Manager - IT Audits (UAEN Talent)

About Emirates Global Aluminium

Emirates Global Aluminium is the world’s biggest ‘premium aluminium’ producer and the largest industrial company in the United Arab Emirates outside the oil and gas industry.  EGA is an integrated aluminium producer, with operations on four continents from bauxite mining to the production of cast primary aluminium and recycling. EGA employs over 7,000 of these people including more than 1,200 UAE Nationals. EGA operates aluminium smelters in Jebel Ali and Al Taweelah in the United Arab Emirates, an alumina refinery in Al Taweelah, a bauxite mine and associated export facilities in the Republic of Guinea, a speciality foundry in high strength recycled aluminium in Germany, and a recycling plant in the United States.

JOB PURPOSE:

An Associate IT Audit Manager plays a crucial role in ensuring that an organization’s information technology systems and processes align with its objectives while meeting regulatory compliance and safeguarding against risks. The key responsibilities include:

• Planning and Designing Audits: Develop comprehensive audit plans that outline the scope, objectives, and methodologies for evaluating the effectiveness, efficiency, and security of IT systems and processes.

• Risk Assessment: Conduct risk assessments to identify vulnerabilities in the IT infrastructure, including cybersecurity threats, data integrity issues, and system availability risks. Based on these assessments, prioritize areas for auditing.

• Performing Audits: Execute audits according to the planned scope, including reviewing and testing IT controls, systems, and processes to assess their effectiveness. This often involves evaluating IT governance practices, security policies, access controls, disaster recovery planning, and operational procedures.

• Reporting Findings: Document audit results, including identified weaknesses or non-compliance issues. Provide clear, actionable recommendations for addressing these issues.

• Follow-up and Verification: Follow up on audit findings to ensure that corrective actions have been implemented effectively. Verify that recommendations are carried out and that the desired outcomes are achieved.

• Advisory Role: Act as an advisor to management on IT risk management, control, and governance processes. Offer guidance on enhancing IT frameworks, policies, and procedures.

• Regulatory Compliance: Evaluate the organization’s compliance with relevant industry standards and regulatory requirements related to IT, such as GDPR, ISO27001, ISR, SOX, HIPAA.

• Collaboration and Communication: Work closely with IT teams, external auditors, and other stakeholders. Effectively communicating audit findings, risks, and recommendations to both technical and non-technical audiences.

The above is to be carried out across all EGA sites (JA, AT, GAC, ATA and EGA Subsidiaries) in the following IT functions: 

• Industrial IT Systems (including SCADA systems).
• EGA SAP and other Corporate & Mobile Applications.
• IT Governance.
• IT Infrastructure (network, telecom, Data Centres etc.)
• Information Security (including cyber security).
• GRC Access and Process Control systems.
• Industry 4.0.

KEY ACCOUNTABILITIES:

       Mandatory ethical and audit standards prescribed by the IIA

• Embeds the ethical standards and the mandatory standards prescribed by The Institute of Internal Auditors (IIA) in the day-to-day operations.  To that effect, he/she shall instruct/supervise/coach his team members about the aforesaid requirement
• For deviations brought to his/her attention, the job holder would take steps to resolve the issue.  It shall be the responsibility of the position holder to keep the Senior Manager of Corporate & IT and Chief Internal Auditor (CIA) informed of the deviations reported and the steps undertaken to resolve the issue.  Should it not be possible for the job holder to resolve the issue, he/she shall seek the guidance of the Senior Manager of Corporate and IT and CIA in this regard.

  Departmental Policies, Processes & Procedures

  Responsible for implementing departmental policies, processes, and procedures in all audits/risk assessments / day-to-day work conducted.  To that effect, he/she shall instruct/supervise/coach his/her team members with regard to requirements of the departmental policies and procedures as well as monitor adherence to such policy/procedure.  Deviations if any shall be brought to the attention of the Senior Manager of Corporate and IT and Chief Internal Audit (CIA) for corrective action.  Develop and maintain effective working relationships with management of the assigned domain and act as the key point of contact.  The Associate Manager shall ensure that he/she is aware of all changes in key personnel/processes/systems as well as emerging risks relevant to his/her domain arising out of changes in industry/market / legislation etc. 

          Risk Assessment and Audit Plans

• Develop and maintain effective working relationships with management of the assigned domain and act as the key point of contact.  The Associate Manager shall ensure that he/she is aware of all changes in key personnel/processes/systems as well as emerging risks relevant to his/her domain arising out of changes in industry/market / legislation etc. 
• Upon identifying such risk/changes, the Associate Manager shall inform the Senior Manager of Corporate and IT and assist in assessing the emerging risks and their potential impact on the audit plan and propose changes to the plan if required in order to prioritize the high-risk audit units.
• Lead the annual risk assessment process relating to the domain and assist the Senior Manager of Corporate and IT in prioritizing the high-risk audit units while preparing the audit plan.  

