All Locations
Bristol, Peterborough, Sheffield, Home based
Vacancy type
Permanent

About the role

The Internal Audit & Certifications Analyst supports the delivery of the Group’s internal security audit programme and the maintenance of its security certifications and attestations across Zellis Group, which comprises Zellis, Moorepay, Benifex and Hastee. The role provides independent, evidence-based assurance that security controls are well designed, operating as intended, and meeting the requirements of the standards the Group is certified against – including ISO 27001:2022, SOC 2 and Cyber Essentials Plus, alongside other frameworks adopted across the Group.

Reporting to the Internal Audit & Certifications Manager, this is a hands-on, delivery-focused role spanning internal audit planning and execution, control testing, evidence collection, non-conformity and corrective-action tracking, and the coordination of external certification and surveillance audits. The analyst works across all of the Group’s brands and business units, helping to maintain a consistent, audit-ready posture and supporting the customer assurance, tender and due-diligence activity that relies on the Group’s certifications.

The role takes a strong “AI first” approach, using approved AI tooling (such as Microsoft Copilot and Claude) to automate evidence gathering, accelerate audit preparation and reporting, and help shift assurance from periodic, point-in-time audits towards continuous control monitoring and always-on certification readiness. 

Key responsibilities

Internal Security Audit Programme

  • Support the planning, scheduling, and delivery of the Group’s risk-based internal security audit programme across all business units.
  • Conduct internal control reviews and audit fieldwork, testing the design and operating effectiveness of security controls against defined criteria.
  • Gather, examine and retain audit evidence in line with a consistent, repeatable methodology (e.g. ISO 19011).
  • Maintain objectivity and independence, reporting findings factually and without bias. 

Certification & Audit Coordination

  • Coordinate and support external certification, surveillance and recertification audits, including ISO 27001:2022, SOC 1 and SOC 2 examinations and Cyber Essentials Plus assessments.
  • Maintain certification schedules, audit calendars and evidence repositories, so the Group remains audit-ready throughout the year.
  • Act as a point of contact for external auditors, certification bodies and assessors, preparing evidence and coordinating timely responses.
  • Manage pre-audit preparation, evidence collection and auditor liaison across certification and surveillance audits.
  • Support the transition of SOC 1 activities into the central compliance function.
  • Support the introduction of new certifications or attestations required by customers or to enter new markets, working to agreed timelines. 

Findings, Non-Conformities & Remediation

  • Document findings, non-conformities and improvement opportunities clearly, with practical, risk-based recommendations.
  • Track corrective and preventive actions through to closure, escalating where timelines or risk thresholds are breached.
  • Verify remediation and re-test controls to confirm that issues have been effectively resolved.
  • Provide clear status reporting on audit outcomes and open actions to the Internal Audit & Certifications Manager and stakeholders. 

Controls, Evidence & Continuous Assurance

  • Map and harmonise overlapping controls across frameworks (ISO 27001, SOC 2, Cyber Essentials Plus and NIST CSF) to create a single set of evidence and reduce duplication.
  • Maintain audit trails, control registers and evidence libraries that stand up to internal and external scrutiny.
  • Help shift the programme from point-in-time audits towards continuous control monitoring, surfacing control drift before it becomes an audit finding.
  • Participate in technical access reviews, control testing and assurance checks across the Group.
  • Track completion of mandatory security training and awareness activities across the Group. 

Customer & Commercial Assurance Support

  • Support customer assurance activity, supplying accurate certification evidence and audit information in response to security questionnaires, tenders, and due-diligence requests.
  • Maintain a reusable library of approved evidence and assurance collateral to speed up sales, renewal and contract-assurance cycles.
  • Support M&A compliance integration, helping bring newly acquired entities into the Group’s audit and certification scope.

AI, Automation & Reporting

  • Take a strong “AI first” approach, using approved AI tooling (such as Microsoft Copilot and Claude) to automate evidence collection and accelerate audit preparation and reporting.
  • Help build and maintain audit and certification dashboards, giving leadership continuous visibility of certification status and open actions.
  • Recommend improvements to enhance the consistency, efficiency, and auditability of the assurance programme. 

