IT, Cyber and Information Security Audit Executive
Purpose of Job
This role will optimally be located in one of our hubs - San Antonio, Charlotte, Plano, Tampa, or Phoenix. Consideration may be given to remote candidates who could travel onsite 60-75% of the time for the first 2-3 years.
The VP, Audit Services IT and Cyber Security, leads assurance and advisory services for all aspects of IT and Cyber Security operations. This executive develops, administers, and oversees a risk-based, comprehensive audit program which provides the Audit Committee of the USAA Board of Directors, the CEO, subsidiary boards, and members of USAA management with independent, objective assurance regarding the effectiveness and efficiency of governance, risk management, and control processes. Oversees the development and administration of long-term strategy and objectives and ensures alignment with Enterprise Audit Plan strategy and objectives. Leads the IT and Cyber Security audit staff and oversees audit findings and recommendations regarding key governance, risk management and control processes, including legal and regulatory compliance, regulatory readiness, and the reliability and integrity of financial and operational information. Maintains knowledge of financial services regulations and responds to and interacts effectively with regulators.
- Exemplifies USAA’s mission, core values, culture and desired behaviors – including a culture of risk awareness and accountability.
- Hires and develops talent to deliver performance and results – including the identification, development and retention of talent with requisite risk knowledge and capabilities as well as providing leadership and overseeing performance management and staff development activities.
- Accountable for ensuring IT and Cyber Security departments receive sufficient coverage across specific activities as well as affiliated shared services that support these areas. Coverage will require effective coordination across the internal Audit Services teams to ensure appropriate subject matter expertise, scoping, execution and reporting of results.
- Leads design and implementation of the IT and Cyber Security internal Audit Services strategy, considering the department's strategy, complex regulations and regulatory heightened expectations, including how they apply in a matrixed business environment.
- Reviews and directs the development of internal audit IT and Cyber Security testing program and methodology, assures that professional standards are adhered to and that the audit report contains fully supported information.
- Oversees budgeting and execution of the internal audit plan and other related audit projects across IT and Cyber Security.
- Holds self and others accountable to meet commitments by setting and clearly communicating expectations and roles and responsibilities relative to internal audit.
- Communicates, reports on and escalates issues to senior management and the board on the Enterprise's current and changing risk profile, risk appetite, and emerging risk trends. Is responsible for the creation and updating of risk profiles for each auditable entity within their area of support.
- Collaborates with internal audit management to develop and implement internal audit policies, procedures, and best practices. Advises senior management on risk and control issues; reports on business self-assessment results; and provides practical recommendations to ensure risks are appropriately managed.
- Manages ongoing relationships with external auditors, business units, and senior management. Evaluates corrective measures taken to address unresolved matters. Follows up on the progress being made to address unresolved control matters and prepares summary reports to executive management to ensure appropriate action is taken in a timely manner.
- Conducts review of the results of the annual skills assessment and provides recommendations for addressing current gaps in skills.
Technical and Risk Responsibilities
- Assists the USAA Chief Audit Executive in the development of audit standards, governance model, operating policies and procedures for inclusion in the Audit Services Manual and directs implementation of approved changes to maintain an internal audit function and governance model that is consistent and appropriate for the size, complexity and risk profile of IT and Cyber Security.
- Maintains a current knowledge of the USAA standards, mission and strategic mission through discussions with corporate officers and attendance at various management meetings, conferences, and Board of Directors meetings in order to integrate current risks into the audit plan.
- In conjunction with other Audit Services leadership, develops the audit strategy and plan, with emphasis on assurance and advisory services. Advises and collaborates with leadership on effective IT and Cyber Security controls and the regulatory environment.
- Validates annual audit plan for IT and Cyber Security that is prepared based on risk analysis processes. Assists in assigning resources to complete integrated audits and to ensure appropriate audit coverage. Monitors and reports progress on this plan.
- Monitors, independently and objectively, the governance, risk and control environment ensuring trends and emerging issues that could impact operations are considered and communicated to Executive Management and/or Finance and Audit Committees as appropriate.
