Summary

Dynamic and visionary professional driving positive change and with 17+ years of progressive experience in the auditing/ assurance, consulting, risk, compliance, financial/ accounting, and IT/ security fields delivering risk-based audit plans, deploying audit/ assurance resources efficiently and effectively through risk-assessment processes, and using the audit process to identify opportunities for improving quality, performance, and operations. Extensive experience reporting relevant issues and recommendations to executive leadership, Audit Subcommittee, and Board, and following up on corrective actions plans and recommendations to ensure issues are addressed and risk is mitigated. Excellent interpersonal, leadership, project management, and collaboration skills essential to effectively build confidence and trust with the team, management, and clients. Strategic and analytical thinker, coach, trainer, and mentor who likes to participate and support the team, fast-paced, results driven, attentive to detail, and flexible. Communicate effectively verbally and in writing (fluent in English and Spanish). Inspire teamwork and innovate to enhance the effectiveness of deliverables and services. Trusted and respected by clients and colleagues as a knowledgeable valued professional. Produce timely and quality work. Enjoy building and maintaining networks of client and stakeholder relationships. Available to travel 50%+ of time.

Expertise Highlights

Functional Expertise

Technical Expertise

Leadership Expertise

Auditing and consulting

Root cause analysis

Project management

Audit plan/ program development

Risk assessments and management (enterprise, project, annual)

Internal control process

Auditing and accounting standards and frameworks (GAGAS, GAAS, GAAP, COSO, IPPF, etc.)

Financial management

Business development

Benchmarks evaluations

Continuous monitoring

Pre/ post implementation reviews

Process improvement

Accounting

Liaison with internal/ external entities

Reporting mechanisms

Strategic planning

Corrective action plans

Business consulting

Compliance management

Business operations

Audit planning, scoping, initiation, execution, and delivery

Stakeholder management

Performance measures/ metrics

Peer reviews

Governance and ethics maturity assessment

Recommendations for improvement

Fraud and ethics compliance and management

IT management/ project management

IT systems analysis, evaluation, and enhancement

IT/ security risk assessments and management

IT/ security/ cybersecurity and regulatory compliance and frameworks (FISMA, NIST, SOC/ SSAE, PCI, TAC, HIPAA, CoBIT, ISO 27000, SOX, GDPR, CMMI, PMBOK, CFR, CJIS, SAP, etc.)

ERP security controls

IT general and process controls

Application controls

Logical access controls, physical, and environmental controls

System validation controls

Development process and methodologies (Hybrid, Waterfall, Agile, etc.)

Data and gap analysis

Data reliability assessments

Service level management

Governance, risk, data, and privacy compliance

Issue tracking and management

Incident management

Data management and classification

Back-up, recovery, continuity of operations

RACI charts

Tools: MS Office (Word, Excel, Access, PowerPoint, Notes), TeamMate, SharePoint, Visio, scanning (Nessus, Oscanner, NMAP, App Scan), SalesForce, IT Service Management (Remedy), IT Financial Management, Service Flow, ColorCodeIT, RSA Archer

Leadership and management

Strategic oral and written communication

Presentation and public speaking skills

Team building

Executive level engagement, negotiation, and collaboration

Staff development

Performance management

Anticipation of issues/ problem solver

Training/ coaching/ supervision

Work History

Duration

Company

Work Experience

October 2018 – present

NTT Data

Security Risk and Compliance

Contractor

Developing a formal framework for assessing and gathering documentation for security governance, risk, and compliance

Leading, reviewing, documenting, and implementing security processes that adhere/ align to security policies and organizational regulations

Designing and performing periodic testing to ensure continued compliance

Performing gap analysis, preparing interim and final reports, and making recommendations for security compliance and remediation, including security definitions, testing, and management of residual risk, compensating controls, and process/ policy enhancements

Building a continuous improvement program (ECM, policies and procedures, RACI, reporting/ compliance tools, SMEs team, etc.)

February 2001 –

September 2018

State of Texas

Department of Information Resources (DIR) –Internal Audit Director

Department of Assistive and Rehabilitative Services (DARS) – Audit Manager

Texas Commission on Environmental Quality (TCEQ) –

IT Senior Auditor

Health and Human Services Commission (HHSC) –

IT Auditor

Department of Aging and Disability Services (DADS) – Senior Auditor

Conducted complex high risk projects, audits, consulting activities, non-audit services, investigations, and other reviews and assessments designed to evaluate and improve the agency's GRC, operations/ performance, regulatory/ compliance posture, and effectiveness of its programs (enterprise and agency contracts and procurement, accounting/ financial, security/ cybersecurity policy, guidance, and services, telecommunication services, shared services such as network, security, print-mail, applications, data center, multi-sourcing integration, server, mainframe, and cloud), data management services, statewide data portal services, IT planning, policy, and governance services, including project management)

Performed security assessments activities including evaluation of vendor controls and practices, process enhancements, performed on site assessments, reviewed security test reports, and analyzed and developed security requirements

Led the strategic vision, established direction, motivated team members, created an atmosphere of trust, leveraged views, coached, and encouraged staff, and provided meaningful and timely feedback

Communicated and tracked remediation plans with vendors and IT teams and recommended mitigating/ compensating controls

Reviewed work; managed day to day audit process (planning, fieldwork, reporting, follow-up); managed resource requirements, and project (scope, budget, and timeline)

Oversaw timely and accurate completion of work in accordance to required auditing standards and Texas Law

Prepared risk-based annual audit plans, reviewed audit programs, objectives, procedures, scope, methodologies, and designed tests to mitigate the risks identified including, and evaluated benchmarks

Conducted risk assessments (annual, project-based); SME for ERM

Evaluated the design and operating effectiveness of the controls in place

Developed and reported audit results (conclusions, issues/ findings, risks, recommendations) to management, executive leadership, the Finance and Audit Subcommittee, and Board

Conducted and participated in fraud investigations

Ensured conclusions, work papers, and issues were supported by evidence

Assessed the adequacy and timeliness of management’s plans for addressing and correcting audit findings/ issues through follow-up procedures

Collaborated with clients, outside of audit projects, to provide recommendations for improving strategic and functional initiatives, and participated in governance boards, workgroups, and committees

Interpreted and applied regulations, standards, frameworks, and project management for compliance

Evaluated control mechanisms, the processes for development/ acquisition, and testing of systems and/or infrastructure, the readiness of the system and/or infrastructure for implementation and migration into production

Assessed service level management practices, operations management, data administration, the use of capacity and performance monitoring tools and techniques, change, configuration, problem and incident management practices, and the functionality of the IT infrastructure

Reviewed the design, implementation, and monitoring of logical access controls, network infrastructure security, design, implementation, and monitoring of logical, environmental, and physical controls

Evaluated the process and procedures used to store, retrieve, transport, and dispose of confidential information, and service level agreements

Assessed the adequacy of backup and restore provisions, the agency's disaster recovery plan, and agency business continuity plans to ensure the agency's ability to continue essential business operations during the period of an IT disruption

Conducted third party reviews of contractors’ processes, service level managements, deliverables, and performance

Worked with contractors to evaluate the design and test the operating effectiveness of controls for Sarbanes-Oxley (SOX)

Successfully served as a liaison for internal business and external stakeholders

Additional undertakings included:

Implemented an audit management system, an audit client survey system, and a staffing strategy for internal and contracted audit projects

Developed and implemented a Quality Assurance Improvement Program (QAIP), operational policies and procedures, performance measures, a risk assessment process, a governance model, an audit process, including a library of templates, a Team Site (SharePoint Site), a project management process, and an Internal Investigations Program

Built a relationship system with executive leadership, the Audit Subcommittee, and the Board

Fully staffed the IA function; increased audit resources (staff and funding)

Achievements

Reported 35 recommendation based on the review conducted of print mail process using ITIL standards with focus on service level management, financial management (accounting, reconciliations, chargeback, utilization, invoicing, and billing), contract management and compliance. The process improvement resulted in substantial savings on a contract value of 17 million.

