SAP GRC Advisor / IT Audit & Compliance Manager

Vaco is actively seeking an IT Audit & Compliance Advisor (with SAP GRC experience) to support our client’s continued growth by ensuring a well-defined IT security and compliance posture. This is a unique direct-hire opportunity to join a stable and growing organization that is a respected leader in their field.


Position Overview:

The IT Compliance & Application Security Manager is responsible for leading enterprise-wide IT compliance and application security initiatives within a complex Manufacturing / Logistics setting.

The role requires a strong emphasis on SAP GRC, secure development practices, and OWASP-aligned application security controls. Responsible for internal control environments across multiple systems are risk-resilient, audit-ready, and aligned with regulatory and cybersecurity best practices.

This leader will collaborate with development teams, GRC analysts, IAM stakeholders, and auditors to drive secure systems design and sustainable compliance strategies across both centralized systems like SAP and decentralized custom applications.


Key Responsibilities:
 

• Control Framework Ownership - Establish, maintain, and enhance application-specific control matrices (e.g., secure SDLC checkpoints, SoD rules, privileged access). Align practices with COSO, COBIT, NIST, and SAP GRC control architecture.
• Secure Development & OWASP Integration - Champion secure software development by embedding OWASP Top 10 and secure coding best practices across all custom and third-party applications. Integrate security checkpoints into CI/CD pipelines and partner with developers to ensure secure-by-design implementations.
• Policy Implementation & Enforcement - Translate enterprise-wide security policies into operational controls across systems by leveraging SAP GRC and other platforms for policy automation, control testing, and issue tracking.
• IAM & SoD Governance - Lead governance for identity provisioning, access reviews, role management, and segregation of duties. Collaborate with IAM teams to enforce least-privilege access and manage exception processes via SAP GRC.
• Audit & Compliance Execution - Serve as primary contact for internal/external auditors and compliance assessors. Prepare SOX documentation, perform walkthroughs, and manage control testing including automated controls within SAP GRC.
• Risk Metrics & Reporting - Define KPIs and KRIs related to IT compliance posture. Deliver executive-ready dashboards and trend analysis using Excel, Power BI, or similar tools.
• Cross-Functional Collaboration - Engage with cybersecurity architects, application owners, internal auditors, and vendors to ensure consistent compliance and risk mitigation across business functions.
• Documentation & Education - Develop and maintain policies, control procedures, and audit documentation. Conduct ongoing training for system owners and developers on secure development, risk ownership, and control assessments.

Technical Skills & Knowledge:
 

• SAP GRC Expertise - Hands-on experience managing access controls, risk analysis, control automation, and reporting in SAP GRC Access Control and Process Control modules - Preferably within a manufacturing or logistics setting.
• Secure Development Lifecycle (SDLC) - Strong working knowledge of secure coding practices, secure design, and security testing methodologies in line with OWASP Top 10, SANS, and ISO 27034.
• Cybersecurity Frameworks - Proficiency in NIST CSF, ISO 27001, and knowledge of vulnerability management, incident response, and threat modeling.
• Audit Standards & Regulatory Compliance - Familiarity with PCAOB, ISACA, and compliance frameworks including SOX 404, GDPR, HIPAA, and PCI-DSS.

Additional Details:
 

• Employment Type: Direct-Hire / Perm
• Start Date: Immediate
• Location: Remote
• Cadence: CST business hours / Monday - Friday
• Travel: Limited
• Target Compensation: $140k - $165k depending on skills and experience
• Engagement Status: No form of sponsorship or employment arrangements are being considered at this time.

Interested Candidates are Encouraged to Apply for Immediate Consideration!




Determining compensation for this role (and others) at Vaco/Highspring depends upon a wide array of factors including but not limited to the individual’s skill sets, experience and training, licensure and certifications, office location and other geographic considerations, as well as other business and organizational needs. With that said, as required by local law in geographies that require salary range disclosure, Vaco/Highspring notes the salary range for the role is noted in this job posting. The individual may also be eligible for discretionary bonuses, and can participate in medical, dental, and vision benefits as well as the company’s 401(k) retirement plan.