CareFirst Careers

Senior Compliance & Control Analyst

Resp & Qualifications

Sr. Compliance & Control Analyst (AUDIT)

Job code – SCASR

PURPOSE:  The incumbent will be accountable for audit management, governance and security controls strategy development and associated execution activities. This includes facilitating audit activities with the business and internal or external audit; collaborating with cross-functional teams to identify and mitigate program risk; implementing an operating procedural governance structure; and reviewing evolving privacy and security controls at CareFirst.

PRINCIPAL ACCOUNTABILITIES:  Under the direction of the Manager, Audit Compliance, the principal duties and responsibilities include, but are not limited to, the following:

  • Manage and facilitate external and internal audits, to ensure that appropriate business owners are fully aware of objectives and they can produce and maintain suitable records, reports, and files which adequately document planning, execution, and reporting for all relevant activities pertaining to the focus of the audits and regulations, including documentation and storage of policies and procedures.  Prepare status reports and communicate to management as requested. 
  • Prepare audit work papers, reports, and presentations as requested.  Ensure audit conclusions, findings and recommendations for improvement or corrective action are appropriately presented to management staff for review, and verify that all findings are accurate, complete and objective. Ensure effective remediation plans are developed, tracked and implemented.
  • Utilize audit findings and proactive audit preparatory work to institute technical and procedural controls to mitigate future findings. Work with project business owners to proactively assess and identify privacy, security, business continuity, or organizational risk vulnerabilities in proposed projects, recommending mechanisms or system controls to mitigate the risks.
  • Work with Management and Business to develop an enterprise-wide governance framework, collaborating with interdepartmental groups to ensure widespread adoption, communication and education.
  • Lead development of and manage maintenance of dashboard reporting system to support strategy and business operations decision-making. Manage governance program road map, proposing new activities and leading associated action steps as defined by senior management or an advisory council. Lead assessment of any proposed governance activities to identify overlaps, operational impacts or potential risks.
  • Establish and evolve an internal control self-assessment process, leading its execution throughout CareFirst, designed to improve the technical and administrative safeguards within the organization. Craft action plans and control recommendations to close operational and technical gaps identified by the assessments or audit findings. Assess operational reports to recommend and establish new compliance measures, or IT and business process controls that reduce probabilities of future breaches or audit issues. Propose and oversee detection infrastructure.
  • Recommend and draft organizational SOPs that align the control environment of the organization with changing regulations, risk framework modifications and privacy, security or audit control implementations. Develop, institute and maintain subsidiary procedure repository and change control infrastructure. Coordinate departmental procedure maintenance assessments and enhancements based on control and regulatory changes. Establish governance structure around SOP and management directives and develop associated communications and training materials.


SCOPE DATA:  Develop, manage, and maintain risk, security controls, and governance processes and initiatives—conducting related assessments and organizational program enhancements as needed.

Required: This position requires a Bachelor’s degree in Business Administration, Management Sciences, Information Systems, or other relevant area of study, and 3-7 years of audit coordination, privacy and/or security control, risk management and governance experience, OR total related work experience. Must be able to synthesize complex systems and risk information into a format easily and completely understood by a diverse audience. Individual must have working knowledge of privacy and security regulations, audit management, system controls, business operating processes, and healthcare environment. Audit experience is a plus.

ABILITIES/SKILLS: Incumbent must have excellent interpersonal skills and be able to influence functional managers and decision makers to ensure acceptance of change needs. Must have the ability to communicate throughout all levels of the company. Individual must demonstrate ability to focus on details, creative problem solving, and juggling multiple priorities. Must demonstrate significant comprehension of administrative, physical and technical risk mitigation strategies and ability to identify and assess process controls. Should possess strong analytical and technical writing skills, and be able to communicate and educate using diverse creative outlets. Experience with HIPAA/HITECH, SOC 1, SOC 2, ePHI and/or NIST.

PREFERRED: Master's degree in related field; risk management, security or governance certification; and prior consulting, internal controls, risk and governance strategy execution, and process improvement experience. Certifications such as PMP, CIA, CISM, CISA, ITIL.


Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Please apply before: 6.24.21

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.


The associate is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects.  The associate must frequently talk and hear.  Weights up to 25 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship
