Geico

Director, SOX Program Management Office

$146K - $229K
Finance & Insurance
Job Overview by Ladders

Qualifications

  • 10-12+ years of experience in ICFR, SOX program management, public accounting, or financial controls leadership.
  • Bachelor’s degree in Accounting, Finance, Information Systems, or related discipline.
  • Active CPA certification required.
  • Proven experience managing an end-to-end SOX program, including certification cycles for an SEC registrant.
  • Strong knowledge of COSO 2013 framework, PCAOB standards, and SEC ICFR guidance.
  • Familiarity with NAIC Model Audit Rule and statutory financial reporting requirements.
  • Ability to collaborate effectively with IT specialists and external auditors.

Responsibilities

  • Lead the annual lifecycle of the SOX program, including planning and execution oversight.
  • Align the SOX program with the parent company's corporate methodology while tailoring execution to the business model.
  • Continuously improve the SOX operating model, defining roles and key milestones.
  • Drive risk assessment and scoping for SOX compliance, including financial and qualitative factors.
  • Own business process control frameworks and documentation standards across various finance functions.
  • Govern IT general controls, ensuring compliance across relevant systems and applications.
  • Oversee the Model Audit Rule program, integrating it with SOX objectives to manage statutory financial reporting.

Benefits

  • Comprehensive healthcare options including medical, dental, and vision coverage.
  • 401(k) savings plan with company match.
  • Paid time off including vacation and holidays.
  • Employee discounts on company products and services.
  • Professional development programs and continuous learning opportunities.

Full Job Description

The Director, SOX Program Management Office (PMO) leads the company’s Sarbanes-Oxley compliance program end-to-end and serves as the single accountable management owner for the design, documentation, and operating governance of Internal Control over Financial Reporting (ICFR) across both business processes and technology. The Director also owns the company’s NAIC Model Audit Rule (MAR) ICFR program for statutory financial reporting, operated as an integrated extension of SOX given the substantial overlap in controls, processes, and evidence. The role reports directly to the Controller and partners closely with the CFO, Internal Auditors, External Auditors, CIO, and the parent company’s Corporate SOX function to deliver an effective, efficient, and risk-aligned controls program in support of management’s assertions under Sections 302 and 404 of Sarbanes-Oxley and Section 16 of the NAIC Annual Financial Reporting Model Regulation (Model #205).

Independent testing of controls is performed by a separate, independent function. The Director owns the program, the framework, and the partnership with control owners, and is not responsible for performing or directing independent testing.

ROLE IN CONTEXT: THREE LINES ALIGNMENT

This role is positioned as a function within Finance with strong governance lines into IT and business process owners.

Function and its accountability for SOX / ICFR:

  • Process & Control Owners (Finance, Claims, Underwriting, Actuarial, IT, etc.): design, consistently execute, and self-attest to controls; own remediation of identified deficiencies.
  • SOX PMO (this role): owns the SOX program, including scoping, risk assessment, control framework, documentation standards, deficiency aggregation, and reporting.
  • Internal Audit: independent testing of ICFR and a separate independent audit of the test results.

KEY RESPONSIBILITIES

1. SOX Program Leadership and Strategy
  • Own the annual SOX program lifecycle for the entity, including scoping, planning, execution oversight, control automation and optimization efforts, deficiency evaluation, certification support, and year-end conclusion.
  • Maintain alignment with the parent company’s consolidated SOX program, including conformity with corporate methodology, scoping thresholds, and reporting cadences, while tailoring execution to the carrier’s P&C business model.
  • Define and continuously improve the SOX operating model, including roles, RACI, calendar, key milestones, and intersection points with External Audit, Internal Audit, and IT.
  • Drive program efficiency through control rationalization, automation, continuous controls monitoring, and AI-enabled documentation and review.
2. Risk Assessment and Scoping
  • Lead the annual SOX risk assessment covering financial statement materiality, qualitative factors, fraud risk, and significant accounts and disclosures.
  • Determine in-scope entities, locations, processes, applications, and service providers (including SOC reliance) using a documented, defensible methodology.
  • Maintain SOX risk and control inventory, Key and non-Key designations, and accuracy of ownership, related systems and reports, etc.
  • Drive continuous updates where applicable due to changes in process, system, volumes, and/or accounting guidance.  
3. Business Process ICFR Ownership
  • Own the framework, documentation standards, and quality of business process flowcharts and risk-and-control matrices (RCMs).
  • Partner with process owners across Finance, Actuarial, Claims, Underwriting, Premium, Reinsurance, Treasury, and Tax to ensure controls are well-designed, properly documented, and operating as intended.
  • Apply heightened rigor to Management Review Controls (MRCs), addressing precision, evidence of review, criteria, and outlier follow-through consistent with PCAOB expectations.
  • Review controls over the financial close such as journal entries, account reconciliations, and disclosure committee processes.
  • Govern the entity-level control (ELC) and COSO framework.
4. Technology ICFR (ITGC and Automated/IPE Controls) Ownership
  • Own the IT general controls (ITGC) framework in partnership with IT leadership, covering logical access, change management, computer operations, and SDLC for in-scope systems (policy administration, claims, billing, general ledger, reserving, reinsurance, data warehouses, and reporting).
  • Drive standards for automated application controls, system-generated reports, and Information Produced by the Entity (IPE), including completeness and accuracy validation.
  • Govern the SOC reliance program for in-scope service providers: bridge letter monitoring, CUEC evaluation, and gap remediation.
  • Support cloud, RPA, and AI/agentic system controls evaluation as the technology footprint evolves; coordinate with the AI governance and TPRM functions on emerging risks.
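The completeness-and-accuracy validation called out for IPE above, shown here as an added worked example that is not code from the posting or from GEICO: a Python check that compares a system-generated report against the extract taken from the system of record. It checks the report parameters (period), completeness (record count and key set), and accuracy (control total and per-record amounts), and records a SHA-256 fingerprint of the validated report for the evidence file. The GL extract, the report rows, the `je_id`/`amount` column names and the period parameter are all constructed assumptions for illustration.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample data (not from the posting): a general-ledger extract taken
# directly from the system of record, and the system-generated report that a
# control owner would use as evidence for a reconciliation review.
SOURCE_EXTRACT = """je_id,account,period,amount
JE-1001,2100,2024-12,1500.00
JE-1002,2100,2024-12,-250.00
JE-1003,2300,2024-12,980.55
JE-1004,2300,2024-12,120.00
"""

REPORT_CLEAN = SOURCE_EXTRACT

# The same report with one row dropped and one amount raised by the same
# 120.00: the control total still agrees, so a total-only check would pass it.
REPORT_BAD = """je_id,account,period,amount
JE-1001,2100,2024-12,1500.00
JE-1002,2100,2024-12,-250.00
JE-1003,2300,2024-12,1100.55
"""


def parse(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fingerprint(rows, key="je_id"):
    """SHA-256 over the canonically ordered rows, retained as evidence that the
    report the reviewer looked at is the one that was validated."""
    ordered = sorted(rows, key=lambda r: r[key])
    canon = "\n".join(",".join(f"{k}={r[k]}" for k in sorted(r)) for r in ordered)
    return hashlib.sha256(canon.encode()).hexdigest()


def validate_ipe(source_rows, report_rows, expected_period, key="je_id", amount="amount"):
    """Return {'passed', 'findings', 'report_sha256'} for one IPE C&A check."""
    findings = []

    # 1. Parameters: every report row must fall in the period the control covers.
    off_period = sorted(r[key] for r in report_rows if r["period"] != expected_period)
    if off_period:
        findings.append(f"parameter: rows outside {expected_period}: {off_period}")

    # 2. Completeness: record count and key set must match the source extract.
    src = {r[key]: r for r in source_rows}
    rpt = {r[key]: r for r in report_rows}
    if len(report_rows) != len(source_rows):
        findings.append(f"completeness: {len(report_rows)} report rows vs {len(source_rows)} source rows")
    missing = sorted(src.keys() - rpt.keys())
    extra = sorted(rpt.keys() - src.keys())
    if missing:
        findings.append(f"completeness: missing from report: {missing}")
    if extra:
        findings.append(f"completeness: not in source: {extra}")

    # 3. Accuracy: control total plus per-record amounts. Decimal avoids float drift.
    src_total = sum(Decimal(r[amount]) for r in source_rows)
    rpt_total = sum(Decimal(r[amount]) for r in report_rows)
    if src_total != rpt_total:
        findings.append(f"accuracy: control total {rpt_total} vs source {src_total}")
    for k in sorted(src.keys() & rpt.keys()):
        if Decimal(src[k][amount]) != Decimal(rpt[k][amount]):
            findings.append(f"accuracy: {k} amount {rpt[k][amount]} vs source {src[k][amount]}")

    return {"passed": not findings, "findings": findings, "report_sha256": fingerprint(report_rows, key)}


def run_samples():
    """Validate the clean and the defective constructed reports against the extract."""
    source = parse(SOURCE_EXTRACT)
    clean = validate_ipe(source, parse(REPORT_CLEAN), "2024-12")
    bad = validate_ipe(source, parse(REPORT_BAD), "2024-12")
    return clean, bad


if __name__ == "__main__":
    for label, result in zip(("clean", "bad"), run_samples()):
        print(label, "passed" if result["passed"] else "FAILED", result["report_sha256"][:16])
        for f in result["findings"]:
            print("  -", f)
```

The defective report is the reason the check looks at counts and keys as well as the control total: a dropped row and an offsetting misstatement leave the total unchanged, which is exactly the case a total-only "tie-out" misses. The fingerprint ties the evidence the reviewer signed off on to the data that was actually validated.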
5. Model Audit Rule (MAR) Statutory ICFR Oversight
  • Own the carrier’s annual MAR program under the NAIC Annual Financial Reporting Model Regulation (Model #205), Section 16, including Management’s Report of Internal Control over Financial Reporting for the statutory financial statements.
  • Operate MAR as an integrated extension of SOX: leverage the same control inventory, evidence, walkthroughs, and GRC tooling wherever the underlying control achieves both objectives; isolate and govern the statutory-only delta.
  • Maintain the MAR scoping rationale for statutory-specific accounts and assertions, including loss and LAE reserves on a statutory basis, premium deficiency, reinsurance recoverable and Schedule F provisioning, investment valuation under SAP, surplus, and the RBC inputs that flow from controlled processes.
  • Prepare Management’s Report of Internal Control over Financial Reporting and supporting documentation for inclusion in the statutory audit package filed with the domestic Department of Insurance.
  • Monitor NAIC and state DOI guidance for changes to MAR thresholds, scope, and reporting expectations, and adjust the program accordingly.
6. Deficiency Management and Remediation Oversight
  • Partner with Internal Audit on the deficiency intake and evaluation process: aggregation, severity assessment (deficiency, significant deficiency, material weakness), and disposition tracking.
  • Partner with control owners to develop outcome-based remediation plans, monitor milestones, and confirm management readiness for retest by Internal Audit.
  • Maintain the deficiency log of record and ensure timely communication to the Controller, CFO, and Audit.
7. External Auditor and Parent Company Coordination
  • Serve as management’s primary point of contact for the External Auditor on SOX matters: walkthroughs, control selections, PBC requests, deficiency discussions, and reliance decisions.
  • Facilitate reliance discussions between External Audit and Internal Audit when applicable.
8. Certification, Reporting, and Governance
  • Operate the quarterly and annual sub-certification process supporting CEO/CFO 302 and 404 certifications.
  • Prepare materials for the Controller, CFO, and Head of Internal Audit, including program status, scope changes, deficiency trends, and remediation health.
  • Maintain SOX program documentation in the GRC platform (AuditBoard) as the system of record, with clean lineage from risk to assertion to control to owner to evidence.
9. Team Leadership and Talent Development
  • Lead, coach, and develop a high-performing SOX PMO team across business and IT ICFR domains.
  • Build technical depth and continuous education on PCAOB, SEC, and emerging technology controls.
  • Foster a culture of candor, ownership, and continuous improvement aligned with the Controller’s values.
QUALIFICATIONS

Required
  • 10-12+ years of progressive experience in ICFR, SOX program management, public accounting, or financial controls leadership, including time in a Big Four or large national public accounting firm.
  • Bachelor’s degree in Accounting, Finance, Information Systems, or related discipline.
  • Active CPA in good standing.
  • Demonstrated ownership of an end-to-end SOX program for an SEC registrant or a subsidiary of an SEC registrant, including 302/404 certification cycles.
  • Deep working knowledge of COSO 2013 Internal Control — Integrated Framework, PCAOB AS 2201, and SEC interpretive guidance on ICFR.
  • Working knowledge of the NAIC Model Audit Rule (Model #205), including Management’s Report of Internal Control over Financial Reporting for statutory filings, and the practical integration of MAR with a SOX program.
  • Working knowledge of ITGC frameworks and IT-dependent controls, with the ability to partner with IT control specialists.
  • Track record of partnering effectively with External Auditors and managing audit issues to resolution.
Strongly Preferred
  • Property & Casualty insurance industry experience, including familiarity with statutory accounting, loss reserves, premium recognition, reinsurance, and investment accounting.
  • Hands-on experience with AuditBoard (SOXHUB) or comparable GRC platforms (Workiva, Archer, ServiceNow GRC).
  • Additional certifications: CIA, CISA, CISM, or CFE.
  • Experience driving control rationalization, automation of controls, and use of AI/analytics to scale SOX execution.
  • Familiarity with NAIC, NYDFS, and state DOI expectations as they relate to internal controls and corporate governance disclosures (e.g., CGAD).

Annual Salary

$146,575.00 - $229,600.00

The above annual salary range is a general guideline. Multiple factors are taken into consideration to arrive at the final hourly rate/annual salary offered to the selected candidate. Factors include, but are not limited to, the scope and responsibilities of the role, the selected candidate’s work experience, education and training, the work location, and market and business considerations.

At this time, GEICO will not sponsor a new applicant for employment authorization for this position.

About Geico

GEICO (Government Employees Insurance Company) is an American auto insurance company headquartered in Chevy Chase, Maryland. It is the second largest auto insurer in the United States, after State Farm. GEICO is a wholly owned subsidiary of Berkshire Hathaway and, as of 2017, provided coverage for more than 24 million motor vehicles owned by more than 15 million policyholders. GEICO writes private passenger automobile insurance in all 50 U.S. states and the District of Columbia. It sells policies through local agents called GEICO Field Representatives, directly to consumers over the phone, and through its website.
Size: 40,000 employees
Founded: 1936