
Internal Audit and Compliance Management Leader

Location:
Winchester, VA
Posted:
April 11, 2026


Resume:

PAUL JENNINGS 571-***-**** *********@*******.*** Winchester, VA 22602

LinkedIn: https://www.linkedin.com/in/pjennings925/
U.S. Citizen, Secret Clearance

Professional Summary

Internal Audit, Compliance, and Risk Management Leader with an MBA and CRCMP certification. Proven success delivering high-impact audit, risk, and compliance programs across global private sector firms (including Microsoft environments), federal government agencies (DoD and Army), and financial institutions. Expertise in IT audit, operational and financial audits, and integrated risk management using COSO, COBIT, ISO 27001, NIST SP 800-53, GAO Greenbook, and Yellowbook. Skilled in regulatory compliance and control testing across SOX, SOC 1 & 2, FDIC, Dodd-Frank, AML/BSA, and FISMA. Experienced managing 1LOD/2LOD/3LOD engagements, performing risk assessments, developing corrective action plans, and leading compliance reviews with tools including Archer, ServiceNow, and Microsoft Purview. Currently preparing for the CISA exam.

Professional Experience

Manager – Audit & Compliance, Microsoft, Alexandria, VA, November 2023 – November 2025

• Improved audit readiness of the MAICPP program and stakeholder business units while ensuring partner compliance with Microsoft frameworks and program requirements.

• Built compliance culture and matured the compliance program, enhancing effectiveness and efficiency across global operations.

• Reduced reputational, financial, IT security, and operational risks with focus on anti-corruption, fraud prevention, and partner agreement compliance.

• Served on the PP&E GRC Council, presenting monthly MAICPP Compliance Reports and scorecard metrics.

• Oversaw compliance reviews and approvals for Microsoft IT product launches, AI initiatives, and global partner program enhancements as a core project team member.

• Developed efficient audit and compliance processes, built decision-making capabilities in stakeholder teams, and implemented data-driven risk assessments with ongoing remediation plans.

• Designed and implemented a new EUC tool to streamline compliance reviews, performance evaluations, and approvals. Wrote and executed corrective action plans (CAPs) in response to 3LOD audits; monitored and reported progress.

• Supported SOX compliance activities and monitored fraud detection systems with incident response and reporting to Microsoft security units.

Manager – IT Audit & Risk, Ernst & Young, US Army GFEBS Audit, Alexandria, VA, January 2021 – November 2023

• Served on the Army GFEBS Audit Committee and led two senior associates in risk-based financial and IT risk assessments supporting the Army’s Financial Improvement and Readiness (FIAR) program.

• Analyzed data and trends in financial statements and IT processes for the Army Working Capital Fund, focusing on internal controls over financial reporting (ICOFR).

• Produced risk and control matrices, heat maps, process narratives, Visio flows, and updated the full GFEBS Management Description of the System (MDS) for submission to KPMG.

• Supervised internal validation testing and developed audit prep documents/scripts for client SMEs; prepared training and coached on TOD, TOE, and ITGC walkthroughs.

• Developed and monitored corrective action plans to remediate KPMG findings/NFRs; contributed to SOC 1 and SOC 2 audit processes and reporting.

• Maintained audit cycle metrics and graphical presentations; supported PBC responses and briefings for Ernst & Young leadership and Army stakeholders.

Manager – Governance, Risk & Compliance, Microsoft, DoD JEDI Program, Alexandria, VA, January 2020 – December 2020

• Developed PMO GRC frameworks and policies compliant with GAO Greenbook, Yellowbook, DoD frameworks, and OMB Circular 123-A.

• Designed and implemented GRC operating procedures, internal controls, and testing processes; provided ongoing compliance coaching and training to PMO staff.

• Acted as primary point of contact for DoD 2LOD and 3LOD offices; supported formation and administration of the PMO GRC Council with monthly meetings and reporting.

• Managed risk assessments (including RCSAs), evaluated preventative/detective controls, and tracked remediation trends and emerging DoD risks.

• Established communication networks for consistent GRC guidance and fostered a culture of compliance to meet contract deliverables and risk remediation goals.

