Full Job Description
We are seeking an experienced IT Controls Lead to be a part of the Global Financial Controls IT pillar, which covers SOX, SOC 1 and SOC 2 controls across a complex, regulated financial services organization.
This role combines strategic program leadership with hands-on control testing expertise, including IT General Controls (ITGCs) and application controls (ITACs), as well as working knowledge of business process controls. The Lead is responsible for ensuring SOC reporting is accurate, complete, and audit-defensible, while also validating the effectiveness of controls through independent testing and technical review.
The role operates as a trusted authority on SOC standards, control design, testing methodologies, and audit positioning-expected to independently challenge conclusions, validate testing approaches, and influence outcomes across internal stakeholders and external auditors.
Key Responsibilities
• Serve as a senior subject matter expert for SOX and SOC governance, including scoping strategy, control advisory, and reporting standards.
• Establish and maintain control inventories, risk mappings, and report structures.
• Define expectations for control descriptions, frequency, evidence quality, and audit defensibility across the program.
• Evaluate system, process, and organizational changes for potential impact.
• Perform and/or oversee independent testing of IT General Controls (ITGCs) (access management, change management, computer operations, etc.) and IT Application Controls (ITACs) and automated controls.
• Evaluate both control design and operating effectiveness, including, sampling methodologies and population completeness, evidence inspection and re-performance where required, validation of system-generated reports and data dependencies.
• Identify, document, and evaluate control exceptions, including root cause and risk implications.
• Provide authoritative interpretation of SOX/SOC standards, AICPA guidance, and auditor expectations.
• Define and challenge testing approaches, population scoping, and evidence sufficiency.
• Assess complex or ambiguous scenarios and determine impact on SOC control objectives, Report disclosures, Auditor conclusions, etc.
• Coordination with Audit Services and Technology Risk & Control.
• Act as a primary counterpart to external auditors (e.g., KPMG).
• Lead or oversee walkthroughs, testing discussions, and issue resolution.
• Review and challenge auditor testing procedures and sampling approaches, identified exceptions and proposed conclusions, and draft SOC report language and disclosures.
• Oversee SOC and SOX related issues, including exceptions and control deficiencies.
• Evaluate whether audit findings, technology risks, or control failures impact external reporting.
• Advise management on risk-based remediation strategies and prioritization.
• Ensure management responses are clear, accurate, and audit-ready.
• Align SOC, SOX and ITGC testing approaches to create consistency in control narratives, testing methodologies, and evidence expectations.
• Resolve discrepancies in control interpretation or testing outcomes.
• Support broader control environment rationalization and standardization.
• Influence senior stakeholders and control owners without formal authority.
• Provide guidance on control design improvements, evidence expectations, and testing readiness.
• Translate complex technical and audit issues into clear executive-level messaging.
• Identify opportunities to strengthen control design and completeness risk coverage.
• Stay current on SOC guidance, IT control testing practices, and regulatory expectations.
Required Qualifications
• 8-10+ years of experience in SOC reporting, IT audit, IT risk, or control testing
• Deep expertise in:
- SOX, SOC 1 and SOC 2 frameworks
- ITGCs, ITACs, and business process controls
- Control design and operating effectiveness testing
• Demonstrated experience performing or overseeing end-to-end control testing.
• Ability to challenge testing approaches and auditor conclusions with strong technical rationale.
• Strong understanding of technology environments and data flows supporting control execution.
• Exceptional written and verbal communication skills.
Strongly Preferred Qualifications
• Prior Big 4 experience (SOC reporting or IT audit)
• Experience in financial services / regulated environments
• Direct involvement in:
- SOC report drafting and review
- Management assertions and auditor language
• Familiarity with SOX, COSO, NIST, and ITGC frameworks
• Professional certifications: CPA, CISA, CISSP
Working Model: Hybrid (#LI-Hybrid)
We have a balanced hybrid working model to ensure you get the flexibility you need, and the successful candidate will spend their time between working in the office and working from home.
Salary Range:
$85,900 - 145,900 USD
Salary range is a good faith estimate of base pay. Northern Trust provides a comprehensive benefits package including retirement benefits (401k and pension), health and welfare benefits (medical, dental, vision, spending accounts and disability), paid time off, parental and caregiver leave, life & accident insurance, and other voluntary and well-being benefits. Northern Trust also provides a discretionary bonus program that may include an equity component.
