SIVA NATARAJAN
MBA CISA
Tel : 919-***-****
E-mail: *********@*****.***
SUMMARY:
• Configured and administered Access control ‘SAP GRC’ for 2 clients and implemented SOD conflicts administration strategies and remediation.
• Worked for 3 ½ years as SAP Senior Security Audit Consultant in the ASCA team of IBM at Raleigh, North Carolina.
• 9 years of experience in IT audits in manufacturing, refining, mortgage industries and Big4.
• Strong knowledge of section 302 and 404 of Sarbanes-Oxley Act (SOX), COBIT framework and business processes.
• Provided guidance and direction for IT Operational Risk and Compliance, including Sarbanes Oxley, SDLC, Projects off shored.
• Identified and evaluated risks / controls of System Development Life Cycle (SDLC), including design, testing/QA, and implementation of systems and upgrades. Assisted in the preparation of SDLC manual, designing of controls around project management methodology, tested the controls, and guided the project teams in the remediation process.
• Good understanding of SAP IT and process controls (configurable, automated and manual controls - SAP GRC).
• Performed GCC / SOX compliance engagements for two Big 4 accounting firms, IBM and Valero Energy Corporation in the last seven years.
• Prepared the roadmap for design of SOX IT controls, drafted the testing steps and quarterly assessments
• Assisted in determining the scope of the IT Applications from SOX perspective and negotiated with external auditors for their concurrence.
• Designed the IT controls with main focus of eliminating redundancy in quarterly assessments. Saved millions in this regard.
• Assisted in preparation of IT security standards / procedures to comply with control criteria that included daily monitoring and escalation of exception / closures.
• Guided and trained IS teams in preparation for performing ‘assessment and review of IT General controls Documentation’ in IT Processes that included determination of Scoping and Planning, Risk Assessment Framework, Infrastructure areas like Change management, Problem management, IS processing, Network, SDLC, Operating systems and Databases.
• Implemented the ‘re-write’ of control process and remediation actions for the exceptions identified during the over-testing of GCCs.
• Developed proactive plans to manage open issues, avoid known issues in the mitigation process.
EDUCATION:
Masters of Business Administration – MIS / Accounting, Univ. of Central Oklahoma, Edmond, Oklahoma. (1993)
Masters in Accounting, University from South India.
CISA Certified IT Auditor
(Working on PMP certification exam)
TECHNICAL TRAINING
- IS Audit & Controls Training - MIS Training Institute, Massachusetts.
- Oracle DBA Training - SequalSoft Inc., Dallas, TX.
- SAP R/3 (FI / CO) Compu Con Inc., Irving, TX.
- SAP GRC 5.2 and 5.3 Elevate Consulting, New Delhi
- Auditing Active Directory / Windows MIS Training Institute, Massachusetts.
EXPERIENCE:
Benetton July 2009 to Oct 2009
Worked as a SAP GRC Controls Consultant. Managed SOX Compliance Remediation tasks to comply with SOX/SOD requirements. Project scope included Asia Pacific for 7 countries for 1800 SAP users.
Configured SAP GRC components RAR, CUP, ERM and SPM.
Assisted and trained the Functional teams in performing risk analysis using SAP GRC, remediation and mitigation processes.
Helped the Basis team in process of implementing SAP security procedures.
Subros Mar 2009 – June 2009
SAP GRC Compliance Consultant
The role involved Redesigning SAP Security for Sarbanes Oxley using GRC VIRSA tools, Configuration and Training on Compliance Calibrator, Firefighter Risk Terminator, Security analysis for upgrade from SAP 4 to ECC 6.0. Configured all 4 components of SAP GRC with successful cutover. Designed the SAP security procedures.
I went through GRC Implementation training provided by ELEVATE Consulting for one month
Verizon Jan 2009 – Mar 2009
IT Compliance Audit Specialist (Contractor)
I was part of the 'IT Compliance Audit team' for operations at Off-shore.
The role involved
(a) Performing an initial assessment of IT Process, systems and applications from 'data confidentiality' perspective.
(b) Identifying / finalizing the control points interacting with the Security and Legal teams.
(c) Creation of procedures for the controls created.
(d) Evaluation of control effectiveness using testing procedures.
Freddie Mac Feb 2007 – Oct 2008
SOX / IT Controls Consultant
I was part of 'SOX IT Compliance' and 'SDLC IT Control Assessment' teams.
We tested and assessed the control effectiveness of IT controls for 6 IT Applications prior to 'Go Live' and assisted the teams in the remediation process.
As part of SDLC IT Control Assessment team, we assisted finalizing the framework of the SDLC manual from Controls perspective.
