Lead Information Security and Privacy Auditor and Risk Analyst (Detroit)

GENERAL SUMMARY:

The Lead Information Security and Privacy Auditor and Risk Analyst functions as a highly skilled internal control and risk consultant responsible for leading internal privacy, security, risk and IT audits and assessments coordinating external privacy, security, risk and IT audits and assessment, providing risk education and project consulting services on behalf of the HFHS including all of its subsidiaries to mitigate risk and assess the control environment of each auditable unit.

The position conducts mandate, regulatory, statutory, vendor, legal, financial, and operational audits and assessments for operations including business processes and IT. The position requires technical and operational knowledge of information security, audit and risk best practices, as well as, legal and regulatory compliance requirements that impact privacy and security or introduce risk for the enterprise. The position will support HFHS as well as its subsidiaries.

The candidate must have the ability to develop work with minimal supervision, maintain and report against a work plan, as work progresses give appropriate updates and status reports, given scope and objectives and serve as a point of contact and liaison with internal and external auditors, assessors, vendors and clients and assist other staff members.

PRINCIPAL DUTIES AND RESPONSIBILITIES:

• Conduct internal audits, risk assessments and reviews on behalf of the corporation to identify issues and risks that could lead to operational, regulatory, compliance or strategic losses within the HFHS enterprise.
• Lead, coordinate and assist with the planning of risk and audit efforts to ensure successful and timely completion of assignments. Communicate issues, risks, audit results, and recommendations in a clear and concise manner to appropriate levels of operating, IT, and management staff.
• Train, educate, supervise, and assist in evaluating new and lower level IT audit and risk staff. Facilitate project risk assessments and lessons learned sessions.
• Maintain working knowledge of information technology, risk, audit, security and privacy practices, tools, processes and requirements.
• Effectively applies audit and risk methodologies as derived from standards for the professional practice of internal and information technology auditing (i.e. Institute of Internal Auditors (COSO), the Information Systems Audit & Control Association (COBIT), National Institute of Standards and Technology (NIST), BASEL, Information Standards Organization (ISO) and the Project Management Institute) as applicable to HFHS, its subsidiaries and vendors (e.g. HAP, CCS, Midwest) and provides recommendations to improve the control environment.
• Suggest improvements to audit and risk methodologies, policies, and procedures. Prepare, complete, and peer review audit work papers in a timely manner.
• Drives customer satisfaction surveying processes, fulfills client due diligence requests including the completion of questionnaires covering a wide variety of topics related to security, technology, privacy, business continuity and IT Recovery, risk, and networking; prepares supporting documentation packages to augment HFHS responses; creates custom packages in fulfillment of client special requirements.
• Provides project and strategy advisory services and supports the risk management program by executing assessments and conducting risk exception and acceptance practices.
• Coordinates vendor risk management activities by collaborating with other areas on third-party due diligence efforts in fulfillment of new and recurring Vendor Management risk assessments, audits and due diligence.
• Assists Director in the development, communication and performance of annual IT Risk Assessment covering specific topics as required for SOC and PCI Compliance audits; collaborates with Senior IT personnel to perform a comprehensive IT risk assessment; tracks progress and provides support for risk remediation efforts.
• Assists Director in the development, communication and performance of “periodic access reviews” on systems, network, and applications (logical) access; Creates preliminary “gap” reports showing findings and recommends actions to resolve issues.
• Responsible for maintenance of the standardized risk and Audit questionnaire and assessment processes for audits and assessment done against HFHS and its subsidiaries by third parties. Performs annual reviews of HFHS policies, procedures, diagrams, flow charts and related documentation used for due diligence, audits, and RFP’s; Collaborates with subject matter experts and technical writers to ensure documentation is accurate and kept current.
• Collaborates with HFHS Procurement and Compliance departments on third-party due diligence efforts in fulfillment of new and recurring Vendor Management risk assessments and due diligence.
• Represents HFHS and its subsidiaries on various internal and external committees and boards.
• Acts as the subject matter export and administrator of the enterprise GRC tool.
• Other duties may be assigned.