Manager/General Manager – IT General Controls

THE ROLE

This role is focused on evaluating and reviewing IT General Controls (ITGCs) and providing assessments for critical IT areas such as Segregation of Duties (SOD), Access Management, Role Review, and Application Control at the design level. He/She should have a strong understanding of internal controls, access management processes, risk management, and control design frameworks, and will be responsible for ensuring that the organization’s IT systems meet regulatory and compliance requirements.

REPORTING STRUCTURE

Functional Team: IT General Controls, Risk & Internal Control Head

Base Location: GBSI – Mumbai OR Chennai

PURPOSE

The Purpose is to review and evaluate the IT General Controls (ITGCs) and providing assessments for critical IT areas such as Segregation of Duties (SOD), Access Management, Role Review, and Application Control at the design level. They play a crucial role in defining the access control framework, change management control for the varied application that are being used by the organization and instill better governance and internal control from IT applications standpoint.

KEY RESPONSIBILITIES

1) Segregation of Duties (SOD) Review:

• Perform detailed SOD analysis and testing to ensure proper segregation of duties in key business processes.
• Identify potential conflicts in user access roles and recommend corrective actions to mitigate risks related to unauthorized access or fraudulent activities.
• Conduct SOD assessments at the design level, analyzing roles, permissions, and access configurations to confirm compliance with the organization’s internal policies and external regulations.

2) Access Review and Management:

• Perform periodic access reviews, ensuring that user access levels are aligned with job responsibilities and the principle of least privilege.
• Evaluate user provisioning and de-provisioning processes to ensure timely and accurate access changes based on employee role transitions.
• Work with IT and HR teams to conduct audits of access control lists, identify unnecessary access, and recommend actions to minimize security risks.
• Assess the design and configuration of access control mechanisms, ensuring appropriate authentication and authorization controls

3) Role Review and Role Design:

• Conduct role-based access control (RBAC) reviews at the design level to ensure that user roles are properly defined, and access is appropriately restricted based on the role.
• Collaborate with business units and IT teams to validate role definitions and user permissions within critical applications and systems.
• Perform design-level assessments of role-based frameworks to ensure they meet security standards and comply with regulatory requirements.

4) Application Control Review:

• Review and assess application controls at the design level, ensuring that key applications are properly configured to meet security, compliance, and operational requirements.
• Perform walkthroughs of application design to assess the effectiveness of security controls, data integrity, and system functionality.
• Assess controls related to data input, processing, and output within applications to prevent unauthorized transactions, data breaches, or data loss.
• Conduct gap analysis between design-level controls and actual implementation to identify risks or deficiencies in application security.

5) General IT Control and Risk Assessment:

• Evaluate the effectiveness of ITGCs (e.g., access management, change management, data backup, and recovery processes) through detailed reviews and testing.
• Identify and evaluate risks related to the design and implementation of IT controls and recommend improvements or remediation actions.
• Support internal and external audits by providing necessary documentation and evidence of control design and effectiveness.

6) Reporting and Documentation:

• Develop detailed reports documenting findings from SOD, access, role, and application control reviews.
• Provide actionable recommendations for remediation based on identified control weaknesses.
• Maintain and update documentation related to control design and review processes, ensuring alignment with regulatory standards and company policies.

QUALIFICATION & CERTIFICATIONS

• Bachelor's degree in Computer Science, Information Technology, or a related field.
• 5-6 years of relevant experience in IT governance, risk management, or internal auditing, with a focus on ITGCs, SOD, access management, and application control reviews.
• Strong knowledge of control frameworks such as COBIT, ITIL, ISO 27001, and NIST.
• Familiarity with ERP systems and applications, including role-based access control (RBAC) and security configurations.
• Experience with conducting design-level reviews for ITGCs, SOD, access controls, and application security.
• Proficiency in regulatory requirements (e.g., SOX, GDPR, HIPAA) and industry best practices.
• Experience with audit tools and software for testing and documenting ITGCs and controls.
• Strong analytical, communication, and reporting skills.
• Ability to collaborate with cross-functional teams, including business users, IT teams, and auditors.
• Relevant certifications such as CISA, CRISC, CISSP, or similar.
• Familiarity with cybersecurity principles, data protection regulations, and risk management strategies.
• Experience with cloud security and managing access and control in cloud-based environments (e.g., AWS, Azure).