IT Audit & Compliance Analyst

IT Audit & Compliance Analyst

The IT Audit & Compliance Analyst is responsible for driving audit execution and regulatory compliance efforts across the organization, with primary accountability for HITRUST, PCI DSS, and SOC 2 frameworks. This role serves as the operational liaison between regulatory standards and internal business/technical teams, ensuring requirements are accurately interpreted, implemented, documented, and successfully validated during external assessments. The ideal candidate has hands-on experience translating complex compliance standards into actionable requirements, coordinating enterprise-wide evidence collection, and confidently presenting documentation to external auditors.

Key Responsibilities

• Regulatory Interpretation & Requirement Translation
• Audit Coordination & Evidence Management
• Cross-Functional Collaboration
• Audit Presentation & External Auditor Engagement

Regulatory Interpretation & Requirement Translation

• Interpret and operationalize requirements from HITRUST CSF, PCI DSS, and SOC 2 standards.
• Analyze regulatory language and translate it into clear, implementable control requirements for IT, Security, Engineering, Infrastructure, HR, and Business Operations teams.
• Identify applicability of specific requirements based on system architecture, data flows, and business processes.
• Document compliance narratives that clearly articulate how organizational processes satisfy regulatory criteria.
• Maintain traceability between regulatory requirements and implemented controls.

Audit Coordination & Evidence Management

• Lead end-to-end audit readiness activities for HITRUST certification, PCI DSS assessments (SAQ or ROC), and SOC 2 Type I/II examinations.
• Develop and manage structured evidence request lists across departments.
• Partner with system owners, application teams, infrastructure teams, and business stakeholders to collect accurate, complete, and audit-ready documentation.
• Validate evidence for completeness, accuracy, and alignment with auditor expectations prior to submission.
• Maintain organized audit repositories and version-controlled documentation.

Cross-Functional Collaboration

• Serve as the primary point of contact between auditors and internal departments.
• Conduct preparatory sessions with stakeholders to ensure clarity on audit expectations.
• Guide teams in producing defensible documentation and system artifacts.
• Resolve gaps or ambiguities in evidence through structured follow-up and remediation tracking.
• Foster accountability for compliance obligations across the enterprise.

Audit Presentation & External Auditor Engagement

• Present policies, procedures, and technical evidence directly to external auditors.
• Provide structured walkthroughs of systems, processes, and compliance narratives.
• Respond to auditor inquiries with clear, technically accurate explanations.
• Defend evidence positions using regulatory language and documented standards.
• Manage follow-up requests and supplemental documentation throughout the audit lifecycle.

Required Qualifications

• Bachelor's degree in Information Systems, Cybersecurity, Computer Science, Accounting, or related field.
• 3+ years of experience in IT audit, compliance, or GRC functions.
• Direct experience supporting or leading: HITRUST CSF certification, PCI DSS compliance initiatives, SOC 2 Type I and Type II audits.
• Demonstrated experience interpreting regulatory frameworks and translating them into internal compliance requirements.
• Experience coordinating multi-departmental evidence collection efforts.
• Experience presenting documentation and responding directly to external auditors.
• Strong documentation, organizational, and stakeholder management skills.

Preferred Qualifications

• Professional certifications such as: CISA, CRISC, CISSP, PCI ISA, or HITRUST CCSFP.
• Experience with compliance automation or GRC platforms (e.g., Archer, ServiceNow GRC, Vanta, Drata).
• Familiarity with cloud environments (AWS, Azure, GCP) and cloud security controls.
• Understanding of HIPAA, NIST CSF, ISO 27001, or other regulatory frameworks