About Poshmark
Poshmark is the leading fashion marketplace where style comes alive through discovery, self-expression, and human connection. Powered by a vibrant community of 165 million members, Poshmark brings real people and taste to shopping through a social experience shaped by shared discovery.
Buying and selling fashion feels simple, joyful, and personal, while every item tells its own story. Poshmark empowers sellers to grow meaningful businesses, keeps fashion in circulation longer, and gives shoppers access to unique and trusted finds, from everyday pieces to one-of-a-kind vintage and luxury.
About the Role
The Senior Security Engineer, GRC will support the company's Korean SOX (K-SOX) compliance program, the Korean counterpart to U.S. Sarbanes-Oxley, ensuring effective internal controls over financial reporting (ICFR).
In addition to SOX responsibilities, this role will contribute to broader Cybersecurity Governance, Risk, and Compliance (GRC) initiatives and support other compliance and security-related activities as bandwidth allows.
This role requires strong hands-on experience in IT General Controls, NIST CSF, audit execution, and control testing, combined with an engineering mindset to improve processes, reporting, and automation.
Key Responsibilities
K-SOX Compliance & Internal Controls
• Support the annual K-SOX compliance lifecycle, including scoping, risk assessment, testing, remediation, and reporting.
• Perform Design Effectiveness (DE) and Operating Effectiveness (OE) testing for IT Application Controls and IT General Controls (User Access, Change Management, IT Operations).
• Maintain and update K-SOX documentation, including Process Narratives, Risk & Control Matrices (RCMs), and Flowcharts.
• Identify control deficiencies and support severity assessment (deficiency, significant deficiency, material weakness).
• Track and validate remediation activities in coordination with control owners.
Audit & Stakeholder Coordination
• Act as a key liaison between business/control owners, Internal Audit, and External Auditors.
• Coordinate walkthroughs, testing schedules, and audit evidence requests.
• Respond to audit inquiries and support PBC (Provided by Client) requests.
• Assist with closure of audit findings and validation of remediation effectiveness.
GRC & Compliance Responsibilities
• Support additional compliance and risk initiatives beyond SOX, including PCI-DSS compliance activities and data privacy/regulatory support (CCPA, PIPEDA, local privacy requirements).
• Assist with control mapping across multiple frameworks as required.
• Support internal policy, standards, and technical risk assessment activities.
• Take on non-SOX GRC or compliance work during non-peak SOX cycles.
• Create executive summaries, presentations, and reports as needed.
Engineering, Reporting & Process Improvement
• Participate in process improvement initiatives to enhance control efficiency and reduce audit effort.
• Identify opportunities to automate, standardize, or rationalize controls and evidence collection.
• Build and maintain compliance trackers, dashboards, metrics, and audit-ready reports.
• Prepare clear written documentation and presentations for management, auditors, and stakeholders.
• Leverage scripting, data analysis, or tooling where appropriate to improve reporting quality and efficiency.
Required Qualifications
Experience
• 4–7 years of experience in SOX/K-SOX compliance, Internal Audit, GRC, or External Audit (Big 4 preferred).
• Hands-on experience with ICFR, SOX 404 controls, ITGCs, and IT Application Controls.
• Experience supporting public or listed companies.
• Ability to operate independently with minimal supervision.
Technical Skills
• Strong understanding of COSO Internal Control Framework and SOX/K-SOX compliance requirements.
• Experience with Oracle NetSuite, Okta, Jira, AWS, and similar enterprise platforms.
• Strong proficiency in Excel, including trackers, pivots, and evidence analysis.
• Experience creating reports, dashboards, and presentations.
• Exposure to scripting, automation, or data analysis is a plus.
Soft Skills
• Strong analytical and problem-solving skills.
• Excellent written and verbal communication.
• Ability to manage multiple priorities in a deadline-driven environment.
• Comfortable working cross-functionally with Technology, Finance, Security, and Operations teams.
• High attention to detail, ownership mindset, and professional skepticism.
Preferred Qualifications
• Prior Big 4 or large public company experience.
• Experience with SOX automation or continuous controls monitoring.
• Exposure to global or multi-entity compliance environments.
• Cybersecurity or security assurance exposure is a plus.
Success Metrics
• Timely completion of K-SOX testing cycles.
• Reduction in repeat audit findings.
• Quality, clarity, and accuracy of testing documentation.
• Effective coordination with auditors and control owners.
• Successful and timely remediation of identified control deficiencies.
• Ability to contribute meaningfully to non-SOX GRC initiatives.
Job ID: 147323151