Director, External Audit Engagement

Director, External Audit Engagement

The Fidelity Enterprise Cybersecurity Governance, Risk and Compliance (GRC) Product Area is seeking a Director, External Audit Engagement to play a leadership role within ECS to ensure successful engagements with independent third-party audit firms. Such third-party firms are hired to assess Fidelity's control environment and attest to the design and operation of cybersecurity controls, following industry-standard frameworks. The Director will introduce ECS product areas to the requirements within the certification frameworks and will work with line managers to ensure that controls are designed in accordance with framework requirements and are operating in accordance with defined procedures. As 3rd party assessments are conducted, the Director will assist product area teams as needed with gathering evidence to demonstrate control effectiveness and will work to resolve or explain potential exceptions. The Director will oversee the timely issuance of draft and final reports attesting to Fidelity's cybersecurity control environment. Throughout the engagements the Director will work closely with Enterprise Technology and Risk Analysis (ETRA) External Audit Center of Excellence and with relevant BU information technology organizations.

Success in this role will be demonstrated by well-managed external audit engagements resulting in unqualified opinions and / or certifications of Fidelity's cyber control environment. These audit engagements and frameworks cover SOC1 / 2 / 3, ISO 27001, NIST CSF / 800-53, HITRUST, and PCI-DSS, among others. The successful incumbent will also have familiarity with laws and regulations which impose information security requirements on Fidelity's businesses, including HIPAA, GLBA, FFIEC, CFTC, and GDPR, to name a few. This will permit the successful incumbent to work with colleagues in GRC to coordinate compliance activities across ECS product areas. By working across Fidelity and achieving unqualified reports from 3rd party assessors, the External Audit Engagement team assures clients that they can select Fidelity with confidence to administer company benefit plans and to process and safeguard customer transactions and accounts.

The Expertise and Skills You Bring

• Proven knowledge of IT risk and cybersecurity functions and how they contribute to Fidelity's mission and success.
• Extensive knowledge of audited cybersecurity frameworks and standards, including AICPA's SOC 1, SOC 2, and SOC 3, including all SOC 2 trust principles; Payment Card Industry's Data Security Standard; HITRUST; ISO / IEC 27000 family
• Experience and knowledge managing projects end-to-end, with demonstrable ability to communicate progress effectively across multiple lines and levels.
• Understanding of NIST Cybersecurity Framework core standards
• Bachelor's degree in a technology or a computer science subject area a plus
• 7+ years working in IT assurance for a 'Big 4' or similar audit firm and experience with Fortune 500 clients.
• Cybersecurity certifications a plus
• Prior experience in a cybersecurity role (policy, operations, technology) or in an IT risk role
• Ability to quickly establish trust and a positive rapport with ECS business partners and BU stakeholders.
• Independent worker; high sense of ownership; 'focus and finish' attitude.
• Ability to influence product areas to prioritize external assessments in product roadmaps and backlogs.
• Ability to manage multiple priorities independently; proactive approach to defining issues and resolving open questions.
• Ability to effectively facilitate and follow up on business meetings, present information to groups with the appropriate degree of formality.
• React quickly to requests; bring a sense of urgency to respond to inquiries.
• Data analysis and synthesis; working knowledge of MS-Excel

The Value You Deliver

The Team

Members of the Compliance Center of Excellence within the GRC Product Area are charged with knowing the external requirements and standards to which Fidelity is held. They make certain that Fidelity ECS has appropriate policies and controls which align to these standards, and they work with Product Area teams to produce evidence supporting the policies and controls. The external requirements include federal and state laws, regulations, guidance, best practices, and industry expectations. Members of the team engage with external assessors and examination staff periodically to provide evidence of control.