Specialist IT, Operations & Information Security Audit
Commercial Bank International Sharjah
Job Description
Job Purpose:
Performs Information Technology, Operations and Information Security audit assignments across the bank in a manner that conforms to the highest professional standards to meet the audit objectives. Work will be performed under supervision, according to departmental standards and within agreed time frames. Outputs are represented by review work papers, detailing tests performed, results and conclusions in relation to adequacy and effectiveness of controls of specific areas under examination. Audit findings will have to be evidenced by audit points and summaries.
Reports directly to:
Head of IT, Operations & Information Security Audit
Duties and Responsibilities:
Audit Planning:
- Assists the Head of IT, Operations, and Information Security Audit in preparing the annual audit plan for the year.
- Participate in the annual risk assessment covering the identification and assessment of IT, Operations and Information Security risks and associated controls.
- Conducts Information Technology, Operational and Information Security audit assignments as per Internal Audit plan.
- Evaluates IT, IS and operational risks and internal control processes to ensure the division's mandate and business goals are met and that professional standards are always maintained.
- Plans individual IT, Operations and IS audit assignments in coordination with and under supervision of the team leaders to ensure that professional standards are maintained.
- Assess that audit plan sufficiently covers the scope, addresses key risks and considers expectations of Senior Management.
- Discuss the Audit scope and Audit Plan with Head of IT, Operations, and Information Security Audit to ensure that the approved audit objectives are met, and adequate coverage is achieved.
- Meets with the division's management to form an understanding of the division's goals and objectives, main business activities, IT controls and risks identified by the division, any changes in internal controls or business environment, etc.
- Provides input for the revision of audit programs/review approach to achieve specific objectives in more effective/efficient manner.
- Performs analytical review by identifying the purpose of the test, identifying the source of data and ensuring its accuracy and completeness, inquiring about any anomalies or unusual trends found while performing the analysis, and providing a conclusion on whether the IT, IS and operational controls are effective or whether further review is required in certain areas.
- Sample size and method to be clearly defined based on the risks identified and controls assessed and documented for each audit test.
- Perform audit testing procedures to assess the adequacy and effectiveness of internal controls.
- Audit testing working papers to be prepared in a very comprehensive and clear manner, where the objectives, source of data, population and sample size, audit procedures and all findings / observations are identified and documented.
- Audit findings to be communicated in a clear and comprehensive manner, including the root cause of the issues and the possible implications for operations.
- Recommend appropriate corrective actions and improvements to address the root-cause and ensure it remedies the current issues and ideally future issues.
- Ensures full confidentiality of information remains intact and data / information are not being shared or discussed with unrelated / unconcerned staff in the bank.
- Ensure constant feedback is provided to Audit Management regarding the progress of the audit assignment, any hiccups / obstacles that may delay the assignment, or any major issues / concerns arising during the audit that require management's intervention.
- Ensure timely completion and prompt reporting of audit assignments to the Head of IT, Operations & Information Security Audit.
- Audit observations are clearly presented in a draft Audit Report, with proper root-cause analysis, clear identification of the actual and potential risks, logical recommendations which should mitigate the risks identified.
- Shares draft audit report with the division and discuss with management the individual observations and agree on action plan to be implemented with reasonable target dates.
- Discuss the draft report with the Team Leaders and Head of IT, Operations & Information Security Audit prior to preparing the final draft to be shared with HIA.
- Continuously follow up with each division on the agreed audit action plans and ensure they are constantly reminded and working on resolving the audit observations on time.
- Participates in the review of user related procedure/policies for improvement and provide feedback to ensure they provide for adequate and efficient internal controls.
- Build relationships with leaders across the bank to understand issues and identify areas for improvement for the bank as a whole.
- Keep abreast of developments in Corporate Governance practices and advise the business accordingly.
- Keeps up to date with improvements and current developments in the banking environment, in IT and IS frameworks and risk management standards, procedures, and techniques, and in CBUAE rules and regulations as well as those of other governing bodies (e.g. Basel).
- Review technological trends and emerging risks and assess the level of impact on the organization and the disruption to the industry. Manage and recommend adjustment to the audit plan based on the changing IT controls, risk posture and/or business priority.
- Assists in the implementation of the department's Quality Assurance and Improvement Program (QAIP) to ensure that the department is functioning at a high level of efficiency and effectiveness.
- Maintains positive and professional relationship with auditee, line management, colleagues, Head of Internal Audit as well as other staff in the bank to complete audit works and objectives effectively and efficiently.
- Assists less experienced and new staff of the department with becoming familiar with the IT Audit environment.
- Perform other special assignments, investigations, policies and standard operation procedures review, and other administrative assignments as and when requested by Audit Management.
- Completes work assignments independently as part of a team project within time budgets and schedules.
- Perform any other duties or responsibilities consistent with the role as assigned by management.
Education:
- Bachelor's Degree in relevant fields (i.e., Computer Science, Information Systems Engineering, Cyber Security etc.) from a recognized institution.
Professional / Technical Qualifications / Diplomas:
- CISA certification is mandatory.
- Other certifications such as CIA, CISSP, CDPSE, CRISC, CCAK, etc. are preferred.
Experience:
- At least five years' experience in external audit, internal audit or related activities, of which a minimum of three years' banking audit experience in technology, digital banking, cloud architecture, cybersecurity etc.
Other Skills Required for the Job:
- In-depth knowledge of current technological developments/trends in the area of expertise, in particular digitalization in the banking industry.
- Specialized knowledge in Enterprise Infrastructure, Cybersecurity, Software Development tools/models, Digital Banking, Cloud Architecture, and auditing banking business applications.
- Knowledge of UAE banking regulatory requirements with regards to Information Technology, Information Security and Cyber Security.
- Reasonable understanding of best practices such as COBIT, ITIL, NIST, ISO 27001, PCI DSS and NESA.
- High degree of analytical, reasoning/judgmental skills.
- Excellent communication (writing & verbal) and time-management skills.
- Good knowledge of Information Technology and Information Security frameworks, controls, and standards (international and national).
- Good knowledge of Accounting, Business Operations, Information Technology Operations, and processes.