Abrigo is seeking a Senior IT Audit & Assurance Analyst to join our IT Risk & Assurance team, leading the execution of SOC audit engagements, IT internal audit coordination, IT internal control testing and monitoring, and risk assessment activities for a fast-paced fintech SaaS company serving community financial institutions nationwide.
This position is remote-primary and based in Raleigh, NC, with quarterly on-site team engagements (three days each) and periodic on-site visits during external audit fieldwork (up to three weeks annually). The role reports to leadership within the IT Risk & Assurance Team, which sits in an organization that operates under a security-first model led by the Chief Information Security Officer.
What You'll Do:
SOC & External Audit Engagement Management:
- Serve as a primary point of contact for external audit firms conducting enterprise SOC 1 and SOC 2 audit engagements, managing the engagement lifecycle from annual renewal and kickoff through final report issuance
- Manage ad-hoc SOC 1 and SOC 2 audit engagements for newly acquired products not yet in scope of the enterprise SOC reports
- Coordinate document requests, evidence collection timelines, and walkthrough scheduling with internal control owners across the organization
- Evaluate audit artifacts for completeness and accuracy before submission to external auditors
- Communicate preliminary audit findings to management and assist in drafting management responses
IT Internal Audit Coordination:
- Serve as the primary liaison with the external IT internal audit firm, managing document requests, walkthrough scheduling, and audit status reporting for audits aligned with FFIEC IT Handbook standards
- Perform walkthroughs with product teams and internal control owners to assess the IT internal control environment and recommend IT internal controls based on SOC and IT internal audit requirements
- Proactively identify control gaps and recommend remediation strategies to control owners
Risk Finding Management & Control Monitoring:
- Own the full lifecycle of the IT risk finding register, from opening findings through remediation closure, including escalation of overdue findings to management
- Document and process risk acceptance based on control owner feedback
- Perform ongoing monitoring of specific IT internal controls to ensure SOC and IT internal audit readiness throughout the year
- Perform periodic IT internal control testing to validate control design and operating effectiveness
- Conduct periodic risk finding reviews to verify findings were closed appropriately with supporting remediation evidence
Risk Assessments & Policy Coordination:
- Lead annual updates to IT risk assessments, including the FFIEC Cybersecurity Assessment Tool (CAT), NIST CSF control mappings, and CIS Controls risk assessments
- Lead the annual business impact analysis update, evaluating likelihood and impact of potential disruptions to the technology environment
- Coordinate the annual policy update cycle with policy owners, including documenting changes, presenting to the IT Steering Committee, and coordinating management and Board approval
- Perform additional IT risk and assurance duties as assigned to support the team's evolving needs
What You'll Need:
- Bachelor's degree in Information Systems, Accounting, Computer Science, or a related discipline; equivalent professional experience may be substituted for a degree
- 3-6 years of experience in IT audit, IT risk, or IT compliance, such as advisory services at a CPA or consulting firm, IT internal audit at a financial institution, or GRC at a technology company
- Hands-on experience managing or significantly contributing to SOC 1/SOC 2 audit engagements, including evidence collection and walkthrough coordination
- Working knowledge of IT general controls and their application to SOC trust services criteria and/or FFIEC IT Handbook examination standards
- Demonstrated experience performing IT internal control testing and evaluating control effectiveness
- Experience maintaining risk finding registers and managing risk remediation lifecycles
- Familiarity with IT risk assessment frameworks such as FFIEC CAT, NIST CSF, or CIS Controls
- Strong written and verbal communication skills with the ability to interact effectively with external auditors, internal control owners, and management
- Strong organizational skills and the ability to independently manage multiple audit and assurance workstreams in a remote-primary environment
- Must be available for quarterly on-site team engagements in Raleigh, NC and periodic on-site visits during external audit fieldwork
Preferred:
- CISA (Certified Information Systems Auditor) or CRISC (Certified in Risk and Information Systems Control)
- Experience in the financial services, banking, or fintech industry
- Experience with FFIEC regulatory examinations or bank/credit union technology audit programs
- Experience with SaaS/cloud environments (AWS, Azure) and understanding of shared responsibility models
- Experience coordinating with outsourced or co-sourced internal audit functions
What You'll Get:
- Market competitive total rewards package
- To be part of the Heart & SOUL of a winning company with an inspiring mission
- The opportunity to Make Big Things Happen
- Competitive salary along with full health benefits with an HSA option
- Flexible PTO and bank holidays
- 401(k) plan and company match