Information Security Auditor (Consulting | AI & Automation)
Roboyo is a category shaper in Agentic Automation. We help leading brands embed autonomous, AI‑powered agents into their workflows, processes, products and services so they can scale faster and operate smarter.
Built on a strong automation heritage, we focus on the seamless integration of AI into enterprise-level organizations: not just proving concepts, but owning outcomes and driving value in every industry where we are present. At Roboyo, you'll join a global team of builders, consultants and engineers who are top practitioners at taking solutions to the next level for clients in pursuit of excellence.
We’re looking for an Information Security Auditor (Consulting) to help our clients assess, improve, and evidence their security posture—especially where automation, AI solutions, cloud platforms, and modern engineering practices (CI/CD, DevSecOps) are involved.
This role is client-facing and combines audit execution, security assurance, and advisory. You will lead and contribute to security audits, control assessments, and compliance readiness engagements (e.g., ISO 27001, NIST, SOC 2), and you’ll partner with delivery teams to embed security controls into automation and AI-enabled processes.
What You’ll Do (Responsibilities)
1) Deliver Client Audits & Security Assessments
- Plan and execute risk-based security audits and control assessments for clients (internal controls, cloud, apps, DevOps, automation platforms, and third parties).
- Define audit scope, objectives, criteria, testing approach, and sampling aligned to standards and frameworks such as:
  - ISO/IEC 27001/27002, NIST CSF / 800-53, CIS Controls, SOC 2, COBIT
- Perform fieldwork:
  - Control design & operating effectiveness testing
  - Evidence gathering, interviews, walkthroughs
  - Access reviews, logging/monitoring validation, change management testing
  - Vulnerability & patch management review
  - Data protection controls verification (where relevant)
- Maintain high-quality working papers, traceability, and a repeatable audit methodology.
2) Audit Readiness & Compliance Advisory (Consulting-led)
- Support client readiness for ISO 27001 certification, surveillance audits, and customer assurance requests.
- Assess regulatory and contractual security requirements relevant to the client context (e.g., GDPR security requirements; NIS2 applicability depending on sector).
- Provide pragmatic remediation guidance:
  - Prioritized improvement plans
  - Control roadmaps & quick wins
  - Evidence pack design for audits / customer questionnaires
- Conduct follow-up and verify remediation closure.
3) AI, Automation & Modern Engineering Assurance
- Assess how security is implemented in automation and AI/ML-enabled workflows, including:
  - Secure automation (RPA / workflow orchestration), bot identities, credential vaulting, segregation of duties
  - AI governance & risk controls (data lineage, model risk, prompt/data access controls, monitoring)
  - Secure SDLC / DevSecOps controls: CI/CD, code scanning, secrets management, artifact integrity
- Review controls for:
  - Cloud environments (Azure/AWS/GCP), M365 security posture
  - API security and integration patterns used in automation
  - Identity & Access Management (IAM), privileged access, MFA, conditional access
  - Logging, monitoring, SIEM integration, incident response runbooks
4) Third-Party & Supplier Security (a key consulting stream)
- Perform supplier/third-party security assessments (questionnaires + evidence-based validation).
- Help clients establish third-party assurance models and risk scoring approaches.
- Support vendor onboarding security checks and the alignment of contract security clauses.
5) Client Communication, Reporting & Executive Storytelling
- Produce crisp, executive-ready deliverables:
  - Audit reports with findings, risk ratings, impact, and recommendations
  - Control matrices, evidence trackers, remediation plans
  - Board/CISO/CIO-ready summaries
- Present results to client stakeholders and facilitate workshops to align on remediation plans.
6) Contribute to Growth (Consultancy DNA)
- Support pre-sales by contributing to:
  - Proposals and statements of work (SoWs)
  - Effort estimates, delivery plans, and approach decks
  - Discovery sessions and scoping calls
- Help build our service offering: templates, accelerators, audit checklists, automation of evidence collection, and a knowledge base.
What We’re Looking For (Required)
Experience & Knowledge
- 3+ years in one or more of: Information Security, IT Audit, GRC, Security Assurance, or Security Engineering (adjustable by seniority).
- Proven experience conducting security control testing and writing audit-ready documentation.
- Working knowledge of at least one framework/standard:
  - ISO/IEC 27001, NIST, CIS, COBIT, SOC 2
- Strong understanding of common security domains:
  - IAM/PAM, logging/monitoring, incident response, vulnerability management, change management, backups/BCDR
Consulting & Soft Skills
- Comfortable in client-facing environments: workshops, interviews, challenging respectfully, influencing.
- Strong report writing and the ability to translate technical issues into business risk.
- Excellent organization, time management, and the ability to handle multiple engagements.
Language
- English (professional fluency required).
- Portuguese is a strong plus (or required if your client base is PT-centric).
Nice-to-Haves (Highly Valued in Our Context)
- Certifications:
  - CISA, ISO 27001 Lead Auditor, CISSP, CRISC, CCSP, GIAC (e.g., GSEC)
- Experience with:
  - Cloud posture reviews (Azure/AWS/GCP), Kubernetes security
  - Microsoft security stack (Defender, Sentinel, Purview)
  - DevSecOps / CI/CD auditing and secure SDLC
  - Third-party risk management programs
- Exposure to AI governance frameworks, model risk, or security aspects of AI systems.
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.
Privacy Notice: By applying, you consent to the processing of your personal data for recruitment purposes in line with our Privacy Policy: https://roboyo.global/data-privacy/