Chedraui USA

Manager, IT Risk & Compliance

Chedraui USA, Commerce, California, United States


Location: 600 Citadel Drive, Commerce, CA 90040. Work in the Store Support Center.

Summary

The IT Risk & Compliance Manager supports the overall vision of the IT Risk & Compliance Program at Smart & Final, governing IT risk and compliance activities to ensure internal and external regulatory compliance, minimize risk, and align the control environment with company strategy. The role requires deep knowledge of compliance, a strong understanding of IT systems, regulations (SOX, PCI, NIST, CCPA), and audit methodologies, and excellent communication and leadership skills.

Essential Duties and Responsibilities

Act as project manager and business/audit liaison for external and internal IT audits, responsible for strategy, plan, and results of annual SOX and PCI audits with relation to IT controls.

Provide support for audit‑related matters, including oversight, internal facilitation, review, and remediation efforts.

Perform detailed reviews of IT systems, processes, and controls to assess compliance with regulatory requirements and internal policies.

Evaluate the design and operating effectiveness of IT controls, including information security, data privacy, change management, and disaster recovery.

Identify control gaps, potential risks, and areas for improvement.

Prepare comprehensive reports detailing findings, recommendations, and action plans to remediate gaps in controls.

Independently manage small and large IT compliance projects, engagement reviews, and initiatives to ensure compliance prior to completion.

Advise project teams on specific IT Risk & Compliance requirements, engaging on IT‑led projects, advising on policy matters, assisting teams with designing compliant processes and technical controls, reviewing compliance documentation, and demonstrating mastery of internal controls, processes, and company policies.

Support the development and execution of IT Risk, Cybersecurity and Compliance training curriculum and training materials/content.

Manage or support targeted compliance reviews on behalf of the IT Risk & Compliance department.

Support the development of IT risk treatment plans and manage continuous improvement programs.

Stay updated on evolving IT regulations, industry trends, and emerging technologies that may impact compliance requirements.

Assess the impact of regulatory changes on the organization’s IT compliance framework and advise management on necessary actions to maintain compliance and mitigate risks.

Responsible for setting company policy as it relates to IT Risk and Compliance.

Drive the development of internal compliance and risk dashboards and management reporting.

Review draft policies, participate in feedback channels, and incorporate necessary changes to internal documentation and supporting policy meta‑model.

Advise the IT department on corporate control environment as it relates to COSO 2013, SOX ITGCs, PCI‑DSS controls, and corporate policy.

Serve as a policy and controls subject matter expert to both internal and external teams.

Review and endorse aids, implementation guides, education material, and other templates that support project, department, and organization‑wide compliance training and awareness efforts.

Support the development and review of technical and process‑related documentation, including operating procedures, control manuals, and business requirement documents.

Drive continuous improvement by tracking compliance gaps and recommendations to ensure timely resolution, identifying opportunities to streamline and automate processes for increased efficiency, and developing and delivering training programs that raise awareness of compliance requirements and best practices.

Promote awareness of internal control and security issues among management and ensure sound security principles are reflected in the organization’s vision and goals.

Engage with stakeholders cross‑organizationally to ensure IT Risk & Compliance issues or inquiries are properly addressed.

Contribute to internal knowledge repository for IT Risk & Compliance team.

General Duties

Oversee the design, development, and implementation of software and hardware solutions, systems, or products to ensure compliance with company standards and regulatory requirements.

Assess risks and identify/implement mitigations related to grocery business functions like POS systems, self‑checkout technology, payment processing infrastructure, supply chain and e‑commerce platforms.

Lead PCI‑DSS compliance program across all payment channels.

Maintain compliance with state and federal data privacy laws including CCPA, CPRA, and emerging state regulations.

Oversee compliance with food safety data regulations and traceability requirements (FDA FSMA).

Establish and maintain regular written and in‑person communications with executives, department heads, and end users for related IT activities.

Understand organizational behavior and how it influences business solutions.

Use strong meeting management skills to engage participants in productive work sessions.

Develop business case justifications and cost/benefit analyses for IT spending and initiatives.

Approve and oversee projects and project portfolios.

Manage financial aspects, including purchasing and budgeting.

Negotiate and administer 3rd‑party vendor, managed service, and consultant contracts to ensure compliance with defined IT policies.

Manage a team, including recruitment, supervision, scheduling, development, evaluation, and disciplinary actions for internal and 3rd‑party resources.

Successfully engage in multiple initiatives simultaneously.

Deliver assigned projects on time and on budget.

Leverage negotiation skills to challenge business and IT users on assumptions and help craft innovative and effective solutions.

Make timely recommendations to effectively solve problems, using independent judgment consistent with standards, practices, policies, procedures, regulations, and/or law.

Design, deliver, and manage Cybersecurity, Risk and Compliance training for company associates using tools such as KnowBe4.

Lead identity and access management (IAM), vulnerability management, and incident response working with the Cybersecurity function.

Education

Bachelor’s degree (BA/BS) from an accredited institution required. Computer Science, Accounting, Economics, or Business preferred.

Experience

Prior experience at a public accounting firm or internal audit at a publicly traded company required.

5+ years of IT policy, controls, assessment and audit experience required.

Prior experience working within or auditing an IT organization, supporting enterprise‑level IT functions and processes required.

Big Four accounting firm experience a plus.

Experience in Management Consulting, IT Governance, Internal Audit, or Information Security a plus.

4+ years of program and project management experience a plus.

Demonstrated expertise in ISO, CIS, NIST, COBIT or other information security / IT controls frameworks.

Demonstrated familiarity with cloud control frameworks, including CSA Star, ISO 27017, COBIT for Cloud Assessments or other information security / IT controls.

Deep understanding of IT audit, compliance, and risk management methodologies and/or approaches.

Basic understanding of present Information Security frameworks, risks, and industry/common technologies.

Demonstrated savvy with team discussions and executive presentation deck development.

IT Risk Management Frameworks: Proficiency with NIST, ISO 27001, COBIT, and COSO frameworks.

Regulatory and Compliance Knowledge: Familiarity with SOX, GDPR, HIPAA, PCI‑DSS, GLBA, CCPA, or other industry‑specific regulations.

IT Controls Assessment: Ability to design, assess, and monitor IT General Controls (ITGCs) and application controls.

Audit and Assurance Tools: Experience with GRC platforms such as Archer, ServiceNow/SAP GRC, MetricStream, or OneTrust.

Data Protection and Privacy: Knowledge of data classification, encryption, and privacy‑by‑design principles.

Certifications

One or more of the following certifications strongly preferred: CISA, CISM, CRISC, CGEIT (ISACA).

The following certification is a plus: ITIL v3 (any level).

Compensation

The salary range for this position is $125,000.00 to $150,000.00. The actual starting pay will be determined by qualifications, including experience and relevant skills.

Our company provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, or genetics.
