Lead Compliance Analyst
Macys Technology - September 2022 - January 2026
A seasoned GRC and compliance leader with deep expertise driving enterprise audit programs across SOX, PCI DSS, TIPSA, SOC 1/SOC 2, and emerging regulatory frameworks including self taught DORA, NIST AI RMF, ISO/IEC 42001, and the EU AI Act. Known for strengthening governance across cloud and on‑prem environments, enhancing cloud compliance through automation platform, and unifying control frameworks to reduce audit fatigue and accelerate readiness. Adept at managing the full lifecycle of issues remediation, partnering with cross‑functional leaders, and delivering scalable, efficient compliance operations using GRC platforms. Recognized for strategic thinking, strong execution, and the ability to elevate organizational control maturity while aligning technology, security, and financial reporting objectives.
Key Accomplishments:
Directed critical, full-cycle audits (SOX, PCI DSS, TIPSA), successfully.
Achieved a 100% on-time audit closure rate by meticulously managing and tracking remediation activities in GRC tools.
Strengthened cloud governance by implementing GCP compliance..
Planned, led, and executed the full lifecycle of SOX 404 ITGC and automated application control testing, ensuring appropriate control scope and effective mitigation of key financial reporting risks across all key financial applications (KFAs).
Served as the primary liaison between IT, Finance, and Internal/External Audit, aligning SOX scope, testing schedules, walkthroughs, and documentation requirements across the enterprise.
Oversaw timely and accurate execution of IT control activities, including user access reviews, change management, SDLC controls, and backup/recovery procedures, ensuring control owners maintained complete and compliant documentation.
Maintained comprehensive SOX documentation in Workiva, including RACMs, process flows, system diagrams, narratives, and control procedures.
Coordinated with Internal Audit and Big Four external auditors on testing, walkthroughs, and evidence requests, ensuring reliance on management testing where appropriate.
Monitored IT test results and selfassessments to identify design and operating deficiencies; led root cause analysis, corrective action planning, and validation of remediation effectiveness.
Provided subjectmatter expertise on IT control design for new systems, upgrades, and process changes, ensuring strong ITGC and application control coverage from the start.
Trained and coached control owners on SOX requirements, ITGC best practices, documentation standards, and audit readiness expectations.
Identified opportunities to streamline and automate IT controls, enhance monitoring, and strengthen governance practices across KFAs and supporting systems.
Developed and delivered executivelevel reporting on SOX program status, testing progress, issues, and remediation activities, ensuring transparency and timely escalation.
Promoted a culture of integrity, accountability, and collaboration, strengthening relationships across IT, Finance, Audit, and business teams.
SOX 404 Expertise: Deep understanding of ITGCs (access, change management, operations, backup/recovery) and IT risk management principles.
Audit Partnership: Experienced in working with Big Four firms on walkthroughs, testing, and control assessments.
Analytical & ProblemSolving: Skilled at evaluating IT risks, identifying deficiencies, and developing practical remediation plans.
Assisted the enterprise GRC program, ensuring alignment across SOX, PCI DSS, TIPS/A, privacy, and IT risk frameworks while driving a unified control strategy across business and technology teams.
Built and matured governance structures, including steering committees, control owner forums, and cross functional working groups to strengthen accountability and oversight.
Established enterprise wide compliance roadmaps, KPIs, and risk dashboards to provide leadership with clear visibility into control health, audit readiness, and emerging risks.
Championed a culture of compliance by developing training programs, communication plans, and awareness campaigns that elevated organizational understanding of ITGC and regulatory obligations.