Associate, Information Security Audit

Job Summary

The incumbent will support audits covering the Information Security Audit portfolio as a member of the Group Internal Audit Function. The role provides independent assurance on the effectiveness of controls over technology risks, cybersecurity threats, data governance, and digital transformation initiatives across the enterprise. It also supports the strategic implementation and integration of advanced data analytics tools and continuous auditing techniques across the audit function to enhance efficiency and real-time risk monitoring. This role requires full compliance with the GIAD Group Audit Manual, IIA standards, and all relevant local regulations and industry IT audit standards. As a member of the Group Internal Audit Function, this role ensures technology risks are effectively integrated into the overall audit strategy and contributes to strengthening the organization's resilience against evolving cyber threats.

Main Responsibilities

Essential Duties & Responsibilities by Dimensions:

• Shareholder & Financial:

• Contribute to the execution of the risk-based annual plan that aligns with the Group Internal Audit strategy and helps safeguard critical IT assets, data, and systems that underpin the organization's financial operations and shareholder value.
• Assist in identifying significant IT and cybersecurity risks that could lead to financial loss, operational disruption, or reputational damage, providing actionable recommendations to mitigate these risks.
• Assess the efficiency and effectiveness of IT investments and technology-related processes.
• Implements KPIs and best practices for the Global IT and Information Security audit function.
• Promote cost consciousness and efficiency and enhance productivity, to minimise cost, avoid waste, and optimise benefits for the bank.
• Act within the limits of the powers delegated to the incumbent
• Demonstrate clear understanding of the drivers behind the bank's financial & non-financial performance.

• Customer (Internal & External):

• Build and maintain strong, independent, and collaborative relationships with relevant business and support function staff and stakeholders across the Group.
• Communicate complex technical audit findings, cyber risk assessments, and recommendations to the SVP, EVP, GCAE and other senior stakeholders as directed, translating technical jargon into clear business implications.
• Provide advisory services to IT and business leaders as directed by the SVP and EVP on matters of IT governance, information security, and technology risk management.
• To assist (internal) customers in all their queries on Bank’s product and seek solution to their requests.
• Maintain activities in accordance with Service Level Agreements (SLAs) with internal departments/units to achieve improvements in turn-around time.
• Build and maintain strong/effective relationships with related departments/units to achieve the Group’s objectives.

• 
  Internal (Processes, Products, Regulatory):

• Act as a team member on audit engagements for the Information Security Audit portfolio, including infrastructure, applications, data management, network security, access controls, incident response, and business continuity across all Group entities. All audit activities must be conducted in full compliance with the GIAD Group Audit Manual, the IIA's International Professional Practices Framework (IPPF), and relevant ISACA IT audit standards.
• Engagements: support the team leader in executing the audit engagements and ensuring own work is performed efficiently and effectively and meets GIAD quality standards.
• Planning phase: support the team leader in conducting detailed risk assessments and interviews with auditees to define and document the precise audit scope and work program in the required deliverables (APM, RCM and ToR) addressing the most significant risks.
• Fieldwork phase: conduct testing of assigned scope areas and support the team leader to prepare progress updates and interim meetings with the auditees.
• Reporting phase: draft clear and concise audit issues and recommendations supported by solid evidence, present audit findings to the auditees to obtain management actions.
• Issue Follow up Phase: Perform issue closure validation in accordance with the latest audit methodology and timely escalate potential delays to management, as needed.
• Timely conduct audit file closure procedures in accordance with the latest audit methodology and standards.
• Collaborate with peers to achieve full coverage of domestic subsidiaries, support, control and risk functions in the organization.
• Support the delivery of Information Security audits, assessing the design and operating effectiveness of technology controls against industry best practices and regulatory requirements.
• Assess the adequacy and effectiveness of the organization's information security frameworks (e.g., ISO 27001, NIST, COBIT), IT governance structures, and disaster recovery capabilities.
• Identify and report on IT control weaknesses, cybersecurity vulnerabilities, and operational inefficiencies within technology environments, providing technically sound and actionable recommendations.
• Ensure the consistent application of IT audit methodologies, tools, and best practices across all IT and Information Security audit engagements.
• Support the strategic integration of data analytics (tools) into the audit practice to enhance risk identification, efficiency, and depth of analysis. Drive the implementation and maturation of continuous auditing capabilities to provide real-time assurance and insights.

