To Be Determined
Minimum Qualifications
Non-Competitive: Seven years of IT audit experience*.
*IT auditing experience must have been gained in any one or combination of the following:
• Responsibility for performing IT-related audits and examinations to determine the compliance of agencies, authorities, municipalities, and schools, including reviews of physical and logical access controls, general IT controls, and application controls, and the writing and presentation of findings reports of technical issues to a non-technical audience.
• Responsibility for the analysis and evaluation of information systems, such as platforms, applications, network infrastructure, and/or IT-related operational practices, and the writing and presentation of reports of findings suitable for a non-technical audience.
• Responsibility for supporting an audit group, such as designing, developing/programming, maintaining technological solutions in support of audit activity, and evaluating and developing artificial intelligence programs in support of audit activity.
Education/Experience Substitution: an Associate’s degree may be substituted for up to two years of IT audit experience; a Bachelor’s degree may be substituted for up to four years of IT audit experience; a master’s degree may be substituted for an additional one year of IT audit experience (i.e., up to five years of experience). There is a maximum of 5 years of educational substitution. Additionally, one year of generalized audit experience** may be substituted for one year of IT audit experience.
**Generalized audit experience - Performed performance audits in accordance with Generally Accepted Government Auditing Standards; analyzed areas for audit, addressed areas of risk; evaluated systems and procedures relating to audit areas for compliance with applicable laws, rules and regulations and contract terms, as appropriate; ensured funds are utilized in accordance with laws and regulations, and proper and effective controls are in place for areas under audit; used computer assisted auditing tools and techniques across various platforms to meet audit objectives; determined the accuracy and completeness of computer-processed data, prepared audit work papers to document work done and conclusions; prepared preliminary audit findings or portions thereof, discussed findings with auditee representatives, and participated in exit and entrance conferences.
Duties Description
Information Technology Audit Support Services
• Identifies and recommends that the auditee resolve technical weaknesses using various tools and assets (e.g., vulnerability scanners and a technology research facility).
• Applies applicable IT security requirements such as New York State Technology Law, publications from the State Office of Information Technology, and National Institute of Standards and Technology (NIST), for example. Further, conducts audit work in conformance with Generally Accepted Government Auditing Standards (GAGAS), and Division and Applied Technology Unit policies.
• Provides consultation to other OSC/Division audit teams, and auditees as necessary, on IT areas during a risk assessment, financial or performance audit and provides expertise on highly technical IT matters, such as those relating to issues and deficiencies observed during risk assessments, audits and/or accessing systems and data.
• Performs, or assists other Division audit teams in performing, the following:
o Develops or follows IT audit programs of computer systems or operations in accordance with applicable auditing and technology standards.
o Inspects data, systems, and controls to assess risk and determine areas for audit and other projects.
o Develops and performs tests of IT controls to determine whether they have been placed in operation and are operating effectively and if there are adequate controls in place.
o Reviews general and application controls of auditee’s information security programs.
o Performs various IT testing methodologies during audits using vulnerability scanners and other network management tools as needed. This includes assisting in technical aspects of work such as vulnerability assessments, use of technical software programs, and performing complex segments of the work.
o Analyzes and evaluates the adequacy of auditee’s IT policies and procedures.
o Evaluates data, systems, and procedures relating to audit/special project areas for compliance with applicable laws, rules, and regulations.
o Evaluates auditee’s systems and IT operating practices to assess compliance with applicable requirements and for efficiency and effectiveness in meeting operational and legislative goals and priorities.
o Examines internal controls to evaluate the extent to which proper and effective controls are in place for areas under audit.
o Participates in and/or conducts interviews with auditees and performs walk-throughs to assist in the evaluation of system controls.
o Attends audit team meetings.
o Examines transactions and supporting documentation to help assess whether there is a risk for fraud, waste, and abuse.
o Assesses the accuracy of the auditee’s IT processes.
o Prepares and organizes work papers to document the work performed and conclusions drawn during the audit project.
• Works on specialized IT audits, projects, and studies that incorporate, for instance, advanced computer programming, complex IT matters, emerging technologies such as Artificial Intelligence (AI), machine learning algorithms, web-based technologies, and/or cloud-based computing for secure information sharing.
