and industry standards, legal requirements, policy requirements) to develop testing strategies to address the IT audit objectives.
- Ensures planning work complies with applicable industry, SAO requirements and governmental auditing standards.
- Prepares or reviews prepared interview questions to ensure they are clear and logically related to the purpose of the audit and interviews client and vendor personnel to obtain information related to planning the audit, understanding the IT environment, security, systems and processes.
- Ensures staff assignments are clear, logical, and complete, and have accurate time estimates based on the established SAO process and according to all applicable policies and procedures.
- Reviews assignments with staff to ensure there is a clear understanding of the work to be performed.
- Adjusts the planned work when it is no longer feasible or relevant. Identifies and informs supervisor of opportunities to cut tasks that are duplicative or no longer relevant, or where the task will take significantly longer or shorter than anticipated.
Conduct Fieldwork – leads audit assignments in Cybersecurity.
- Performs new and increasingly complex cybersecurity audits
- May develop data analyses that address audit objectives.
- Conducts fieldwork in a timely, efficient, and effective manner and ensures that all audit issues are satisfactorily addressed.
- May support application and general control reviews, common system reviews, and centralized testing for sections of large or complex IT audits.
- Leads meetings with clients for audits of leading security practices and/or state standards.
- Evaluates IT environments, security, systems, processes to identify risk and measure related program impact, implementation of controls, effectiveness, and efficiency.
- Assists staff auditors with general testing, technical testing and administrative controls and communicating their results.
Audit Review/Documentation – Develops and reviews documentation and work papers prepared by project team to ensure are complete and accurate and meet GAGAS standards.
- Prepares accurate documentation and working papers for all audit work accomplished, overall conclusions reached and recommendations for improvement of any deficiencies noted. Ensures documentation includes sufficient and appropriate evidence necessary to provide a reasonable basis to support findings and conclusions.
- Reviews audit workpapers prepared by assigned staff for quality, completeness, accuracy, and compliance with governmental audit standards.
- Evaluates the accuracy, validity, and reliability of information or data obtained from audit clients.
- Reviews the work of technical IT security vendors to ensure documentation is complete and accurate.
- Ensures all coaching notes have been thoroughly addressed and in a timely manner.
- Ensures sufficient and appropriate evidence is included to provide a reasonable basis to support findings, conclusions and statements of fact.
Results and Reporting – Develops audit resources, findings, results, reports and client recommendations using language and terminology appropriate to the audience.
- Identifies and develops audit resources, results, reports and recommendations using language and terminology appropriate to the audience and supported by audit work papers to ensure all conclusions and statements of fact are supported by sufficient and appropriate audit evidence.
- Prepares and/or reviews written results, findings or reports related to information technology to support performance, accountability, or financial audit reports which meets national and professional standards.
- Prepares audit findings, ensuring they accurately reference to the audit workpapers, objective(s), and all appropriate elements have been included.
- Discloses deficiencies which are often difficult and/or sensitive issues and recommends improvements to the management.
- Prepares reports that are effectively organized, grammatically, logically and structurally sound, indexed to audit workpapers, and that use accurate and unambiguous language so that the reader clearly understands the complex information being delivered.
Client / Vendor Relations – ensures clients and vendors feel that they are treated professionally, fairly, respectfully, and in a cooperative spirit, and understand that while our statutory authority is to independently audit their operations, we are working with them to help them best serve the public.
- Conducts meetings with clients for audits of leading security practices and/or state standards.
- Works with audit clients and client vendors to gain an understanding of systems, applications, and security programs and to communicate results including participating in and leading meetings with state and local government leadership.
- Work with SAO vendors to coordinate testing and understanding of systems, applications, and security programs.
- Conducts meetings with various levels of client management during the course of the audit.
- Coordinates and may handle communication with entities when conflict arises.
- Addresses all requests for information from audit clients or others in a timely and thorough fashion.
- Understands how the roles, products and services of our work unit relate to and impact those of client and vendors.
Bachelor's degree in business, public administration, computer science, information systems or other related field. Four years Audit experience including 2 years as an IT Auditor. Demonstrated proficiency such as related Certification (e.g., CISA, GSEC, CISSP, Masters in Cybersecurity etc.).
Preferred professional IT experience and government performance or accountability audit experience.
Competencies (knowledge, skills, and abilities and behaviors):
The ideal candidate has experience with governments, performance auditing and/or accountability auditing and technical knowledge associated with cybersecurity.
IT Audit Technical Knowledge
- Able to identify large and/or complex security risks and recognize the potential effect on the audit and make IT security recommendations to address the risk;
- Understand technical IT vulnerabilities or weaknesses and explain the nature of and impact of those weaknesses to technical and non-technical entity staff, audit staff and executive management;
- Understand and be able to describe key concepts and results of an IT security audit and its impact on performance audits;
- Demonstrates knowledge of principles, leading practices and other potential criteria sources;
- Recognizes high-risk areas in all types of audit assignments including IT security;
- Apply SAO audit policies and governmental audit standards to audit engagements.
- Demonstrates the ability to identify what's important and not important in the context of their work and the audit as a whole;
- Recognizes and can describe relevant patterns, discrepancies, missing pieces, trends or interrelationships in data and situations;
- Demonstrates professional skepticism and does not accept assertions without corroboration. Identifies and resolves incomplete, inaccurate or conflicting information;
- Develop innovative ideas that provide solutions to all types of challenges;
- Recognizes when there are problems or potential areas for improvement, assesses their effect, and determines whether they are significant.
- Ability to present audit results and recommendations to local and state government executives, legislative bodies and national associations;
- Ability to discuss IT audit criteria, processes, results and risks with technical and non-technical entity staff;
- Consistently provides meaningful input and feedback on important work products designed to convince users, management, executive and legislative bodies to implement IT recommendations or process changes;
- Clearly documents results of testing demonstrating the completeness, accuracy and reliability of the data;
- Proactively initiates communication across the team's functional roles (e.g. CAATs, systems and cybersecurity) and agency in a manner that supports effective integration of audit efforts and builds positive relationships;
- Actively listens and is forthright in all communications to help enhance understanding;
- Successfully adapts to diverse personalities and communication styles;
- Effectively document information gained through audits in both technical and non-technical language to facilitate use of work products by other SAO auditors;
- Effectively express ideas and information of a technical nature, using language that is appropriate to both the complexity of the topic and knowledge and understanding of the audience;
- Effectively listen, process and respond to verbal description of technical problems and communicate solution;
- Effectively communicates the results of the technical work in a clear, specific, balanced, and unbiased manner;
- Uses standardized rules of language regarding spelling, punctuation, grammar, word usage, structure and composition;
- Organizes and effectively displays technical information so that it is meaningful to the receiving party.
- Independently and assisting others to collect, evaluate and interpret a broad range of data, either electronic, written, statistical or narrative form;
- Independently and assisting others to group and sort data and see underlying principles, patterns or themes in an array of related information;
- Identifies trends, performance history, benchmarks, and best practices. Seeks assistance when necessary;
- Accurately synthesizes verbal and written material. Can identify and resolve conflicting or obviously inaccurate or incomplete responses or data.
Benefits of Working fo the State of Washington and the State Auditor's Office (SAO)
As a full-time State employee you accrue vacation (12-22 days per year) and sick leave (1-day per month). Full-time employees are entitled to 11 paid holidays. You and your family members are covered by medical (including vision), dental and basic life insurance. As a new employee you will have the option of two employer contributed retirement programs to enroll in. We also offer paid training programs, flexible schedules and shared commuter options.
As a Washington State employee you will also enjoy other benefits and discounts from various companies. Here are a few:
- WGU Washington is proud to offer a special discount for Washington state employees. As a Washington state employee, you are entitled to a 5 percent discount on our already affordable tuition rates for your first two terms!
- Discounts on phone services through Verizon, AT&T and Sprint.
- Ability to take advantage of the Home Use Program, allowing you to get selected Microsoft software at a reduced price.
To be considered, applicants must submit a completed application.
Degrees awarded outside the United States must include a credential evaluation report.
If you are a US Veteran and would like to apply for Veteran's Preference, attach a copy of Form DD214 military record showing honorable discharge.
Questions may be directed to the applications unit at email@example.com.
The office of the Washington State Auditor is an equal opportunity employer. Persons with a disability who need assistance in the application or testing process, or who need this announcement in an alternative format may call (360)725-5385 or via the telecommunications relay service by dialing 7-1-1.