Location
Princeton, NJ, United States
Posted on
Jun 26, 2020
Profile
At Bristol Myers Squibb, we are inspired by a single vision - transforming patients' lives through science. In oncology, hematology, immunology and cardiovascular disease - and with one of the most diverse and promising pipelines in the industry - each of our passionate colleagues contributes to innovations that drive meaningful change. We bring a human touch to every treatment we pioneer. Join us and make a difference.
Position Purpose
The Manager role within the Business Controls Function (BCF) for the Information Technology cycle will support Bristol-Myers Squibb's risk management initiatives, and those of the internal controls department, for the information technology (IT) area. The BCF resides in the second line of defense (per the Institute of Internal Auditors' three lines of defense model), directly supporting the controllership function and partnering with Finance, business operations, functional leads and senior management. This position reports directly to the Director, BCF Information Technology. The individual will be a key contributor to the Company's overall enterprise risk management and is based in Princeton, New Jersey.
The Manager will represent BCF, in close partnership with IT Quality Management (ITQM), as a subject matter expert in general computer/application controls, including anti-fraud and segregation of duties risks. The Manager will also be responsible for ensuring that risk associated with key IT third-party service providers is addressed, including Software as a Service (SaaS) and Business Process as a Service (BPaaS) providers, and for the related collection and analysis of service auditor reports. This role will act as an advisor to other BCF cycles and business partners across the Company in areas of IT and automation risk. The Manager will also support major system implementations that impact our global financial processes, including our planned global SAP implementations, to ensure that the risk to our control environment is minimized and all of our key controls remain stable.
The Manager will work closely with ITQM to support the evaluation of the adequacy of application/automated controls supporting financial processes, Global Internal Audit & Assurance (GIA) IT-related findings, changes in the Company's control environment, and other IT-related matters. The Manager will also support the execution of a comprehensive risk assessment for Sarbanes-Oxley compliance, designed to identify changes to people, process, technology and other risks, to risk-rank the IT control environment, and to develop risk-based test plans in partnership with the Company's IT leadership.
Key to the success of the Manager is knowledge and experience in IT risk management, the ability to identify risks resulting from deviations from standard processes, and the ability to collaborate with key management in the BCF, Global Internal Audit & Assurance, Business Process Owners and IT owners, gaining the confidence and cooperation of global process owners and functional managers. The Manager has deep subject matter expertise in enterprise risk management, information technology application and general computer controls, the Sarbanes-Oxley Act and COSO Framework, and related IT frameworks (e.g., COBIT).
Duties & Responsibilities
Governance
Regularly engage with management in the IT processes to proactively identify and mitigate financial, operational and fraud risk, serving as subject matter expert in the end-to-end processes for this cycle.
Ensure that the BCF has appropriate stakeholder engagement with all key executives in areas of IT risk.
Collaborate with BCF, operational and ITQM leaders to build a controls-driven culture from an IT perspective across BMS.
Maintain a formal stakeholder engagement plan for relationship management with the key leaders in these processes.
Consult outside resources as necessary, including trade groups and management consulting firms, to remain abreast of technological and other developments and to drive process improvement and simplification opportunities.
Deliver training and presentations to the BCF network regarding significant IT general computer controls, application controls, systems, network architecture, and database control environments.
Sarbanes-Oxley & Sub-Certification Activities
In partnership with ITQM, responsible for Sarbanes-Oxley compliance and for supporting management's assertion on the effectiveness of internal controls over financial reporting with respect to the Company's information technology controls.
Contribute to SOX scoping and testing decisions annually, including quantitative and qualitative considerations such as history and trend of control deficiencies, changes in people, process, technologies, and similar considerations.
Coordinate with ITQM to complete the annual walk-throughs of internal controls for the IT cycle for BCF management and the Company's external auditors. Update process flows and related narratives as necessary.
Meet with key business leaders in these functions to ensure the controls documentation accurately reflects current practices and procedures.
Review Sarbanes-Oxley testing that the IT Quality Management team executes and documentation gathered to support walkthroughs with the Company's external auditors.
Identify and evaluate complex business and technology risks, internal controls which mitigate risks, and related opportunities for internal control improvement.
Make recommendations for corrective action to improve controls, enhance operations, and increase efficiency. Adapt to the ever-changing compliance landscape and keep abreast of the latest IT threats, mitigation techniques, etc.
In coordination with ITQM, review the aggregation and evaluation of all control deficiencies in areas of responsibility, including pervasiveness assessment across all end-to-end processes. Directly lead analysis of potential significant deficiencies, material weaknesses in control, and any control deficiency involving potential fraud or misappropriation of BMS assets, including drafting of whitepapers for BCF leadership.
Prepare and deliver presentations on the status of control deficiencies to senior management and the Company's external auditors.
Risk Assessment
Collaborate with IT owners to complete a comprehensive financial, operational and fraud risk assessment from an IT perspective to support the Company's approach to Sarbanes-Oxley scoping and testing (i.e., a qualitative risk assessment in partnership with key IT and operational leadership).