• Writes or assists audit teams with writing preliminary audit findings, discussion documents, draft reports, and/or special project reports that are clear, concise, objective, complete, well organized, meet professional requirements and prepared within the assigned time budget.
• Keeps up to date on emerging technologies.
• Develops documentation supporting recommended areas for future audit or special IT projects.
Technology Assistance and Training
• Use advanced IT auditing tools such as SAINT, Nessus and AppScan during risk assessments and audits throughout the Division. Provide training and support to other Applied Technology work unit staff using the tools, develop related Division policies and procedures, and work with others in the Agency using similar tools to advance our collective knowledge.
• Provide hands-on assistance to audit staff throughout the Division in assessing and testing controls over computerized systems in local governments and schools across the state. Prepare work papers consistent with applicable professional standards and Division policies. Assist other Applied Technology work unit staff as they provide hands-on assistance to audit staff in assessing and testing controls over computerized systems in local governments across the state.
• Develop and expand the Division’s capacity to use computer assisted audit tools. Keep Applied Technology management informed of trends and new developments in computer assisted auditing capabilities and how they might enhance the efficiency and effectiveness of our services. This will require a proactive role, researching and suggesting potential uses for technology, determining IT auditing trends, finding best practices from other audit agencies in New York and other states, and being an active member of one or more IT related communities.
• Provide in-person training for Applied Technology work unit staff and Division audit staff on various information technologies and IT auditing topics, and how they may affect the services we provide.
• Provide cybersecurity training for local officials in-person and virtually, as appropriate.
• Prepare written communications and audit guidance to assist IT Specialists and audit staff in understanding IT issues, trends, automated tools, and Division policies and procedures.
Supervision: May assist in the supervision of Auditor 1s, Information Technology Specialist 1s, trainees or students. In addition, supervision may include reviewing and editing written IT-related communications from and/or for Agency or Division executive management.
Additional Information: It is expected that this position may require up to 30% travel, including overnight visits around the State, annually. This position can be assigned to the Central Office-Albany or any Regional Office.
Additional Comments
Knowledge, Skills, and Abilities:
• IT industry experience and/or IT or information systems degree
• Relevant professional certification(s) (CISA, CISSP, CISM, CRISC, CISSP, ISSMP, CIA)
• Familiarity with GAGAS, CIS, COBIT, COSO and NIST CSF frameworks
• IT audit experience including but not limited to, conducting Cloud, application, and system security audits.
• Excellent interpersonal skills with staff and customers
• Works well independently and in a team environment
• Possesses effective oral and written communication skills.
• Detail-oriented and produces an accurate and timely work product.
• Ability to effectively apply work unit policies and procedures.
• Ability to handle multiple and sometimes competing priorities.
• Good knowledge and use of technology
• Strong organizational skills
• Strong work ethic and positive attitude
The Office of the New York State Comptroller (OSC) supports telecommuting where it is reasonable to do so based upon the agency’s mission and operational needs. Generally, employees new to OSC will be restricted from telecommuting for at least 8 calendar weeks. After the initial 8 calendar week restriction, if an employee’s duties and work performance are aligned with telecommuting they may be allowed to do so. Upon approval to telecommute, OSC employees may telecommute for up to 5 days per pay period.
Some positions may require additional credentials or a background check to verify your identity.
110 State Street, 12th Floor
Notes on Applying
Submit a clear, concise cover letter, resume, and a completed copy of this template: https://www.osc.state.ny.us/files/employment/docs/02926-28-information-systems-auditor-1-mq-template-6-2023.doc via e-mail to firstname.lastname@example.org, no later than January 5, 2024.
Reference Item #02938(7)-OER-SAB in the subject line and on the cover letter for proper routing.
PLEASE NOTE: You MUST complete the linked template in full to demonstrate you meet the minimum qualifications for this position. Interview selection is based SOLELY on the information you provide in this document; incomplete or vague information will not be viewed in your favor. To access the required template, copy the link above and paste it into your web browser, then download, complete, and save to submit with your email response.
If you have questions about this vacancy, please contact this Division representative:
Division contact: Jennifer Haviland, JHaviland@osc.ny.gov
When responding, please include the reference number and letters listed in this section only. The OER ID # should not be included.