Summary
Dynamic and visionary professional driving positive change, with 17+ years of progressive experience in the auditing/ assurance, consulting, risk, compliance, financial/ accounting, and IT/ security fields: delivering risk-based audit plans, deploying audit/ assurance resources efficiently and effectively through risk-assessment processes, and using the audit process to identify opportunities for improving quality, performance, and operations. Extensive experience reporting relevant issues and recommendations to executive leadership, the Audit Subcommittee, and the Board, and following up on corrective action plans and recommendations to ensure issues are addressed and risk is mitigated. Excellent interpersonal, leadership, project management, and collaboration skills, essential to building confidence and trust with the team, management, and clients. Strategic and analytical thinker, coach, trainer, and mentor who participates in and supports the team; fast-paced, results-driven, attentive to detail, and flexible. Communicate effectively verbally and in writing (fluent in English and Spanish). Inspire teamwork and innovate to enhance the effectiveness of deliverables and services. Trusted and respected by clients and colleagues as a knowledgeable, valued professional. Produce timely, quality work. Enjoy building and maintaining networks of client and stakeholder relationships. Available to travel 50%+ of the time.
Expertise Highlights
Functional Expertise
Auditing and consulting
Root cause analysis
Project management
Audit plan/ program development
Risk assessments and management (enterprise, project, annual)
Internal control process
Auditing and accounting standards and frameworks (GAGAS, GAAS, GAAP, COSO, IPPF, etc.)
Financial management
Business development
Benchmarks evaluations
Continuous monitoring
Pre/ post implementation reviews
Process improvement
Accounting
Liaison with internal/ external entities
Reporting mechanisms
Strategic planning
Corrective action plans
Business consulting
Compliance management
Business operations
Audit planning, scoping, initiation, execution, and delivery
Stakeholder management
Performance measures/ metrics
Peer reviews
Governance and ethics maturity assessment
Recommendations for improvement
Fraud and ethics compliance and management

Technical Expertise
IT management/ project management
IT systems analysis, evaluation, and enhancement
IT/ security risk assessments and management
IT/ security/ cybersecurity and regulatory compliance and frameworks (FISMA, NIST, SOC/ SSAE, PCI, TAC, HIPAA, CoBIT, ISO 27000, SOX, GDPR, CMMI, PMBOK, CFR, CJIS, SAP, etc.)
ERP security controls
IT general and process controls
Application controls
Logical access controls, physical, and environmental controls
System validation controls
Development process and methodologies (Hybrid, Waterfall, Agile, etc.)
Data and gap analysis
Data reliability assessments
Service level management
Governance, risk, data, and privacy compliance
Issue tracking and management
Incident management
Data management and classification
Back-up, recovery, continuity of operations
RACI charts
Tools: MS Office (Word, Excel, Access, PowerPoint, Notes), TeamMate, SharePoint, Visio, scanning (Nessus, Oscanner, NMAP, App Scan), SalesForce, IT Service Management (Remedy), IT Financial Management, Service Flow, ColorCodeIT, RSA Archer

Leadership Expertise
Leadership and management
Strategic oral and written communication
Presentation and public speaking skills
Team building
Executive level engagement, negotiation, and collaboration
Staff development
Performance management
Anticipation of issues/ problem solver
Training/ coaching/ supervision
Work History
Duration: October 2018 – present
Company: NTT Data
Work Experience: Security Risk and Compliance Contractor
Developing a formal framework for assessing and gathering documentation for security governance, risk, and compliance
Leading, reviewing, documenting, and implementing security processes that adhere/ align to security policies and organizational regulations
Designing and performing periodic testing to ensure continued compliance
Performing gap analysis, preparing interim and final reports, and making recommendations for security compliance and remediation, including security definitions, testing, and management of residual risk, compensating controls, and process/ policy enhancements
Building a continuous improvement program (ECM, policies and procedures, RACI, reporting/ compliance tools, SMEs team, etc.)
