Job Description

• Develop and maintain a control testing & validation plan aligned to the organization’s technology risk landscape, including scope, frequency, methodology, and sampling approaches.
• Execute control design and operating effectiveness testing across technology domains (e.g., cloud, infrastructure, network, application, SDLC, IAM, logging/monitoring, vulnerability management, backup/DR).
• Create testing procedures and workpapers that are repeatable, audit-ready, and defensible; ensure evidence is complete, accurate, and traceable.
• Perform walkthroughs and interviews with technology stakeholders to confirm control intent, ownership, and implementation details.
• Validate control implementation technically (where applicable) by inspecting configurations, system settings, logs, tickets, and pipeline artifacts (e.g., CI/CD).
• Identify control gaps and root causes, assess risk impact, and provide clear recommendations and remediation guidance.
• Track and validate remediation activities and re-test controls to confirm closure.
• Produce concise reporting (test results, summaries, themes, and metrics) for IRM leadership and customers.
• Support internal/external audits and regulatory inquiries by providing documentation, testing artifacts, and control narratives.
• Continuously improve the control testing program through standardization, automation opportunities, and alignment to evolving technology.

• Cloud governance and security (e.g., AWS/Azure/GCP controls, configuration baselines)
• Identity & access management (SSO, MFA, privileged access, joiner/mover/leaver)
• Network security (segmentation, firewall rule governance, secure remote access)
• Infrastructure and endpoint controls (hardening, patching, EDR)
• Application controls (secure configuration, change management, access controls)
• SDLC / DevSecOps controls (code scanning, approvals, pipeline controls, secrets management)
• Logging, monitoring, incident response integration
• Vulnerability management (scanning, remediation SLAs, exception handling)

• Experience: 5+ years of experience in technology audit, technology risk, or control testing/assurance. Proven experience performing control testing and validation (design and operating effectiveness), including sampling and evidence standards, across a broad spectrum of technology domains.

• Education Bachelor’s degree in Information Systems, Cybersecurity, Information Technology, Computer science or a related field.

• Technical Expertise Ability to translate technical details into clear risk statements, issues, and practical remediation recommendations. Demonstrated strong documentation skills with the ability to produce audit-ready workpapers, test scripts, and results. Strong stakeholder management with the able to work effectively with engineers, control owners, leadership and customers. Knowledge of GRC tooling and workflows.

• Language Skills Excellent stakeholder management and communication skills. Proficient in English for effective communication and coordination.

• Experience Experience as a Technology Auditor at a large professional services firm (e.g., Big 4 or similar) or comparable complex enterprise environment. Familiarity with control frameworks and standards such as COSO, COBIT, NIST, ISO 27001, and/or SSAE 16 requirements.

• Education and Certifications Masters degree in Cybersecurity, Information Technology, Computer Science or a related discipline is preferred. Industry-recognized credentials such as CISSP, CISM, CISA are highly desirable.

• Language Skills Bi-lingual in English and Korean language proficiency is preferred to support global coordination and communication.