GRC Analyst – Controls Testing & Assurance in Bury St Edmunds

Role Purpose

The GRC Analyst will sit within the second line of defence and is responsible for testing and assessing the design and operating effectiveness of IT General Controls (ITGCs) and cybersecurity controls across JD Sports. The role is focused on executing control testing, evaluating evidence, identifying control gaps and supporting audit readiness. The GRC Analyst will work closely with Technology, Internal Controls and Audit teams to ensure that the JD Sports control environment meets regulatory audit and internal risk management and control requirements. This is a technically focused GRC role requiring a strong understanding of ITGC and cybersecurity frameworks, audit methodologies and enterprise IT environments. The successful candidate will be instrumental in supporting external audit readiness, identifying control gaps and driving remediation activity across JD Sports.

Key Responsibilities

• Control Testing & Assurance
  • Plan, execute and document risk-based testing of IT General Controls and cybersecurity controls across key domains including identity and access management, change management, computer operations and third-party risk.
  • Assess controls for design adequacy and operating effectiveness in line with recognised frameworks such as COBIT, SOX ITGC, ISO 27001 and NIST.
  • Collect, review and evaluate control evidence, applying professional scepticism and audit rigour.
  • Identify control deficiencies and gaps, articulating root causes, risk impact and recommended remediation actions.
  • Maintain accurate and complete working papers and test documentation.
• Control Framework & Oversight
  • Support the development and maintenance of the Technology Controls Framework and ITGC and cybersecurity control library, ensuring controls remain aligned to risk appetite and evolving business requirements.
  • Monitor and track control remediation activity, escalating overdue or high-risk items to senior stakeholders in a timely manner.
  • Operate and provide input into Control Self-Assessment (CSA) processes, contributing ITGC-specific insight to the broader enterprise risk framework.
• Audit Support & Stakeholder Management
  • Support the GRC Controls Lead with internal and external auditors during IT audit cycles, coordinating evidence requests, facilitating walkthrough and managing the audit relationship professionally.
  • Support preparation for inspections and audits, ensuring documentation and evidence packs are accurate, complete and audit-ready.
  • Build effective working relationships and support cross-functional collaboration with other teams and functions such as Technology, Internal Controls, Internal Audit, Enterprise Risk, Legal and Procurement.
• Issue Management & Reporting
  • Support in the development of clear and concise testing reports and exception summaries for consumption by technical and non-technical audiences, including senior management and board-level committees.
  • Maintain GRC tooling, dashboards and metrics relating to ITGC and cybersecurity control coverage, testing progress, deficiency status and remediation timelines.
  • Present findings and recommendations with clarity and confidence, supporting informed risk-based decision making.
• Continuous Improvement
  • Identify opportunities to improve the efficiency and effectiveness of the ITGC testing programme, including automation, tooling and methodology enhancements.
  • Support enhancements of GRC policies, standards and procedures relating to technology risk and control.
  • Stay current with changes to relevant regulatory requirements, audit standards and industry best practice.

Skills & Experience

Essential

• 2-5 years of demonstrable experience in controls testing, IT audit, or GRC function within a fast-paced and complex organisation.
• Strong understanding of IT General Controls domains such as identity and access management, change management, computer operations, programme development and third-party risk.
• High-level and working knowledge of cybersecurity control domains such as vulnerability management, incident response, logging and monitoring, data protection and encryption, cloud security and network security.
• Ability to assess both control design and operating effectiveness.
• Experience collecting, evaluating and challenging control evidence.
• Ability to identify control weaknesses, articulate risk impact and develop actionable remediation recommendations.
• Strong written and verbal communication skills, with the ability to produce clear and concise audit and assurance reports.
• Organised and methodical approach to workload management, with the ability to manage multiple priorities and deadlines.

Desirable

• Relevant professional certifications such as CISA, CRISC, CISSP or equivalent.
• Familiarity with audit frameworks and standards including COBIT, SOX ITGC, ISO 27001 and NIST.
• Experience in a retail, e-commerce or large global enterprise environments, supporting Big 4/external audit or internal audit engagements in an ICFR / SOX / IT control capacity.
• Familiarity with GRC tooling platforms such as AuditBoard or similar.

Behaviours & Competencies

• Independence and objectivity: Operates with integrity and professional scepticism, providing impartial assurance regardless of organisational pressure.
• Analytical thinking: Applies a structured, evidence-based approach testing.
• Stakeholder engagement: Builds credible and effective working relationships with first line teams, auditors and senior stakeholders.
• Attention to detail: Maintains a high standard of accuracy in testing documentation, evidence review and reporting.
• Continuous improvement: Seeks opportunities to improve processes and outcomes.