Internal Audit Manager, Privacy Risk Management

Position Description The Audit Manager, Privacy Risk Management, leads regulatory and compliance audits and special projects, with a focus on enterprise-wide privacy risk management. This role serves as Internal Audit’s privacy compliance expert and collaborates closely with Global Privacy Office, Regulatory Affairs, IT Security, Compliance, and Legal to proactively identify, assess, test, and report regulatory and privacy risks for effective mitigation.Key ResponsibilitiesPrivacy Risk Audit Leadership:Lead the development and execution of audits for privacy risk management, a Tier 1 McKesson enterprise risk. Champion the integration of Privacy by Design principles into audit planning, execution, and reporting. Actively participate in business unit risk assessments and stakeholder meetings to identify emerging regulatory and compliance exposures, and contribute to internal audit’s risk assessment and audit planning processes.Privacy Impact Assessment (PIA) Testing:Audit Privacy Impact Assessments across business units and third-party relationships. Collaborate with stakeholders to identify, test, and remediate privacy risks before they materialize.Third-Party/Vendor Privacy Reviews:Audit vendor compliance with privacy and security requirements, including contractual obligations, operational practices, and incident response capabilities. Ensure robust third-party risk management frameworks are in place and regularly reviewed against compliance requirements.Regulatory Change Monitoring:Monitor evolving privacy regulations—including HIPAA, GDPR, CCPA, and other global, federal, and state laws—for application within the business and audit function. Ensure audit programs (RACMs) and the regulatory and compliance risk universe are continuously updated to reflect emerging privacy obligations and other compliance requirements.Collaboration & Communication:Collaborate with audit leadership, IT Security, Legal, Privacy, and Compliance teams to support integrated risk management under a combined assurance model. Communicate regulatory and compliance risk findings, recommendations, and best practices to key stakeholders and executives. Mentor internal audit staff on privacy risk management and provide updates on emerging privacy and regulatory trends.Other Audit Engagements:Manage regulatory and compliance-scoped audits in engagement planning, execution, reporting, and issue monitoring. Stay abreast of risk areas subject to FDA, DEA, State Boards of Pharmacy, CMS, OIG, OCR and DOJ requirements pertinent to McKesson business units. Review and approve final work papers to ensure adherence to department audit Quality Assessment Review standards.Minimum RequirementsDegree or equivalent and typically requires 7+ years of relevant experience in regulatory and compliance experience, with 5+ years of demonstrated expertise in privacy risk management, preferably in healthcare, law, or Fortune 100 environments.Critical SkillsAdvanced knowledge of data privacy regulations (HIPAA, GDPR, CCPA, etc.), Privacy by Design, and Privacy Impact Assessments.Experience auditing third-party/vendor privacy compliance and monitoring regulatory changes.Specific knowledge of healthcare laws and regulations.Proficiency with digital privacy assessment tools (e.g., OneTrust) and use of artificial intelligence to gain efficiencies.Excellent written and verbal communication, negotiation, and collaboration skills.Excellent critical thinking and time management skills are a must.Strong project and staff management capabilities.Additional Desired Knowledge & SkillsPrior knowledge of Canadian, and U.S. state privacy laws highly desirable.Experience developing privacy training and communications for staff and vendors preferred.Advanced degree as Juris Doctor, preferred.One of the following: Certified in Healthcare Compliance (CHC), Certified Compliance and Ethics Professional (CCEP) required; Certified in Healthcare Privacy Compliance (CHPC), or Certified Information Privacy Professional (CIPP), Certified Internal Auditor (CIA), or CPA, is highly desired.Physical RequirementsGeneral office demands; willingness to travel up to 5% of the time.We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. The pay range shown below is aligned with McKesson's pay philosophy, and pay will always be compliant with any applicable regulations. In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. For more information regarding benefits at McKesson, please Our Base Pay Range for this position$100,800 - $168,000