Assessed the design and operating effectiveness of agency governance processes, including IT governance alignment with strategic goals and objectives.

Reviewed existing agency programs for business, IT, security, and cybersecurity controls, policies, procedures, practices, service level management, deliverables, and contract requirements and processes against CJIS, NIST, HIPAA, PCI, TAC, CMMI, PMBOK, ITIL, SOX, CoBIT, and other frameworks based on risk, scope, and applicability.

In order to assess the operating effectiveness of the IT Department, performed review of IT functions such as help desk, change management, application support, software compliance, and project management.

The IT Department effectiveness analysis was conducted using CMMI, NIST, TAC, CJIS, and PMBOK frameworks. The project resulted in the identification of 24 issues based on the current governance practices and the goal state of maturity identified.

Evaluated the maturity of the agency’s Ethics Program using the CMMI maturity model as a baseline. The review consisted of a study of ethics policies, procedures, standards, culture, consistency, training and awareness, structure, accountability, and integration resulting in identification of 6 major gaps.

Evaluated and improved the effectiveness of IT, security, cybersecurity, risk management, control, governance, and maturity using frameworks such as: HIPAA, NIST, ISO 27000, TAC, CoBIT, CMMI, CJIS, ITGC, IPPF, and ITAC, among others.

Developed control objectives with external/ public auditors for SOC, SOX, and PCI compliance, testing, and reporting.

Improved the operational controls over the accuracy, completeness, and timeliness of vendor self-reported sales reports and fees paid.

Improved the data analysis/ testing, contract management and oversight functions, and the reliability of the IT contract-related data. A total of cost savings of $274.7 million and over $2 billion in customer purchases.

Evaluated service level management practices (ITIL, CJIS, NIST) operations management, data administration, capacity utilization, performance monitoring tools and techniques, change and configuration management, and problem and incident management practices.

Evaluated the design, implementation, and monitoring of logical access controls, including remediation, network infrastructure security, environmental and physical controls, procedures to store, retrieve, transport, and dispose confidential information, backup and recovery, disaster recovery, and business continuity. Used security tools such as Nessus, NMAP, and OWASP to evaluate against NIST, CJIS, HIPAA, TAC, CFR, etc.

Reported 28 recommendations to improve vendor performance and management for a data center services (DCS) contract of approximately $127 million, including service level management, service desk support, project management, IT security, business continuity, disaster recovery, and financial management.

Conducted a detailed review of the network security operation compliance with regulations and industry best practices (NIST, CPI, ITIL, etc.). Other review considerations included adoption of TAC rules, SLA management, security domains, security policies/procedures, etc. The review resulted in identifying 8 gaps.

Enhanced the enterprise contract management, monitoring and oversight, contract compliance, inspection/ approval/ acceptance of product/ service deliverables, accuracy of invoices, and authorization of payments for a data center contract with total expenses of $216.9 million in consolidation efforts. Reported 12 recommendations to improve the efficiency and effectiveness of business processes and reduce risk.

Improved the adequacy of 25 controls over the collection, calculation, review, and data accuracy and reporting of key performance measures, including IT performance measures for DIR.

Improved operations, increased production, augmented resources (staff and budget), and timely delivery by almost 50% along with significant improvement in quality and report accuracy.

To mitigate data anomalies with data entries on the source systems, established and enforced controls like drop downs, forced validations etc. where possible and necessary.

Established partnership with IT systems group/ data stewards to ensure continuous improvement in data collection methods and underlying data systems to adequately support advancements in our data products and improve our insights.

Led a cross-functional project team and collaborated with business partners to determine and translate business requirements into technology solutions. The team included audit directors, IT analysts, business analysts, contract managers, attorneys, subject matter experts, and a purchaser. Led a team and performed user acceptance testing for software implementation.

Applied knowledge of data analytic methods, principles, sampling, statistical concepts, methods, and their application to data analysis, testing, and visualizations.

Education Certifications

BSBA, University of Puerto Rico, major in Accounting

Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC)

Contact this candidate