Duration: February 2001 – September 2018
Company: State of Texas
Work Experience:
Department of Information Resources (DIR) – Internal Audit Director
Department of Assistive and Rehabilitative Services (DARS) – Audit Manager
Texas Commission on Environmental Quality (TCEQ) – IT Senior Auditor
Health and Human Services Commission (HHSC) – IT Auditor
Department of Aging and Disability Services (DADS) – Senior Auditor
Conducted complex, high-risk projects, audits, consulting activities, non-audit services, investigations, and other reviews and assessments designed to evaluate and improve the agency's GRC, operations/ performance, regulatory/ compliance posture, and effectiveness of its programs (enterprise and agency contracts and procurement; accounting/ financial; security/ cybersecurity policy, guidance, and services; telecommunication services; shared services (network, security, print-mail, applications, data center, multi-sourcing integration, server, mainframe, and cloud); data management services; statewide data portal services; and IT planning, policy, and governance services, including project management)
Performed security assessment activities, including evaluating vendor controls, practices, and process enhancements, conducting on-site assessments, reviewing security test reports, and analyzing and developing security requirements
Led the strategic vision, established direction, motivated team members, created an atmosphere of trust, leveraged views, coached, and encouraged staff, and provided meaningful and timely feedback
Communicated and tracked remediation plans with vendors and IT teams and recommended mitigating/ compensating controls
Reviewed work; managed the day-to-day audit process (planning, fieldwork, reporting, follow-up); managed resource requirements and project scope, budget, and timeline
Oversaw timely and accurate completion of work in accordance with required auditing standards and Texas Law
Prepared risk-based annual audit plans; reviewed audit programs, objectives, procedures, scope, and methodologies; designed tests to address the risks identified; and evaluated benchmarks
Conducted risk assessments (annual, project-based); SME for ERM
Evaluated the design and operating effectiveness of the controls in place
Developed and reported audit results (conclusions, issues/ findings, risks, recommendations) to management, executive leadership, the Finance and Audit Subcommittee, and Board
Conducted and participated in fraud investigations
Ensured conclusions, work papers, and issues were supported by evidence
Assessed the adequacy and timeliness of management’s plans for addressing and correcting audit findings/ issues through follow-up procedures
Collaborated with clients, outside of audit projects, to provide recommendations for improving strategic and functional initiatives, and participated in governance boards, workgroups, and committees
Interpreted and applied regulations, standards, frameworks, and project management for compliance
Evaluated control mechanisms, the processes for development/ acquisition and testing of systems and/or infrastructure, and the readiness of the system and/or infrastructure for implementation and migration into production
Assessed service level management practices, operations management, data administration, the use of capacity and performance monitoring tools and techniques, change, configuration, problem and incident management practices, and the functionality of the IT infrastructure
Reviewed the design, implementation, and monitoring of logical access controls, network infrastructure security, and environmental and physical controls
Evaluated the process and procedures used to store, retrieve, transport, and dispose of confidential information, and service level agreements
Assessed the adequacy of backup and restore provisions, the agency's disaster recovery plan, and agency business continuity plans to ensure the agency's ability to continue essential business operations during the period of an IT disruption
Conducted third-party reviews of contractors’ processes, service level management, deliverables, and performance
Worked with contractors to evaluate the design and test the operating effectiveness of controls for Sarbanes-Oxley (SOX)
Successfully served as a liaison for internal business and external stakeholders
Additional undertakings included:
Implemented an audit management system, an audit client survey system, and a staffing strategy for internal and contracted audit projects
Developed and implemented a Quality Assurance Improvement Program (QAIP), operational policies and procedures, performance measures, a risk assessment process, a governance model, an audit process, including a library of templates, a Team Site (SharePoint Site), a project management process, and an Internal Investigations Program
Built a relationship system with executive leadership, the Audit Subcommittee, and the Board
Fully staffed the IA function; increased audit resources (staff and funding)
Achievements
Reported 35 recommendations based on a review of the print-mail process using ITIL standards, with focus on service level management, financial management (accounting, reconciliations, chargeback, utilization, invoicing, and billing), contract management, and compliance. The process improvement resulted in substantial savings on a contract valued at 17 million.
