Lead - Internal Audit

The Team:

S&P Global is a leader in credit ratings, benchmarks and analytics for the global capital and commodity markets. Reporting to the Audit Director, you will be part of a global and diverse Audit team with coverage for enterprise-wide Applications. The S&P Global Internal Audit function is a global team with auditors located in the U.S., London, India, Tokyo, & Taiwan. The Divisional Technology Audit team is a critical unit of the global audit function and performs audits focusing on S&P Global Technologies (IT Applications and Information Security).

The Impact:

This role will be part of the IT Application audit team, focusing on audit plan management and execution of Technology audits globally. This role will provide you with a companywide perspective of the state of the internal technology environment and act in a trusted advisory capacity.

Whats in it for you:

This role provides extraordinary learning opportunities and interacts with senior management across the Company. If youre right for this role, you will interact, meet and work with several key stakeholders in interesting and meaningful engagements. Youll love this job because it provides new opportunities for professional growth daily. You will leverage cutting edge digital next generation capabilities, including AI and data analytics practices to improve the audit activities. This role will be primarily accountable for S&P Global annual audit plan development and internal audits execution (planning, fieldwork and reporting phases). You will be responsible for performing annual and on-going risk assessment activities focused on Applications, Information and Cyber Security and the associated risks for S&P Global worldwide. The incumbent will be expected to conduct an independent audit and work effectively with members of the Audit Leadership team.

Responsibilities:

• Lead application security audits, ensuring the efficient and timely execution of the approved Audit Plan.
• Conduct comprehensive security audits, including penetration testing, to identify vulnerabilities across applications, infrastructure, databases, operating systems, and cloud environments.
• Execute end-to-end audits in alignment with the annual audit plan, ensuring timely completion.
• Review audit outcomes and results, collaborating with key auditees to agree on remedial action plans and facilitate smooth audit processes.
• Leverage data analytics and automation to enhance the efficiency and quality of audit execution.
• Collaborate with key stakeholders within the divisional technology functions to enhance audit effectiveness.
• Stay informed about best practices in information security audits to ensure continuous improvement.
• Keep abreast of emerging security threats, trends, and technologies to enhance security posture and refine internal audit processes.

What Were Looking For:

• 5+ years of experience handling several technology audits including web applications. Experience with a Big 4 firm would be an advantage.
• Experience in conducting penetration testing using tools such as Burp suite, Metasploit, NMAP, Nessus, etc.
• Exposure to Python programming and awareness of generative AI technologies.
• Knowledge of risk management frameworks and proficient in carrying out in-depth Applications security including configurations.
• Strong knowledge of cloud security and best practices for cloud penetration testing.
• Familiarity with data analytics tools such as Alteryx, Power BI, and Tableau is an advantage.
• Excellent report writing skills
• Strong written and oral communication, approachable style, and well-developed negotiation and listening skills
• Demonstrated experience in strong work ethic, initiative, teamwork, and flexibility in meeting department goals.
• Excellent team collaboration skills to deliver results, innovate and strive for excellence.

Basic Qualifications:

• A Bachelor masters degree in information technology or computer science or related major

Preferred Qualifications:

• Certified Information Systems Auditor (CISA), or Certified Information Systems Security Professional CISSP, CEH, Red Team, or Equivalent.