Job Description I. DESCRIPTION OF SERVICES
Office of the Attorney General of Texas requires the services of 1 IT Auditor 3, hereafter referred to as Candidate(s), who meets the general qualifications of IT Auditor 3, Security and the specifications outlined in this document for the Office of the Attorney General of Texas.
We are seeking a highly motivated and talented individual to join our cybersecurity team at the Texas Office of the Attorney General (TxOAG) as an IT Auditor. The IT Auditor is responsible for providing independent assurance over the organization’s information technology and cybersecurity control environment. The role supports risk management, regulatory compliance, and the overall effectiveness of cybersecurity governance.
Responsibilities May Include, But Are Not Limited To
- Plan, execute, and report on IT and cybersecurity audits to assess the effectiveness of security controls, risk management practices, and compliance with policies and regulations
- Evaluate the design and operating effectiveness of cybersecurity controls across areas such as identity and access management, network security, endpoint protection, cloud security, and data protection
- Conduct risk assessments and control testing aligned to recognized frameworks (e.g., NIST CSF, ISO 27001, CIS Controls, COBIT)
- Assess compliance with applicable regulatory and contractual requirements (e.g., SOX, PCI DSS, HIPAA, GDPR, SOC reports, internal policies)
- Review vulnerability management, incident response, disaster recovery, and business continuity processes to ensure preparedness and resilience
- Collaborate closely with GRC, and business stakeholders to understand systems, processes, and compliance
- Identify control gaps, root causes, and risk implications, and develop clear, actionable audit findings and recommendations
- Track and validate remediation efforts to ensure timely and effective resolution of audit issues
- Support third-party risk assessments, including reviews of vendor security controls and SOC reports
- Stay current on evolving regulatory changes, and industry best practices to continuously enhance audit approaches
- Contribute to the continuous improvement of audit methodologies, tools, and automation techniques
- Prepare and present audit results to management and, when required, senior leadership or audit committees.
The above job description and requirements are general in nature and may be subject to change based on the specific needs and requirements of the organization and project.
Minimum Requirements
II. CANDIDATE SKILLS AND QUALIFICATIONS
Candidates that do not meet or exceed the minimum stated requirements (skills/experience) will be displayed to customers but may not be chosen for this opportunity.
YearsRequired/PreferredExperience8RequiredPlan, conduct, and document IT and cybersecurity audits in accordance with approved audit methodologies and professional standards.8RequiredEvaluate the design and operating effectiveness of information security controls across systems, networks, applications, cloud environments, and data platforms.8RequiredAssess cybersecurity risks and controls in alignment with recognized frameworks and standards8RequiredPerform testing to assess compliance with applicable laws, regulations, contractual obligations, and internal policies.8RequiredReview and assess processes related to identity and access management, vulnerability management, incident response, disaster recovery, and business continuity.8RequiredIdentify control deficiencies, assess risk impact, and develop clear, well-supported audit findings and recommendations.8RequiredPrepare formal audit reports that communicate results, conclusions, and remediation requirements to management.8RequiredMonitor, track, and validate management remediation plans to ensure timely and effective resolution of audit issues.8RequiredAbility to resolve complex security issues in diverse and decentralized environments; to learn, communicate, and teach new information and security technologies; and to communicate effectively.8RequiredConduct forensic investigations on cyberattacks to determine how they occurred and how they can be prevented in the future.3PreferredCISSP, PMP certifications
III. TERMS OF SERVICE
Services are expected to start 03/02/2026 and are expected to complete by 08/31/2026. Total estimated hours per Candidate shall not exceed 1016 hours. This service may be amended, renewed, and/or extended providing both parties agree to do so in writing.
IV. WORK HOURS AND LOCATION
Services shall be provided during normal business hours unless otherwise coordinated through the Office of the Attorney General of Texas. Normal business hours are Monday through Friday from 8:00 AM to 5:00 PM, excluding State holidays when the agency is closed.
The primary work location(s) will be at OAG State Office located at 5500 E. Oltorf St, Austin, TX 78741. Teleworking is currently allowed for this contract position with management approval.. The working position is Hybrid - On Site and Telework. Any and all travel, per diem, parking, and/or living expenses shall be at the Candidate's and/or Vendor's expense. Office of the Attorney General of Texas will provide pre-approved, written authorization for travel for any services to be performed away from the primary work location(s). Pre-approved travel expenses are limited to the rates and comply with the rules prescribed by the State of Texas for travel by its classified employees, including any requirement for original receipts.
The Candidate(s) may be required to work outside the normal business hours on weekends, evenings and holidays, as requested. Payment for work over 40 hours will be at the hourly rate quoted and must be coordinated and pre-approved through Office of the Attorney General of Texas.
V. Other Special Requirements
The candidate(s) will be subject to a criminal background check that includes a DPS/FBI background check and fingerprinting.
