Head, System Audit and Control at Nairagram Limited

Job Description

• We are currently sourcing for Head, Systems Audit and Control who will plan, oversee and audit the information security systems used by Nairagram.
• The auditor will provide the audit committee with a detailed report of our information systems, outline whether the system runs efficiently or effectively, and help the company make changes where necessary to improve the integrity of our system.
• Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
• Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
• Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.
• Evaluate the IT strategy, including IT direction, and the processes for the strategy’s development, approval, implementation, and maintenance for alignment with the organization’s strategies and objectives.
• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
• Evaluate the organization’s IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
• Evaluate risk management practices to determine whether the organization’s IT-related risk is identified, assessed, monitored, reported and managed.
• Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
• Evaluate the organization’s business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s ability to continue essential business operations during the period of an IT disruption.
• Develop a risk-based technology infrastructure, security, and general IT audit plan.
• Plan and execute audits, consulting engagements, and other influencing activities of infrastructure technologies, security, supporting operations, and processes.
• Examine internal IT controls, evaluate the design and operational effectiveness, determine exposure to risk, and develop remediation strategies.
• Plan, implement, monitor, and upgrade security measures for the protection of the organization’s data, systems, and networks.
• Test and identify network and system vulnerabilities and create counteractive strategies to protect the network.
• Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
• Evaluate the design, implementation, maintenance, monitoring, and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
• Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity, and availability of information.
• Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.

Requirements

• Bachelor's Degree in fields such as Accounting, Computer Science, Information Technology, Finance, or other related.
• ACA and Certified Information Systems Auditor (CISA) (Highly Important).
• 5 years’ experience as an IT Auditor preferred from a financial institution.
• Financial and IT application experience (SAP, QAD, MFGPro, Peoplesoft, and Hyperion).
• Expert in Firewalls, VPN, Data Loss Prevention, IDS/IPS, Web-Proxy, and Security Audits.

Job Competencies and Capabilities:
Essential Competencies:

• The Process of Auditing Information Systems– Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems.
• Governance and Management of IT– Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy.
• Information Systems Acquisition, Development, and Implementation– Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.
• Information Systems Operations, Maintenance and Service Management– Provide assurance that the processes for information systems operations, maintenance, and service management meet the organization’s strategies and objectives.
• Protection of Information Assets - Provide assurance that the organization’s policies, standards, procedures and, controls ensure the confidentiality, integrity, and availability of information assets.

Experience and Knowledge:

• Knowledge of IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards.
• Knowledge of the risk assessment concepts and tools and techniques used in planning, examination, reporting and follow-up.
• Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes,
• Knowledge of the control principles related to controls in information systems.
• Knowledge of risk-based audit planning and audit project management techniques, including follow-up.
• Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits.
• Knowledge of the risk and controls associated with data leakage
• Knowledge of the security risk and controls related to end-user computing
• Knowledge of methods for implementing a security awareness program
• Knowledge of information system attack methods and techniques
• Knowledge of prevention and detection tools and control techniques
• Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
• Knowledge of the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
• Knowledge of the processes followed in forensics investigation and procedures in collection and preservation of the data and evidence (i.e., chain of custody).
• Knowledge of the fraud risk factors related to the protection of information assets.