Sr. Technology Risk & Controls Assurance Analyst
Job Description
CNA seeks to offer a comprehensive and competitive benefits package to our employees that helps them - and their family members - achieve their physical, financial, emotional and social wellbeing goals.
For a detailed look at CNA's benefits, check out our Candidate's Guide.
Continuous Process Monitoring
The CPM team's goal is to monitor all IT processes and related controls, assuring that controls are operating as intended and that control failures are identified in a timely manner and communicated to key stakeholders for proper mitigation before they pose a risk to the organization. The CPM program has been developed within CNA's first line of defense, with the CPM activities embedded within IT processes and management-level controls. The program is implemented for controls in CNA's process risk and control (PRC) framework as identified by control and process owners and other stakeholders.
The program also facilitates audit support for the CNA Technology organization, covering regulatory-related audits such as SOX, SOC1, HIPAA, NYDFS, State Examiners, OFAC, privacy laws, etc.
Job Summary
The Sr. Technology Controls Assurance Analyst will support the development, execution, and maintenance of a risk management framework by performing independent assessments of control design and operating effectiveness, and will assist business segments' risk teams in institutionalizing risk management programs. This position will test/audit new and existing Information Technology controls, support audit engagements, and work with multiple process owners to address any noted exceptions while collaborating with Enterprise Risk colleagues.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Evaluates designs and operational effectiveness of documented information technology controls by ascertaining alignment between controls and identified risks, and achievement of stated control objectives.
- Completes internal work papers within established timelines and provides appropriate support and justification for testing conclusions, issues and remediation plans.
- Delivers timely and pertinent analysis on control effectiveness results, highlighting areas requiring attention and follows up to ensure consistency with process owners and IT policies and procedures.
- Contributes to risk and control design assessments for information technology systems and processes, as well as risk mitigation and remediation strategies.
- Conducts IT reviews of systems, applications and IT processes. Performs reviews of IT processes and controls under the oversight of the Director, including identifying areas where technology units should consider changes to improve efficiency. Executes various other reviews of IT management policies and procedures, such as change management, business continuity planning/disaster recovery and information security, to ensure that controls surrounding these processes are adequate.
- Evaluates IT general computing controls and provides value-added feedback. Tests compliance with those controls. Coordinates with SOX teams as applicable through support of the audit engagement, including but not limited to evidence reviews, control evaluation, exposure checks and remediation actions.
- Supports audit engagements. The work will include managing audits, evaluating internal controls, reviewing audit evidence prior to submission to the auditors, communicating audit issues to management, creating memos supporting audit outcomes, and identifying and evaluating emerging areas of organizational risk.
- Applies appropriate risk assessment methodology and framework to policy / control exceptions to ensure risks are properly categorized and reported to management.
- Develops on-going technology risk reporting, monitoring key trends and defining metrics to measure and report on the effectiveness of information technology controls.
- Partners with Information Application Development teams to assist in designing the necessary technical and operational information security controls to ensure that security issues are addressed throughout the project life cycle, as needed.
May perform additional duties, as assigned.
Reporting Relationship
Typically reports to Director or above.
Skills, Knowledge & Abilities
- Firm commitment to staying informed and abreast of emerging IT and information security issues, industry trends etc.
- Solid understanding of IT infrastructure, security and application controls, operating models, methodology and approaches. Expert knowledge of internal auditing, internal controls, risk management and understanding of internal control environments within IT and some business functions.
- Experience with multiple technology domains including aspects of Windows, Mainframe, Unix and/or database administration, software development and networking.
- Ability to effectively communicate with all levels of employees within scope of responsibility.
- Ability to effectively prioritize and execute tasks in a fast-paced environment.
Education & Experience
- Bachelor's Degree required or equivalent work experience.
- Strong knowledge of IT control frameworks such as NIST CSF, ISO, COBIT and regulations in the financial services or insurance industry.
- 5 or more years of work experience in an IT audit capacity. Capable of analyzing complex processes, identifying relevant risks and controls, and designing appropriate control testing procedures.
- IT Risk and Compliance, Audit, or Quality certifications preferred (e.g. CISSP, CISM, CISA, CIA, CRISC, CGEIT, CIAC, ISO, etc.)
CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact [email protected].
Date Posted
06/29/2023