Skills & experience

  • A working knowledge of information security standards and certification frameworks, including ISO 27001:2022, SOC 2 and Cyber Essentials Plus.
  • Some practical experience of, or a sound understanding of, internal auditing, control testing, evidence collection and remediation tracking.
  • An understanding of audit methodology and management-system principles (e.g. ISO 19011 and ISO 27001 Annex A controls).
  • Experience supporting external audits and responding to customer assurance and due-diligence requests.
  • Familiarity with risk assessment methodologies, control mapping, and security metrics reporting.
  • Experience using AI tools such as Microsoft Copilot and Claude.
  • Excellent analytical, organisational and written communication skills. 

Essential Functional / Technical Skills

  • A relevant degree or professional qualification (for example in information security, IT, risk or a related discipline), together with around practical experience in a security, audit, compliance, risk or IT role. Equivalent training combined with hands-on experience will also be considered.
  • Hands-on experience supporting, or a sound working knowledge of, certification programmes such as ISO 27001, SOC 1, SOC 2 and Cyber Essentials Plus.
  • Experience maintaining audit trails, control registers, evidence repositories and remediation logs.
  • Understanding data protection and privacy requirements under UK GDPR.
  • Working knowledge of cloud platforms (e.g. Microsoft Azure, AWS or Google Cloud) and common security tooling (e.g. SIEM, EDR/XDR, IAM and PAM).
  • Confident user of AI productivity tools (e.g. Microsoft Copilot, Claude) to accelerate analysis, drafting and evidence handling.
  • Experience with business and ITSM tooling such as Microsoft Teams, ServiceNow, Azure DevOps and Jira would be advantageous. 

Desirable Qualifications & Certifications

  • A foundation-level certification such as CompTIA Security+, CISMP or ISO 27001 Foundation / Internal Auditor (held or working towards); progress towards ISO 27001 Lead Auditor / Lead Implementer, CISA or CRISC would be an advantage.
  • Experience in a regulated, data-rich or SaaS environment – ideally payroll, HR, financial services or similar.
  • Familiarity with operational resilience and continuity expectations (e.g. DORA, NIS2) is an advantage.
  • Awareness of GRC / compliance automation tooling (e.g. ServiceNow GRC, Vanta, Drata or similar). 

Personal Attributes / Competencies

  • Detail-oriented and disciplined in maintaining documentation and audit evidence.
  • Independent and objective, able to evaluate controls and report findings without bias.
  • Proactive and accountable, following through on audit and remediation actions.
  • Strong prioritisation skills, able to manage multiple audits and deadlines at once.
  • Clear communicator, able to engage effectively with both technical and business stakeholders.
  • Collaborative team player, promoting consistency and knowledge sharing across business units.
  • Integrity, reliability, and commitment to high standards of security assurance.
  • Curious and improvement-minded, keen to adopt new tools and automation to work smarter.
  • Adaptable and comfortable working in a fast-paced, evolving environment.

Benefits & culture

At Zellis Group (Zellis, Moorepay, Benifex, and Hastee) we power exceptional employee experiences by creating AI-enabled products and services within HR, workforce management, payroll, and benefits. Our vision is to be the clear leader in pay, reward, analytics, and people experiences. With over 3,500 colleagues across the UK, Europe, India and the Philippines, we have a significant ambition for growth (organically and through M&A).
We're passionate about creating an environment where people want to join, belong to, and be part of a progressive organisation. Our values, which were defined with input from our colleagues, are ones we live and breathe every day:
  • Unstoppable together.
  • Always learning.
  • Make it count.
  • Think scale.

Our people are critical to our ongoing success; we’re proud of our inclusive culture that gives you the platform to grow, challenge the status quo and play a crucial role in further enhancing our market position as the leading provider of HR & Payroll software and services. With Zellis you’ll have the chance to stretch and challenge yourself in an environment that’s varied, flexible and hugely supportive.

We also love to reward and recognise our brilliant colleagues. As part of your benefits package, you’ll receive:

  • A competitive base salary, cash car allowance and bonus package.
  • 25 days annual leave, plus your birthday off and the opportunity to buy additional holiday.
  • Private medical insurance.
  • Life assurance 4x salary.
  • Enhanced pension scheme with company contributions up to 8.5%.
  • A huge range of additional flexible benefits across financial & personal wellbeing, lifestyle & leisure.
