Jobs in the automotive industry: Head of IT Audit & Compliance Assurance

The "IT Audit & Compliance Assurance" department at ZF is responsible for ensuring that IT work complies with international laws and standards.

Sandrina Rath

(Image: ZF)

By Clemens Gleich
This article was originally published in German and has been automatically translated.

The automotive industry and its suppliers are in the midst of a disruptive change. The switch from combustion engines to electric motors alone will fundamentally change one of the key industries, especially in the world of work. Numerous jobs will be lost, while new ones will be created and many will change. In a thematic focus, we want to shed light on jobs in the automotive industry and its suppliers that did not exist in this form a few years ago, but will become increasingly important over the next ten years. Companies will be looking for suitably trained employees even more than they are at present. Their chances on the job market are likely to be excellent.

The supplier ZF must reduce its debt. A large part of this debt, amounting to around eleven billion euros, resulted from the acquisition of the US supplier TRW and the commercial vehicle supplier Wabco. As a result, the company has financing costs of almost half a billion euros per year. The management is therefore realigning the company to reduce debt and at the same time continue to invest. ZF is reviewing its technology portfolio and prioritizing projects that promise sustainable returns. However, this process should not obscure the fact that ZF still needs a highly specialized workforce to develop hardware, software and integrated platforms in the rapidly changing automotive industry. In addition to the technical requirements, standards and laws now also impose strict requirements that a supplier must not violate.

Sandrina Rath works at ZF in Friedrichshafen as Head of IT Audit & Compliance Assurance. This department is responsible for ensuring that IT work at ZF complies with international laws and standards. To this end, she develops guidelines according to which IT can then work securely. Legally compliant, standard-compliant IT is part of the basic equipment of any international company, and both the technology and the laws are becoming increasingly complex.

In one simple sentence, as if you were telling grandma: What is the core of the job?

We ensure that the global IT organization is compliant with relevant laws, norms and standards, that risks are identified and remedied at an early stage and that audits and certifications are carried out successfully.


What are the typical tasks involved?

In the IT Audit & Compliance Assurance department, we translate regulatory requirements into technical measures. In doing so, we pay particular attention to potential risks. Risk management and the internal control system roughly consist of two components: preventive and detective. First of all, risks should, of course, be kept as low as possible, preferably not arise at all. This is achieved through suitable structures and IT systems, both automatically and manually. And if risks or problems arise, they must be identified. This is done, for example, through spot checks.

ZF Friedrichshafen AG is one of the largest automotive suppliers in the world. It has to be correspondingly precise.

(Image: ZF)

At ZF, we advise all IT functions and projects regarding IT risks and appropriate responses. We negotiate with partners, suppliers and committees. And finally, we keep track of legislation and case law. Legal practice often only arises from typical rulings on a previously new law. We also constantly monitor the development of relevant standards. So we have our finger on the pulse of the times.

What is special about the job?

The job is characterized by a fast-moving, varied environment. There are more and more rules and laws. At the same time, technology is changing quickly and often leads legislators to create entirely new rules. Just think of AI: a technology suddenly becomes so relevant that new laws are created.

As the regulatory framework for technical innovations changes so frequently and constantly, there is a constant need for adaptation. We have to be creative and find solutions so that everyday IT runs smoothly and within the framework of the regulations. If we create the right framework conditions, it becomes easier for everyone because, for example, you can only create things in such a way that they comply with the specifications. We also define milestones and monitor compliance with them. And we make sure that section 87 of the Works Constitution Act, which regulates the co-determination rights of the works council, is complied with.

A little-noticed factor in all of this: if we reliably comply with laws and work according to international standards, this creates a guarantee of sustainability for employees, customers and business partners, a sign of trust for long-term cooperation.

What does the position in the Group mean?

IT is an enabler for the Group, so our work has an impact on the Group as a whole and provides insights into the Group's strategic direction. We advise on every IT project, and IT is everywhere. This means that we are also interwoven throughout the Group, with all IT areas and projects globally. We work particularly closely with IT security, auditing, compliance, the finance department and the international network for GRC (Governance, Risk, Compliance). We report to the Management Board and the Audit Committee on our findings from IT audits, the internal control system (ICS) and our risk exposure. Furthermore, we also coordinate all internal and external audits. External audits and certifications serve as proof of the quality of our processes with regard to the requirements of standards, norms and regulations: the external view has also confirmed this. Thinking about subsequent external audits often helps during the planning stage.

ZF is cooperating with Goodyear to integrate their "Sightline" tire data into ZF's own cubiX software, which controls vehicle dynamics. This also requires a great deal of coordination and takes into account the strict safety requirements of the automotive industry.

(Image: ZF)

How did you get into this job?

I moved internally at ZF, from what was then called the "Regulatory Security Compliance & Data Protection" governance department. There I was responsible for "privacy by design" in accordance with the GDPR. So I worked closely with IT from day one at ZF. There was already a lot of overlap with my current department. The change seemed like the next sensible step to broaden my spectrum.

What training do people who are interested in the job need?

Interested parties should have expertise in the areas of law and finance, and at the same time be very technically minded. It also works the other way round, for example as a (business) computer scientist with strong legal affinities and relevant certifications in IT auditing and IT risk management (e.g. CISA, CISSP).


What interests should you have to be motivated to do the job?

You should be interested in technical innovation, IT, IT organization and governance, digitalization, regulation and financial standards, corporate strategy and leadership and empowerment of staff.

Complete the sentence for those interested in this job: "To find a place here, you need ..."

A lot of curiosity and problem-solving skills, as well as enjoyment of international teamwork. And you need to be equally well versed in standards, laws and technology.

(cgl)