SOX Audit Analyst

Insight Global
Schiller Park, IL

Job Description

Support the Governance, Risk, and Compliance (GRC) program with a focus on SOX (ITGC/ITAC), audit readiness, third-party risk management (TPRM), and ongoing compliance activities. This role partners with control owners across IT, Security, Procurement, Legal, Finance, and business teams to collect evidence, document controls, coordinate assessments, track remediation, and maintain GRC records so audits and vendor assurance processes run smoothly.

Key Responsibilities

SOX support (ITGC/ITAC)

Support the SOX IT program by assisting with scoping, control walkthrough scheduling, evidence requests, and audit calendar tracking.

Collect, validate, and organize audit evidence for ITGC and ITAC areas such as access management, change management, operations, backups, logging, and job scheduling.

Maintain PBC trackers, ensure evidence meets auditor expectations, and follow up with control owners to close gaps.

Assist with control testing activities (for example sampling support, documentation review, evidence tie-out) under direction of GRC or IT Audit leadership.

Control documentation and maintenance

Draft and maintain control narratives, procedures, and control matrices, ensuring traceability between risks, controls, and requirements.

Support periodic control reviews, update process flows, and help keep policies and standards aligned to current practices.

Identify opportunities to standardize and streamline evidence collection, including reusable evidence packs.

Issue management and remediation tracking

Log findings, observations, and control gaps in the GRC system, and track remediation plans, due dates, and status updates.

Coordinate with control owners to gather remediation evidence and support retesting cycles.

Maintain an exception process (where applicable) by collecting approvals, documenting compensating controls, and tracking expiration dates.

Third-party risk management (TPRM)

Coordinate vendor risk assessments end-to-end: intake, scoping, questionnaire distribution, evidence requests, and follow-ups with vendors and internal stakeholders (Procurement, Legal, Security, and business owners).

Perform initial reviews of vendor security documentation (examples: SOC 1/SOC 2 reports, ISO certificates, pen test summaries, security policies) and summarize key risks, gaps, and compensating controls for review.

Maintain vendor risk records in the TPRM/GRC tool, including inherent risk ratings, residual risk notes, approvals, and re-assessment schedules.

Track remediation commitments (for example POAMs), validate closure evidence where applicable, and support periodic re-evaluations.

Support contract and onboarding workflows by ensuring required security and privacy artifacts are collected and recorded (for example DPAs, security addenda, data flow summaries), partnering with Legal as needed.

Maintain third-party inventory data quality: system access, data types handled (PII/PHI/PCI), integrations, sub-processors, and criticality tiering.

Compliance activities beyond SOX

Support other compliance and assurance efforts (examples: ISO 27001, SOC 1/SOC 2, NIST, PCI, privacy obligations) by gathering evidence and maintaining documentation packages.

Assist with internal readiness activities for external assessments by maintaining audit artifacts, trackers, and evidence repositories.

Metrics, reporting, and GRC tooling

Maintain dashboards and trackers for audit status, open issues, vendor assessment status, overdue items, and evidence completeness.

Update risk register entries, control library records, and audit artifacts in the GRC platform (examples: ServiceNow GRC, Archer, AuditBoard).

Help improve data quality in the GRC system through consistent naming conventions, tagging, and document control.

Success Measures (first 3 to 6 months)

Evidence is submitted on time, complete, and in auditor-ready format with fewer back-and-forth requests.

Vendor assessments are completed within agreed SLAs, with clear documentation of risk decisions and approvals.

SOX and audit trackers are accurate and kept current, and open issues have current status and due dates.

Control documentation reflects current processes and is easy for auditors and control owners to follow.

We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to [email protected]. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy:

Skills and Requirements

2+ years of experience in GRC, IT audit, SOX compliance, risk management, or third-party/vendor risk.

Working knowledge of SOX ITGC concepts and common domains (access, change, operations).

Familiarity with vendor assurance artifacts (SOC reports, ISO certs, security questionnaires) and basic security/privacy concepts.

Strong documentation skills and attention to detail (process narratives, evidence indexing, version control).

Ability to work cross-functionally and follow up professionally with internal teams and external vendors.

Posted 2026-02-08
