Senior Risk Analyst: IT & IS Assurance

General Description

The Senior Risk Analyst is responsible for executing and documenting design effectiveness (DE) and operating effectiveness (OE) testing of IT and Cybersecurity controls across applications, databases, infrastructure, and cloud services. The role safeguards the integrity, availability, and confidentiality of technology that supports financial reporting and critical operations, ensuring compliance with applicable banking regulations (e.g., SOX, NYDFS) and alignment to leading frameworks and standards (e.g., NIST, CRI, CCM, PCI DSS, FFIEC) as well as the institution’s internal policies and standards. The Sr. Risk Analyst partners with firstline technology owners, internal/external auditors, cyber risk teams, and business stakeholders to drive effective control execution, timely remediation of issues, and clear, decision ready reporting. 

Essential Duties and Responsibilities

• Lead control walkthroughs with system/process owners to confirm design, identify key attributes, and determine evidence requirements.  
• Obtain, evaluate, and securely retain evidence (configurations, logs, tickets, reports, approvals) sufficient to support conclusions. 
• Perform comprehensive testing and validation of core IT and Cybersecurity controls across key domains, including Identity & Access Management (provisioning, terminations, periodic access reviews, privileged access), Change Management (authorization, segregation of duties, migration controls), IT Operations (backups, batch processing, incident/problem management), logging/monitoring, and technology governance. Testing activities should be executed in alignment with the control requirements defined by leading industry frameworks and regulatory standards such as NIST, CRI, PCI DSS, COBIT, Cloud Controls Matrix (CCM), among others, ensuring that organizational practices meet established benchmarks for security, compliance, and risk management. 
• Validate population completeness and sample accuracy; execute re-performance and inspection procedures; document testing results with clear linkage to criteria and attributes. 
• Support SOX 404 management testing and coordination with internal/external auditors; assist with regulatory inquiries as needed.
• Draft findings with risk statements and impact analysis; agree on remediation plans and target dates with Control Owners and Senior Management; track progress and perform remediation validation (retesting) when due.
• Prepare concise status updates, dashboards, executive summaries, and communicate testing progress, blockers, and outcomes to management and stakeholders.  
• Ensure workpapers meet documentation standards and are auditor ready (completeness, accuracy, and review evidence).   
• Lead initiatives that support methodology enhancements, control library rationalization, automation opportunities (e.g., report generation, continuous control monitoring), and lessonslearned. 

Education

Bachelor’s or Master’s degree in Information Systems, Computer Science, Cybersecurity, Risk Management, or a closely related field required. 

Experience

At least 5 years of working experience in IT audit/assurance, risk management, or control testing roles.  

Demonstrated experience with SOX compliance, Information Technology systems (enterprise applications, databases, operating systems, cloud/SaaS), Cybersecurity fundamentals (access management, logging/monitoring, vulnerability/patch processes, security standards). Proficiency in data analysis and applications (such as Excel, Power Query/Power BI, basic SQL, or scripting). 

Working Knowledge of IT and cyber frameworks and financial institutions laws and regulations (E.g. NIST, COBIT, FFIEC, etc.). Experience defining, reviewing and documenting IT / Cyber policies and procedures 

Other Qualifications

• Excellent analytical skills to identify situations, look for alternatives and make good decisions. 
• Excellent written and verbal communication in English and Spanish 
• Critical thinking ability. 
• Excellent organizational skills are required to establish priorities, multitask, work under pressure, and meet deadlines. 
• Excellent interpersonal skills and teamwork. 
• Proficient in Microsoft Office: Word, Excel, PowerPoint, and Outlook. 

Certifications / Licenses

Preferred but not required IT or Cyber certifications preferred (e.g. CISA, CISM, CISSP, CGEIT, CRISC, etc.) 

Values