IT GRC Analyst

Summary

Location

Ankeny

Salary

$72k - $94k

Type

full-time

About this role

Casey’s is seeking a Governance, Risk & Compliance (GRC) Analyst to help design, implement, and operate our enterprise compliance programs across PCI DSS and SOX IT General Controls. You’ll execute risk assessments, streamline evidence collection, automate recurring compliance tasks, and coordinate third-party risk assurance activities. If you enjoy turning policy requirements into auditable controls, and using automation to reduce manual work, this role is for you.

 

This role may be filled at the Associate GRC Analyst or GRC Analyst level based on experience, skills, and demonstrated capability.

 

What You’ll Do

  • Risk Assessments: Assist with or lead risk assessment discussions (e.g., Cyber, Compliance, AI), maintain the IT risk register, define treatment plans, and report status, trends, and residual risk.
  • Operate PCI DSS v4.0.1 controls across CDE environments, maintain scope/evidence, and support QSA interviews and artifact packaging for ROC/AOC submissions.
  • Support SOX ITGC readiness across access, change, and computer operations by validating control design, coordinating evidence, and supporting audit walkthroughs.
  • Automate compliance tasks using either an enterprise or a custom GRC solution to generate tickets, reminders, evidence collection, and review workflows for key control activities.
  • Manage third party risk (TPRM): conduct vendor onboarding questionnaires, review security documentation (SOC reports, AOCs, etc.), track reassessments, and document decisions in the TPRM platform.
  • Maintain policies & SOPs: Update technology policies and standards, manage acknowledgments/exceptions, and ensure ‘policy → control → evidence’ linkage for auditability.
  • Automation, Reporting, and Process Improvement: Improve recurring compliance process workflows through automation, build and maintain dashboards for risk & controls posture, KRIs, remediation SLAs, and trends (e.g., Power BI/Power Automate), and identify control gaps/process inefficiencies for practical improvements.

This role does not allow for 100% remote work. Qualified candidates must live within a daily commutable distance of Casey's Store Support Center in Ankeny, IA and be willing to work onsite 5 days per week.  

 

Compensation:

Starting pay range: $72,000 - $94,500. Actual pay may vary based on Casey’s assessment of the candidate's knowledge, skills, abilities (KSAs), related experience, education, and qualifications. Other factors impacting pay include local prevailing wages and internal equity. This position is eligible for an annual cash bonus based on company performance. Our full salary range for this role does extend beyond the hiring range listed, allowing team members the opportunity to continue to grow within the company.

Qualifications
  • This position requires authorization to work in the U.S. without the need for employment-based immigration sponsorship now or in the future. Casey’s will not provide sponsorship or employer support for applications or petitions for F-1 OPT, F-1 CPT, H-1B, L-1, TN, O-1, E-3, H-1B1, J-1, or any other employment-based visa.
  • Bachelor’s degree in Information Security, Computer Science, MIS/Accounting/Finance, or a related field, or equivalent experience.
  • Minimum 3 years in IT risk, compliance, audit, IAM, or security operations with hands-on security policy, control execution, research, and evidence management.
  • You independently perform GRC tasks with minimal supervision and communicate effectively across IT, Security, Legal, Finance, Operations, and external partners, demonstrating strong collaboration and written and verbal skills.
  • Working knowledge of PCI DSS v4.0.1 and SOX ITGC; familiarity with risk management and assessment.
  • Support cyber and technology risk assessments by evaluating likelihood, exploitability, and business impact.
  • Experience with GRC/TPRM platforms (e.g. OneTrust, AuditBoard, SAFE TPRM) and automation/reporting tools (e.g., Power BI, Excel, Power Automate).

Nice to Have

  • Multi-site retail, convenience or hospitality industry experience.
  • Scripting exposure (PowerShell, Python, APIs).
  • Identity access governance (AD, Entra, privileged access).
  • Certifications: CISA, CRISC, CISSP, PCIP, Security+ (or in progress).

Other facts

Tech stack
Governance, Risk Management, Compliance, PCI DSS, SOX, IT General Controls, Automation, Reporting, Process Improvement, Third Party Risk Management, Evidence Collection, Security Documentation, Collaboration, Communication, GRC Platforms, Power BI

About Casey's

Third largest convenience retailer.
Fifth largest pizza chain.
"Official Pizza & Beer Headquarters"

Casey's started from humble beginnings in 1968, and our purpose - to make life better for communities and guests every day - is at the heart of all we do.

Team size: 10,001+ employees
Industry: Food and Beverage Services
Founding Year: 1968

What you'll do

  • The IT GRC Analyst will assist with risk assessments, operate PCI DSS controls, support SOX ITGC readiness, and automate compliance tasks. Additionally, they will manage third-party risk and maintain policies and SOPs.

Frequently Asked Questions

What does Casey's pay for an IT GRC Analyst?

Casey's offers a competitive compensation package for the IT GRC Analyst role. The salary range is USD 72k - 95k per year. Apply through Clera to learn more about the full compensation details.

What does an IT GRC Analyst do at Casey's?

As an IT GRC Analyst at Casey's, you will assist with risk assessments, operate PCI DSS controls, support SOX ITGC readiness, and automate compliance tasks. Additionally, you will manage third-party risk and maintain policies and SOPs.

Why join Casey's as an IT GRC Analyst?

Casey's is a leading Food and Beverage Services company. The IT GRC Analyst role offers competitive compensation.

Is the IT GRC Analyst position at Casey's remote?

The IT GRC Analyst position at Casey's is based in Ankeny, Iowa, United States. Contact the company through Clera for specific work arrangement details.

How do I apply for the IT GRC Analyst position at Casey's?

You can apply for the IT GRC Analyst position at Casey's directly through Clera. Click the "Apply Now" button above to start your application. Clera's AI-powered platform will help match your profile with this opportunity and guide you through the application process. You can also learn more about Casey's on their website.