We identified the gaps in each phase (Scoping, Planning, Design, Implementation and close-out) and assisted to create the procedure for effective controls in each phase. Assisted in ‘modification of SDLC manual’
Part of ITGC / SOX IT controls testing team performing the testing of the effectiveness of the IT controls and helping the teams in remediation of the exceptions identified. Performing OE testing process on the SDLC controls and helping the project teams on the remediation.
Fannie Mae July 2006 – Jan 2007
SOX/ITGC Consultant (Contractor)
I was part of the SOX IT Controls Design/ Testing team and supported 9 IT Applications.
Performed walkthroughs to understand the IT Process for determining the gaps.
Created controls for the gaps identified.
Created control procedures.
Interacted with the IT teams for implementation of IT tools to carry out the procedure.
Performed the testing, identified the ineffective controls and assisted the teams to remediate the controls.
Ensured that required effective control design was implemented to the satisfaction of external auditors before year end 2006.
Part of SOX IT controls implementation team. Assisted the IT teams in the process of implementing controls on ‘logging & monitoring’ and ‘Access controls’ domains.
Designed IT control activities and testing guidance, assisted in performing self assessments of the control effectiveness.
Valero Energy Corporation Feb 2005 – July 2006
Senior SOX Controls Specialist
I was part of the SOX IT compliance team. Main application used was SAP with UNIX operating system.
We
(a) Streamlined the controls of various divisions / acquired companies.
(b) Identified redundant controls that saved millions of Dollars. Designed the template for walkthroughs. I was part of the team that implemented SAP Security procedures.
(c) Assisted the IT teams to create the procedure for Quarterly SOX compliance testing.
(d) Assisted in creation of procedure for installing the software RCTS (Risk Control Tracking System) to automate the SOX controls testing process
(e) Performed evaluation of the assessment on quarterly basis, identified 'ineffective controls', assisted the teams to determine the mitigation procedures
(f) Assisted the IT teams with the process of determining the deficiencies, created the procedure for determining whether it is a 'Significant Deficiency'
(g) Assisted the IT teams in the process / procedure to decisions on ‘significant deficiency’ and 'Material weakness'. Interacted with external auditors.
Ernst & Young LLP June 04 – January 05
Sr IT Audit Specialist
I was part of the IT Audit teams for engagements relating to 2 clients McCormick and Black & Decker. SAP was the main application used by these clients.
We performed
(a) walk-through of the IT and financial processes from SOX perspective,
(b) identified the controls that needed to be created
(c) performed the testing on these controls to determine the effectiveness of the controls.
In the process, provided our opinion on whether or not the auditors could form opinion on reliability of the financial statement of these clients.
We assessed the effectiveness of control framework determined by KPMG based on their initial assessment to identify the gaps.
IBM, Raleigh, NC Jan 2001 – June 2004
SAP IT Controls Consultant (Contractor)
Worked as Senior Security Audit Consultant in the ASCA team of IBM in ‘SAP Production’ at Raleigh, North Carolina. This team supported the Computer manufacturing operations of IBM including off shore locations like China, Singapore, Scotland and Mexico.
Our role was to assess the IT controls (mainly SAP) around new implementation / as well as changes to existing functionalities. Helped the team in creating control points, control procedures, testing and remediation. Before each release, we performed a walkthrough presentation to the Corporate IBM team on adequacy/effectiveness of the controls required/ created. Corporate team’s certification of each release was considered a significant / critical milestone
Kraftware Inc.
Systems Analyst July 00 – Dec 00
Streamlined the systems for Invoicing, Accounts Receivables, client development, training, and Accounts Receivables.
Introduced an effective system with controls for recording the timesheets, invoicing and monitoring the collections.
Deloitte & Touche LLP, Sept. 99 – June 00
Sr IT Auditor
I was part of IS Audit team 'Enterprise Risk Services' - ERS.
Assisted the Financial Audit teams by performing (a) Assessment of ITGC - IT General Controls (b) Provide our opinion whether or not the Financial audit team can rely upon the systems and applications in order for them to draw their conclusion on year end accounts (c) Perform substantive testing - a detailed testing procedure for specified area of ITGC to ascertain the effectiveness of controls on systems and applications (for example, SAP, UNIX, Windows, Network, Oracle database AS400 etc)
TECHNICAL SKILLS
ERP : SAP R/3
PLATFORM : Windows Active Directory, Unix, MS-DOS
PACKAGES : MS Office, Lotus 123, ACL
PROFESSIONAL MEMBERSHIPS:
Information Systems Audit and Control Association, Chicago, IL.
Institute of Internal Auditors, Florida.
I am a CITIZEN OF USA.
I DO NOT NEED ANY SPONSORSHIP.