Maintain a close working relationship with functional IT leaders and digital capability management to understand their operational challenges and engage in collaborative problem-solving.
In partnership with ITQM, follow up with BPOs to ensure prompt and thorough implementation of risk mitigation activities.
Present to BCF and other leadership on the results and status of issues identified in this risk assessment. Collaborate with BCF senior leadership to incorporate suggestions into the risk management framework.
Audit Support
Facilitate all GIA activities related to Information Technology audits, including attending meetings, understanding observations, interpreting policy and procedure, determining whether audit findings represent SOX deficiencies, and contributing to the development of innovative remediation and process improvement opportunities.
In partnership with ITQM, follow up with BPOs on all remedial activity in response to audit observations to ensure prompt and thorough completion and sustainable control improvement.
Third-Party Risk Management
Proactively address Sarbanes-Oxley risks to internal controls over financial reporting posed by service providers.
Coordinate closely with ITQM on the evaluation (and completeness thereof) of service auditor reports (SOC 1, SOC 2) where necessary, including evaluation of the adequacy of mitigating controls required as a result of service provider control failures, and of the complementary user entity controls BMS must operate internally because they are not addressed at the service provider.
Project & Other Areas
Responsible for the Company's segregation of duties controls and risk mitigation, including role conflict resolution, for SAP, Oracle and other applications that have an impact on the Company's controls over financial reporting.
Analyze ServiceNow Vitalize problem management data for potential breakdowns in IT internal controls and SOX deficiencies, and for early warning signals of risk trends.
Develop continuous improvements to the financial and operational business risk function, including contributing to policy development.
Provide guidance and input on all corporate financial/compliance systems implementations to ensure the appropriate internal controls over financial reporting from an IT perspective are in place. Contribute to IT operational considerations in such projects.
Support process improvement projects from an IT perspective with a focus on enhancing controls effectiveness.
Adapt to the ever-changing compliance and risk landscape and keep abreast of the latest IT threats, mitigation techniques, etc., including cyber security threats.
Contribute to robotic process automation (RPA) initiatives by evaluating controls. Propose opportunities to enhance manual controls through automation.
Education/Experience
BA/BS in Computer Science, Information Systems, or a related IT or financial field.
7-10 years of experience in a top public accounting firm focused on IT audits and/or operational IT risk management experience in a complex global public company.
Knowledge of the accounting and financial reporting processes of a large global public company.
Possession of, or desire to obtain, the Certified Information Systems Auditor (CISA) or an equivalent certification. Other certifications such as Certified Public Accountant (CPA), Certified Internal Auditor (CIA) or Certified Fraud Examiner (CFE) are also desirable.
Effective client service and communication skills, both verbal and written.
Experience with IT foundational concepts (e.g. Change Management, Logical Access, IT Operations, and Security) and the associated risks and controls within these processes.
Experience with SAP and Oracle ERP is strongly desired.
Knowledge of IT general computer controls, application controls, operating systems, and network and database control environments.
Desire and ability to work in a team environment.
Deep understanding of the Sarbanes-Oxley Act, including sections 302 and 404, the COSO Framework, and Public Company Accounting Oversight Board (PCAOB) promulgations.
Experience working and collaborating with an external auditor in a public company environment.
Experience evaluating risk with third-party SaaS and BPaaS service providers.
Strong understanding of internal controls, continuous monitoring processes, and segregation of duties conflicts.
Strong, proven leader, influencer, change agent, and executive presence.
Work well in an environment of complexity and uncertainty, with global perspective.
Ability to execute a solution in a confident and successful manner.
Excellent verbal and written communication skills.
Ability to display tact and diplomacy in difficult situations.
Process and control documentation experience, plus experience with process enhancement, systems implementation and working in a transformational environment, required.
Ability to manage multiple projects and competing priorities, while working independently with speed and accountability.
Ability to work with a range of technically and culturally diverse people.
Strong written and verbal communication to facilitate relationship building with peers and senior management. Comfort presenting to senior management.
Around the world, we are passionate about making an impact on the lives of patients with serious diseases. Empowered to apply our individual talents and diverse perspectives in an inclusive culture, our shared values of passion, innovation, urgency, accountability, inclusion and integrity bring out the highest potential of each of our colleagues.
Bristol Myers Squibb recognizes the importance of balance and flexibility in our work environment. We offer a wide variety of competitive benefits, services and programs that provide our employees with the resources to pursue their goals, both at work and in their personal lives.
Company: Bristol-Myers Squibb
Req Number: R1526999_EN
Updated: 2020-06-26 00:00:00.000 UTC
Location: Princeton, New Jersey
Bristol Myers Squibb is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected veteran status, pregnancy, citizenship, marital status, gender expression, genetic information, political affiliation, or any other characteristic protected by law.