• 
  Learning & Knowledge:

• Stay abreast of global IT trends, evolving cyber threats, and new technologies to proactively identify emerging risks and adapt audit strategies. This includes actively fostering practical skills in data analytics and continuous auditing techniques within the audit division.
• Identify areas for professional development of self and undertake development activities.
• Remain current with all developments in professional field.
• Escalate unresolved grievances or conflicts with team members to the SVP and EVP for resolution.

• Legal, Regulatory, and Risk Framework Responsibilities:

• Ensure compliance with all applicable legal, regulatory and internal compliance requirements including, but not limited to, Group Compliance Policies and Procedures (AML & CTF, Sanctions Policy, Data Protection Policy, Fraud Control Policy, Whistle Blowing Policy, Conflict of Interest and Insider Dealing Policy).
• Understand and effectively perform your role under the Three Lines of Defence principle to identify measure, monitor, manage and report risks.
• Ensure systematic good outcomes for clients in accordance with Conduct Risk policy.
• Support the framework of RCSA, KRI, Incident reporting and remediation, as appropriate, in accordance with the Operational Risk Management requirements.
• Maintain appropriate knowledge to ensure full qualification to undertake the role.
• Complete all mandatory training provided by the Bank, attain, and maintain the required levels of competence.
• Attend mandatory (internal and external) seminars as instructed by the Bank.
• Ensure the Information Security Audit function operates in full compliance with all applicable global IT regulations, data privacy laws (e.g., GDPR, CCPA), cybersecurity frameworks, and industry standards relevant to the organization's technology operations.
• This includes strict adherence to the GIAD Group Audit Manual, the IIA Standards, and specific local regulatory requirements.
• Provide insights from audit findings to the EVP to contribute to the enhancement of the organization's enterprise-wide risk management framework.
• Ensure IT audit engagements incorporate relevant regulatory compliance requirements and address inherent technology-related compliance risks.
• Contribute to strengthening the organization's overall cybersecurity posture, data governance, and IT risk management culture.

• Other:

• Ensure high standards of data protection and confidentiality to safeguard commercially sensitive information.
• Maintaining utmost confidentiality concerning customer and internal bank information obtained during the course of business and provide such information on a need-to-know basis only to Senior Management of QNB, Audit and Compliance functions, and relevant Regulators.
• Maintain high professional standards to uphold QNB's reputation and to strengthen its market leadership position
• All other ad hoc duties/activities related to QNB that management might request from time to time.

Education and Experience Requirements

• University graduate preferably with a Major in Information Technology, Computer Science, Cybersecurity, Business Administration, or a related field. Master’s is preferred.
• Certifications: Certified Information Systems Auditor (CISA) and/or Certified Internal Auditor (CIA) is preferred. Additional certifications such as CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), or relevant cloud certifications are highly desirable.
• Technical Skills: Solid understanding of IT audit methodologies, information security principles, and cybersecurity frameworks; proven expertise in auditing complex IT environments, including network infrastructure, operating systems, databases, applications, cloud platforms (AWS, Azure, GCP), and emerging technologies; strong knowledge of data privacy regulations, incident response, and business continuity planning; proficiency in IT audit tools, data analytics, and penetration testing concepts; familiarity with various ERP systems and core banking systems.
• Soft Skills: Good analytical, critical thinking, and problem-solving abilities with a strong technical aptitude; superior verbal and written communication skills, with the ability to translate complex technical issues into understandable business risks for diverse audiences; high level of integrity, objectivity, and professional skepticism; excellent interpersonal and influencing skills, with the ability to effectively challenge IT and business leaders; demonstrated ability to work independently and collaboratively as part of the Internal Audit Management Team.
• Excellent oral and written communication skills (including report writing) in English and Arabic (preferred).
• Good interpersonal and presentation skills.
• Understanding of the relevant laws, regulations, and practices.
• Ability to make decisions and follow through with initiatives.
• Personal integrity and self-management.
• Planning, organising, and analytical ability.
• Results oriented.
• Strong analytical skills and the ability to communicate both verbally and in writing with all levels of management.

Note: you will be required to attach the following: