Overview
Governance, Risk & Compliance (GRC) Analyst (AFFIAR):
Bowhead seeks a Governance, Risk & Compliance (GRC) Analyst to support the AF FIAR contract located at Joint Base Andrews, MD. AF FIAR provides audit and audit system remediation services for beginning-to-end support as it relates to audit remediation, sustainment, and financial statements reporting and analysis. The GRC Analyst will be experienced with risk management and internal controls (RMIC) with deep experience implementing OMB Circular A-123, GAO Green Book/FAM, and DoD internal control guidance, leveraging eGRC/ServiceNow to produce audit-ready process and control documentation and deliver executive-level briefings. The GRC Analyst will also be skilled in driving DAF-wide RMIC progress through organizational change management and cross-stakeholder coordination, while consuming and consolidating large datasets to support enterprise reporting and third-party/IT control monitoring.
Responsibilities
Sustain the current A-123 and RMIC programs by incorporating the control environment to manage risk, and advance and achieve goals surrounding the financial statement audit as it evolves
Develop a schedule for the full cycle of A-123, to include timelines and deliverables.
Conduct annual scoping and planning activities that include a documented risk-based assessment of business areas
Perform Test of Design (TOD) and Test of Operating Effectiveness (TOE), perform gap analysis, and conduct process improvement.
Develop and/or update existing internal control documentation based on business process cycles
Draft Self-Identified Deficiencies (SIDs)
Report testing results to AU process owners
Populate the Enterprise Governance Risk and Compliance (eGRC) system with deliverables: Process Cycle Memorandums (PCM), Control Evaluation Matrix (CEM), Control Testing Documentation, Self-Identified Deficiency Documentation, Test Result Briefing
Develop and maintain a framework for the management of DAF's third-party risk as it impacts DSCA FIAR business processes.
Complete the Service Provider Assessment Workbooks
Submit CUEC Assessment Summary Survey
Monitor remediation of deficiencies and gaps identified during review of third-party control environments and track progress on corrective actions through follow-up reviews and testing
Contribute to the ongoing assessment of needs for Audit Support MOUs
Track and facilitate metrics reporting for monitoring and oversight
Support the development of meeting agendas, briefing materials, and meeting minutes
Create desk procedures/standard operating procedures for continuity purposes
Identify knowledge gaps, and develop and provide training to personnel
Other duties as assigned
Qualifications
BA/S in a relevant technical field preferred. An additional four (4) years of relevant work experience may be substituted for education requirement
Two (2+) years of experience with financial/business process transformation, strategic or transformational change, automation, or other relevant field
Technical Skills:
Internal control framework execution: design and perform A-123/GAO Green Book/FAM/DoD PCN-aligned control work, including process/control documentation and audit-ready deliverables
Walkthroughs & gap assessment: plan, conduct, and document walkthroughs; perform Process Control Matrix (PCM) analysis to identify and document control gaps and remediation needs
Stakeholder quality & change enablement: provide technical review/standardization feedback across DAF-wide stakeholders; apply change management practices and strong technical writing to mature RMIC artifacts (policies, SOPs, agreements)
Communication & Interpersonal Skills:
Executive communication: develop and deliver senior-leader briefings on walkthrough results, findings, recommendations, and RMIC status
Cross-stakeholder facilitation: lead discussions and align requirements across functional/financial teams and DAF-wide/external stakeholders (e.g., IPA, service auditors, AUs, system owners, service providers)
Technical writing:
Produce clear, concise, audit-ready documentation (e.g., process control matrices (PCMs)) with strong attention to detail and accuracy
Expertise with Regulations and Guidance:
Office of Management and Budget (OMB) Circular No. A-123: Management's Responsibility for Enterprise Risk Management and Internal Control
Government Accountability Office (GAO) Green Book (GAO-14-704G): Standards for Internal Control in the Federal Government
Department of Defense Instruction (DoDI) 5010.40: DoD Enterprise Risk Management and Risk Management and Internal Control (RMIC) Program
Additional desired skillsets (nice to haves but not necessarily required):
