Company / Location Information
A.O. Smith is a global leader applying innovative technologies and energy-efficient solutions to products manufactured and marketed worldwide. The company is one of the world's leading manufacturers of residential and commercial water heating equipment and boilers, as well as a manufacturer of water treatment products for residential and light commercial applications. A. O. Smith is headquartered in Milwaukee, Wisconsin, with approximately 12,000 employees at operations in the United States, Canada, China, India, Mexico, the Netherlands, and the United Kingdom. Please Note: At this time, we are unable to provide visa sponsorship for this role. Candidates must be authorized to work in the United States without sponsorship now or in the future.
Primary Function
As a Senior Manager, IT Regulatory Compliance, you will be a member of the Business Technology Solutions (IT) leadership team, reporting directly to the CISO. The team is responsible for proactively planning and executing focused strategies to establish and maintain operational, financial, and regulatory controls globally. The Senior Manager, IT Regulatory Compliance leads the company's second-line oversight of technology risk, controls, and regulatory compliance. This role has primary accountability for SOX IT compliance (ITGCs/ITACs/SoD), global IT control standardization/governance, and enterprise alignment with industry cybersecurity frameworks (e.g., NIST, COSO). In addition, this position helps shape and drive the technology and security aspects of global privacy and data protection compliance programs (e.g., GDPR, India's DPDP Act, China's PIPL, CCPA/CPRA, and other applicable regional regulations), partnering closely with Legal/Privacy, Information Security, IT, Finance/Controllership, Internal Audit, and global business leaders. Success in the role means ensuring technology and data risks are appropriately identified, controlled, and monitored across the enterprise (covering ERP platforms (SAP), supporting financial applications, infrastructure, hosted/cloud environments, third parties, and new system implementations) while enabling compliant handling of personal data. As Senior Manager, you will set the vision and roadmap for scalable controls and governance, drive audit and regulatory readiness, and act as a thought leader who influences stakeholders and delivers measurable program outcomes.
Responsibilities
SPECIFIC DUTIES/ACCOUNTABILITIES
- Thought Leadership and Executive Influence - Serve as a visible thought leader for technology risk and regulatory compliance, translating evolving requirements into practical strategy, roadmaps, and decisions. Communicate risk posture, control health, key issues, and program outcomes to the CISO and senior leadership with clear, business-focused insights.
- Program Governance, Metrics, and Continuous Improvement - Promote a culture of accountability, transparency, and continuous improvement. Define and monitor program KPIs/KRIs (e.g., control effectiveness, remediation aging, regulatory obligations tracking), identify trends and emerging risks, and drive control optimization and automation initiatives.
- Lead 2nd-Line SOX IT Compliance Oversight - Own governance and oversight of SOX, ensuring compliance with ICFR requirements and consistent execution across ERPs and supporting technologies (e.g., ITGCs, ITACs, SoD), including control design standards, evidence quality, and remediation governance.
- Establish and Maintain Global Technology and Privacy Control Standards - Design, standardize, and maintain global control frameworks and evidence standards spanning IT controls (SOX/ICFR) and technology-enabled privacy requirements (e.g., access, logging, encryption, retention/deletion, third-party controls) to drive consistency, scalability, and audit/regulatory readiness across regions and systems.
- Align Controls with Leading Frameworks and Regulatory Requirements - Partner closely with Information Security and Legal/Privacy leadership to ensure alignment with applicable frameworks and regulations (e.g., NIST, COSO, ISO 27001/27701 as applicable, GDPR, India DPDP, China PIPL, CCPA/CPRA), and translate obligations into clear, testable control requirements.
- Security-by-Design Oversight across SDLC and Implementations - Provide 2nd-line oversight across SDLC phases and major system implementations, ensuring controls are designed and executed to appropriately mitigate risk, procedures are executed in alignment with internal policies, and security and privacy requirements are appropriately embedded.
- Serve as Primary Audit and Regulatory Liaison (Technology Controls) - Serve as a key technology risk and compliance contact for Internal Audit, external auditors, and (as applicable) regulatory inquiries related to technology controls and technology-enabled privacy requirements. Partner with Internal Audit to ensure audits and SOX procedures are planned, performed, and executed in a timely manner. Support consistent, effective control execution and provide ongoing training to foster an effective environment and enhance efficiency.
- Drive Issue Management and Remediation - Assess control deficiencies and compliance findings, govern and drive the identification, root cause analysis, risk acceptance/escalation, and remediation action plan development by partnering with control owners and operations teams.
- Global Regulatory Compliance Enablement (Privacy and Technology) - Partner with Legal/Privacy, PMOs, IT Infrastructure, Security and IT leadership to drive compliance with internal policies, technology standards, and applicable privacy regulations. Enable consistent operational execution of privacy requirements through governance mechanisms (e.g., records of processing support, data retention/deletion controls, DSAR enablement inputs, vendor/third-party privacy risk oversight, and incident/breach response coordination inputs), and develop assurance procedures to validate ongoing compliance.
Qualifications
- Bachelor's degree in Business Administration, Management Information Systems, Computer Science, Cybersecurity, Accounting or a related field; MS or MBA is preferred.
- CISA or the ability to obtain within a year is required; additional professional certifications are preferred, such as CISM, CISSP, CIA, CPA, and privacy certifications (e.g., IAPP CIPP/E, CIPP/US, CIPM)
- 8-12+ years of progressive experience in technology risk, IT audit, IT compliance, technology controls, and/or privacy risk and regulatory compliance within complex, global organizations (public accounting and/or global manufacturing preferred)
- Deep expertise in COSO and NIST frameworks (and familiarity with privacy/security standards such as ISO 27001/27701 and common privacy control concepts), including performing audit procedures against standards or assessing and implementing controls
- Strong knowledge of IT general and automated controls, ICFR concepts, and control design/testing, plus the ability to translate privacy regulatory obligations (e.g., GDPR, DPDP, PIPL, CCPA/CPRA) into practical, testable technology and process controls
- Prior experience with SAP (ECC, BW, GRC, ECP, S/4HANA) and understanding configuration and best practices
- Demonstrated experience supporting or overseeing SDLC activities and system implementations
- Experience evaluating third-party service providers' SOC reports
- Experience with control automation, continuous controls monitoring, and continuous improvement
- Proven ability to operate effectively in a global, matrixed organization
- Effective and impactful executive-level communication and presentation skills; able to influence outcomes and drive decisions across IT, Security, Legal/Privacy, Finance, and the business
- Strong judgment and risk prioritization capabilities
- Ability to influence without authority
- Pragmatic, business-oriented approach to compliance
- Continuous improvement mindset
ADDITIONAL QUALIFICATIONS:
- Exposure to hosted environments, cloud platforms, and experience assessing cloud migration risks (including privacy, residency, and third-party data processing considerations) is a plus
- Exposure to GRC applications, IAM solutions and Audit tools is preferred
- Experience building or operating elements of a privacy compliance program (e.g., privacy risk assessments/DPIAs, records of processing, vendor/third-party risk, data retention/deletion governance, and support for DSAR processes) is a plus
- Proven management experience leading high-performing teams with global responsibilities
- Experience presenting to executive leadership and audit committees is a plus
We Offer
Competitive compensation package and comprehensive benefits plans, which include medical and dental insurance, company-sponsored life insurance, retirement security savings plan, short- and long-term disability programs, and tuition assistance.
ADA Statement & EEO Statement
In developing this job description care was taken to include all competencies needed to successfully perform in this position. However, for Americans with Disabilities Act (ADA) purposes, the essential functions of the job may or may not have been described for purposes of ADA reasonable accommodation. All reasonable accommodation requests will be reviewed and evaluated on a case-by-case basis.
We consider all applicants for employment without regard to race, color, religion, gender, sexual orientation, national origin, age, disability, gender identity and expression, marital or military status. We also provide reasonable accommodations to qualified individuals with disabilities in accordance with the Americans with Disabilities Act and applicable state and local law.