IT Audit Manager at Avon HMO

Role Scope

• The IT Auditor will be responsible for supporting the development and implementation of a risk-based audit plan to evaluate, report on, and recommend improvements to the Company’s key operational and internal controls related to information technology, processes, and people. The role also involves conducting both ongoing and planned assessments of the organisation’s risk management, internal control systems, and governance processes as they relate to IT risks across the business.
• IT audits will cover, but are not limited to, the following areas: IT and cybersecurity reviews, IT security, IT service provider assessments, business continuity management and disaster recovery, project management, pre- and post-implementation reviews of IT projects, change management, logical access management, IT governance, data backup, cloud computing, IT operations, and compliance with industry and regulatory requirements.

Key Responsibilities

IT Audit & Assurance

• Develop and execute an annual risk-based IT audit plan.
• Conduct audits across:
  • Hospital Information Systems (HIS) and Electronic Medical Records (EMR)
  • HMO claims platforms and core business systems
  • Cloud infrastructure, data backups, and disaster recovery environments
  • Logical access controls, change management, IT general controls (ITGC)
• Perform pre- and post-implementation reviews for major IT initiatives.
• Ensure audit findings are reported clearly and tracked to closure.

Policy Compliance & Regulatory Adherence

• Monitor compliance with internal IT and cybersecurity policies.
• Ensure adherence to NDPA and NHIS digital health regulatory frameworks.
• Collaborate with the Data Privacy Officer and Policy Management team to:
  • Monitor policy updates and staff attestations
  • Identify and escalate non-compliance or exceptions

IT Governance & Risk Management

• Maintain and update the IT risk register for Avon HMO and Avon Medical.
• Track mitigation plans and closure of risk and audit items.
• Participate in business continuity and disaster recovery assurance exercises.
• Serve as a risk advisor on governance and technology steering forums.

Cybersecurity Oversight

• Review access logs, firewall configurations, and threat alerts.
• Support vulnerability scans, phishing simulations, and awareness sessions.
• Audit privileged access, dormant accounts, and administrative controls.
• Participate in incident response post-mortems and impact assessments.

Operational Process Assurance

• Review patient claims and billing processes for control gaps.
• Support digitisation of workflows with assurance on data integrity and configuration controls.
• Identify manual overrides, mismatches, and workflow inconsistencies affecting service delivery.

Data Integrity & Reporting Validation

• Validate NHIS reporting data, HMO dashboards, and sector KPIs.
• Investigate data discrepancies across interconnected systems (e.g., EMR vs. Claims).
• Recommend safeguards for data flows, report automation, and audit trails.

Project & Change Assurance

• Evaluate IT projects and change requests for control compliance.
• Track high-risk digital initiatives, vendor-led implementations, and critical upgrades.
• Embed assurance requirements during system design, UAT, go-live, and post go-live phases.
• Support internal awareness sessions, cross-team working groups, and governance workshops.

Technology Skills & Tools Required

IT Audit & Control Evaluation

• Experience with ITGCs, application control audits, and process walkthroughs.
• Ability to audit EMR/HIS, HMO platforms, and ERP environments.
• Knowledge of COBIT, ISACA, NIST, and healthcare IT standards.

Access & Identity Management

• Proficiency in reviewing Active Directory, RBAC, MFA, and access logs.
• Ability to conduct SoD reviews and privileged access audits.

Network & Infrastructure Audit

• Basic knowledge of firewalls, patch management, antivirus tools, and DR environments.
• Familiarity with Azure/AWS cloud configurations and security layers.

Audit & Monitoring Tools

• Exposure to GRC tools (e.g., Audit Board, MetricStream), SIEM (e.g., Sentinel, QRadar), and vulnerability scanners (e.g., Nessus, Qualys).
• Strong Excel and report scripting capability for audit documentation.

Data & System Integrity Reviews

• Experience with data reconciliation, SQL-based queries, and log file analysis.
• Knowledge of ETL audits, transformation logic validation, and output accuracy testing.

Key Skills and Competencies

Technical Expertise

• In-depth knowledge of IT audit, cybersecurity controls, and regulatory frameworks.

Governance & Oversight

• Proficiency in risk registers, mitigation planning, and assurance in IT projects.
• Ability to audit vendor controls and manage SLA compliance oversight.

Communication & Influence

• Strong report writing and communication skills for both technical and non-technical audiences.
• Confidence in leading discussions with cross-functional teams and management.

Behavioural Attributes

• High integrity, objectivity, and discretion in managing confidential and sensitive matters.
• Meticulous attention to detail, with strong investigative and analytical instincts.
• Proactive and organised approach to multi-entity responsibility and reporting.

Requirements

• Bachelor’s degree in information technology, Computer Science, or a related discipline.
• Minimum of 8 years’ relevant experience in IT audit, risk management, or compliance.
• Prior work in healthcare, insurance, or other regulated sectors preferred.
• CISA certification.
• Additional certifications (CRISC, ISO 27001, CISSP, CDPSE) are highly desirable.
• Familiarity with Nigerian data protection and health sector compliance frameworks.