Job Purpose -
The Operations, Financial and Support Audit unit within Internal Audit is an independent, specialized 3rd line of defence and provides independent, objective and reliable assurance to the Board, Senior Management and the regulators over the effectiveness and adequacy of Internal Controls, Risk Management, Governance and Compliance with the bank's policies, procedures and applicable regulations/standards.
The Senior Internal Auditor, Information System and Cyber Security, will be responsible for executing complex IT, information security and cyber security related audit projects and providing assurance on the effectiveness of IT controls within the bank. This role involves evaluating the design and operational effectiveness of IT controls, evaluating information security & cybersecurity risks, ensuring compliance with regulatory requirements and internal policies, and identifying opportunities for process improvement. The Senior Auditor will collaborate with various departments to support risk management and ensure the integrity of the bank's IT systems and data.
The scope includes the information system and IT audit universe across the Bank, including Finance, Operations, Support Departments (including Credit and 2nd line of defense) and especially the bank's Digital Banking Platform.
The Senior Auditor will also assist the Manager and Head in finalizing the risk-based internal audit plan for the Information System Audit Universe, as well as in executing audit assignments as per the audit plan.
Job Accountabilities -
- Assisting Manager in developing IT audit Universe and annual IT audit Plan.
- Assess the bank's information system & cybersecurity audit program to ensure the bank's IT systems are secured and information security risk and exposure to vulnerabilities is minimised.
- Assess to manage, develop and implement a dynamic multi-year risk-based assurance plan for the bank's IT systems and cybersecurity program.
- Assess that all IT services are compliant with agreed quality, performance and customer experience standards; or have realistic plans in place to address areas requiring remediation.
- Performs general and application control audits for simple to complex computer information systems.
- Performs information control reviews to include system development standards, operating procedures, system security, programming controls, communication controls, backup and disaster recovery, and system maintenance.
- Performs reviews of internal control procedures and security for systems under development and/or enhancements to current systems.
- Effectively working with Internal Audit co-sourcing partner(s) as required to ensure that we execute as one team.
- Prepares audit finding memoranda and working papers to ensure that adequate documentation exists to support audits and conclusions.
- Prepares reports and other technical information in a pertinent, concise, and accurate manner for review of Manager and Chief Audit Officer.
- Consults with internal and external stakeholders on various operational issues related to computerized information systems, and on general business operations as needed.
- Collect and understand legal and regulatory compliance standards to be used for business or services.
- Follows up on audit findings to ensure that management has taken timely corrective action(s).
- Assists and trains other audit staff in the use of computerized audit techniques, and in developing methods for review and analysis of computerized information systems.
- Assist the fraud investigators in collecting and documenting IT and digital related evidence.
- Stay up to date with respect to relevant technology, equipment, cybersecurity, digital, systems, IT and Internal Audit standards & tools.
- Develop and maintain productive working relationship with all relevant stakeholders, continuously engaging stakeholders to minimize disputes while maintaining independence and objectivity.
- Ensure the timely completion of internal audit engagements.
- Ensuring that Internal Audit Reports are prepared objectively in a timely manner and in accordance with Internal Audit and other applicable standards.
- Prepare special reports based on approved audit planning memorandum as requested by Chief Audit Officer / Board Audit Committee to support the decision-making process.
- Issue periodic reports to the Manager Information System Audit highlighting unresolved issues and other significant matters which need to be brought to the knowledge and attention of the Head - Operations, Financial and Support Audit, Chief Audit Officer, Senior Management and the Board.
- Undertake any audit tasks/investigation assignments assigned by the Chief Audit Officer / Head of Operation Audit and/or the BAC.
- Actively participate in implementing new technology (TeamMate) to enhance the efficiency and effectiveness of audit processes and overall interaction with the management.
Qualifications, Experience & Skills -
Qualifications
- Must have a degree in Computer Engineering or Computer Science from a reputable and accredited University, ideally with a focus on Cyber / Information Security.
- Must have at least one certificate: CISA/CISSP.
- Must have at least one of the relevant Cloud Computing certifications, i.e. Certificate of Cloud Security Knowledge (CCSK), Certified Cloud Security Professional (CCSP), Certificate of Cloud Auditing Knowledge (CCAK).
Experience
- A minimum of 10+ years' experience of Information System and Cyber Security audits in a reputable local or regional bank, including audit of infrastructure, network, internal/external threats, banking application controls, cloud computing audit and the core banking system.
- Have an in-depth understanding of IT controls around technical environments and evaluation of risk-based controls across functional IT areas including networks, firewalls, vulnerability management, systems development, information security, database management and project management.
Job Specific Skills
- In-depth knowledge of, and expertise in, the complete cycle of the Information Technology audit process and related IT audit/assurance standards and guidelines.
- In-depth knowledge of, and expertise in, local and global Information Security standards like NESA, ISO related publications, SWIFT internal control requirements, PCI-DSS, cloud computing etc.
- Knowledge of local laws, regulations, and standards governing all aspects of the utilization of computer systems, including information system security requirements, for example NESA requirements.
- In-depth knowledge of current technological developments/trends in the area of expertise, in particular digitalization in the banking industry.
- Good analytical skills and critical thinking to understand processes, controls and risks of areas covered, identify root causes of issues, and recommend practical solutions.
- Security/network architecture: The candidate must have mastered this category of skills, which include:
  - Practices and methods of security and enterprise architecture and IT strategy
  - Security architecture definition and development
  - Security concepts related to routing, DNS, VPN, authentication, DDoS mitigation technologies/tools and proxy services
  - Firewall/other security tools/technologies
  - Intrusion prevention and detection protocols
  - Networking concepts related to TCP/IP, switching and routing
  - Security infrastructure and network configuration.
- Ability to evaluate and review a range of mainframe, PC, and distributed production and applications computer systems.
- Ability to gather data, compile information, and prepare reports.
- Ability to perform control reviews on systems development, operations, programming, control, and security procedures and standards.
- Ability to review system backup, disaster recovery and maintenance procedures.
- Knowledge of software requirements for auditing of computing systems and procedures.
- Knowledge of computer systems development and programming.
- Preferred Certification/Training
Generic Skills Requirements
- Team player and ability to work within diverse teams in diverse cultural environments.
- Collaborate with others to remove organisational barriers.
- Strong interpersonal, negotiating, and problem-solving skills.
- Ability to clearly articulate value we bring as an Internal Audit team and explain complicated technical jargon to a non-technical audience.
- Ability to create, compose and edit written materials.
- Ability to persuade and influence others.
Competencies
- (Department will coordinate with HRD to develop a competencies framework for the function. As an example, some core competencies related to the role are stated.)
- Ethics: Foster the ethical climate of the organization.
- Internal Audit Management: Advocate Internal Audit and its value organization-wide.
- Develops People: Contribute to developing the competence and potential of the team.
- Recognizes the importance of developing all organizational stakeholders through fostering collaborative work relationships and establishing mutual trust and respect.