CareFirst Careers

Senior IT Compliance Auditor

Resp & Qualifications

This position will provide oversight of, and contribute to the support of, internal and external audits within the TOS Division. Duties stem from Corporate Audit and Assurance Services (CAAS) engagements, regulatory examinations and vendor software utilization reviews, performed in conjunction with TOS Leadership, Procurement, Legal and Corporate Finance under the direction of the IT Audit Manager. The Senior IT Compliance Auditor supports and oversees the coordination of all TOS-related internal controls, assessments and audits as an individual contributor and as a mentor to IT Compliance Auditors.

These audits generally entail 100+ distinct programs with thousands of underlying activities requiring coordination. These audits and assessments are initiated from a variety of sources:
• Internal: Corporate Audit and Advisory Services (CAAS), Finance, Management
• Regulatory: State or Federal inquiries from regulatory bodies such as the Department of Insurance, Securities, and Banking (DISB), the Maryland Insurance Administration (MIA), the Virginia Bureau of Insurance (VBOI) and the BlueCross BlueShield Association (BCBSA)
• Other external: Large Account Performance Audits (such as the State of Maryland and the City of Baltimore); Vendor Software License Audits

This position facilitates information technology control assessments and compliance activities including, but not limited to, leading and contributing to the documentation of systems and controls and the evaluation of technical risk assessments. The position also conducts IT pre-audit activities, remediation management and tracking, and compliance reporting. Tasks related to information assurance are also performed, including, but not limited to: identification of vulnerabilities, remediation and mitigation, analysis of hardware and software vulnerabilities, identification of priorities, and documentation and conveyance of operational requirements to enhance control capabilities.

This position will also guide staff in support and oversight of the Service Organization Control (SOC) 2 and SOC 2+ assessments, based on the most recent AICPA, PCAOB and US audit guidelines and standards, across the CareFirst enterprise for major systems supporting the company’s critical technical and business processes (e.g. Enrollment, Claims, Billing, Electronic Data Interchange (EDI), Security and Provider Pricing). These assessments are highly complex and nuanced, and require a thorough understanding of risk and of system/application and business internal controls and processes that span all TOS and CareFirst business areas.

PRINCIPAL ACCOUNTABILITIES: Under the direction of the IT Audit Manager, responsibilities include, but are not limited to:
Planning and Execution – control reviews and/or audits

  • Guide and Mentor IT Compliance Auditor staff in the completion of control reviews and/or audits.
  • Drive activities for planning and executing integrated reviews and/or audits as well as IT compliance specific reviews and/or audits (general computer controls, application controls, agreed upon procedures, SOC 2, process improvement, control self-assessment, operational, compliance, etc.). 
  • Analyze and evaluate IT operations and strategies to identify opportunities for improvement in processes and outcomes, and provide technical audit advice relating to systems/operations; systems development, design and controls; systems security; change/project management; business process improvement; complex integrated systems and related computer applications; disaster recovery; across various technical environments (e.g. IBM mainframe, Unix and Windows NT).
  • In advance of formal audits, conducts pre-audits and inspections of the organization’s processes to verify performance and adherence to quality requirements and company policy, and to identify potential or existing risks/problems. Documents findings and makes recommendations for improvements to address known deficiencies.
  • Assure deficiencies are appropriately addressed.
  • Prepares audit reports, findings, recommendations, and presentations as requested including using and leveraging the GRC tool and repository (e.g. MetricStream and SharePoint).

Internal and External Audit Support

  • Throughout review and/or audit assignments, identify and maintain a repository of best practices and benchmarking information related to CareFirst’s IT business operations. 
  • Maintain a repository of audit issues and relative corrective action plans and update management on outstanding issues and potential risks on a scheduled basis (e.g. SharePoint; MetricStream).
  • Interfaces with and assists outside auditors to expedite their work.
  • In conjunction with internal and external audit teams participate in and conduct walk-through activities/meetings, collection of evidence, entrance and exit conferences with auditors, and auditees.
  • Prepares and/or participates in the creation of audit reports, documents findings, recommendations, and creates presentations as requested including using and leveraging the GRC tool and repository (e.g. MetricStream and SharePoint).
  • Create management action plans in conjunction with TOS leadership to address identified deficiencies in a timely manner.
  • Track and monitor remediation activities to satisfy and bring closure to internal and external audit Issue Memorandums (IM).

Participate in continuous monitoring and improvement activities to assure continued compliance with changing audit and compliance standards.

  • Establish and maintain close working relationships with control owners, internal audit and external audit.
  • Develop teamwork and synergies among personnel throughout the organization working closely with counterparts within CAAS and the Finance SOC 1/MAR audit teams; as well as external regulatory agencies and audit firms.
  • Participate in consultative assignments to ensure adequate internal controls are incorporated prior to implementation and that risks are appropriately considered at the process and enterprise levels.
  • Provide technical advice to technical teams in the development or modification of internal systems controls during systems development or enhancement.
  • Provide consulting services and best practices to drive continuous improvement to internal processes and controls.

Special Projects
Perform moderately complex special projects as assigned by management, including, but not limited to, corporate initiatives and day-to-day projects pertaining to audit and non-audit activities.
Participate in and support special projects in a preventative control capacity, consisting of business process improvements, reengineering and corporate initiatives. This includes conducting requirements analysis, risk assessments and quality assurance reviews to identify control gaps or issues that impact established control objectives and other auditing standards for both internal and external audits.

Required: This position requires a BS/BA degree in Business Administration, Information Systems, Finance, Accounting, similar major or a minimum of 3 years’ experience in an IT or Audit business advisory services role.  Maintaining or in the process of obtaining an audit Certification in relevant IT, Security, or auditing field is also preferred.

Abilities/Skills: Candidate must be able to show ability to lead teams.  Candidate must adequately understand information technology and auditing techniques, concepts and principles.  Candidate must be knowledgeable of internal controls, general computer controls, and application controls.  Candidate must possess considerable judgment, tact, initiative, accuracy and trustworthiness, as well as excellent interpersonal skills with ability to build consensus and agreement and bring resolution to contentious issues and entrenched interests.  Must be highly motivated, organized, and committed to professional development, with demonstrated progression and achievement.  Ability to work independently with minimal supervision is required, as well as ability to work effectively in a team-oriented atmosphere.  Candidate must have highly developed oral and written communication skills to effectively communicate information technology, auditing information and business risks to a non-technical audience.  Candidate must adequately understand general project management skills relevant to performing audit functions and responsibilities. 

Candidate must be able to effectively work in a fast paced environment with frequently changing priorities, deadlines and workloads that can be variable for long periods of time.  Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence.  Must be able to effectively communicate and provide positive customer service to every internal and external customer, including customers who may be demanding or otherwise challenging.

Must be experienced and proficient with Word, advanced Excel, database management and related software applications; possess excellent oral and written communication skills; and be able to communicate with and make presentations to management and associates at all levels throughout the Company. Additional qualities are good analytical skills, judgment and strong decision-making abilities.

Preferred: Hands-on experience with the implementation, support, or assessment of information technology hardware, software or database administration. Possess certification as a CPA, CIA, CISA or comparable certification; advanced degree; healthcare insurance industry experience.



Department: Budget, Sourcing & Assurance

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Please apply before: 9/6/2018

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.

The employee is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects. The employee must frequently talk and hear.  Weights of up to 25 pounds are occasionally lifted.

The physical demands described here are representative of those that must be met by an employee to perform the essential duties and responsibilities of the position successfully. Requirements may be modified to accommodate individuals with disabilities. Travel among CareFirst sites is required.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship
