Purpose of the Role
To provide independent assurance and advisory services in the areas of information technology and cybersecurity in support of the Internal Audit function within government entities, by assessing the effectiveness of technical controls, managing cyber risks, and ensuring compliance with national regulations and international standards, thereby strengthening the protection of information assets and the continuity of government services.
Qualifications: CISA – Certified Information Systems Auditor
Years Of Experience: 10 Years
Key Roles & Responsibilities
1. IT & Cybersecurity Audit Planning
- Contribute to the development of risk-based audit plans covering IT and cybersecurity domains.
- Perform technology risk assessments across infrastructure, applications, data, cloud environments, and third parties.
- Identify priority areas such as SOC operations, identity and access management, data protection, and business continuity.
2. Audit Execution & Fieldwork
- Conduct IT systems and cybersecurity audits in line with approved methodologies and best practices.
- Evaluate the effectiveness of IT General Controls (ITGC) and application controls.
- Review cybersecurity controls including access management, encryption, monitoring, vulnerability management, and incident response.
- Assess cloud environments, managed services, and outsourced SOC arrangements.
3. Regulatory & Standards Compliance
- Verify compliance with national regulations and government policies.
- Assess alignment with international standards such as ISO/IEC 27001, ISO/IEC 27035, and ISO 22301.
- Review organizational readiness for external audits and certifications.
4. Third-Party & Service Provider Assurance
- Audit outsourcing arrangements including SOC-as-a-Service, data centers, and cloud providers.
- Review SLAs, confidentiality obligations, and independent assurance reports (SOC 1/2).
- Validate service providers’ compliance with contractual and regulatory requirements.
5. Incident Management & Business Continuity
- Review cybersecurity incident management, response, and investigation processes.
- Evaluate integration between incident response, business continuity, and disaster recovery plans.
- Participate in or assess readiness through tabletop exercises and simulations.
6. Reporting & Communication
- Prepare clear and actionable IT audit reports with technical observations, root cause analysis, risk ratings, and recommendations.
- Discuss findings with IT, cybersecurity teams, and senior management.
- Escalate critical issues to Internal Audit management and Audit Committees as required.
7. Follow-up & Control Improvement
- Track remediation actions and validate the effectiveness of corrective measures.
- Provide practical recommendations to enhance cybersecurity maturity and IT governance.
- Support continuous improvement of control environments.
8. Advisory Services
- Provide advisory input for digital transformation initiatives, cloud adoption, and smart government systems.
- Review risks and controls during design and implementation phases of major IT projects.
- Support data governance and AI governance initiatives from an assurance perspective.
9. Professionalism & Independence
- Adhere to approved professional conduct and government ethics requirements.
- Maintain confidentiality, independence, and objectivity in all engagements.
- Keep abreast of evolving cyber threats, technologies, and regulatory developments.