Senior IT Auditor

Ethos is a leading life insurance technology company on a mission to protect families by democratizing access to life insurance and empowering agents at scale. With its robust three-sided technology platform, Ethos is transforming the life insurance experience for consumers, agents, and carriers alike. Ethos offers instant, accessible products and a seamless online process that requires no medical exams and just a few health questions; it eliminates traditional barriers, making it easier than ever for everyone to protect their families. Ethos is redefining how life insurance is bought, sold, and underwritten.

The Senior GRC Analyst is responsible for supporting the organization's information security governance, risk, and compliance activities. This role involves ensuring that the organization’s security policies, procedures, and practices are aligned with regulatory requirements, industry standards, and best practices. The ideal candidate will have a strong understanding of information Security & Privacy principles, Third Party Vendor Risk management, ITGC & SOC2 audit controls, and the ability to communicate complex security issues to various stakeholders.

• Evaluate the design and effectiveness of IT governance frameworks to ensure compliance with SOX 404 and organizational objectives.
• Ensure alignment of IT controls with business objectives and regulatory requirements.
• Perform independent assessments of the IT control environment to identify gaps in the governance structure.

• Lead the end-to-end execution of IT General Controls (ITGC) testing across domains including Logical Access, Change Management, and IT Operations.
• Perform walkthroughs and testing of Automated Application Controls and Manual-Dependent Controls to ensure system-generated data is reliable.
• Assess Segregation of Duties (SoD) within key ERP systems and financial applications, identifying and validating mitigating controls where necessary.
• Execute rigorous testing of Information Produced by Entity (IPE) and Information Used in Control (IUC) to ensure completeness and accuracy.
• Perform SOC 1 and SOC 2 Type II report evaluations, specifically mapping Complementary User Entity Controls (CUECs) to internal control environments.
• Identify, document, and communicate control deficiencies (SD/MW) to stakeholders and track remediation efforts to completion.

• Assist in the annual Top-Down Risk Assessment (TDRA) to define the scope of the IT SOX program.
• Conduct targeted pre-implementation reviews for new systems or significant process changes to ensure "security by design" and auditability.
• Partner with business and IT process owners to provide technical expertise on control design and process optimization.
• Stay current on PCAOB trends and emerging IT audit methodologies to improve audit efficiency.

• Maintain comprehensive and accurate workpapers related to SOX compliance, meeting "reperformance" standards.
• Prepare and present audit findings and executive summaries on the organization's compliance status to senior management.
• Ensure all documentation is in compliance with Internal Audit standards and external auditor expectations.

• Bachelor’s degree in Accounting Information Systems (AIS), Management Information Systems (MIS), Finance, or a related field.
• Experience: 4-5+ years of direct experience in IT Audit, preferably within a large-scale corporate environment or a professional services firm.
• Technical Expertise: Extensive experience in ITGC testing, SOX 404 requirements, and testing of automated business process controls.
• Strong understanding of IPE/IUC requirements and the ability to validate data integrity from source to report.
• Proficiency in auditing diverse environments (e.g., AWS/Azure cloud, SAP, Oracle, or SQL databases).
• Extensive experience in SOC Report analysis with hands-on expertise in interpreting SOC 1 Type II Bridge Letters and CUECs.
• Excellent communication skills, with the ability to convey technical control deficiencies to financial controllers and process owners.
• Certifications: Relevant certifications such as CISA (required), CISSP, CPA, or CIA are highly desirable.