
Information Security Manager

Location:
Cupertino, CA
Posted:
November 11, 2019


Resume:

ANDY WANG

Email: adatbf@r.postjobfree.com Telephone: 669-***-****

PROFILE:

* CISA, MS in Computer Science, MBA in Information Systems and Finance, and BS in Finance

* 18+ years of information security compliance, GRC, privacy and IT audit experience in SaaS startups, Fortune 500 companies and Big 4 firms (EY and KPMG)

* SSAE18 SOC 1, SOC 2, ISO 27001/2/17/18, PCI DSS, HIPAA, GDPR, CSA STAR, Privacy Shield/Safe Harbor, NIST SP 800-53, cloud/information security, vendor risk assessment, SOX 404, ITGC, ITAC, COBIT, COSO

* Solid technical and analytical skills, strong project management skills, team player, self-starter, detail oriented, strong customer focus, good listening, negotiation and problem-resolution skills

EXPERIENCE:

InCountry - Security Compliance Program Lead 06/2019 to Present

* Manage first-year SOC 2 Type I/Type II, PCI and HIPAA consolidated audit projects;

* Create policies/procedures/controls from scratch; design and implement security compliance controls across the Company, collaborate with various internal groups including engineering, product, operations, security, IT, legal and HR on gap remediation, and educate internal groups on SOC 2/PCI/HIPAA compliance;

* Establish very good relationships with external auditors and always deliver results on time.

Cloudflare - Security Compliance Specialist 08/2018 to 03/2019

* Successfully initiated the first-year SOC 2 compliance project after the Company had tried for two years; performed risk assessment; created the SOC 2 control matrix from scratch; drafted/enhanced various IT policies and procedures, designed and implemented security controls, and educated various business group owners on SOC 2 and PCI compliance;

* Participated in various security compliance projects including the PCI annual audit, FedRAMP gap analysis and ISO 27001 certification preparation; enhanced the security compliance program across the Company;

* Handled customer security and compliance questionnaires and reviewed vendor SOC/PCI ROC reports.

Anaplan - IT Security Auditor 11/2016 to 08/2018

* Managed bi-annual SOC 1 and SOC 2 audits and various cloud/cyber security, privacy, regulatory compliance and internal audit projects, such as GDPR, ISO 27001/27002 readiness assessment, FedRAMP, HIPAA gap analysis and Privacy Shield self-assessment; facilitated external auditor/consultant requirements; collaborated with legal, engineering, SecOps, TechOps, IT, sales and finance; always met deadlines;

* Performed IT risk assessments across the Company bi-annually; updated/enhanced IT policies/processes, identified process improvements and led remediation; managed the security training program across the Company; participated in the first-year SOX 404 ITGC and application control audit;

* Led the GDPR project including GDPR training for key functional groups, inventorying IT systems and mapping the data; performed vendor security reviews including SOC 1, SOC 2, PCI ROC and ISO 27001 reports;

* Cooperated with the sales and legal teams to clarify security and compliance-related questions for customer proposals (RFPs).

SS&C Advent - IT Security Auditor 8/2012 to 6/2016

* Planned and executed annual SSAE 16 SOC 1 and SOC 2 audits for various production lines and a major subsidiary, facilitated various external audit requirements and always delivered results on time;

* Managed the planning and execution of the annual Sarbanes-Oxley 404 audit for IT general controls and application/automated controls; no audit exceptions in the past four years;

* Performed security reviews for new product releases to ensure adequacy of security, prepared the security section for marketing materials, and worked with the legal, sales and customer support teams to respond to various security-related questions from customers;

* Executed various operational IT audits including physical and logical access control, datacenter audit, SDLC, change management, network security, new system implementation, regulatory compliance, Safe Harbor certification, and software export license applications for various company products.

Omnivision - Senior IT Auditor 1/2008 to 8/2012

* Managed Sarbanes-Oxley compliance in both ITGC and application controls including planning, updating key process documentation, reviewing new control design, streamlining controls, fieldwork, reporting and evaluating testing issues/gaps and remediation consulting;

* Identified and evaluated the organization’s risk areas and provided key input to the development of the annual audit plan, built the automated auditing tool to streamline Internal Audit work process;

* Led Oracle 11i system pre and post implementation review;

* Worked with an internal developer to build an audit tool to manage the whole audit procedure, including risk assessment, testing plan, detailed testing working papers and evidence repositories.

Ernst & Young, LLP - Senior IT Auditor 3/2006 to 6/2007

* Managed Apple iTunes' first-year SOX 404 project including IT general control and application control testing; saved budgeted time and helped iTunes pass SOX 404 testing;

* Led multiple assurance, risk advisory engagements as auditor-in-charge by focusing on the evaluation of IT systems, provided independent assessments of business risk, regulatory compliance, SAS 70/SSAE 16 review, IT systems compliance, internal control assessment;

* Performed IT General Control, IT infrastructure, network security and IT application control testing including UNIX/Solaris, Windows system, SAP R/3, Oracle.

Alcatel-Lucent - Internal Audit Manager 6/2004 to 8/2005

* Planned, led and participated in operational, finance, regulatory, FCPA and IT audit projects, as well as various ad-hoc management requests and special projects;

* Developed the first-year SOX testing methodology, allocated resources, designed the control audit plan and updated current testing status; coordinated and consulted with functional groups to conduct detailed SOX testing, presented results to various levels of management, and assisted with the remediation of gaps; and

* Identified and facilitated process improvements, cost saving and efficiencies, ensured accuracy of records/systems, compliance with company standards, policies and procedures.

Siemens China - Finance Manager 7/1998 to 8/1999

* Analyzed, consolidated monthly, quarterly and year-end financial results from 30+ Siemens Joint Ventures (SJVs) in Hyperion and SAP/R3, always delivered reports on time;

* Implemented the SAP/R3 system for local SJVs, provided SAP/R3 training to local accountants, conducted backup and recovery plans to ensure system productivity;

* Developed standard reporting templates and work tools to support and accelerate financial reporting, forecasting and budgeting, and supervised the reporting procedure in 30+ SJVs.

KPMG - Audit Supervisor 1/1996 to 7/1998

* Led and participated in pre-IPO audits, annual statutory audits, tax consulting and due diligence reviews within various industries including financial institutions, high-tech, consumer products, and manufacturing;

* Assessed client's financial application and internal controls, performed various analytical tests to address audit risk, recommended control remediation and improvement, and presented the auditing findings to client's senior management;

* Established efficient auditing teams, supervised and reviewed work of staff auditors on various audit engagements, and ensured the high quality of fieldwork.

EDUCATION:

University of Pennsylvania, Master of Computer Science, 2004

University of Maryland, MBA, 2001

Capital University of Economics and Business, Finance, 1996

CERTIFICATION: CISA; CompTIA Security+

APPLICATION: Windows, UNIX, Linux, Microsoft Office, Salesforce, JIRA, Confluence, SharePoint, Workday, Okta, ZenGRC, Oracle, SAP, SQL, Access