Assessed the design and operating effectiveness of agency governance processes, including IT governance alignment with strategic goals and objectives.
Reviewed existing agency programs for business, IT, security, and cybersecurity controls, policies, procedures, practices, service level management, deliverables, and contract requirements and processes against CJIS, NIST, HIPAA, PCI, TAC, CMMI, PMBOK, ITIL, SOX, CoBIT, and other frameworks based on risk, scope, and applicability.
To assess the operating effectiveness of the IT Department, reviewed IT functions such as help desk, change management, application support, software compliance, and project management.
The IT Department effectiveness analysis was conducted using CMMI, NIST, TAC, CJIS, and PMBOK frameworks. The project resulted in the identification of 24 issues based on the current governance practices and the goal state of maturity identified.
Evaluated the maturity of the agency’s Ethics Program using the CMMI maturity model as a baseline. The review consisted of a study of ethics policies, procedures, standards, culture, consistency, training and awareness, structure, accountability, and integration resulting in identification of 6 major gaps.
Evaluated and improved the effectiveness of IT, security, cybersecurity, risk management, control, governance, and maturity using frameworks such as HIPAA, NIST, ISO 27000, TAC, CoBIT, CMMI, CJIS, ITGC, IPPF, and ITAC, among others.
Developed control objectives with external/ public auditors for SOC, SOX, and PCI compliance, testing, and reporting.
Improved the operational controls over the accuracy, completeness, and timeliness of vendor self-reported sales reports and fees paid.
Improved the data analysis/ testing, contract management and oversight functions, and the reliability of IT contract-related data, with total cost savings of $274.7 million and over $2 billion in customer purchases.
Evaluated service level management practices (ITIL, CJIS, NIST) operations management, data administration, capacity utilization, performance monitoring tools and techniques, change and configuration management, and problem and incident management practices.
Evaluated the design, implementation, and monitoring of logical access controls, including remediation, network infrastructure security, environmental and physical controls, procedures to store, retrieve, transport, and dispose of confidential information, backup and recovery, disaster recovery, and business continuity. Used security tools such as Nessus, NMAP, and OWASP to evaluate against NIST, CJIS, HIPAA, TAC, CFR, etc.
Reported 28 recommendations to improve vendor performance and management for a data center services (DCS) contract of approximately $127 million, including service level management, service desk support, project management, IT security, business continuity, disaster recovery, and financial management.
Conducted a detailed review of network security operations for compliance with regulations and industry best practices (NIST, PCI, ITIL, etc.). Other review considerations included adoption of TAC rules, SLA management, security domains, and security policies/ procedures. The review resulted in identifying 8 gaps.
Enhanced the enterprise contract management, monitoring and oversight, contract compliance, inspection/ approval/ acceptance of product/ service deliverables, accuracy of invoices, and authorization of payments for a data center contract with total expenses of $216.9 million in consolidation efforts. Reported 12 recommendations to improve the efficiency and effectiveness of business processes and reduce risk.
Improved the adequacy of 25 controls over the collection, calculation, review, and data accuracy and reporting of key performance measures, including IT performance measures for DIR.
Improved operations, increased production, augmented resources (staff and budget), and timely delivery by almost 50% along with significant improvement in quality and report accuracy.
To mitigate data anomalies in entries on the source systems, established and enforced controls such as drop-down lists and forced validations where possible and necessary.
Established partnership with IT systems group/ data stewards to ensure continuous improvement in data collection methods and underlying data systems to adequately support advancements in our data products and improve our insights.
Led a cross-functional project team and collaborated with business partners to determine and translate business requirements into technology solutions. The team included audit directors, IT analysts, business analysts, contract managers, attorneys, subject matter experts, and a purchaser. Led a team and performed user acceptance testing for software implementation.
Applied knowledge of data analytic methods, principles, sampling, statistical concepts, methods, and their application to data analysis, testing, and visualizations.
Education and Certifications
BSBA, University of Puerto Rico, major in Accounting
Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC)