Senior Staff IT Controls, Enterprise Applications

About Gusto

At Gusto, we're on a mission to grow the small business economy. We handle the hard stuff — payroll, health insurance, 401(k)s, and HR — so owners can focus on their craft and their customers. With teams in Denver, San Francisco, and New York, we support more than 500,000 small businesses nationwide and are building a workplace that reflects the people we serve.

 
All full-time employees receive competitive base pay, benefits, and equity (RSUs) — because everyone who helps build Gusto should share in its success. Offer amounts are determined by role, level, and location. Learn more about our Total Rewards philosophy.

 
AI is a fundamental part of how work gets done at Gusto. We expect all team members to actively engage with AI tools relevant to their role and grow their fluency as the technology evolves. AI experience requirements vary by role and will be assessed during the interview process.

About the Role:

As the Senior Staff IT Controls you will own, evolve, and scale IT General Controls (ITGCs) across Gusto's enterprise application ecosystem including NetSuite, Workday, Salesforce, and adjacent platforms, serving as the single point of accountability for ITGC design, testing, remediation, and audit readiness. Sitting within the Enterprise Applications organization, you will partner closely with Internal Audit, IT, Security, and Finance to ensure Gusto meets SOX 404 compliance requirements while strengthening our broader risk posture. You will not only maintain a best-in-class controls environment, but will also pioneer the use of AI and automation to make controls testing faster, smarter, and more continuous, transforming assurance from a periodic, manual exercise into a scalable, intelligent capability. In line with Gusto's enterprise risk management strategy, you will reduce manual effort across the compliance lifecycle while raising the bar on control precision and coverage as the company scales. This is a senior, high-impact individual contributor role that blends deep IT controls expertise with a forward-looking vision for AI-augmented assurance, combining technical rigor, cross-functional partnership, and strategic systems thinking to build a controls function that is both audit-ready and future-proof.

About the Team:

This role will report to the Enterprise AIT team, a group focused on driving the intelligent transformation of Gusto’s enterprise systems. The Enterprise AIT team is responsible for integrating AI, automation, and advanced analytics across our internal applications ecosystem to improve scalability, efficiency, and decision-making. Partnering closely with Finance, Business Ops, IT, and Security, the team enables Gusto’s enterprise systems to become smarter, more predictive, and more adaptive. This is a new role, designed to expand the team’s capacity to operationalize AI within enterprise workflows and support Gusto’s broader Enterprise Systems strategy.

Here’s what you’ll do day-to-day:

• Own ITGC design and operation across enterprise applications — including logical access, change management, SDLC, computer operations, and segregation of duties (SoD).
• Lead the 1st-line control environment for in-scope enterprise applications, partnering with application owners and engineering leads to embed controls into operational workflows rather than bolting them on.
• Drive SoD strategy across ERP, HRIS, and CRM — including role design reviews, conflict remediation, mitigating control design, and ongoing monitoring tooling (e.g., Pathlock, SailPoint, Saviynt, native role analyzers).
• Manage the audit lifecycle as the primary 1st-line liaison with Internal Audit, External Audit, and the SOX PMO — walkthroughs, evidence collection, deficiency remediation, and management responses.
• Build AI-native continuous controls monitoring — including LLM-based evidence review, agentic control testing, and automated anomaly surveillance — to eliminate manual evidence collection, shift controls left, and surface exceptions in near real time. Treat AI agents as control operators with the same evidence and validation expectations as human operators.
• Own the controls posture for Gusto's internal AI and automation portfolio. Partner with AI-builder teams across the company (Finance & BizOps, GRC, Engineering) to review internal AI use cases, classify by risk category, and ensure controls, evidence trails, and validation travel with the build — not bolted on after launch. Be the senior 1st-line owner for "do our internal AI builds meet our control standards?
• Lead access governance including provisioning/deprovisioning workflows, periodic user access reviews (UARs), privileged access management, and integration with the IGA platform.
• Govern application change management for in-scope systems — approvals, segregation between developers and production, emergency change handling, and release evidence.
• Mature the controls program by leading rationalization initiatives, control consolidation, and the adoption of automated/preventive controls over manual/detective ones.
• Partner cross-functionally with Security/GRC, Legal, Finance/Accounting, People Operations, and Revenue Operations to ensure controls support — rather than impede — the business.

Here’s what we're looking for:

• 10+ years of experience in IT controls, audit, or enterprise applications governance, with a strong hands-on background operating in the 1st line of defense as a control owner across NetSuite, Workday, and/or Salesforce.
• Deep expertise in SOX 404, COSO, COBIT, and ITGC frameworks, including segregation of duties (SoD) design and remediation across ERP, HRIS, and CRM environments.
• Proven track record leading external audit engagements (Big 4 or equivalent) as the management-side owner, with public company or IPO readiness experience preferred.
• Demonstrated experience building and deploying AI-augmented controls work including agents, LLM-based reviewers, or automated anomaly detection, with the ability to design controls both for and with AI systems.
• Strong judgment on AI risk, including model risk, prompt injection, output validation, and audit trail design, with hands-on familiarity with agentic tooling such as Claude Code, MCPs, or LLM-based evidence pipelines.
• Excellent communicator who can translate complex control concepts for executives, auditors, and engineers, with experience in continuous controls monitoring (CCM) and data-driven assurance approaches.
• Relevant certifications (CISA, CISSP, CIA, CPA, or equivalent) and familiarity with adjacent frameworks including SOC 1/2, ISO 27001, NIST CSF, and PCI DSS are a plus.

Gusto has physical office spaces in Denver, San Francisco, and New York City. Employees who are based in those locations will be expected to work from the office on designated days approximately 2-3 days per week (or more depending on role). The same office expectations apply to all Symmetry roles, Gusto's subsidiary, whose physical office is in Scottsdale.

Note: The San Francisco office expectations encompass both the San Francisco and San Jose metro areas. 

When approved to work from a location other than a Gusto office, a secure, reliable, and consistent internet connection is required. This includes non-office days for hybrid employees.

Our customers come from all walks of life and so do we. We hire great people from a wide variety of backgrounds, not just because it's the right thing to do, but because it makes our company stronger. If you share our values and our enthusiasm for small businesses, you will find a home at Gusto. 

Gusto is proud to be an equal opportunity employer. We do not discriminate in hiring or any employment decision based on race, color, religion, national origin, age, sex (including pregnancy, childbirth, or related medical conditions), marital status, ancestry, physical or mental disability, genetic information, veteran status, gender identity or expression, sexual orientation, or other applicable legally protected characteristic. Gusto considers qualified applicants with criminal histories, consistent with applicable federal, state and local law. Gusto is also committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. We want to see our candidates perform to the best of their ability. If you require a medical or religious accommodation at any time throughout your candidate journey, please fill out this form and a member of our team will get in touch with you.

Gusto takes security and protection of your personal information very seriously. Please review our Fraudulent Activity Disclaimer.

Personal information collected and processed as part of your Gusto application will be subject to Gusto's Applicant Privacy Notice.