Lead, Audit and Assurance

Basic Function

The Lead, Audit & Assurance is a senior individual contributor responsible for owning and advancing the company’s audit and assurance strategy, with direct accountability for external audit success, internal audit maturity, and overall control effectiveness. As the organization’s primary authority on audit, controls, and assurance, this role leads cross-functional

efforts to design and continuously improve scalable, technology-enabled GRC processes, driving measurable gains in audit efficiency, risk visibility, and control performance. Building on the Information Assurance foundation, the role expands into enterprise audit leadership, continuous assurance, and AI-enabled GRC transformation, including identifying and implementing automation and AI-driven solutions to enhance the efficiency, accuracy, and scalability of assurance activities.

Essential Functions and Responsibilities:

• Own end-to-end execution of Lumin’s external audit and assessment portfolio (SOC 2, PCI DSS, ISO 27001, HIPAA regulatory exams, and client audits), serving as the primary liaison to external auditors and ensuring successful, low-friction outcomes
• Design, mature, and lead a scalable, risk-based internal technical audit program: Establishing methodologies, scoping criteria, testing strategies, and reporting standards that produce independent, decision-ready assurance for leadership
• Strategically manage and continuously evolve Lumin’s risk and control mappings in the GRC platform, ensuring the framework accurately reflects the company’s technology footprint, regulatory obligations (FFIEC, PCI DSS, NIST CSF/800-53, ISO 27001), and contractual commitments to clients
• Replace manual evidence collection and synchronous walkthroughs with continuous control monitoring, automated evidence pipelines, and AI-assisted testing to drive measurable reductions in audit cycle time, evidence-request volume, and control drift. This responsibility means Lumin is always ‘audit-ready’.
• Lead the identification, evaluation, and adoption of AI and automation capabilities across the assurance lifecycle, and develop the audit approach for AI systems Lumin builds and deploys internally, including model risk, data lineage, and contributing to third-party AI governance considerations
• Partner with technology teams across the enterprise to embed control design into systems and pipelines from the outset, enforcing controls through technology rather than process where feasible
• Oversee the enterprise remediation lifecycle for audit findings and control gaps, ensuring risk-based prioritization, evidence-backed validation, and clear executive visibility into trends and residual risk ● Produce executive-ready reporting and real-time dashboards on control performance, audit posture, and assurance KPIs/KRIs, and represent Lumin’s assurance posture to clients, prospects, and regulators in due diligence, RFP, and examination contexts
• Perform other duties assigned

Position Specifications

Education:

• Bachelor’s degree in Information Assurance, Cybersecurity, Information Systems, Accounting (Audit), or related field is required; or equivalent combination of education and experience with demonstrated command of modern audit methodology, control frameworks, and assurance technology
• Certifications such as CISA, CISM, CRISC, or GSNA are strongly preferred; PCI ISA, ISO 27001 Lead Auditor, or AI governance credentials (e.g., AIGP) are a plus

Experience:

• Eight (8) or more years of progressive experience in technical audit, information assurance, or GRC within regulated industries (financial services, fintech, healthcare, or similar), with at least three (3) years operating at a lead or senior individual-contributor level required
• Demonstrated ownership of external audit engagements with consistently clean or low-finding outcomes required
• Hands-on experience configuring and operating a modern GRC platform (e.g., Drata, Vanta, AuditBoard, OneTrust, ServiceNow GRC, LogicGate, or equivalent), including multi-framework control mapping, evidence automation, and continuous control monitoring required
• Direct experience designing, implementing, or significantly maturing an internal technical audit program in a cloud-native SaaS environment is required
• Practical experience evaluating or deploying AI-enabled or automation-driven assurance capabilities (e.g., automated evidence collection, control testing, anomaly detection) preferred
• Experience in influencing cross-functional engineering, security, and product stakeholders and driving enterprise-wide assurance initiatives is required

Knowledge, Skills, & Abilities:

• Expert command of security and compliance frameworks relevant to SaaS fintech, including SOC 2, PCI DSS, ISO 27001/27002, NIST CSF, NIST 800-53, CIS Controls, and FFIEC IT Examination Handbook expectations ● Deep technical fluency with cloud-native SaaS environments (AWS/Azure/GCP shared-responsibility models, Infrastructure-as-Code, CI/CD pipelines, identity and access management, encryption, logging) — sufficient to evaluate control design and operating effectiveness independently and to challenge engineering on technical specifics
• Demonstrated ability to translate manual, evidence-heavy assurance activities into automated, continuous, system-enforced controls, and to articulate the risk and audit implications of doing so to both technical and executive audiences
• Working knowledge of how AI and machine-learning systems are designed, deployed, and governed within enterprises, including the unique control considerations they introduce (model risk, data lineage, prompt and output handling, third-party AI services, emerging regulatory expectations)
• Skill in setting and defending audit scope, written plans, sampling methodology, and evidentiary standards in dialogue with external auditors and regulators, including the ability to push back on inappropriate scope expansion or evidentiary requests
• Sharp analytical judgment with a proactive eye for systemic risks, control gaps, and improvement opportunities ahead of formal findings
• Calm, technically credible demeanor with the composure to navigate high-stakes, high-friction conversations with internal stakeholders, external auditors, and clients — holding firm on defensible, risk-based positions while sustaining collaborative working relationships and earning trust even when delivering difficult messages
• Strong written and verbal communication skills with a track record of producing executive-ready audit reports, board-level summaries, and client-facing assurance documentation
• Ability to operate as the senior technical voice on assurance matters — comfortable being the person who sets the standard rather than the one who follows it, and able to teach and elevate the practice of others without direct reporting authority
• Ability to prioritize tasks, exercise sound judgment, and maintain confidentiality with sensitive information ● Ability to work remotely while maintaining a high level of productivity and effectiveness with limited or no supervision
• Must be able to pass requisite background checks to access sensitive information

Travel:

• Minimal, generally 12 days or less per year, ~2X team get-togethers a year.