KPMG Jamaica has a delivery center named “KPMG Jamaica Extended Support Services (KJESS)” operating from the Kingston office, which is contracted to provide back-office support to its member firm KPMG United States (“the Client”). IT Security Compliance works within the Information Security Office of KPMG and is tasked with evaluating and continually improving cyber compliance controls.
The KJESS Security Compliance Auditor is responsible for the execution of the firm’s IT Information Protection Controls Review (IPCR) program including associated processes and procedures. The role evaluates IT controls to ensure that management and employees maintain continuous compliance with the internal IT policies, control objectives, and/or procedures and that those are aligned to legal and contractual obligations, as well as with the firm’s business objectives.
• Develop and establish a high-quality IT assessment program in compliance with the firm’s IT policies, governmental regulations, and customer requirements. Prepare Risk Treatment Plans (RTP) to help the firm mitigate identified control deficiencies and potential risks to a level acceptable to the firm, and provide guidance on prioritizing timely remediation based on each deficiency’s risk rating.
• Maintain an independent and objective opinion, and perform the assessment of the internal IT controls, in accordance with business and regulatory requirements, with due care. Following the risk-based approach, assessment activities may include: establishing the controls’ scopes; collecting the control evidence and maintaining it within an approved centralized repository system; reviewing and communicating the completeness, accuracy, and relevance of the evidence; reporting control deficiencies and potential risks to the firm; providing recommendations/guidance on corrective action plans; and requesting business support and control owners’ commitment to implement effective corrective actions in a timely manner.
• Collaborate with the firm’s internal IT GRC teams to gather Document Request List (DRL) or Provided by Client (PBC) related to the appropriate firmwide controls (including mitigating controls), procedures, and evidence to ensure a more efficient assessment execution.
• Maintain an effective relationship and expectation management with the internal IT control owners and stakeholders, championing a collaborative and partnership culture conducive to continuous IT compliance, asset protection, and reduction of audit fatigue.
• Liaise with business units to advise and influence control owners to act properly in their roles as control owners, ensuring continuous compliance with the firm’s IT Policies, control objectives, and procedures. Act as a key Subject Matter Expert (SME) for the IT Policy and Compliance function, understanding business needs and demands as they apply to that function.
• Direct, supervise, train, and/or guide the IT Assessment junior team members/resources, ensuring that they are aware of the assessment scopes as well as the IT Policies, control objectives, and procedures. Review and confirm their work prior to sharing the information with the IT control owners and stakeholders.
• Monitor and, as needed, report on the compliance activities of other departments to remain abreast of the status of all compliance activities and to identify trends.
• Monitor in-progress corrective action plans and provide the Executive Management with the summary information on the status of the portfolio of the corrective action plan.
• Assist in the development of monitoring and reporting for key Policy & Compliance metrics, trending summaries for these metrics, and potential risks to the firm, to give IT senior management visibility of IT Compliance areas of concern.
• Bachelor’s degree with a minimum of 5-8 years of information security/protection and privacy assessment/audit experience in either a public accounting organization or a publicly traded corporation in the US that is subject to the Sarbanes-Oxley Act (SOX), general IT controls, and IT Governance, Risk and Compliance (GRC). Such experience is further supplemented with CISSP, CISA or CISM certifications.
• In-depth and/or working knowledge of IT and Cyber Security controls from the operational support, implementer, and/or administrator’s perspective. Thorough understanding of project management best practices and principles.
• Proficient in IT Audit and Security Risk Assessment testing, evaluation of primary and mitigating controls, identification of control deficiencies, and facilitation of collaborative remediation processes. Ability to articulate control deficiencies and potential risks to the firm, be a credible source of knowledge, and positively influence control owners to build and maintain long-term, proactive continuous compliance within their IT/Security operational best practices.
• Familiarity with the Public Company Accounting Oversight Board (PCAOB), HIPAA/HITRUST, AICPA, ISO, NIST, PCI, SOC and other relevant IT and Information Security frameworks.
• Strong troubleshooting, verbal/written communication skills, with the ability to effectively interact with individuals at all levels of responsibility and authority. Must be able to prioritize, delegate/train and foster the development of high-performance teams to lead/support an environment driven by customer service and teamwork. Strong organizational skills and ability to work on multiple projects simultaneously.
• Communication – Delivering clear, effective communication and taking responsibility for understanding others.
• Customer Service – Demonstrating a commitment to public service, serving internal and external customers while holding oneself accountable for quality outcomes.
• Collaboration & Teamwork – Working cooperatively with others, inside and outside the organization, to accomplish objectives. Building and maintaining mutually beneficial partnerships while leveraging information and achieving results.
• Stakeholder Management – Maintaining good relationships with the people who most affect your work.
• IT Systems Administration & Cyber Security Support – Understands and demonstrates knowledge of applicable Information Technology and network defense in depth for systems implemented on-premises and in the Cloud, including concepts, principles, and practices related to their use and application.
• Data Gathering and Analysis – Seeks or collects and synthesizes information from a variety of stakeholders and sources in an objective, unbiased manner to reach a conclusion, goal, or judgment and to enable strategic and leadership decision-making.
• Problem-Solving – Identifies problems and uses logic, judgment, and data to evaluate alternatives and recommend solutions to achieve the desired organizational goal or outcome.
• Ethics Knowledge – Understands and applies knowledge of and promotes compliance with appropriate statutes, regulations, policies, and procedures.
• Expected to work in a fast-paced team environment.
• Will be working primarily in a paperless environment and is expected to use information systems for the entire workday to access data or perform activities.
• May be required to work extended hours periodically or on public holidays.
© 2023 KPMG, a Jamaican partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.