IT GRC SOX Specialist Regulatory Frameworks

The IT GRC Sox Specialist will support the IT GRC team in embedding effective IT governance risk and compliance across the organisation. The initial primary focus will be on SOX IT General Controls (ITGC) and IT Application Controls (ITAC) design operating effectiveness and on scaling an enterpriseready IT control framework.

The role partners closely with IT Security Finance Internal Audit and External Audit to ensure controls are well designed consistently operated appropriately evidenced and continuously improved. The position will drive a pragmatic auditready control environment across core platforms and services (including Oracle and Salesforce) and will support broader regulatory and assurance initiatives where applicable (e.g. EU AI Act).

Governance Risk and Compliance

• Lead the implementation and ongoing operation of the IT control framework aligned to SOX and other relevant regulatory and assurance requirements.
• Own IT scoping for SOX (systems applications infrastructure interfaces key reports and outsourced services) in partnership with Finance and Internal Audit.
• Maintain and manage the inventory of IT risks controls control owners testing frequency evidence requirements and framework mappings (SOX internal policy enterprise risk register).
• Ensure timely collection of highquality evidence demonstrating effective control operation meeting audit standards for completeness integrity and traceability.
• Act as a primary point of contact for Internal Audit External Audit and other GRC teams; coordinate walkthroughs testing support and audit requests.
• Define and maintain IT GRC scope and boundaries within the Four Lines of Defence model clarifying ownership across IT Security Compliance Risk and Audit.
• Prepare audit submissions management responses and materials for senior leadership and risk committees.
• Operate the IT risk radar collecting and assessing risks across IT and reporting trends key risks and residual risk exposure.
• Develop maintain publish and deliver training on IT policies standards and procedures; define and monitor KPIs and KRIs.
• Measure compliance with IT policies and coordinate remediation activities validating closure evidence.
• Drive continuous improvement initiatives to mature IT GRC capabilities including automation of control evidence collection where feasible.
• Track process improvement and remediation action plans including owners milestones and delivery through to completion.

SOX / Regulatory Control Areas (Initial Focus)

• IT General Controls (ITGC): Access management (joiner/mover/leaver) privileged access change management and IT operations.
• IT Application Controls (ITAC): Automated and configurationdependent controls supporting financial reporting including Oracle and Salesforce.
• Key Reports / IPE: Standards for report completeness and accuracy access controls and change management over report logic.
• Deficiency Management: Lead root cause analysis remediation and compensating control design and retesting planning.

• Minimum 5 years experience in IT audit IT risk IT compliance SOX IT controls or a combined GRC/assurance role.
• Proven handson experience designing operating and managing SOX ITGC and where applicable ITAC.
• Strong understanding of how IT risks and control failures impact financial reporting and transaction flows.
• Demonstrated experience producing reviewerready documentation for audits (risk and control matrices narratives process flows test evidence).
• Handson experience managing internal and external audit interactions including endtoend evidence coordination.
• Ability to document explain and coach others on business process system mapping and evidencing expectations.
• Working knowledge of major frameworks and standards such as COSO COBIT ISO 27001 and NIST and the ability to rationalise overlaps.
• Strong understanding of access governance segregation of duties privileged access change management and IT operations controls.
• Highly effective written and verbal communication skills with the ability to influence stakeholders across IT Finance and Audit.
• Strong Microsoft Office skills including Outlook Excel PowerPoint Teams and SharePoint.

• ISACA (or equivalent) certification such as CISA CISM or CGEIT.
• Experience using risk and GRC tooling particularly Riskonnect; exposure to ServiceNow GRC Archer or AuditBoard is advantageous.
• Experience estimating remediation costs distinguishing between oneoff project costs and recurring operational expenditure.
• Familiarity with enterprise systems such as Oracle and Salesforce including access configuration audit logging reporting and integrations.
• Experience supporting broader regulatory initiatives beyond SOX (e.g. operational resilience or emerging digital regulations).
• People leadership or coaching experience including mentoring junior colleagues or developing direct reports.