IT RISK AND ASSURANCE
Assists supervisor in the implementation of a risk-based IS audit plan for the organization in compliance with IS audit standards, guidelines and best practices.
Assists supervisor with planning of specific audits to confirm coverage of key risks to IT infrastructure and business systems in audit scope.
Develops IS audit programs for review by supervisor by assessing the nature, scope, extent and timing of work to be carried out.
Conducts audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives, compiles evidence to support the audit opinion, and prepares the audit file for review by supervisor.
Communicates emerging IT-related issues, potential risks, and audit results to key stakeholders.
Provides independent advice on the implementation of IS risk management and control practices within the organization.
Assists supervisor with the evaluation of the effectiveness of IT governance structures to confirm adequate board control over the decisions, directions, and performance of IT so that it supports the organization’s strategies and objectives.
Evaluates and provides recommendations on the organization’s IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to confirm alignment with business strategy and compliance with applicable regulatory and legal requirements.
Evaluates and recommends on management practices to confirm compliance with the organization’s IT strategy, policies, standards and procedures.
Evaluates and recommends on IT contracting strategies and policies, and contract management practices to confirm that they support the organization’s strategies and objectives.
Evaluates and recommends on IT resource investment, use, and allocation practices to confirm alignment with the organization’s strategies and objectives.
Evaluates and recommends on risk management practices to confirm that the organization’s IT-related risks are properly managed.
Evaluates and recommends on monitoring and assurance practices to confirm that the board and executive management receive sufficient and timely information about IT performance.
SYSTEM INFRASTRUCTURE AND LIFE CYCLE MANAGEMENT
Evaluates the business case for the proposed system development/acquisition to confirm that it meets the organization’s business goals.
Evaluates the project management framework and project governance practices to confirm that business objectives are achieved in a cost-effective manner while managing risks to the organization.
Performs reviews to confirm that IT projects are progressing in accordance with project plans and confirm availability of documentation and accuracy of status reporting.
Evaluates proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing to confirm that they will provide safeguards and comply with the organization’s policies and other requirements.
Evaluates the readiness of the system and/or infrastructure for implementation and migration into production.
Performs post-implementation review of systems and/or infrastructure to confirm that they meet the organization’s objectives and are subject to effective internal control.
Evaluates the process by which systems and/or infrastructure are maintained to confirm that they continue to support the organization’s objectives and are subject to effective internal control.
Evaluates the process by which systems and/or infrastructure are disposed of to confirm that they comply with the organization’s policies and procedures.
IT SERVICE DELIVERY AND SUPPORT
Evaluates and recommends on Service Level Management practices to confirm that the level of service from internal and external service providers is defined and managed.
Evaluates and recommends on operations management to confirm that IT support functions effectively meet business needs.
Evaluates and recommends on data administration practices to confirm the integrity and optimization of databases.
Evaluates and recommends on change, configuration, and release management practices to confirm that changes made to the organization’s production environment are adequately controlled and documented.
PROTECTION OF INFORMATION ASSETS
Evaluates and recommends on the design, implementation, and monitoring of logical access controls to confirm the confidentiality, integrity, availability and authorized use of information assets.
Evaluates and recommends on network infrastructure security to confirm confidentiality, integrity, availability and authorized use of the network and the information transmitted.
Evaluates and recommends on the design, implementation, and monitoring of environmental controls to prevent or minimize loss.
Evaluates and recommends on the design, implementation, and monitoring of physical access controls to confirm that information assets are adequately safeguarded.
Evaluates and recommends on the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets.
A Bachelor’s degree in Computer Science/Information Systems or equivalent.
Professional certification in Information Systems auditing like CISA is essential. Candidates without the qualification are expected to attain the qualification within two years of employment.
Other qualifications like CISM, CISSP, CIA, and CFE are an added advantage.
Minimum of 3 years’ audit experience (internal or external).
SKILLS AND COMPETENCES
Knowledge of IS audit procedures, including planning, techniques, test and sampling methods involved in conducting Information Systems audits.
Strong attention to detail and analytical skills.
Highly motivated, flexible, adaptable and eager to learn.
Ability to follow through audit tasks in a systematic manner to completion.
Strong communication skills and the ability to interact with all levels of management, particularly in regard to obtaining management agreement for corrective action recommendations.
Effective presentation skills of audit findings to senior management.
Ability to train junior internal audit staff in developing the use of effective audit techniques.
Proficient in Microsoft Office (MS Word, Excel, PowerPoint, etc.).
Good command of English (written and verbal); experience in writing audit reports.