IT Domain GRC Specialist Back-Office

The IT Domain GRC Specialist Back Office is responsible for defining implementing and ensuring the effective operation of IT controls within the Back Office domain with a strong emphasis on the Oracle ERP SaaS environment. This role ensures compliance with SOx requirements leads the adoption of AVEVAs Crown Jewel Security Playbook and protects critical assets through governance identification protection detection response and recovery practices.

The role requires close collaboration with Finance HR Business Owners and multiple GRC stakeholders to document control designs manage evidence collection coordinate key dependencies and strengthen Role-Based Access Control (RBAC) across Back Office operations. This position plays a vital role in shaping digital risk management and maintaining a secure and compliant Back Office ecosystem.

• Document control designs for Back Office processes ensuring alignment with Crown Jewel Playbook controls such as stakeholder inventories supply-chain risk management risk assessments data inventories and user access reviews.
• Coordinate and support Control Operators in maintaining structured accurate evidence for control effectiveness including backups vulnerability scans logging and penetration testing results.
• Projectmanage dependencies across teamsensuring timely SOC report reviews (Finance) JML feeds (HR) and user access reviews (Business Owners).
• Strengthen RBAC structures by reviewing roles permissions and access levels to support leastprivilege principles and periodic access certifications.
• Define cybersecurity and dataprotection requirements for Back Office systems especially Oracle ERP SaaS ensuring consistent compliance across services.
• Support readiness and response efforts for cybersecurity incidents within Back Office scope contributing to domainspecific security best practices.
• Identify mitigate and monitor cybersecurity risks related to Back Office activities ensuring protection of Crown Jewel assets.
• Guide teams on Secure Development Lifecycle (SDL) practices ensuring security and privacy requirements are embedded into design and delivery.
• Measure compliance with IT policies set KPIs identify gaps and lead corrective initiatives. Prepare documentation for internal and external audits as well as Executive Risk Committee submissions.
• Ensure SOx compliance through timely evidence collection audit preparation and proactive management of remediation activities.
• Serve as the Digital Risk representative for the domain and collaborate with broader GRC teams as required.

• ISACA (or equivalent) qualification such as CISA CISM or CGEIT.
• Minimum 2 years experience in IT control design assurance or auditing.
• Experience documenting and presenting control recommendations to management.
• Experience estimating remediation costs and distinguishing between oneoff vs recurring expenses.
• Experience collaborating with external and internal auditors with solid understanding of SOx compliance and Crown Jewel asset protection.
• Handson experience with Oracle ERP SaaS including implementing controls for financial and operational processes.
• Strong proficiency in documenting risk and control mappings for audit review.
• Ability to map business processes system workflows and RBAC structures.
• Strong MS Office skills especially Excel PowerPoint Outlook and SharePoint.

• Knowledge of Crown Jewel Playbook controls (e.g. patching MFA data encryption incident response).
• Familiarity with Oracle ERPspecific controls such as database hardening dataflow mapping and supplier security requirements.
• Strong analytical skills and the ability to coach nondirect reports.
• Collaborative mindset with the ability to work across teams while establishing clear accountability.
• High attention to detail when drafting submissions or communications for auditors and stakeholders.
• Proactive approach to identifying improvements and driving evidencebased enhancements.