The IT Assurance Manager is responsible for leading the day-to-day execution of IT-related control assessment or control readiness activities and projects associated with external audits, internal audits and service organization reports (e.g. SSAE 18 – SOC1). The Manager oversees continuous improvement efforts to meet state and federal regulatory standards, including HIPAA, and achieve IT control best practices. Works collaboratively with Information Technology and operational management to develop right-sized solutions, analyzes IT-related control incidents, presents assessment results to senior leadership team members for risk response or acceptance, and plays an integral role in facilitating and validating corrective action implementation and ensuring remediation.
The IT Assurance Manager represents Heath New England as the key point of contact and liaison for IT Assurance-related external audit and consultant engagements including management of the annual HIPAA risk assessment and SSAE 18/SOC1 reviews. The Manager is expected to builds strong relationships with external auditors/consultants and develop a thorough understanding of Health New England’s information system and control structure to validate appropriateness when risks or weaknesses are identified.
This position reports directly to, and will actively collaborate with, the Director of Risk and Assurance Management, will have a prominent role in reporting to the Audit and Compliance Committee, and is expected to exercise a high degree of independent judgment.
IT Control Assurance and Monitoring
Collaborates with the Director of Risk and Assurance to develop an internal audit process and execute annual IT audit projects
Works in conjunction with internal financial auditor to ensure coverage and testing is in place to achieve adequate Model Audit Rule (MAR) compliance, including annual access recertification
Evaluates control deficiencies as identified and reported in internal/external assessments and collaborate with management to develop appropriate corrective actions
Effectively communicates and escalates, as necessary, any control deficiencies, gaps or at risk actions
Partners with internal information technology business owners to discuss and evaluate implementation of IT controls, collectively develop deployable solutions, and to report to the leadership team
Assesses corrective action plan control improvements and verifies they have been implemented effectively, and reports status and concerns to the leadership team
Works directly with process owners and management and participates in walkthroughs of IT control processes and system controls (e.g., planning, systems development and product selection) to assist in the design and implementation of controls (manual and automated) in IT processes and systems in light of risks, strategic objectives, and regulatory requirements. Prepares reports for leadership that represent process understanding and recommended control improvements or actions
IT Assurance Audits, Engagements, and Risk Assessments
Serves as the internal liaison with auditors/consultants for the annual SOC1/SSAE-16 IT audit, IT Components of the annual financial audit, and annual HIPAA Security risk assessment by building internal relationships, overseeing document requests, and providing guidance to operational owners in response to external findings
Evaluates initial findings from external auditors/consultants in their documentation and/or system understanding. Works with external auditors/consultants to ensure risk and impact is accurate prior to final reporting. Facilitates and assists in the preparation of audit and compliance-related reports, regulatory filings, and management response to internal/external audit as needed
IT Assurance Strategy
Assists the Director of Risk and Assurance Management in the ongoing development of strategic planning and implementation of IT Control Monitoring and Assessment Program
Provides key input to annual department goals and work plans for Committee-level approvals
Manages and directs staff
Monitors industry, legislative and regulatory trends for potential impact and risk in the existing environment
IT Assurance Policies and Procedures
Develops and maintains department policies and procedures as appropriate
Evaluates IT Security policies and procedures and provides improvement recommendations to IT Business Owners
Bachelor’s degree in Computer Science, MIS or related field with five years of relevant experience in information security, technology, risk management, compliance or consulting in a complex technology environment; or an equivalent combination of education and experience.
Demonstrated leadership experience
Advanced business and IT processes, IT risk management, and information security experience required.
Detailed knowledge of industry regulatory environment (e.g. HIPAA, CMS, EOHHS) required
Broad understanding of audit, control, and security standards (e.g., AICPA, ISACA / COBIT, etc.) required.
Solid grasp of concepts on a wide array of technology platforms, controls (ex: ITIL) and IT processes (ex: AGILE, SDLC).
Considerable knowledge of, and skill in applying, internal auditing principles and practices, management principles and preferred business practices
Demonstrated knowledge of security controls for network, database, application and operating systems.
Knowledge of network architectures and design, administrative, technical and physical security controls, Windows Active Directory, Windows server; database and application architecture
Ability to earn trust of sponsors and key stakeholders; mobilize and motivate teams; set direction and approach; resolve conflict; execute with limited information and ambiguity
Ability to think through complex problems, determine proper analytical processes and procedures, independently derive conclusions and present results to management.
Must be able to summarize and communicate technical data to a non-technical audience
Additional Salary Information: Salary plus bonus plan
Internal Number: 1167
About Health New England
At Health New England, our mission is to improve the health and lives of the people in our communities, and we are deeply committed to the individuals we serve every day. Based in Springfield, Massachusetts, we have been meeting the health care needs of our members for more than 35 years. Our passion is taking extraordinary care of our members. Everything we do is built around this simple, deeply held belief.
With a strong focus on excellence of care, Health New England is a not-for-profit health plan that protects employers and individuals in the commercial, Medicaid and Medicare markets. We proudly provide health care coverage for approximately 170,000 members. HNE’s service area in Massachusetts includes Franklin, Berkshire, Hampden and Hampshire counties and part of Worcester County. We also serve Hartford, Litchfield and Tolland Counties in Connecticut. Learn more at www.healthnewengland.org.