The Compliance & Audit Specialist designs, implements, and assesses internal controls across IT and Development operations at Madiba. This role ensures sustained compliance with SOC 1, SOC 2, ITGC, and SOX frameworks - embedding audit readiness into day-to-day operations, SDLC phases, and DevOps pipelines - while partnering with IT, Development, Finance, and Business teams to prepare the organization for external audits with confidence.
Key Responsibilities
1. Control Frameworks & Standards
• Implement ITGC across Change Management (version control, approvals, rollback), Logical Access (provisioning, PAM, access reviews), and IT Operations (job scheduling, backup/recovery, incident management).
• Design and maintain SOC 2 Type II controls across all five Trust Service Criteria; align SOC 1 (SSAE 18 / ISAE 3402) controls for financial reporting integrity.
• Integrate SOX Sections 302 & 404 into ITGC for financially significant systems; map controls to ISO 27001 and ISO 22301 for cross-standard alignment.
2. SDLC & DevOps Compliance
• Embed ITGC and SOX compliance checkpoints across all SDLC phases (requirements through deployment), including segregation of duties, code review mandates, secure coding standards, and environment segregation (Dev / QA / UAT / Prod).
• Assess DevOps toolchains (CI/CD, repositories, configuration management) against ITGC requirements; enforce least-privilege access and SOX-compliant pipeline permissions.
• Document compliance evidence from SDLC activities for audit walkthroughs and control testing.
3. Risk Management & Audit Readiness
• Conduct periodic risk assessments and gap analyses against SOC 1, SOC 2, ITGC, and SOX benchmarks; prepare comprehensive audit evidence packages (narratives, walkthroughs, supporting documentation).
• Coordinate end-to-end external audit engagements (planning, fieldwork, closure); track and remediate findings within agreed timelines, escalating systemic issues to the Head of IS&C.
• Maintain a risk register and control deficiency log; lead BIA exercises for SOC 2 Availability (RPO/RTO); report control maturity trends to senior management quarterly.
4. Governance, Documentation & Continuity
• Develop and maintain audit-ready documentation: IT security policies, control procedures, risk registers, and RACMs; maintain a unified controls inventory mapped to SOC 1, SOC 2, SOX, and ISO standards.
• Support ITGC testing cycles (self-assessments, walkthroughs, design/operating effectiveness testing); prepare compliance dashboards for stakeholder visibility.
• Develop incident escalation protocols affecting financial reporting or SOC 2 criteria; participate in DR drills and tabletop exercises to validate SOC 2 Availability controls.
Required Skills & Experience
Technical & Domain Expertise
• Strong working knowledge of SOC 1 (SSAE 18), SOC 2 Trust Service Criteria, ITGC domains, and SOX Sections 302 & 404; hands-on experience across all three ITGC areas (Change Management, Logical Access, and IT Operations).
• Practical experience applying ITGC and SOX controls within SDLC and DevOps environments (CI/CD, Git-based workflows, IaC); familiarity with AWS, Azure, or GCP compliance implications.
• Understanding of ISO 27001 (ISMS) and ISO 22301 (BCMS) control frameworks.
Audit, Risk & Soft Skills
• Full audit lifecycle management: planning, scoping, walkthroughs, control testing, and remediation tracking; experience preparing Type I and Type II audit evidence artifacts.
• Ability to perform independent gap analysis and risk assessments across multiple frameworks simultaneously.
• Excellent written and verbal communication - able to convey technical compliance requirements to non-technical stakeholders; collaborative across IT, Development, Finance, and Legal functions.
Preferred Qualifications
• Bachelor's or Master's degree in Computer Science, Information Systems, Cybersecurity, or a related field.
• Professional certifications: CISA (strongly preferred); CPA with SOC specialization; CISSP, CISM, or ISO 27001 Lead Auditor/Implementer; AWS/Azure security or compliance certifications.
• Prior experience in a Big 4 or mid-tier audit firm conducting IT audit or advisory engagements.
• Experience with GRC platforms (ServiceNow GRC, Archer, Vanta, Drata, or similar) for control automation; exposure to cloud-native SOC 2 readiness and continuous compliance tooling.