IT Auditor, Toronto
OANDA’s Internal Audit function is responsible for providing risk-based internal audit and advisory services and for providing assurance on effective risk management and control over OANDA’s operations, technology, regulatory compliance, assets, reputation and financial management.
The Senior IT (Information Security) Auditor performs effective planning and execution of ongoing internal controls assessments and periodic audits of varying complexity, ensuring OANDA’s information security management activities are consistent with recognized international standards and comply with relevant regulatory requirements and internal policies. While the primary focus of the job is Information Security audit, the incumbent will be called upon to support other audits on technology general controls as required.
The position reports to the Director of Risk and Assurance.
- Independently plan and execute Information Security audits and reviews of internal controls covering a broad range of security activities including operating systems, applications, infrastructure, access management, SIEM and incident management according to the annual Audit Plan and audit methodology.
- Review security threat and vulnerability risk assessments completed by Information Security.
- Perform audits in compliance with internal auditing standards, best practices, and relevant frameworks such as COBIT, ISO, NIST and OWASP.
- Draft formal audit/review reports concerning audit findings and recommendations and present the findings to Senior Management during the engagement closing meetings.
- Maintain the audit issues log and perform regular follow-up with responsible individuals to ensure that departments have completed remediation actions in a timely manner.
- Work closely with management on findings closure to actively identify challenges and gaps.
- Liaise with external auditors to facilitate the external auditing process.
Qualifications and knowledge expected include
- University Degree in Computer Science/Management Information Systems or equivalent enhanced with a CISSP, CISA or equivalent security designation.
- Six or more years' experience in IT security principles, practices, technologies, programs and procedures, accompanied by an understanding of risk management methodologies and frameworks.
- Experience in IT operations, development and network administration audits would be beneficial.
Experience requirements include
- Developing and working with security architecture, security standards such as ISO27001, ISO27002, and IT management frameworks such as ITIL and COBIT.
- Strong understanding and ability to interpret and communicate risk management concepts.
- Working knowledge of Threat Risk Assessment (TRA) methodologies and other risk assessment methodologies and tools, and familiarity with related security tests and test methodologies.
- Knowledge of a wide variety of information systems and security technologies including Operating Systems security, LAN and WAN, Internet protocols and applications, secure communications, firewalls, IDS/IPS, PKI, identity management, identification and authentication techniques, role-based access control, malware defenses, etc.
- Understanding of typical security threats, vulnerabilities and safeguards relevant to application development, test and QA environments, and IT (data centre) operations.
- Strong data analytics skills and experience with the use of data analysis tools (e.g., ACL) are required.
Other Competencies expected
- Strong business acumen and common sense
- High degree of professionalism, integrity and respect for confidentiality
- Demonstrated ability to take a consulting approach and work cohesively with Senior Management across the business while being “cost-benefit & value-added” conscious
- Good interpersonal skills and ability to cultivate strong working relationships in a team environment
- Exceptional planning, prioritizing, multi-tasking and project management skills to complete assignments in an efficient and effective manner
- Ability to present complex information clearly and influence the outcome through effective verbal and written communications.
- Highly proficient with Microsoft Office and Google suite of applications, and advanced Microsoft Excel skills.
Travel requirements are minimal, but some international travel may be required.