Associate IT Auditor (1684 Auditor II)

Recruitment #PEX-1684-071941


The Office of the Controller’s mission is to ensure the City and County of San Francisco’s financial integrity and promote efficient, effective and accountable government.  Its vision is to be a model for good government and to make the City a better place.  The City Services Auditor has actively and successfully assisted the Controller in fulfilling its mission by providing best in class audit services that assists City leadership in making strategic decisions to improve the economy, efficiency, and effectiveness of government services.  In the past six years the audit organization has:      

  • Received two national awards from the Association of Local Government Auditors recognizing the quality of audits and the impacts of how the audits have shaped city policies.
  • Passed (without deficiencies) the triennial peer review required by Generally Accepted Government Auditing Standards in 2011 and 2014.
  • Issued a total of 898 recommendations in the past two fiscal years, with a citywide recommendation implementation rate of 97 percent after two years.
  • Developed and successfully implemented a capital projects audit program.
  • Successfully managed a Whistleblower Program that received, investigated, and/or referred more than 300 complaints per year, and, on an average, sustained about 20 to 30 percent of those complaints.

The City’s 1996 Charter designates the Controller as the chief accounting officer and auditor for the City and County.  The City and County has a $9 billion budget of which two-tenths of one-percent is annually legislatively mandated to the City Services Auditor.  To fulfill his role as the City Auditor, the Controller designates his audit authority to the Director of City Services Auditor and together they fulfill these legislative mandates as a condition of his audit authority by:

  • Reporting on the level and effectiveness of San Francisco's public services and compare the City to other public agencies;
  • Conducting financial and performance audits of City departments, contractors, and functions;
  • Running a whistleblower complaints hotline and website and investigate reports of waste, fraud and abuse of City resources.


The position vacancy is for an IT Auditor for a new IT audit and cyber security team.

Under supervision, performs professional-level IT audit work.

Essential duties for this job include, but are not limited to:

  1. Performs information control reviews to include system development standards, operating procedures, system security, programming controls, communication controls, backup and disaster recovery, and system maintenance.
  2. Reviews internal control procedures and security for systems under development and/or enhancements to current systems.
  3. Prepares audit finding memoranda and working papers to ensure that adequate documentation exists to support the completed audit and conclusions.
  4. Prepares and presents written and oral reports and other technical information in a pertinent, concise, and accurate manner for distribution to management.
  5. Follows up on audit findings to ensure that management has taken corrective action(s).
  6. Assists in the analysis, development, and ongoing improvement of a comprehensive, flexible, and scalable IT Controls for regulatory requirements and organizational directives.
  7. Assists in IT policy management and security incident response as needed. 
  8. Proactively analyzes and reports on issues and produces metrics for an IT Dashboard.
  9. Executes ad hoc projects, such as due diligence reviews, readiness assessments, etc. 


Education:  Possession of a baccalaureate degree from an accredited college or university in business or public administration, accounting, finance, statistics, the social sciences, English, or a related field.

Experience:  Two (2) years of verifiable professional auditing experience or related analytical experience; functional understanding of local government operations; knowledge of government auditing standards and auditing principles and practices.


  • A master’s degree in business or public administration, accounting, finance, statistics, or a related field may be substituted for one (1) year of the required experience.

Desirable Qualifications and Experience

  • Professional certifications (e.g. Certified Information System Auditor (CISA), Certified Information System Manager (CISM), Certified in Risk and Information System Control (CRISC), Certified Information System Security Professional (CISSP), Cybersecurity Nexus (CSX), and Offensive Security Certified Professional (OSCP) are highly desirable.
  • Experience conducting information security audits and network penetration and vulnerability assessments for various applications and systems.
  • Proficient in using forensic and data analysis computer software (e.g., ACL, SQL, FTK, EnCase) and application systems.
  • Demonstrates knowledge of IT frameworks such as NIST, COBIT, ITIL and others.
  • Knowledge of business and IT processes and how they intersect with financial transactions.


    Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at


    Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

    Selection Plan

    Applications for City and County of San Francisco jobs are only accepted through an online process. Visit to register an account (if you have not already done so) and begin the application process.

    • Select the desired job announcement (PEX-1684-071941)
    • Select “Apply” and read and acknowledge the information
    • Select either “I am a New User” if you have not previously registered, or “I have Registered Previously”
    • Follow instructions on the screen

    Computers are available for the public (from 8:00 a.m. to 5:00 p.m. Monday through Friday) to file online applications in the lobby of the Dept. of Human Resources at 1 South Van Ness Avenue, 4th Floor, San Francisco.

    Applicants may be contacted by email about this announcement and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date.  Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter.  To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (,,,,,,,,,,

    Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file.  Applicants should retain this confirmation email for their records.  Failure to receive this email means that the online application was not submitted or received.

    All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline.  Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications.

    Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores.

    If you have any questions regarding this recruitment or application process, please contact the exam analyst, Carlos Benitez, by telephone at (415) 554-7530, or by email at .


    Conviction History

    As a finalist for a job, you will be fingerprinted, and your fingerprints will be sent to the California Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI). The resulting report of your conviction history (if any) will be used to determine whether the nature of your conviction (or arrest, in limited circumstances) conflicts with the specific duties and responsibilities of the job for which you are a finalist. If a conflict exists, you will be asked to present any evidence of rehabilitation that may mitigate the conflict, except when federal or state regulations bar employment in specific circumstances, such as:

    • Candidates applying for positions with the Unified School District and the Community College District may be disqualified from consideration should their conviction history not meet the standards established under the California Education Code.
    • Candidates applying for positions with the Recreation and Park Department may be disqualified from consideration should their conviction history not meet the standards established under California Public Resources Code 5164.

    Having a conviction history does not automatically preclude you from a job with the City.

    If you are selected as a finalist, the hiring department will contact you to schedule a fingerprinting appointment.


    General Information concerning City and County of San Francisco Employment Policies and Procedures:
    Important Employment Information for the City and County of San Francisco can be obtained at or hard copy at 1 South Van Ness Avenue, 4th Floor.

    Copies of Application Documents:
    Applicants should keep copies of all documents submitted, as these will not be returned.

    Right to Work:
    All persons entering the City and County of San Francisco workforce are required to provide verification of authorization to work in the United States.

    Issued:  October 28, 2016
    Micki  Callahan
    Human Resources Director
    Department of Human Resources
    Recruitment ID Number: 071941


    All employees hired on or after January 10, 2009 will be required (pursuant to San Francisco Charter Section A8.432) to contribute 2% of pre-tax compensation to fund retiree healthcare. In addition, most employees are required to make a member contribution towards retirement, ranging from 7.5%-13.25% of compensation. For more information on these provisions, please contact the personnel office of the hiring agency.

    For more information about benefits, please click here.


    Powered by JobAps