           Assessing Staffing Requirements

     Assess the staffing requirements for planned and Adhoc audit assignments and advise the Senior Manager Corporate and IT on assigning         personnel to audit assignments within the assigned domain.  Should the skillset required to conduct an audit not be available in-house, the Associate   Manager shall assist the Senior Manager Corporate and IT to plan and execute co-sourced / outsourced audit assignments.  

Managing Audit Assignments

• Shall have overall responsibility for independently conducting audits within the domain.  To that effect, the Associate Manager’s responsibility shall include but not be limited to the following:

• Ensure that relevant portion of the audit plan approved by the ARC for the year is achieved and that audits are completed within the defined timeframe.  Assist the Senior Manager Corporate and IT in analysing deviations beyond 10% of the allocated time and initiate corrective actions planned.
• Plan and scope audit assignments ensuring adequate audit coverage of audit units to most effectively utilize the resources in providing reasonable assurance regarding the control environment.
• Develop process flow charts, conduct the process level risk analysis, prepare the risk, and control matrix and assess the design of management’s internal controls.
• Develop the audit programs including procedures / audit approaches / data analysis for auditing new processes or modifying existing approaches to further enhance the audit coverage / effectiveness.
• Execute audit procedures most critical to the audit assignment while conducting the work to ensure that the specified audit objectives are met.
• Assist the other auditors in evaluating the IT system controls for the business audits.
• Identify control weaknesses, process improvement and cost reduction opportunities.

Quality of Documentation

Document the test procedures carried out and review the work done by the team members / co-sourced consultants on an ongoing basis in TeamMate / GRC, to ensure that the quality of audit file documentation meets the standards set in the Internal Audit methodology and the IIA’s standards.

Recommending Corrective Actions

• Recommend to process owners suitable corrective/preventive actions in order to mitigate/remediate the observations made and risks highlighted ensuring that all accepted recommendations are given clear implementation deadlines or clearly identified as not being accepted.
• Leads closing meetings with line and top management to obtain their buy in regarding the recommendations / corrective actions.
• Ensure that area managers and the Senior Manager Corporate and IT are informed in a timely manner regarding critical issues to enable quick correction and mitigation of further occurrences.
• Conduct monthly follow-up of audit recommendations and report on status of their implementation to the Senior Manager Corporate and IT.

Preparing Reports

• Review draft reports drafted by team members / co-sourced consultants to ensure that draft reports meet the quality standards required by IA Methodology.
• Deliver final versions of draft reports to the Senior Manager Corporate and IT after discussing with management and obtaining their buy-ins with regard to the observations and recommendations made.

Peer Review and Quality Certification

• The audits conducted/led and carried out by the Associate Manager IA shall be subject to peer reviews and quality assessments on a periodic basis.  The Associate Manager would be responsible for implementing the recommendations made in the aforesaid assessments.
• The Associate Manager would assist the Senior Manager Corporate and IT and Chief Internal Auditor in achieving the periodic external quality certification.

  Managing Co-sourced / Outsourced Audits

  • Should the CIA in consultation with the Senior Manager Corporate and IT approve that an audit assignment in the Associate Manager’s domain be co-sourced/outsourced either due to unavailability of skillset in-house or resource constraints, the Associate Manager shall have the following responsibilities:
  • Prepare the request for proposal including technical specifications, areas / scope to be covered, deliverables, manpower required etc.
  • Assist the Senior Manager Corporate and IT in carrying out the technical evaluation of the proposals received.
  • Liaison with the external team and monitor the day-to-day progress of the audit assignment;
  • Assess the work done and the deliverables to ensure that the audit objectives are met.
  • Lead the closeout meeting with management to agree on the action plans; and
  • Document the observations in GRC so that these can be followed up later.

Management Requests and Fraud Investigation

• Conducts ad-hoc reviews based on management requests as directed by the CIA.
• Participates in the fraud investigations as and when called upon to do so by the CIA.

Safety, Quality & Environment

• Complies with all relevant safety, quality and environmental management policies, procedures and controls to ensure a healthy and safe work environment.

QUALIFICATIONS & SKILLS:

• University degree in Computer Science.
• Holding relevant professional certifications can be beneficial, such as:

• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)

These certifications attest to the manager's knowledge and expertise in IT audit and security domains.

Keep up-to-date with the latest IT trends, risks, and technologies, as well as developments in auditing standards and regulatory requirements.

Minimum 8 years of working experience, of which:

• At least 4 years experience in managing IT audits, and
• At least 5 years experience in Internal Audit.

Exposure to managing/auditing Industrial IT systems in the mining or manufacturing industry would be an added advantage.