Leads and conducts IT and cybersecurity audits on technology platforms (enterprise applications, operating systems, database systems, network infrastructure), IT and cybersecurity operations, and project reviews, and participates in integrated audits.
Conducts the audit from planning to report finalization and participates in issue follow-up.
Ensure timely completion of audits from planning to report finalization.
Ensure that risks are identified and the work is performed in accordance with Group Audit's methodology.
Supports the development and enhancement of audit work programs.
Supports business audit team in providing technology expertise for integrated audits during project reviews.
The IT Audit Manager may be called upon to assume an advisory role to stakeholders as required to support enterprise IT projects and initiatives.
The IT Audit Manager may also be called upon to assist in Group Audit initiatives, investigations and projects as needed.
Audit Planning
In Audit Lead capacity, support the Head of IT Audit and/or Senior IT Audit Manager to set the overall audit objective, scope and approach. Prepares the audit planning memorandum.
Establish risk-based audit work programs to effectively evaluate the soundness of the IT processes and systems in place, based on industry best practices and regulatory requirements (e.g. MAS Technology Risk Management Guidelines, MAS Cyber Hygiene Notice, MAS Outsourcing Guidelines, CSA Cyber Security Code of Practice).
Identify and evaluate the feasibility of applying data analytic tests on audit data.
Participate in IT process analysis, and ensure that it is adequately performed and risk review areas are identified.
Audit Fieldwork
Lead and supervise the execution of audit fieldwork to ensure proper evaluation of the design and effectiveness of the key controls and assessment of residual risk.
Develop and execute audit tests using data analytic tools.
Monitor the audit progress to ensure that the audit assessments are adequately performed.
Ensure audit files are adequately documented.
Coach junior team members to ensure that control test objectives are adequately performed.
Ensure stakeholders are kept informed of the audit progress and issues arising.
Project manage audits to ensure that audits can be completed within budget.
Audit Reporting
Discuss and seek Management buy-in on audit issues.
Provide practical recommendations (based on industry best practices, regulatory requirements/expectations) on mitigating actions on the identified risks.
Ensure the factual accuracy of the identified audit issues.
Ensure management action plans adequately address the identified risks.
Produce well-written audit issues.
Support the issuance of audit reports in a timely manner.
Audit Issue Follow-up
Ensure audit issue follow-up is performed and documented adequately and in a timely manner.
Requirements
Degree in Computer Science, Information Systems or equivalent, with relevant professional qualifications (e.g. CISA, CISSP, CISM, CCSP).
Minimum 6 years of internal and/or external audit experience. Prior experience in financial institutions (FIs) would be highly advantageous.
Sound practical knowledge of IT and cybersecurity control concepts and auditing techniques.
Good understanding of the MAS TRM Notice, TRM Guidelines and Cyber Hygiene Notice, as well as the CSA Cyber Security Code of Practice. Knowledge of the NIST Cybersecurity Framework or CIS Controls is desirable.
Prior technical experience in an operational role within IT/Cyber Security or IT Risk/Governance will be highly advantageous (e.g. Network/System administrator, Cloud security engineer, DevSecOps engineer, IT/Tech Risk).
Ability to work independently and in a team environment with strong interpersonal and collaboration skills.
Ability to seek buy-in from Management and stakeholders.
Strong analytical and report writing skills.
Strong critical thinking skills.
Experience with programming languages (e.g. Python, SQL) and data analytics and visualisation tools (e.g. Power BI, ACL, Tableau) will be an advantage.
Keen interest in emerging/payment technology and its associated risks.