
IT Auditor, Application Security

Global Relay
19 hours ago
Full-time
On-site
Vancouver, British Columbia, Canada
$80,000 - $110,000 CAD yearly

Who we are:

For over 25 years, Global Relay has set the standard in enterprise information archiving with industry-leading cloud archiving, surveillance, eDiscovery, and analytics solutions. We securely capture and preserve the communications data of the world’s most highly regulated firms, giving them greater visibility and control over their information and ensuring compliance with stringent regulations.

Though we offer competitive compensation and benefits and all the other perks one would expect from an established company, we are not your typical technology company. Global Relay is a career-building company. A place for big ideas. New challenges. Groundbreaking innovation. It’s a place where you can genuinely make an impact – and be recognized for it.

We believe great businesses thrive on diversity, inclusion, and the contributions of all employees. To that end, we recruit candidates from different backgrounds and foster a work environment that encourages employees to collaborate and learn from each other, completely free of barriers.

Your role:

As the IT Auditor – Application Security, reporting to the Vice President, Finance, you will evaluate the design and operating effectiveness of controls related to application security, secure software development, and DevSecOps practices across the software development lifecycle (SDLC). You will assess how security controls and secure development practices are implemented across engineering, security, and operational environments, identifying risks, evaluating control effectiveness, and providing actionable, risk-based recommendations to strengthen Global Relay’s overall security posture.

As part of the Internal Audit function, you’ll work cross-functionally with Engineering (Developers & DevOps), Information Security, IT Operations, and Product teams to understand technical implementations and independently assess the effectiveness of application and technology security controls within the environment.

You’ll primarily focus on application and secure development practices while also supporting broader technology and security audit activities where required.

Your responsibilities:

  • Assess application security and engineering programs, policies and software development governance practices
  • Evaluate the secure software development lifecycle (SDLC) and DevSecOps practices, including the integration of security controls within the CI/CD pipelines and alignment to industry frameworks such as OWASP
  • Evaluate secure coding practices across engineering and development teams including the use of AI in development processes
  • Review and analyze application security testing activities and outputs including SAST, DAST, API security testing, container security scanning and manual security testing results
  • Assess vulnerability management and penetration testing processes, including identification, prioritization, remediation, validation, exception handling and reporting practices
  • Review the maturity and security of automation practices and controls across virtualized and container environments
  • Identify recurring security findings, systemic risks and broader control weaknesses across applications, infrastructure and supporting technology environments
  • Participate in risk-based audit planning activities, including audit scoping, risk assessments, and control identification for technology and security audits
  • Perform testing and validation of application and technology security controls to assess their design and operating effectiveness
  • Document audit observations, risk impacts, root causes and control deficiencies and develop practical, risk-based recommendations for improvement
  • Prepare and communicate audit findings and technical assessments to both technical and non-technical stakeholders, including Engineering, Security, Product, IT Operations and leadership teams
  • Prepare and deliver presentations, reports, and supporting materials to communicate audit activities, findings, technical assessments, and recommendations to management and relevant stakeholders
  • Support audit issue tracking, remediation, validation and follow up activities to assess the effectiveness and timeliness of corrective actions
  • Stay informed of emerging threats, vulnerabilities, technologies and industry trends related to application security and secure development practices

About You:

  • 3-5 years of experience in IT Audit, Application Security, Cybersecurity, DevSecOps, Software Engineering or Technology Risk
  • Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Internal Auditor (CIA) or equivalent certifications considered an asset
  • Experience evaluating application security controls and secure software development practices within the software development lifecycle (SDLC) and DevSecOps environments
  • Familiarity with application security testing methodologies and tools, including manual testing, DAST/SAST scanning, API security scanning, and software composition analysis (e.g. JFrog Xray)
  • Familiarity with code repositories and version control systems (e.g. Bitbucket or similar platforms)
  • Understanding of common application security risks and frameworks (OWASP Top 10)
  • Understanding of software development lifecycle (SDLC) processes and secure development practices
  • General understanding of infrastructure and security concepts, including access control, network security, and vulnerability management
  • Strong analytical and critical thinking skills
  • Attention to detail and quality-oriented mindset
  • Ability to translate technical concepts into risk and control implications
  • Effective communication skills with the ability to explain technical findings to both technical and non-technical stakeholders
  • Ability to manage multiple priorities and work across different audit activities, maintaining organization and consistency in deliverables
  • Cooperative, team-oriented, with a proactive approach to understanding new technologies, tools, and emerging risks

Compensation:

Global Relay advertises the pay range for this role in compliance with British Columbia’s pay transparency laws. Individual pay rates are determined by evaluating factors such as expertise, skills, education, and professional background. 

The range below reflects the expected annual base salary, which is only one element of our comprehensive total rewards package designed to reflect our company pay philosophy, culture and values. We aim to foster an inspiring work environment and support employees' work-life rhythms. We provide a comprehensive extended health benefits program, including virtual healthcare and a wellness allowance. Employees also receive annual allotted vacation days, which increase based on tenure. Other benefits include paid sick days, maternity/parental enhancement program, bonus, and an RRSP contribution matching program.

For Vancouver-based employees, we provide a subsidized meal program, courtesy of our talented in-house culinary team!

British Columbia - Base salary range
$80,000 - $110,000 CAD

What you can expect:

At Global Relay, there’s no ceiling to what you can achieve. It’s the land of opportunity for the energetic, the intelligent, the driven. You’ll receive the mentoring, coaching, and support you need to reach your career goals. You’ll be part of a culture that breeds creativity and rewards perseverance and hard work. And you’ll be working alongside smart, talented individuals from diverse backgrounds, with complementary knowledge and skills.

Global Relay is an equal-opportunity employer committed to diversity, equity, and inclusion.

We seek to ensure reasonable adjustments, accommodations, and personal time are tailored to meet the unique needs of every individual.

To learn more about our business, culture, and community involvement, visit www.globalrelay.com.