Internal Audit Manager, Privacy Risk Management

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable. Here, we focus on the health, happiness, and well-being of you and those we serve – we care. What you do at McKesson matters. We foster a culture where you can grow, make an impact, and are empowered to bring new ideas. Together, we thrive as we shape the future of health for patients, our communities, and our people. If you want to be part of tomorrow’s health today, we want to hear from you. Position Description The Audit Manager, Privacy Risk Management, leads regulatory and compliance audits and special projects, with a focus on enterprise-wide privacy risk management. This role serves as Internal Audit’s privacy compliance expert and collaborates closely with Global Privacy Office, Regulatory Affairs, IT Security, Compliance, and Legal to proactively identify, assess, test, and report regulatory and privacy risks for effective mitigation. Key Responsibilities Privacy Risk Audit Leadership: Lead the development and execution of audits for privacy risk management, a Tier 1 McKesson enterprise risk. Champion the integration of Privacy by Design principles into audit planning, execution, and reporting. Actively participate in business unit risk assessments and stakeholder meetings to identify emerging regulatory and compliance exposures, and contribute to internal audit’s risk assessment and audit planning processes. Privacy Impact Assessment (PIA) Testing: Audit Privacy Impact Assessments across business units and third-party relationships. Collaborate with stakeholders to identify, test, and remediate privacy risks before they materialize. Third-Party/Vendor Privacy Reviews: Audit vendor compliance with privacy and security requirements, including contractual obligations, operational practices, and incident response capabilities. Ensure robust third-party risk management frameworks are in place and regularly reviewed against compliance requirements. Regulatory Change Monitoring: Monitor evolving privacy regulations—including HIPAA, GDPR, CCPA, and other global, federal, and state laws—for application within the business and audit function. Ensure audit programs (RACMs) and the regulatory and compliance risk universe are continuously updated to reflect emerging privacy obligations and other compliance requirements. Collaboration & Communication: Collaborate with audit leadership, IT Security, Legal, Privacy, and Compliance teams to support integrated risk management under a combined assurance model. Communicate regulatory and compliance risk findings, recommendations, and best practices to key stakeholders and executives. Mentor internal audit staff on privacy risk management and provide updates on emerging privacy and regulatory trends. Other Audit Engagements: Manage regulatory and compliance-scoped audits in engagement planning, execution, reporting, and issue monitoring. Stay abreast of risk areas subject to FDA, DEA, State Boards of Pharmacy, CMS, OIG, OCR and DOJ requirements pertinent to McKesson business units. Review and approve final work papers to ensure adherence to department audit Quality Assessment Review standards. Minimum Requirements Degree or equivalent and typically requires 7+ years of relevant experience in regulatory and compliance experience, with 5+ years of demonstrated expertise in privacy risk management, preferably in healthcare, law, or Fortune 100 environments. Critical Skills Advanced knowledge of data privacy regulations (HIPAA, GDPR, CCPA, etc.), Privacy by Design, and Privacy Impact Assessments. Experience auditing third-party/vendor privacy compliance and monitoring regulatory changes. Specific knowledge of healthcare laws and regulations. Proficiency with digital privacy assessment tools (e.g., OneTrust) and use of artificial intelligence to gain efficiencies. Excellent written and verbal communication, negotiation, and collaboration skills. Excellent critical thinking and time management skills are a must. Strong project and staff management capabilities. Additional Desired Knowledge & Skills Prior knowledge of Canadian, and U.S. state privacy laws highly desirable. Experience developing privacy training and communications for staff and vendors preferred. Advanced degree as Juris Doctor, preferred. One of the following: Certified in Healthcare Compliance (CHC), Certified Compliance and Ethics Professional (CCEP) required; Certified in Healthcare Privacy Compliance (CHPC), or Certified Information Privacy Professional (CIPP), Certified Internal Auditor (CIA), or CPA, is highly desired. Physical Requirements General office demands; willingness to travel up to 5% of the time. We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, eq

Apply tot his job

Apply To this Job