- Responsible for elevating high-risk potential control issues during development to avoid potential audit findings and control failures and reducing future risks to the organization.
- Determines, plans and supervises the delivery of the IT and Cyber Security risk-based annual internal audit plan including identifying areas of risk and assigning appropriate risk ratings at the universe and entity level to ensure that critical business areas are reviewed on a recurring basis.
- Establishes and directs all aspects of the internal audit IT and Cyber Security testing program, to include developing and updating the internal audit validation testing methodology, procedures, ongoing assessment of business risks, a risk based annual audit plan, and audit methodology that mirrors current, professional internal audit standards.
- Oversees and approves risk assessments, including emerging risks and top risks associated with the organization’s current material processes, product lines, services, functions. Ensures quality audit work within required completion timeframes of each audit; drives value to the business while reducing the risk in the risk profile. Ensures that audit processes are utilized in identifying control weaknesses and developing recommendations within all divisions and operations of the company. Remains knowledgeable and current with the changing IT and cybersecurity landscape.
- Provides thought leadership to executive management and Finance and Audit Committee related to leading and emerging internal audit and internal control practices and guidance to the business units of audit-related topics focused on strategic, operational, financial and regulatory risks.
- Accountable for the completeness of the audit universe for business areas of responsibility and periodically reviews for potential additions or deletions.
- Periodically reviews and updates the audit plan to consider the risk profile and emerging risk and issues. In addition, evaluates the adequacy of and compliance with policies, procedures, and processes established by the front-line units and Independent Risk Management to ensure ongoing compliance with the Risk Governance Framework.
- Responsible for understanding, assessing and monitoring USAA's efforts to comply with regulatory enforcement actions, including Consent Orders and Matters Requiring Attention (MRAs), and ensures appropriate governance structures, policies and standards are designed effectively, in place and operating effectively.
- Assesses compliance with financial regulations and controls by executing audit program steps; testing general ledger, account balances, balance sheets, income statements, and related financial statements; examining and analyzing records, reports, operating practices, and documentation.
- Drives delivery of the internal audit work on time, within agreed upon budget, and in accordance with audit methodology, regulatory standards and the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
- Responsible for effectively managing all aspects of the IT and Cyber Security internal audit work that is outsourced, which evaluates the adequacy of and compliance with policies, procedures and processes established by the 1st and 2nd lines of defense, and provides technical and strategic direction to audits and investigations which are sensitive or complex in nature.
- Coordinates internal Audit Services programs with other audit, compliance and operational and risk management units, Corporate Investigations, the outside independent auditor and regulatory examiners to minimize duplication of effort.
- Leads quality audit work within required completion timeframes of each audit and participates in annual risk assessment processes; drives value to the business while reducing risk in the IT and Cyber Security risk profile.
- Assists the Chief Audit Executive in creating reports of audit results as required and delivering/communicating them to executive management and Risk committees as required by the USAA Finance & Audit Committee charters. In addition, identifies and escalates to the USAA Board's Finance & Audit Committee significant control weaknesses and strengths related to complying with the policies, standards and procedures.
- Ensures that the audit processes are utilized in identifying control weaknesses and developing recommendations within all divisions and operations of the company.
- Evaluates internal controls to ensure the identification of significant accounts, processes, assertions and risks, documentation of significant processes and the identification and evaluation of the control design, the performance of tests and controls and the overall assessment of financial reporting and internal controls.
- Supports external auditors by coordinating information requirements.
- Conducts validation testing and reviews to ensure that the recommended corrective actions to audit and regulatory identified issues are completed, sustainable and effective, and continues to evaluate the appropriateness of management’s corrective actions in response to issues identified.
- Provides periodic briefings and reports on the risk management audit activities and the organization’s adherence to regulatory requirements and enforcement to the executives and board committees and councils.
- Provides independent assurance to the board of directors and senior management on the effectiveness of the design, implementation and execution of the core business processes and risk management framework (including risk profile, risk appetite, and compliance practices).
- Interacts effectively with all key Governance Committees.
- Responsible for continuous review and enhancement of the Risk Management Internal Audit processes.
