IT Audit Manager
Undertakes and leads complex IT Infrastructure and Cyber Security audits within the group (or its suppliers) and reports findings of Internal Audits using structured tools, methodology, and techniques to support the audit process.
Supports other audits through the completion of IT Audit work and discussing results/impacts with Audit Lead and IT/business stakeholders.
Provides audit expertise, advice and guidance (especially in the application of IT to manage risk) and promotes an awareness of risk management and control practices with BAT management.
- Participates in or leads internal audits in order to form an independent and objective view on risk management practices and the internal control environment by:
- Identifying significant risks in IT processes, projects and services, particularly over IT Infrastructure and Cyber Security.
- Assessing the design, effectiveness and efficiency of IT internal controls to determine appropriate testing approach for the controls identified.
- Agreeing action plans with management to bring about the necessary improvements for issues identified through the testing of controls.
- Writing reports for Management and Audit Committees that clearly and accurately explain the audit findings, their cause and impact on the defined business process objectives.
- Providing recommendations to improve the quality of the overall risk management and internal control practices.
- Ensuring all audit work is fully documented within the Audit Management System in line with IIA Standards and the BAT Business Audit Methodology.
- Assisting in the delivery of a best practice audit and business risk service with a focus on IT.
- Promoting an awareness of risk management and control practices with BAT management.
- Coordinating or participating in the delivery of IT related training to Internal Audit staff to support the global delivery of audit services.
- Ownership of line management responsibility for Senior Auditors and Audit Project Team management responsibility for individual assignments. This includes timely and clear feedback on their performance and development needs.
Knowledge, Skills and Experience
- Degree educated with relevant professional qualification
- Strong audit risk and controls experience with a significant accounting firm and/or corporate industry experience.
- Experience dealing with external auditors and SOx.
- Experience in a global FMCG or similar dynamic operating environment.
- Experience in reviewing core IT processes and assessing the adequacy of controls, including design and operating effectiveness over the following:
- Security within the software development lifecycle and in-depth understanding of industry security standards, best practices and frameworks, such as but not limited to NIST, ISO, ITIL, COBIT, PCI, SOx and Data Privacy standards
- Internet infrastructure design and installation and support of network devices and firewalls
- Cloud computing concepts, technologies, risks and mitigating controls
- Systems and security administration and configuration of servers and desktops (UNIX, Windows, Oracle and SQL etc.)
- Security risks related to web, mobile, web services, and client/server architectures
- Encryption schemes (symmetric, asymmetric, and hashing) and how they may be applied in an application architecture
- Vulnerability assessment and penetration testing methodologies and processes for web, thick client and mobile applications
- Experience in reviewing outsourced IT Operations and assessing various forms of Third Party Assurance reports, e.g. SOC reports, for adequacy and impact on the services provided
- Experience in SAP BASIS and in translating technical SAP system situations into non-technical business scenarios and risks for senior management.
- Experience of one or more of BAT’s core business functions, including operations, marketing, finance and IT.
- Strong IT risk and controls experience with a significant accounting firm or a global FMCG or similar dynamic operating corporate environment.
- Good knowledge of internal audit practices, principles and procedures and corporate governance requirements for a group operating globally including working with external auditors and in a SOx environment.
- Degree educated with relevant professional qualification e.g. CISA and CISM or CISSP
- Effective verbal and written communication skills with the ability to describe technical IT scenarios to senior executives to enable understanding of risks and the impact of controls over those risks and processes.
- The ability to summarise significant amounts of management information into the key messages including impact assessments and recommendations.
- Strong interpersonal skills and the ability to influence key decision makers in order to ensure risks and control scenarios are fully understood.
- Active listening skills and high levels of self-awareness to support effective negotiation discussions around internal controls evaluations, for design, operation and change.
- Experience in managing diverse teams as part of both business as usual and one-off project work.