IT Auditor/Application Auditor

Job Description

Job Description

Position : IT Auditor / Application Auditor Duration : 24 Months Location : Minnesota (Remote work) Description of Project : This assessment is required by Minnesota Statute 16E.04 Subd. 3. for risk assessment and mitigation, and to ensure that business requirements, project / program efforts comply with MNIT Information Security Policies and Standards available here : https : / / mn.gov / mnit / government / policies / security / , and Accessibility Policies and Standards, available here : https : / / mn.gov / mnit / government / policies / accessibility / . Phase 1 Deliverables Deliverable # 1 - Initial Risk Assessment : A structured assessment of internal and external factors leading to the identification of uncertain events or conditions (risks) that could negatively or positively impact a project. The assessment will also determine the likelihood and severity of each event and provide measures, processes, and controls to reduce or enhance the impact of the risks to the project. The risk assessment should, at a minimum, produce the following deliverables : Detailed Risk Management Plan : Description of how the vendor will conduct the assessment, including but not limited to :

• the methods to be used to investigate risk, particularly around security and fraud
• the methodology for assessing the type, likelihood, and severity of risks, including fraud risks
• how risks and responses will be validated
• timeline for work and ETA for deliverables
• The initial risk review will also support a clear identification of what additional and ongoing auditing is needed over the course of the work
• Risk Log with mitigation strategies for each identified risk
• Final Risk Report that summarizes the work performed and outcomes, highlights the key risks and mitigation strategies, and includes supporting materials
• Formal presentation by the vendor to review the assessment and recommendations to key business and technical executives
• A review & assessment of the application build roadmap, scrum of scrums documentation, team documentation in Confluence (requirements and user stories) as well as the epics, features and product backlog items in Azure Dev Ops. This could also include reviews of work in GitHub as well as operational program integrity and internal control strategy.
• Review and assess the plans and approach to integrate tracking and monitoring of program integrity (creating policies, processes and controls designed to prevent and detect fraud, combat risk, and ensure compliance for all program operations) within the technology stack such
• identity verification of applicants and employers, validation of authenticity of evidence documentation, audit trails of the clicks within our systems, etc.

Deliverable #2 - Initial Project Audit : A structured review to determine whether project activities comply with applicable policies and standards and assess how well-positioned the project is to be successful. The audit will identify issues affecting the project's likelihood of success, investigate the root causes of the issues, and develop actionable recommendations to guide on-going management of the project. The project audit should, at a minimum, produce the following deliverables : Audit Plan : Description of how the vendor will conduct the audit, including but not limited to : the methods and methodology used to perform the audit how findings will be validated timeline for work and ETA for deliverables Audit Findings Remediation Plans Final Audit Report that summarizes the work performed and outcomes, and includes supporting materials Future Phases Deliverables To be determined scope of future phases will come at the completion of Phase 1, but would include :

Architecture Review : A mechanism for examining the fundamental organization of a system, embodied in its components, their relationships to each other and the environment, the principles governing its design and evolution, and the effectiveness of system, processes, risks, and controls. Technology Solution Assessment : The evaluation of a proposed or existing technology solution to ensure it is an appropriate solution to deliver business needs in a secure, accessible, and cost-effective manner. This could include, but is not limited to, assessing a system's infrastructure, platform, code used for development, user interface and user experience, extent of configuration versus business process reengineering needed, integration feasibility, and expertise, tools, and costs required to maintain the system. Security Review : An evaluation to ensure purchased, outsourced, or internally developed MNIT systems and applications are designed and implemented to meet the applicable State of Minnesota's security architecture and secure coding standards, and to ensure that identified security defects are addressed prior to production release. Enterprise Information Security Policies and Standards can be found at : https : / / mn.gov / mnit / about - mnit / policies / security / Accessibility Review : An evaluation of the processes used and decisions made when selecting and implementing a technology solution to assess compliance with Minnesota State Accessibility Standards (WCAG 2.1 and Section 508). Additionally, testing of a technology solution to assess its level of accessibility. Testing may include automated, human, and / or human with adaptive technology, and will inform what accommodations may be necessary for users of the technology solution. Desired Qualifications :

Desired Qualifications of Resource (s)

Certifications related to area(s) of responsibilities such as :