Governance, Risk & Compliance (GRC) Analyst (AFFIAR)

UICGS and Bowhead Family of Companies

Posted today

Job Requirements

Andrews AFB, MD
Secret Polygraph Unspecified
Career Level not specified
Salary not specified

Job Description

Overview

Governance, Risk & Compliance (GRC) Analyst (AFFIAR):

Bowhead seeks a Governance, Risk & Compliance (GRC) Analyst to support the AF FIAR contract located at Joint Base Andrews, MD. AF FIAR provides audit and audit system remediation services for beginning-to-end support as it relates to audit remediation, sustainment, and financial statements reporting and analysis. The GRC Analyst will be experienced with risk management and internal controls (RMIC), with deep experience implementing OMB Circular A-123, GAO Green Book/FAM, and DoD internal control guidance, leveraging eGRC/ServiceNow to produce audit-ready process and control documentation and deliver executive-level briefings. The analyst will also be skilled in driving DAF-wide RMIC progress through organizational change management and cross-stakeholder coordination, while consuming and consolidating large datasets to support enterprise reporting and third-party/IT control monitoring.

Responsibilities

  • Sustain the current A-123 and RMIC programs by incorporating the control environment to manage risk, and advance and achieve goals surrounding the financial statement audit as it evolves
  • Develop a schedule for the full cycle of A-123, to include timelines and deliverables.
  • Conduct annual scoping and planning activities that include a documented risk-based assessment of business areas
  • Perform Test of Design (TOD) and Test of Operating Effectiveness (TOE), perform gap analysis, and conduct process improvement.
  • Develop and/or update existing internal control documentation based on business process cycles
  • Draft Self-Identified Deficiencies (SIDs)
  • Report testing results to AU process owners
  • Populate the Enterprise Governance Risk and Compliance (eGRC) system with deliverables
  • Process Cycle Memorandums (PCM), Control Evaluation Matrix (CEM), Control Testing Documentation, Self-Identified Deficiency Documentation, Test Result Briefing
  • Develop and maintain a framework for the management of DAF's third-party risk as it impacts DSCA FIAR business processes.
  • Complete the Service Provider Assessment Workbooks
  • Submit CUEC Assessment Summary Survey
  • Monitor remediation of deficiencies and gaps identified during review of third-party control environments and track progress on corrective actions through follow-up reviews and testing
  • Contribute to the ongoing assessment of needs for Audit Support MOUs
  • Track and facilitate metrics reporting for monitoring and oversight
  • Support the development of meeting agendas, briefing materials, and meeting minutes
  • Create desk procedures/standard operating procedures for continuity purposes
  • Identify knowledge gaps, and develop and provide training to personnel
  • Other duties as assigned


Qualifications

  • BA/S in a relevant technical field preferred. An additional four (4) years of relevant work experience may be substituted for the education requirement
  • Two (2+) years of experience with financial/business process transformation, strategic or transformational change, automation, or other relevant field


Technical Skills:
  • Internal control framework execution: design and perform A-123/GAO Green Book/FAM/DoD PCN-aligned control work, including process/control documentation and audit-ready deliverables
  • Walkthroughs & gap assessment: plan, conduct, and document walkthroughs; perform Process Control Matrix (PCM) analysis to identify and document control gaps and remediation needs
  • Stakeholder quality & change enablement: provide technical review/standardization feedback across DAF-wide stakeholders; apply change management practices and strong technical writing to mature RMIC artifacts (policies, SOPs, agreements)

Communication & Interpersonal Skills:
  • Executive communication: develop and deliver senior-leader briefings on walkthrough results, findings, recommendations, and RMIC status
  • Cross-stakeholder facilitation: lead discussions and align requirements across functional/financial teams and DAF-wide/external stakeholders (e.g., IPA, service auditors, AUs, system owners, service providers)

Technical writing:
  • Produce clear, concise, audit-ready documentation (e.g., process control matrices (PCMs)) with strong attention to detail and accuracy

Expertise with Regulations and Guidance:
  • Office of Management and Budget (OMB) Circular No. A-123: Management's Responsibility for Enterprise Risk Management and Internal Control
  • Government Accountability Office (GAO) Green Book (GAO-14-704G): Standards for Internal Control in the Federal Government
  • Department of Defense Instruction (DoDI) 5010.40: DoD Enterprise Risk Management and Risk Management and Internal Control (RMIC) Program

Additional desired skillsets (nice-to-haves, not necessarily required):

Expertise with Regulations and Guidance:
  • GAO Framework for Managing Fraud Risks (GAO-15-593SP)
  • GAO Financial Audit Manual (FAM) (GAO-22-105895): Vol. 1 (Jun 2024) and Vol. 2 (Jun 2025)

Technical Skills:
  • ServiceNow eGRC / Integrated Risk Management (IRM) administration and workflow integration (test & production), including centralized internal controls repository management
  • Data analytics & reporting: consolidate large, siloed RMIC datasets into enterprise-level reports, executive summaries, visualizations, and annual Statement of Assurance (SoA) deliverables
  • Third-party/IT controls oversight: assess service-provider controls (including SSAE 18), evaluate materiality, and monitor Complementary User Entity Controls (CUECs) impacting financial reporting

Preferred:
  • Experience with Air Force policies, systems and procedures for financial management, personnel, acquisition, inventory, property and material management


Physical Demands:
  • Must be able to lift up to 25 pounds
  • Must be able to stand and walk for prolonged amounts of time
  • Must be able to twist, bend and squat periodically

SECURITY CLEARANCE REQUIREMENTS: Must be able to maintain a security clearance at the Secret level. US Citizenship is a requirement for this contract.