The Audit and Investigations department provides an audit assurance and fraud investigation service to the Group. They support the overall control environment and focus on internal and external fraud and theft, and critical business controls.
With the authority of the CEO and the endorsement of the Audit and Risk Committee, the Audit and Investigations department are responsible for delivering an independent and objective risk-based Internal Audit service designed to evaluate and improve risk management, control and governance processes across all key business areas.
In addition, the department provide assurance to the Audit and Risk Committee regarding the effectiveness of internal controls throughout the business. The IT Auditor will be responsible for the evaluation of risk and control processes specifically relating to Technology.
The IT Auditor is also key to providing the wider Internal Audit and Investigations team with IT expertise and to acting as a source for the development of analytics within the department.
The IT Auditor will work jointly with business stakeholders to determine the IT risk universe in order to support the Senior Audit Manager in the development of the risk-based audit plan, which is presented quarterly to the Audit and Risk Committee along with updates of key Audit activity.
The IT Auditor will deliver a broad range of IT audit and risk engagements, developing close working relationships with the operational Internal Audit team, Group Risk and third-party providers. Assignments will be performed through the application of recognised audit and control methodologies such as COBIT.
The IT Auditor will develop audit programs and complete IT audits in areas selected according to business risk. These will include the review of controls and processes in the following areas:
- Computer operations and support
- Business transformation/change projects and other systems under development
- Application, database and infrastructure controls of key business systems
- Data security (primarily compliance with regulatory requirements)
- IT business policy compliance
- Business continuity and incident escalation
The evaluation of each area will take into account the potential for loss through security and service control failure, regulatory compliance (for example data protection, computer misuse) and vulnerability to fraud, intrusion or other emerging threats.
The IT Auditor will work with stakeholders to identify cost-effective and efficient solutions to any business exposures identified. Reports of findings and required actions for all assignments undertaken will be distributed to stakeholders and summaries presented quarterly to the Audit and Risk Committee.
A further key element of the role is championing the use of data analytics across the Internal Audit team to identify control weaknesses and to support the wider Investigations team to identify fraudulent activity.
- Possess a high level of technical knowledge gained from 5+ years of experience in an IT Audit role (preferably in Retail).
- Possess a relevant IT Audit qualification (CISA) or general internal audit qualification (CIA) and a tech degree.
- Detailed knowledge of recognised IT standards (ISO 27001, COBIT, ITIL, SOX), and regulatory compliance requirements (PCI DSS, GDPR).
- Experience of security testing methodologies applicable to applications, networks and systems under development.
- Experience of procurement of external security testing services and consultancy.
- Knowledge of networking and OS technologies (e.g. Windows, iSeries, Unix) and controls.
- Knowledge of system development methodologies (Agile, Waterfall) and project management standards (PRINCE) and related control frameworks.
- Experience of auditing large-scale enterprise systems from initial stages of development to mature production environments.
- Excellent communication skills (written/verbal/presentation).
- Strong leadership skills and tenacity, with the ability to influence at all levels, ensuring actions resulting from audit findings are communicated and dealt with appropriately.
- Ability to apply commercial awareness to all business decisions.