
COMMERCIAL BANK OF AFRICA

JOB DESCRIPTION

Job Title: Information Systems Auditor
Reports To: Audit Manager Operational Risk
Department: Internal Audit
Division: Internal Audit
Grade: MG4
Date: August 2013

JOB PURPOSE STATEMENT

The purpose of this role is to conduct internal audits related to information technology functions/processes and the
technology applications that support business functions. The internal audit activities involve analysing risks and
controls, recommending process and control improvements, and providing reports summarizing audit activity to
relevant stakeholders. The Information Systems Auditor must effectively interface with all levels of management, as
well as participate in Group Audit initiatives and activities.

KEY RESPONSIBILITIES & PERCENTAGE (%) TIME SPENT

Manage information systems audit engagements including planning, development of audit testing and
evaluation programs, quality assurance, and reporting of audit results under the direction of the Audit Manager
Operational Risk. (35%)

Conduct continuous risk assessment of the information technology environment including general system
controls, infrastructure controls, and application controls. (25%)

Support the financial and operational auditors in identifying high level information system risks, as well as
designing and building automation tools for use by the audit department. (20%)

Contribute ideas that strengthen internal audit practices and other risk/control efforts. (10%)

Participate in projects related to the implementation of new technologies and business applications by offering
risk and control consulting and advice to Bank management. (10%)

MAIN ACTIVITIES

Conduct continuous risk assessment of the information technology environment including operating
systems, network infrastructure, the main banking application and all peripheral/interfaced applications in
the bank, with a view to determining the main areas of focus and priority and hence drawing up an appropriate audit
program.

Plan and conduct audits of specific target areas identified from the overall risk assessment above in
consultation with the Audit Manager and partnering with external consultants in certain areas as approved
by the Head of Audit to ensure quality audit approach, achievement of set audit objectives and completion
within agreed schedule.

Recommend and negotiate appropriate technical solutions to manage identified risks.

Prepare reports and analyses that communicate audit results for the relevant business conditions and
business risks/controls.

Provide support to the audited business and operational support functions on implementation of
recommended technical solutions to manage identified risks over the application systems and compliance
with information system security best practices.

Continuously review and monitor information security implementation at the agreed frequencies. The
Information Systems Auditor should therefore keep abreast of the fast-changing information systems
exposures/threats and ensure that adequate and up-to-date information systems security measures are in
place for the maximum protection of Bank information assets.

Work in partnership with audit management, business management and other risk/control functions to
ensure that processes, business activities, and internal controls are effective in managing technological
risks.

In consultation with other bank officers, promptly and thoroughly investigate reported cases of theft or losses
arising from error or fraud affecting information systems, as well as any security violations identified as warranting
such investigations, so that enough evidence is available to assist in recovery of bank property and to support
prompt action to stop possible further loss or appropriate disciplinary measures.

Core Value Behaviors (Performance Drivers)


Confident (Self Mastery). Describes people who are self-assured, in control, bold, and deliver to the highest
standards of expectations with ease while exhibiting the sort of presence that builds confidence in others.

Comfortable (Connecting with people). Describes people who are cool and resilient under pressure, honest in
every dealing, open to constructive criticism, and can be relied on to deliver.

Elegant (Effortless delivery). Describes people who demonstrate effortless simplicity and are able to do mundane
things with grace and flair. They connect easily with different audiences, exhibit finesse in all interactions and have a
high sense of values that they uphold at every turn.

Prestige (Pride and ownership of our work). Describes people who believe in themselves, are respected, treat
others with respect, and occupy a significant place in people's minds.

COMPETENCE REQUIREMENTS

Technical skills to effectively perform IS audit activities/tasks in a manner that consistently achieves established
quality standards or benchmarks.

A firm understanding of internal auditing standards (as issued by the IIA, ISACA) in respect of audit, internal
control, risk and governance principles.

Able to integrate understanding of industry trends and vulnerabilities to identify future possibilities, opportunities
and risks.

Knowledge and application of modern IS security management practices in the financial services industry to
proactively review and recommend security quality improvements in line with technological and product
changes.

Ability to understand and document workflows and business processes.

Knowledge and effective application of all relevant banking policies, processes, procedures and guidelines to
consistently achieve required compliance standards or benchmarks.

Performance management to optimize personal productivity.

Organized; able to work both independently and in a team setting.

Ability to identify solutions that effectively address business and control needs.

Interpersonal skills to effectively communicate audit results to functional heads and other stakeholders.

Self-empowerment to enable development of open communication, teamwork and trust that are needed to
support true performance.

QUALIFICATION AND EXPERIENCE REQUIREMENTS

Bachelor's degree preferably in Information Systems Management (Computer Science), Business
Administration or related fields.

Be a qualified Certified Information Systems Auditor. Certified Internal Auditor designation is a plus.

2 to 4 years of information system audit experience. Some exposure to information systems audits in a financial
institution would be highly desirable.
