Senior IT Auditor
About Ethos
Ethos is a leading life insurance technology company on a mission to protect families by democratizing access to life insurance and empowering agents at scale. With its robust three-sided technology platform, Ethos is transforming the life insurance experience for consumers, agents, and carriers alike. Ethos offers instant, accessible products and a seamless online process that requires no medical exams and just a few health questions; it eliminates traditional barriers, making it easier than ever for everyone to protect their families. Ethos is redefining how life insurance is bought, sold, and underwritten.
About the role:
The Senior GRC Analyst is responsible for supporting the organization's information security governance, risk, and compliance activities. This role involves ensuring that the organization’s security policies, procedures, and practices are aligned with regulatory requirements, industry standards, and best practices. The ideal candidate will have a strong understanding of information security and privacy principles, third-party vendor risk management, ITGC and SOC 2 audit controls, and the ability to communicate complex security issues to various stakeholders.
Duties and Responsibilities:
1. Audit Governance & Strategy
- Evaluate the design and effectiveness of IT governance frameworks to ensure compliance with SOX 404 and organizational objectives.
- Ensure alignment of IT controls with business objectives and regulatory requirements.
- Perform independent assessments of the IT control environment to identify gaps in the governance structure.
2. SOX Compliance & Internal Controls
- Lead the end-to-end execution of IT General Controls (ITGC) testing across domains including Logical Access, Change Management, and IT Operations.
- Perform walkthroughs and testing of Automated Application Controls and Manual-Dependent Controls to ensure system-generated data is reliable.
- Assess Segregation of Duties (SoD) within key ERP systems and financial applications, identifying and validating mitigating controls where necessary.
- Execute rigorous testing of Information Produced by Entity (IPE) and Information Used in Control (IUC) to ensure completeness and accuracy.
- Perform SOC 1 and SOC 2 Type II report evaluations, specifically mapping Complementary User Entity Controls (CUECs) to internal control environments.
- Identify, document, and communicate control deficiencies (SD/MW) to stakeholders and track remediation efforts to completion.
3. Risk Management & Process Optimization
- Assist in the annual Top-Down Risk Assessment (TDRA) to define the scope of the IT SOX program.
- Conduct targeted pre-implementation reviews for new systems or significant process changes to ensure "security by design" and auditability.
- Partner with business and IT process owners to provide technical expertise on control design and process optimization.
- Stay current on PCAOB trends and emerging IT audit methodologies to improve audit efficiency.
4. Reporting and Documentation
- Maintain comprehensive and accurate workpapers related to SOX compliance, meeting "reperformance" standards.
- Prepare and present audit findings and executive summaries on the organization's compliance status to senior management.
- Ensure all documentation is in compliance with Internal Audit standards and external auditor expectations.
Qualifications and Skills
- Bachelor’s degree in Accounting Information Systems (AIS), Management Information Systems (MIS), Finance, or a related field.
- Experience: 4-5+ years of direct experience in IT Audit, preferably within a large-scale corporate environment or a professional services firm.
- Technical Expertise: Extensive experience in ITGC testing, SOX 404 requirements, and testing of automated business process controls.
- Strong understanding of IPE/IUC requirements and the ability to validate data integrity from source to report.
- Proficiency in auditing diverse environments (e.g., AWS/Azure cloud, SAP, Oracle, or SQL databases).
- Extensive experience in SOC Report analysis with hands-on expertise in interpreting SOC 1 Type II Bridge Letters and CUECs.
- Excellent communication skills, with the ability to convey technical control deficiencies to financial controllers and process owners.
- Certifications: Relevant certifications such as CISA (required), CISSP, CPA, or CIA are highly desirable.
Don’t meet every single requirement? If you’re excited about this role but your past experience doesn’t align perfectly with every qualification in the job description, we encourage you to apply anyway. At Ethos we are dedicated to building a diverse, inclusive and authentic workplace.
We are an equal opportunity employer. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. Pursuant to the SF Fair Chance Ordinance, we will consider employment for qualified applicants with arrests and conviction records.
To learn more about what information we collect and how it may be used, please refer to our California Candidate Privacy Notice.
Recruitment Notice: Please be aware of recruitment scams. All legitimate communication from our team will only come from email addresses ending in @ethos.com or @getethos.com.
We will never ask for payment, banking details, or sensitive personal information during the hiring process. If you are contacted by someone claiming to represent us from a different email address, please treat it as fraudulent.