Audit Manager (Short-term Contract), Wells Fargo Bank, Philadelphia, PA (Offshore Business Units), September 2019 – January 2020

• Performed integrated audit of offshore business units in Asia and the Middle East; supervised two junior auditors and mentored them on the AMP audit automation platform.

• Designed audit coverage, coordinated remote walkthroughs and fieldwork, and applied banking knowledge across IT, operations, financial, lending, and regulatory areas.

• Identified control weaknesses, developed remediation recommendations, and authored risk-based findings communicated to management.

Manager – Internal Control & Finance, Enterprise Management Systems, Manassas, VA, April 2017 – September 2019

• Directed internal controls, finance, and operations for DoD contracts, including ERM for US Army Medical Command Electronic Health Record (EHR) programs.

• Authored comprehensive compliance policies and enhanced IT security/control testing based on GAO Greenbook/Yellowbook, NIST, and DoD/OMB Circular 123-A requirements.

• Performed ongoing risk-based control assessments, updated RCSAs semi-annually, and reported remediation progress.

• Led implementation of new budget/financial planning and automated Travel Management Systems, improving cash flow, profitability, and regulatory compliance.

• Collaborated with CEO, Aronson CPAs, and project teams to strengthen GRC functions and insurance/liability coverage.

Program Manager – SRM Audit & Risk, Freddie Mac, McLean, VA, September 2013 – March 2017

• Established and led the Servicing Remedy Management (SRM) Audit & Risk Team of 10 staff, overseeing policy development, risk/control management, compliance audits, and governance.

• Designed change management processes for FHFA compliance and audit readiness; contributed to quarterly/annual financial reporting.

• Owned development and audit module of the proprietary ARES GRC/audit platform; co-authored utilization policy and directed monthly risk/controls audits with published reports and remediation plans.

• Processed 8,000 remedy referrals and collected $50 Million from sellers/servicers violating Freddie Mac guidelines.

• Supported SOX, AML, fraud, and Dodd-Frank functions; produced monthly management reports for upper management and the board.

Additional Experience

Manager – Audit & Regulatory Compliance, SGI Bank Holding Co., St. Paul, MN, April 2006 – June 2013

• Led internal audit and GRC programs across regulatory, IT/security, operations, credit/lending, and investment areas; managed a team of three auditors and reported to the board audit committee.

• Published monthly/quarterly audit reports, maintained risk register and RCSAs, and authored/updated key policies.

• Designed and delivered institution-wide regulatory compliance, policy, and IT security training programs.

Education

Master of Business Administration (MBA), University of St. Thomas, Minneapolis, MN
Mini-Master of Project Management (post-MBA concentration), University of St. Thomas, Minneapolis, MN
Bachelor of Arts (BA) in Business Administration, Concordia College, Moorhead, MN

Certifications

Certified Risk and Compliance Management Professional (CRCMP), International Association of Risk and Compliance Professionals
Certified Lender Business Banker (CLBB), American Bankers Association
Certified Information Systems Auditor (CISA), currently enrolled in ISACA online instruction, preparing for exam

Core Skills

Risk Assessments, Controls Testing, Corrective Action Plans (CAP), Risk & Controls Self-Assessment (RCSA), Internal Controls Over Financial Reporting (ICFR), IT General Controls (ITGC), Governance Risk & Compliance (GRC), Enterprise Risk Management (ERM), Audit Planning & Scoping, Audit Fieldwork & Reporting, Compliance Management, Fraud Detection & Remediation, Policy Development

Tools

Archer, ServiceNow, Microsoft Purview, Microsoft Power BI, Deltek, ARES, AMP, Microsoft 365 Suite

Frameworks & Regulatory

COSO, COBIT, ISO 27001, NIST SP 800-53 / 800-171 / CSF 2.0, GAO Greenbook & Yellowbook, FISMA, FedRAMP, SOX, SOC 1 & 2, Dodd-Frank, AML/BSA, FDIC, OMB Circular 123-A, DoD FIAR / DoDI standards

Military Service

US Army Captain, Regular Army, Infantry (ROTC Distinguished Military Graduate, University of North Dakota)
