Director, External Audit Engagement

Director, External Audit Engagement

The Role

The Fidelity Enterprise Cybersecurity Governance, Risk and Compliance (GRC) Product Area is seeking a Director, External Audit Engagement to play a leadership role within ECS to ensure successful engagements with independent third-party audit firms.  Such third-party firms are hired to assess Fidelity’s control environment and attest to the design and operation of cybersecurity controls, following industry-standard frameworks.  The Director will introduce ECS product areas to the requirements within the certification frameworks and will work with line managers to ensure that controls are designed in accordance with framework requirements and are operating in accordance with defined procedures.  As 3rd party assessments are conducted, the Director will assist product area teams as needed with gathering evidence to demonstrate control effectiveness and will work to resolve or explain potential exceptions.  The Director will oversee the timely issuance of draft and final reports attesting to Fidelity’s cybersecurity control environment.  Throughout the engagements the Director will work closely with Enterprise Technology and Risk Analysis (ETRA) External Audit Center of Excellence and with relevant BU information technology organizations.

Success in this role will be demonstrated by well-managed external audit engagements resulting in unqualified opinions and/or certifications of Fidelity’s cyber control environment. These audit engagements and frameworks cover SOC1/2/3, ISO 27001, NIST CSF/800-53, HITRUST, and PCI-DSS, among others.  The successful incumbent will also have familiarity with laws and regulations which impose information security requirements on Fidelity’s businesses, including HIPAA, GLBA, FFIEC, CFTC, and GDPR, to name a few.  This will permit the successful incumbent to work with colleagues in GRC to coordinate compliance activities across ECS product areas.  By working across Fidelity and achieving unqualified reports from 3rd party assessors, the External Audit Engagement team assures clients that they can select Fidelity with confidence to administer company benefit plans and to process and safeguard customer transactions and accounts.

The Expertise and Skills You Bring

• Proven knowledge of IT risk and cybersecurity functions and how they contribute to Fidelity’s mission and success.

• Extensive knowledge of audited cybersecurity frameworks and standards, including AICPA’s SOC 1, SOC 2, and SOC 3, including all SOC 2 trust principles; Payment Card Industry’s Data Security Standard; HITRUST; ISO/IEC 27000 family

• Experience and knowledge managing projects end-to-end, with demonstrable ability to communicate progress effectively across multiple lines and levels.

• Understanding of NIST Cybersecurity Framework core standards

• Bachelor’s degree in a technology or a computer science subject area a plus

• 7+ years working in IT assurance for a 'Big 4' or similar audit firm and experience with Fortune 500 clients.

• Cybersecurity certifications a plus

• Prior experience in a cybersecurity role (policy, operations, technology) or in an IT risk role
• Ability to quickly establish trust and a positive rapport with ECS business partners and BU stakeholders.

• Independent worker; high sense of ownership; 'focus and finish' attitude.

• Ability to influence product areas to prioritize external assessments in product roadmaps and backlogs.

• Ability to manage multiple priorities independently; proactive approach to defining issues and resolving open questions.

• Ability to effectively facilitate and follow up on business meetings, present information to groups with the appropriate degree of formality.

• React quickly to requests; bring a sense of urgency to respond to inquiries.

• Data analysis and synthesis; working knowledge of MS-Excel

The Value You Deliver

• Help to win and retain business for Fidelity by demonstrating the depth and breadth of Fidelity’s cybersecurity program.

• Manage third-party assessments in a manner which minimizes risk for Fidelity.

• Review exceptions or findings on final reports and support their ultimate remediation.

• Center of excellence and expertise for external audit processes, value and outcomes

The Team

Members of the Compliance Center of Excellence within the GRC Product Area are charged with knowing the external requirements and standards to which Fidelity is held.  They make certain that Fidelity ECS has appropriate policies and controls which align to these standards, and they work with Product Area teams to produce evidence supporting the policies and controls.  The external requirements include federal and state laws, regulations, guidance, best practices, and industry expectations.  Members of the team engage with external assessors and examination staff periodically to provide evidence of control.

Placement in the range will vary based on job responsibilities and scope, geographic location, candidate’s relevant experience, and other factors.

Base salary is only part of the total compensation package. Depending on the position and eligibility requirements, the offer package may also include bonus or other variable compensation.   

We offer a wide range of benefits to meet your evolving needs and help you live your best life at work and at home.  These benefits include comprehensive health care coverage and emotional well-being support, market-leading retirement, generous paid time off and parental leave, charitable giving employee match program, and educational assistance including student loan repayment, tuition reimbursement, and learning resources to develop your career.  Note, the application window closes when the position is filled or unposted.

Please be advised that Fidelity’s business is governed by the provisions of the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, the Investment Company Act of 1940, ERISA, numerous state laws governing securities, investment and retirement-related financial activities and the rules and regulations of numerous self-regulatory organizations, including FINRA, among others. Those laws and regulations may restrict Fidelity from hiring and/or associating with individuals with certain Criminal Histories.

Most roles at Fidelity are Hybrid, requiring associates to work onsite every other week (all business days, M-F) in a Fidelity office. This does not apply to Remote or fully Onsite roles.