The role provides independent and objective assurance and advisory support to enhance organizational effectiveness and risk mitigation. The role evaluates the reliability and effectiveness of risk management, governance, and internal control processes across financial, operational, strategic, information technology, compliance, and investigation audits. The position tests and evaluates financial records, transactions, processes, and systems for SOX compliance with applicable laws, policies, and agreements. The role works collaboratively with internal compliance functions and external auditors to identify gaps, anticipate risks, and strengthen controls. The role reports audit findings, risks, and actionable recommendations to management to support informed decision-making and continuous improvement.
Sarbanes Oxley (SOX) Control Design and Testing (~60 – 70%):
Perform all aspects of the Company’s SOX-404 compliance program for IT including maintining the risk and controls matrix, providing control training, performing control walkthroughs and testing IT controls throughout the year and closely aligning with the external auditors. Areas of focus include:
RCM: Working with IT management and the external auditors, proactively maintain and update RCM for all IT controls, ensuring that Company has appropriate and properly definced controls to address risks and ensuring that the RCM is updated for process and system changes and to address changes in risks.
IT General Controls (ITGCs): Test the Company’s controls around logical access, change management, and computer operations for all in-scope IT systems and related infrastructure.
SoD: Ensure the Company has effective controls to identify and address segregation of duties (SoD) conflicts and periodically test the operating effectiveness of the SoD controls.
Sarbanes Oxley (SOX) Control Design and Testing (~60 – 70%):
Perform all aspects of the Company’s SOX-404 compliance program for IT including maintining the risk and controls matrix, providing control training, performing control walkthroughs and testing IT controls throughout the year and closely aligning with the external auditors. Areas of focus include:
RCM: Working with IT management and the external auditors, proactively maintain and update RCM for all IT controls, ensuring that Company has appropriate and properly definced controls to address risks and ensuring that the RCM is updated for process and system changes and to address changes in risks.
IT General Controls (ITGCs): Test the Company’s controls around logical access, change management, and computer operations for all in-scope IT systems and related infrastructure.
SoD: Ensure the Company has effective controls to identify and address segregation of duties (SoD) conflicts and periodically test the operating effectiveness of the SoD controls.
Logical Access: Ensure the Company has appropriately designed logical access controls and test the operating effectiveness of these controls, including testing and approval of access prior to granting access, including the recertication of access and role to permissions on a semi-annual basis.
Change management: Ensure the Company has appropriately designed change management controls and test the operating effectiveness of these controls, including testing and approval of changes, including emergency changes, and developer access to production enviornments.
IT Application Controls (ITAC): Identify and test the automated or semi-automated controls embedded within the Company’s IT systems (e.g. automated calculations, 3-way matching) and interfaces between systems (internal systems and with external partners) and test their configuration and operating effectiveness.
Key Reports: Identify and test key reports, including configuration and SQL code, relied on by the business to perform and execute SOX Business Process Controls to ensure reports are complete and accurate.
SOC Reports: Identify and review S OC reports for key thirs parties relied upon for the key controls to evaluate the report’s opion, Completementary User Entity Controls (CUECs), Completementary Subservice Organixation Controls (CSOC), Defieciencies, and possible gaps between the control desgin and operating effectivness of the Business and the Service Organization. Test the effectiveness of the SOC reviews performed by the business owners.
Non-IT Testing: Perform testing of selected Business Process controls or cycles as assigned by Internal Audit management.
Coordinate external auditors: Serve as the central liaison with the external auditors to facilitate SOX testing and control walkthroughs and to stay aligned on risks, deficiencies and remediation.
Provide Control Training: Provide new hire and periodic refresher training on IT control requirements to SOX control owners to ensure control expectations are understood.
Document and Communicate Results: Document all test results and findings in the Optro system and ensure deficiencies are communicated effectively and timely to control and process owners.
Remediation: Work with control owners to design and implement remediation for control deficiences and regularly follow-up to ensure that remediation is implemented effectively and on-time.
IT System Implementations, Operational Audits and Control Advisory (~30 – 40%):
Support the Company’s non-SOX priorities, including new system implementations, operational audits and control advisory work and stay closely aligned with the IT team to identify risks and changes and support IT initiatives.
IT Team Liason: Stay closely aligned with the IT team to identify emerging risks and changes to IT systems and controls and update Internal Audit management on risks and changes.
IT System Implementations: Shadow new IT system implementations, including the in-process SAP implementaiton, to help with the design and implementation of new controls and to test the effectiveness of the controls and implementaiton, including change management, project management and compliance with Amneals System Development Lifecycle (SDLC) policy.
Operational Audits: Perform operational audits as assigned, including audits of IT infrastructure controls, cloud security, disaster recovery, and backup processes. Also support operational audits of non-IT areas, including business processes and compliance audits, as assigned. May require the travelling to the location.
Audit Reporting/Communication: Document audit statuses, findings, and recommendations for use in internal audit reports and presentations. Keep consistent communication with internal management and external auditors to stay aligned on control and deficiency statuses.
Control Advisory: Proactively identify and recommend improvements to IT policies, controls and processes. Work closely with management to develop action plans and monitor progress, and ensure compliance with company policies, procedures, and regulatory requirements.
Analyze data anomalies: Use data analytics to identify system transaction errors, operational bottlenecks, and potential fraud risks.