- Establishes and continuously evaluates Key Performance Indicators (KPIs) for the Audit Services IT and Cyber Security team to ensure achievement of objectives. Adjusts KPIs as needed to continuously align to enterprise objectives and consults with Audit executives to support KPI report deliverables.
- Oversees the design, development and delivery of timely, accurate, and impactful management reporting in addition to high-quality, impactful external reporting deliverables, including coordination with appropriate internal and external stakeholders.
Interacts with or participates in enterprise governance committees, such as:
- Information Technology / Information Security Committee (ITISC)
- Bank ITISC (BITISC)
- Bachelor's degree is required.
- Advanced degree such as Business, Accounting, Finance, or Information Technology is preferred.
- A minimum of 12 years of experience in technical discipline (e.g., information technology audit or cyber security audit function) with a proven track record leading comparable operations and programs (e.g., complex audit programs and regulatory heightened expectations) is required.
- A minimum of 8 years of people leadership experience in building, managing and/or developing high-performing teams is required.
- A minimum of 8 years of relevant experience in a large financial institution ($100 billion +), including 5+ years post-Dodd Frank, in a senior staff role within an audit department is preferred.
Demonstrated understanding of the full spectrum of regulatory examinations and other supervisory engagements and processes. Working knowledge of regulatory guidance such as the following is expected:
- Dodd-Frank Act
- Home Owners’ Loan Act
- Fair Lending laws
- Texas Insurance Code
- New York Insurance Law
- Securities and Exchange Commission Statutes, including the 1933 Securities Act and the 1934 Exchange Act
Federal regulations and supervisory guidance:
- 12 CFR Part 238 (Regulation LL)
- 12 CFR Part 252 (Regulation YY)
- 12 CFR Part 223 (Regulation W)
- 12 CFR Part 30, including Appendices A through E
- 12 CFR 9 - Bank Fiduciary Activities
- 12 CFR 25 -- Community Reinvestment Act
- 12 CFR Part 46 (Annual Stress Test)
Federal Reserve Supervisory Guidance Documents:
- SR 12-17 (Consolidated Supervision Framework for Large Financial Institutions);
- SR 08-08 (Compliance Risk Management Programs);
- SR 14-9 (Incorporation of Federal Reserve Policies into the Savings and Loan Holding Company Supervision Program and related applicable guidance);
- Bank Holding Company Examination Manual;
- Federal Reserve proposals concerning Board effectiveness and core principles of effective senior management, management of business lines, and independent risk management and controls
- OCC Supervisory Guidance Documents: Large Bank Supervision Handbook; Corporate and Risk Governance Handbook; and key OCC bulletins (Model Risk Governance; Model Risk Management; New Products and Services Risk Management; Third Party Risk
- FFIEC: BSA/AML Manual; IT/Cyber Handbooks
- CFPB: Consumer Protection Regulations; UDAAP
*Regulatory understanding is for illustrative purposes and not an all-inclusive list. The role requires an understanding of all federal and state laws and regulatory guidance applicable to the organization and to the responsibilities of the role.
Note: The above statements are intended to describe the general nature and level of work being performed by employees in this position. They are not intended to be an exhaustive list of all duties, responsibilities and qualifications of employees assigned this job.
Industry certification such as Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) is preferred.
- USAA has an effective process for assessing market data and establishing ranges to ensure we remain competitive. You are paid within the salary range based on your experience and market position. The salary range for this position is $236,400- $425,700.
- Employees may be eligible for pay incentives based on overall corporate and individual performance or at the discretion of the USAA Board of Directors.
- Long Term Incentive Plan: Cash payment for Executive level roles only, representing a cash payment which is both time and performance based.
- Stipend: As an EMG Member, you will receive an annual stipend (amounts determined by level) which will be paid in quarterly installments.
At USAA our employees enjoy best-in-class benefits to support their physical, financial, and emotional wellness. These benefits include comprehensive medical, dental and vision plans, 401(k), pension, life insurance, parental benefits, adoption assistance, paid time off program with paid holidays plus 16 paid volunteer hours, and various wellness programs. Additionally, our career path planning and continuing education assists employees with their professional goals.