Information Security Auditor

Allentown PA or Sarasota FL | Enterprise Risk Management | Full-time | Fully remote


Company Overview:

Andesa Services, Inc is a service and technology company. We are proud to serve the Life Insurance and Annuity industry through custom Software as a Service (SaaS) technology solutions and dedicated business support to end-users such as clients, brokers or policy holders. More information on these services can be found on our website at

Andesa was established in 1983 and has locations in Allentown, PA and Sarasota, FL. We are a 100% employee-owned company via an Employee Stock Ownership Plan (ESOP), which means that when you join our team, you will not only become an employee-owner, you will be contributing to and taking part in the success and longevity of the company!

Career Opportunity:

We are currently seeking a driven and eager-to-learn individual to join our team as an Information Security Auditor. An Information Security Auditor is responsible for designing, testing, reporting on, and maintaining IT General Controls and application-level controls for Andesa in support of SOC-1/SOC-2/SOC-3 audits and client service level agreements.

Training Objectives:

  • In the first 30 days: You will meet with employee-owners across all levels of the organization to better understand your roles and responsibilities with respect to your department, while also gaining insight into the history and culture of Andesa. In your specific role, you will demonstrate proficiency in Microsoft Office and the Atlassian product suite, while gaining an understanding of the SOC and ICQ processes and the ERMO periodic tasks.
  • In the first 60 days: You will participate in the dissemination and collection of the ICQ, review the ERMO documents (ISPP, IT Security Governance, Mobile Device Management) and control catalog, and conduct an internal audit.
  • In the first 90 days: Cultivate professional relationships with ISP Auditors and Andesa control owners. Participate in developing quarterly ICQ presentations, client inquiries, and incident reports.

Primary Job Duties:

  • Coordinate SOC-1, SOC-2, and SOC-3 reviews with external auditors.
    • Design and execute tests of key IT controls assigned to the Risk Management Office.
    • Assign control activities to “owners” and ensure that they carry out these activities.
    • Educate control owners as appropriate to ensure understanding of the controls assigned.
    • Provide a sound basis for the “Management Assertion” in the SOC reports.
    • Respond to client inquiries on the SOC-2 reports – i.e., testing exceptions, control remediation, etc.
    • Assist external auditors in walk-through visits of Andesa facilities and in the collection of their requested test samples.
    • Update the SOC report narrative sections each year to ensure they accurately reflect Andesa’s product and service offerings.
    • Provide a written bridge letter and associated diligence for clients.
    • Watermark and distribute the SOC reports to all clients and appropriate third parties.
  • Drive the quarterly Internal Control Questionnaire (ICQ) process, designed to assess the design and operating effectiveness of existing SOC controls.
    • Provide a quarterly report to Senior Staff on the state of IT controls, including control deficiencies in need of remediation.
  • Perform annual security training.
  • Ensure IT compliance incidents are promptly addressed, documented and resolved; consider implications, make recommendations and take appropriate follow-up.

  • Identify IT controls, assess their design and operational effectiveness, determine risk exposures and develop remediation plans.

  • Bachelor’s degree in Auditing, Information Systems or equivalent experience.
  • At least two (2) years of relevant work experience (Auditing, IT Controls, etc.).
  • Appropriate professional certification preferred – e.g., CISA.


  1. Strong communication skills
  2. Perform security reviews of Andesa’s systems and identify gaps in security architecture
  3. Business Continuity
  4. Review or conduct audits of information technology (IT) programs and projects
  5. Risk Management

Physical Demands & Work Environment:

  • Physical Demands: While performing the duties of this job, the employee is regularly required to talk or hear. The employee frequently is required to sit/stand for long periods of time; routinely walk; use hands to finger, handle or feel; and reach with hands and arms.
  • Work Environment: This job operates in a professional office environment and routinely uses standard office equipment such as computers, phones, photocopiers, filing cabinets and fax machines. The noise level in the work environment is usually moderate.

Additional Position Information:

  • Employment Status: This is a full-time (40 hours per week), exempt (salaried) position with benefit eligibility.
  • Work Schedule: Hours for this position shall encompass normal business hours to meet the needs of our clients.
  • Location: This position may report to our Allentown or Sarasota office, work remotely, or work under an agreed-upon hybrid arrangement. Close proximity to Allentown is preferred. Some travel required.

Equal Opportunity Employer

  • In accordance with the law and in alignment with our values, Andesa seeks to hire talented individuals with diverse backgrounds and experiences to help us achieve our Andesa Forever vision. We are committed to creating a work environment that is inclusive and respectful to all potential and existing employee-owners. Therefore, we do not hire, fire, discipline, promote or make pay decisions based on characteristics that are protected by applicable laws and regulations. Protected classes may include age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, pregnancy and/or sexual orientation.