Expertise with Regulations and Guidance:
GAO Framework for Managing Fraud Risks (GAO-15-593SP)
GAO Financial Audit Manual (FAM) (GAO-22-105895): Vol. 1 (Jun 2024) and Vol. 2 (Jun 2025)
Technical Skills:
ServiceNow eGRC / Integrated Risk Management (IRM) administration and workflow integration (test & production), including centralized internal controls repository management
Data analytics & reporting: consolidate large, siloed RMIC datasets into enterprise-level reports, executive summaries, visualizations, and annual Statement of Assurance (SoA) deliverables
Third-party/IT controls oversight: assess service-provider controls (including SSAE 18), evaluate materiality, and monitor Complementary User Entity Controls (CUECs) impacting financial reporting
Preferred:
Experience with Air Force policies, systems and procedures for financial management, personnel, acquisition, inventory, property and material management
Physical Demands:
Must be able to lift up to 25 pounds
Must be able to stand and walk for prolonged amounts of time
Must be able to twist, bend and squat periodically
SECURITY CLEARANCE REQUIREMENTS: Must be able to maintain a security clearance at the Secret level. US Citizenship is a requirement for this contract.
Applicants may be subject to a pre-employment drug & alcohol screening and/or random drug screen, and must follow UIC's Non-DOT Drug & Alcohol Testing Program requirements. If the position requires, an applicant must pass a pre-employment criminal background history check. All post-secondary education listed on the applicant's resume/application may be subject to verification.
Where driving may be required or where a rental car must be obtained for business travel purposes, applicants must have a valid driver license for this position and will be subject to verification. In addition, the applicant must pass an in-house, online, driving course to be authorized to drive for company purposes.
UIC is an equal opportunity employer. We evaluate qualified applicants without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other protected characteristics EOE/D/V. In furtherance, pursuant to The Alaska Native Claims Settlement Act 43 U.S.C. Sec. 1601 et seq., and federal contractual requirements, UIC and its subsidiaries may legally grant certain preference in employment opportunities to UIC Shareholders and their Descendants, based on the provisions contained within The Alaska Native Claims Settlement Act. Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities. Please view Equal Employment Opportunity posters here (https://www.eeoc.gov/sites/default/files/2023-06/22-088\EEOC\KnowYourRights6.12ScreenRdr.pdf).
All candidates must apply online at www.uicalaska.com, and submit a completed application for all positions they wish to be considered. Once the employment application has been completed and submitted, any changes to the application after submission may not be reviewed. Please contact a UIC HR Recruiter if you have made a significant change to your application. In accordance with the Americans with Disabilities Act of 1990 (ADA), persons unable to complete an online application should contact UIC Human Resources for assistance: www.uicalaska.com/careers/recruitment/.
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)
UIC Government Services (UICGS / Bowhead) provides innovative business solutions to federal and commercial customers in the areas of engineering, maintenance services, information technology, program support, logistics/base support, and procurement. Collectively, the fast-growing Bowhead Family of Companies offers a breadth of services which are performed with a focus on quality results. Headquartered in Springfield, VA, we are a fast-growing, multi-million-dollar company recognized as a top Alaska Native Corporation providing services across the Department of Defense and many federal agencies. Bowhead offers competitive benefits including medical, dental, vision, life insurance, accidental death and dismemberment, short/long-term disability, and 401(k) retirement plans as well as paid time off programs for eligible full-time employees. Eligible part-time employees are able to participate in the 401(k) retirement plans and state or contract required paid time off programs.
Join our Talent Community!
Join our Talent Community (https://talentconnect.uicalaska.com/government-services/talentcommunity) to receive updates on new opportunities and future events.
ID 2026-24998
Category Information Technology
Location US-MD-Andrews AFB
Min USD $115,000.00/Yr.
Max USD $128,000.00/Yr.
Minimum Clearance Required Secret
Travel Requirement N/A