Responsible for planning and overseeing the execution of IT and cybersecurity audit/assurance and advisory engagements at the State of Colorado

Responsible for planning and overseeing the execution of IT and cybersecurity assurance and advisory engagements at the University of Colorado

As Deputy State Auditor at the Colorado Office of the State Auditor (OSA), I am responsible for overseeing complex, value-added IT audits in the State of Colorado. In addition, I am responsible for overseeing select performance audits; the OSA’s IT audit strategy, plan, report writing, and communications functions; and the OSA's IT infrastructure.Key responsibilities and duties include:• Planning, organizing, leading, and motivating the activities of the IT and performance audit teams in complex audits of state government agencies, institutions, programs, and activities.• Overseeing in-house and contract IT and performance audits to ensure compliance with audit standards and OSA policies and procedures.• Overseeing OSA administrative operations to assist the State Auditor in performing the duties and responsibilities in the Colorado Constitution and statutes.• Reviewing and approving in-house and contract audit reports requiring a high degree of technical expertise and knowledge.• Applying knowledge, judgment, and experience to facilitate the completion of efficient, well-planned, and fully documented IT and performance audits that meet quality standards and the needs of the Legislative Audit Committee, members of the General Assembly, audited agencies, and others key stakeholders.• Overseeing the research and implementation of new audit process improvement approaches and ensuring compliance with reporting and auditing standards.• Developing and implementing organizational strategic plans and other initiatives. • Overseeing the internal report writing, publishing, and communications functions.• Overseeing the OSA’s IT infrastructure to ensure adequate technology resources, including hardware and software, are available for audit and support functions.• Ensuring that adequate training plans are in place to meet professional development needs of staff.• Directing the overall activities of audit and admin staff.

• Planned and managed the execution of IT and information security audits and advisory projects, including reviews involving HIPAA and PCI compliance, information security policies and procedures, IT governance, network, web application development and security, database security, remote computing, log management and system monitoring, enterprise systems development and project management, identity and access management, information security training and awareness, application and IT general controls• Presented audit and advisory findings and reports, along with detailed recommendations and remediation action plans, to executive management and the Regent Audit Committee• Participated as an advisor for various IT and information security groups and committees, including the Student Information System Replacement Project Steering Committee, Security Advisory Committee, IT Security Principals Forum, Electronic Research Administration Steering Committee, the Chief Information Security Officer (CISO) Search Committee, and various incident response teams involving information security and data breach incidents• Acted as a reviewer of IT and information security policies and procedures, campus IT strategic and tactical plans, staffing models, budgets, service level agreements, IT vendor contracts, and emerging technologies• Led departmental risk assessment processes to understand current IT and information security risks facing the university and to develop the annual IT audit plan• Assisted non-IT internal auditors with enhancing IT risk recognition and helped them develop work program steps and findings when IT-related risks were involved in their operational audit engagements• Performed project management responsibilities for audit and advisory engagements (i.e., managed scopes, schedules, budgets/expenses, and deliverables)• Participated in the recruiting, interviewing, and hiring processes for internal audit department personnel

• Planned and managed the execution of IT audit projects• Presented audit findings and reports to executive management• Provided detailed recommendations and remediation action plans for audit issues• Reviewed security audits performed by external auditors for First Data entities, including the California State Disbursement Unit, the Treasury Department’s Electronic Federal Tax Payment System (EFTPS), and various GovConnect eFile and Paypoint tax payment products and services• Managed SAS 70 audits to ensure that various business unit personnel involved were working effectively with external auditors performing the audits and that they met the budgeted scopes, timelines, expenses, and deliverables• Performed gap analyses of the company’s Information Security Policy (based on ISO 17799) against applicable regulatory, legal, and compliance requirements, including COBIT, COSO, FFIEC, GLBA, HIPAA, Sarbanes-Oxley, and PCI Data Security Standards.

• Oversaw the IT audit function at the company and ensured that an effective IT audit process was established to achieve compliance with internal and external audit requirements• Developed and maintained IT audit methodology, policies, and procedures• Identified gaps in existing IT processes and controls based on risk assessments, and developed frameworks of controls to mitigate the risks involved• Determined readiness for audit compliance against Sarbanes-Oxley, ISO 9001:2000, and HIPAA requirements• Planned and managed the execution of IT audit test programs• Reviewed results of control testing and determined remediation strategies and management action plans for control deficiencies• Worked with external auditors to facilitate the evaluation of company-level IT controls• Provided training to business unit personnel who were involved with IT audit testing

• Planned engagements by developing work program timelines, risk assessments, and other planning documents• Worked with the financial audit team to document business processes dependent on information technology• Ensured high quality client service by directing daily progress of fieldwork, reporting engagement status, and managing staff performance• Demonstrated and applied a thorough understanding of complex information systems• Used knowledge of current IT environments and industry trends to work efficiently on client engagements• Communicated information to the engagement team and client management through written correspondence and presentations• Demonstrated and applied strong project management skills• Inspired teamwork and responsibility with engagement team members• Used current technologies and tools to enhance the effectiveness of deliverables and services

• Utilized NIST and other risk assessment methodologies to perform IT general controls (ITGC), HIPAA, and PCI risk assessments and reviews• Evaluated and documented efficiency and effectiveness of general and application IT controls• Prepared, executed and documented IT control tests• Reviewed and analyzed IT environments including operating systems, applications, infrastructure components, organizational IT infrastructure, IT policies and procedures, SDLC and change management methodology, etc.• Executed IT audits and SAS 70 reviews with little or no supervision• Managed client relationships• Performed travel to fulfill job responsibilities• Attended training and received guidance to keep current with audit methodology and practices

• Identified needs and flaws in client operations• Consulted with clients to create process improvements and solutions• Performed HealthFacts data warehouse operational tasks• Conducted new client software installs and configurations• Maintained awareness of current Cerner product functionality• Improved skills in operating systems and database administration• Developed content for internal and external client education