Process Assurance Project Manager

Hannah is a Process Assurance Project Manager for a large financial services firm. Based out of Danbury, CT, Hannah is responsible for IT risk and control for an application development team. She uses her extensive audit experience to manage risk assurance, which can range from guarding against corrupted code in the back end to keeping unauthorized users from using the system software.

Transcript

My name is Hannah Micsell, and right now I work as a process assurance project manager, which means I'm in an IT risk and control function. So right now I work, like I said, for an application development team in an IT function for a large financial services firm. And what I do is I leverage my audit background to provide them with some assurance over their common risks and the types of controls they should have. In the function like theirs, they might have the risk of inappropriate access, folks who shouldn't have access to certain applications, systems or servers might need to have that access periodically reviewed to make sure that it's appropriate. Another risk might be corrupted code deployed to production that could pose a vulnerability to the application systems and servers they're trying to use. So in auditing, you learn how to map out the processes in any organization or department, identify the key risks that could potentially pose a threat to that organization or function, and then help that team assess their controls or maybe identify gaps where they need new controls. So that's what I started doing on the financial side and then later, I moved into IT. So I help management pay attention to the portfolio of applications that they build and maintain and we try to risk rank those to have an idea where we should start. There's so much to do, we can't pay attention to everything so we try to prioritize, I work that way. Once we've decided what we're gonna do and how we're gonna do it, I'll work with the folks that own those applications to perform any activities they need to. If I'm aware of any gaps, I'll bring it to their attention and vice versa. And then I provide regular reporting to management on how we're doing with those activities.
One thing that we did last year when I first came on board was we did our first risk and control self-assessment, so we took some industry standard risks and controls leveraging certain industry standard control frameworks like COBIT is an example some people may have heard of. So we took those expected controls and mapped them against what we thought was actually present in the organization. Since it was the first time we had done that exercise, it was really neat to be a part of building that framework for the company I work at.
