IT Auditor Skills
Data classification
NIST/PCI
Systems hardening
Experience: Enclaves, data classification, EAD servers ATO, Privileged Access Management CyberArk project,
firewalls, subnets, BitLocker, AppLocker, LAPS. Systems logging/Splunk. Systems monitoring. Baseline
server hardening.
Account controls
Experience: EAD administration accounts, service accounts and security groups, Group Managed Service
Accounts, least privilege, permissions audit, ADUC Users/computers audit, GPO Audit, account
expirations, DUO, logging, implementing LAPS, CyberArk PAM. DHCP/MAC Filtering and IP reservations.
Account controls via group policy.
Documentation
Experience: Gradschool wiki, Gradschool Mura documentation, Gradschool Tech Newsletter, EAD wiki,
CyberArk wiki. Change Request process and documentation. Documentation for setting
up/upgrading/securing servers. Creating/maintaining asset records for all hardware and software.
Wrote canned responses for replying to high volumes of tickets. Expanded on existing EAD knowledge
base regarding migrating to EAD to make the process easier for IT Units – Created templates for
communicating migration and expectations to end users.
Policy Documentation
Unit consultations/training/consulting
Experience: Teaching background, consulting/training work done at Grad School. Software training at
Grad School (MS Office, Adobe, etc.). User security training at Gradschool/malicious emails.
Onboarding/New User Guide at Gradschool, Mura training at Gradschool, EAD Onboarding for IT Units,
CyberArk onboarding.
Communication skills:
Experience working with users face to face, via phone, Zoom, email, or chat. Experience planning and
organizing consultations for end users. Experience communicating security threats to staff, and
communicating large scale changes, planned outages, etc. Change requests communicated to entire
PSU IT Community via Yammer, NWOFP, etc.
Penn State Internal Audit is seeking to hire an IT Auditor Level 2 or 3 with internal or external auditing
experience. The Level 2 IT Auditor will participate in all aspects of the end-to-end audit and quality
control process to include engagement planning, coordination, and risk identification.
Engagement Planning/Coordination:
Planned unit consultations for onboarding departments/colleges into Enterprise Active Directory
Developed a predetermined list of preliminary questions to help standardize this process, save
time, and streamline onboarding
Developed a post consultation email with “next steps” for units in the EAD migration process
Developed documentation for communication strategies regarding EAD migration
Scheduled migration consultation times, and coordinated test and production migrations.
Formal group trainings with staff from various departments of Graduate School
Planned and coordinated IT Resources for major Graduate School events (Graduate Exhibition)
Planned and coordinated migration to Enterprise Active Directory for Graduate School
Planned and coordinated server upgrades, public website upgrades, ITS Alerts messages
Risk Identification:
Implemented best practices and standards in the environment, such as LAPS and AppLocker. Audited
equipment and user accounts on a routine basis. Audited firewall rules, group policies, and file
permissions.
Determined risk to the organization for a variety of exploits and vulnerabilities – KRACK, Apache Struts,
ColdFusion patches, WannaCry ransomware
Systems hardening with EAD/CyberArk team per Microsoft, PSU, or vendor specifications
The Level 2 IT Auditor will use applicable systems and programs to support and perform the audits,
document audit issues, make recommendations and procedural comments for distribution of findings to
appropriate management and draft reports for assigned audits.
Reported to Leadership Committee at Graduate School regarding a variety of security incidents, exploits
and issues – KRACK, WannaCry, Apache Struts, firmware vulnerabilities, network vulnerabilities.
Provided timely updates regarding the resolution of outstanding issues. Provided monthly PII reports to
all department heads at The Graduate School.
The successful candidate will also monitor and perform follow-up procedures on the status of prior audit
findings and recommendations to ensure that report recommendations are being implemented on a
timely basis.
The Level 3 IT Auditor may also develop audit plans and will be required to assess the level of risk in the
unit/work process under audit. The Level 3 IT Auditor will also identify and document internal controls
related to Information Technology including general infrastructure, application and security controls.
The Level 3 IT Auditor will also provide consultation and participate in projects to ensure that the
University is in compliance with regulations and security standards, such as NIST 800-53, PCI and HIPAA,
and to ensure that controls are in place prior to implementation of new systems. Experience in auditing,
information systems or information systems security in higher education is desirable. Experience in
programming and data analytics with tools such as ACL and CaseWare is also desirable. The Auditor
must have excellent verbal and written communication, analytical and organizational skills; the ability to
work in a collaborative environment; demonstrate strong professional judgment and an ability to work
with a variety of cultures and backgrounds. The successful candidate will be able to work independently
with minimal supervision. Penn State and the Office of Internal Audit are committed to fostering
diversity, inclusion, and equal opportunity. This job will be filled as a level 2, or level 3, depending upon
the successful candidate's competencies, education, and experience. Typically requires a Bachelor's
degree or higher plus two years of related experience, or an equivalent combination of education and
experience for a level 2. Additional experience and/or education and competencies are required for
higher level jobs. Bachelor’s degree in Accounting or Information Systems is preferred for a Level 2 IT
Auditor. A Bachelor’s degree in Accounting or Information Systems and certifications, such as CISA, CPA
or CIA, are preferred for the Level 3 IT Auditor.