GM Internal Audit IT & Cyber Security
Date: 8 Apr 2024
Location: Karachi
Company: KE
Purpose
To lead, plan, develop, implement and manage risk-based audits and/or advisory/consulting engagements covering the KE Enterprise Information Technology Group (ITG) IT/IS & Infrastructure and the IT & Operational Technology (OT) Cybersecurity (CS) function, in order to service:
- The IT architecture, the IT assets, services and applications running the enterprise & back-end support systems, and the communication and facility infrastructure controls for the ITG on-premise & public/private/hybrid cloud space.
- The IT Service Management, Application Development, System-Integrations, the ISO/IEC Service & Security Management Systems, Governance Frameworks, Risk management, and the Project Management Office (PMO)
- The Cybersecurity Governance, including Application Security, Vulnerability Management, Penetration-testing & Cybersecurity Operations, Threat Intelligence, Incident Management, Infrastructure hardening & Patch Management.
Prepare & review draft audit assurance & advisory reports and the assessment of the IT/IS and CS internal control environment. Engage the Head of IT/IS, OT, Cybersecurity & Power Generation Audits (Immediate Supervisor) on significant audit findings and provide ready assistance to finalize the quarterly reporting of significant findings to the Board Audit Committee (BAC). Engage with the auditee on audit follow-ups & the progress on relevant BAC action-points.
These responsibilities are carried out with the objective of implementing the processes for the Audit Universe within the limitations of the IIA methodology, the Internal Audit Department Manual, the IIA Quality Management Requirements, ISACA (Information Systems Audit and Control Association), the NIST Cybersecurity (CS) framework, the applicable ISO/IEC standards and the Technology Governance framework, and under guidelines from the Immediate Supervisor and/or Line management.
Education
BS/BE/BCS/MS/MCS in Computer Science/Computer Engineering; CISA or CISM preferred
Knowledge
- Enterprise IT/IS Business & Back-end Support Systems & Solutions
- Public/Private/Hybrid Cloud Infrastructure
- ISO/IEC Service & CS Management Standards, Technology & Cyber Governance
- Technology & CS Business Processes
- Total Quality & Process documentation
- The IIA controls, the IPPF & Global Technology Audit Guides (GTAG), ISACA
Experience
12-15 years of experience in the utility / corporate sector, with at least 4-5 years in senior management
Area of Responsibilities
Planning and Risk Assessment 20%
- Develop the IT/IS & Cybersecurity Annual Audit plan; determine the direction and order of the different planned and ad-hoc audit assurance and advisory/consulting engagements. Ensure that the IT/IS and CS audit universe is properly developed, is subject to timely review, and is improved/updated in line with organizational Technology & CS changes (incl. rescale, upgrade, replacement, expansion)
- Ensure that the audit universe risk is assessed per the IA risk assessment framework; to ensure the correctness of the qualitative assessment, connect with the auditee/line management for an improved comprehension of the IT/IS and CS risks, leveraging the ERM risk register and the future/strategic ITG and CS plans
- Prepare the draft Annual IT/IS & CS audit plan with justification for immediate supervisor review, deliberation & finalization before it is moved to the Head of IA (or CIA) and then to the BAC for approval
- Ensure maintenance of IT/IS & CS audit service edict, and the audit taxonomy; participate in IA leadership discussions on audit operations, direction, impact & value creation, digitalization, training, quality management and any other matter of significance
Supervision and Review of Audit Execution 35%
- Determine the scope of the audit and review the adequacy of audit objectives. Ensure coverage of all key business processes associated with the entity being audited; finalize the initial and final risk assessment of business processes and ensure that it is in line with business understanding
- Review the appropriateness of audit procedures in the audit program and ensure the complete population is captured; ensure the audit execution, objectives & audit program are continually recorded in the Audit Management Solution; ensure CAAT implementation and the use of audit / data analytic tools & services
- Coordinate with the auditee line and/or management to address delays, especially in areas including but not limited to facilitating access to the audited IT and CS systems/solutions, the process documentation, the policies and the SOPs
- Review the risk ratings of audit observations based on the Risk Rating Methodology; provide insight on new standards, guidelines, technologies and tools to better manage audit, consulting engagements & presentations
Reporting & Follow Up 25%
- Review the draft audit report with observations, findings (& evidence) and recommendations submitted by the line, and carry out an internal review to ensure the completeness & direction of the content, the relevance of risk exposure, the practicality of the recommendations, etc., improving it as appropriate in preparation for the immediate supervisor's review & discussion
- Share the audit report with the line to form concurrence on the reported findings, and make necessary corrections, if required, followed by circulation of draft report (observation + implication + recommendations) to the line section head / department head for management comments & the action plans to address the control gaps identified
- Prepare interactive, engaging and impactful presentations for the BAC on the significant IA findings in coordination with the immediate supervisor, and obtain updates from the auditee on progress against BAC action items
- Engage with the immediate supervisor on the draft IA report; carry out (as deemed appropriate) data validation and verification, and engage & coordinate with the line on the relevance & completeness of the submitted management comments, the responsibility for action execution & the implementation timeline
Consulting Activities 10%
- Review a hand-picked business process and/or policy, or a request for the same raised either by the auditee, the BAC/Board, the CIA/IA leadership and/or the immediate supervisor
- Deliver, as deemed fit, IA advisory/consulting services to the ITG, the user and/or CS department on IT/IS and/or CS controls, planning, digitalization, regulatory matters, scalability, etc., within the purview of the IIA-IPPF and/or ISACA framework / practices
Administrative Activities 10%
- Assist in calculating the annual cost allocation for department positions, IT/IS system training and the budget for IT systems/licenses; manage system requirements for the different CAATT, audit management & business intelligence applications/solutions
- Ensure ITG is engaged in the planning, infrastructure sizing and procurement of the IA digitalization interventions, and that their content is covered by backup & recovery as part of the ITG disaster recovery plan
- Prepare the IT software & hardware related budgetary requirements for the IA Department.