Purpose:

This role is responsible to manage and carry out complex IT & Technical internal audit assignments, investigations, forensics and advisory activities ensuring the work is carried out with professional care and in accordance with the appropriate standards. These different activities involve leading or conducting projects in the internal audit compliance audit, investigations and advisor on IT, Information Security and telecommunications technical domain. In addition, the role provides significant input the preparation of annual internal audit plan and contributes significantly in the follow up with management.

Context: Ooredoo owns and operates various telecom infrastructures. This role carries out and/or supervises technical audit across the entire organization to ensure efficiency and effectiveness in the use of such infrastructures, to safeguard Ooredoo’s interest, and to ensure compliance with laws, regulations and recognized IT and Information Security/Technical/Engineering standards.

ROLE ACCOUNTABILITIES & RESPONSIBILITIES

A.Audit

• Identify and evaluate Ooredoo’s audit risk areas relating to Information Technology and Technical areas (telecommunication network, data centers and other applications, systems & infrastructure) through a risk-based audit methodology and provides significant input to the development of a risk-based annual internal audit plan.

• Gather the requirements for the audit plan through different meetings with the management, consultation with reference to Regulatory and Compliance requirements, and external audit.

• Perform IT and Technical audits and review the work performed to ensure the adequacy of audit scope, the adequacy of testing performed & evidences collected, and the accuracy of conclusions reached.

• Evaluate information on general computing controls and provide value added feedback. Test compliance with these controls.

• Perform various other reviews of IT/Technical management policies and procedures to ensure that controls surrounding these processes are adequate.

• Monitor the audit assignments progress and escalate any show stoppers to the Manager for the intervention.

• Ensure that audit procedures are strictly adhered to, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting technical processes and procedures.

• Prepare/develop the audit programs with appropriate testing mechanisms, execute the audit program, identify control weaknesses, assess the impact of these weaknesses, and relate them back to the scope and objectives of the audit.

• Conduct interviews, review of documents, develop and administer audit surveys, composing summary memos, and prepare working papers.

• Identification, development, and documentation of audit issues and recommendations for improvement.

• Communicate the results, findings and recommendations of audit projects via written reports and face-to-face presentations on a timely basis to the management and to the manager.

• Follow up the implementation of audit recommendations in a timely manner.

• Interact with staff, section heads, department directors and managers and when necessary, with executive management in order to obtain and/or communicate relevant information to achieve the objective/s of the IT and Technical audits.

• Maintain a working knowledge and practical application of industry standards and guidance such as ISACA (Information Systems Audit and Control Association) Information System standards and guidelines, Information Security Frameworks issued by the Ministry of Transport and Communications, ISO 27001, 27011, NIST, SANS, PCI DSS and. other relevant organizational and professional ethical standards.

• Ensure internal audit activities are carried out in compliance with International Standards for the Professional Practice of Internal Auditing (Standards), IIA Code of Ethics.

• Plan and execute audits of IT platforms (e.g. Windows, UNIX, MPLS networks) and Telecom & Network platforms (Core, Radio, Fixed Access and Transport) and evaluate IT/Technical internal controls and works collaboratively with management to identify actions needed.

• Plan and execute audits of various applications and databases used by different BUs in Ooredoo like CRM, Billing, Data Warehouse … etc. and review their configuration, change management and other relevant controls for ensuring the data integrity, efficiency and effectiveness.

• Perform review of the business continuity plans and disaster recovery, assessment of Recovery Point Objective (RPO) and Recovery Time Objective (RTO), vulnerability assessments and penetration testing, preparedness against cyber threats.

• Assess and test communications network security arrangements and their effectiveness and review technology control elements to mitigate technology risks regarding the confidentiality, integrity, and availability of the network.

• Develop strong stakeholder relationships with both IT and Corporate Information Security Teams and senior management functions to assist with the effective delivery of audits and development of audit methodology.

• Work independently under general direction with extensive latitude for initiative and independent judgment.

• Proactively add value to the IT and Technical Audit function through developing and refining audit approach consistent with emerging technologies, sector standards and methodologies

b. Consulting

• Conduct any fraud investigations assignment or any special audit assignments relating to IT/Technical areas.

• Communicate the results of consulting projects via written reports and oral presentations on a timely basis to the management, CAE, and if necessary to the Board of Directors as instructed by the CAE.

• Review of Technology and Security related policies and procedures and any IT/Technical aspect of the Company operations for submission to the CAE before being raised for Chief Executive Officer and Board of Directors approval.

c. Special Assignments and Fraud Investigations

• Conduct any fraud investigations or any special audit assignments as instructed by superiors.

• Communicate the results, finding and recommendations of special assignment/investigation via written reports and oral presentations on a timely basis to the management and CAE.

d. Development & Improvement Program

• Pursue professional development opportunities, including external and internal training and professional association memberships, and shares information gained with co-workers.

• Proactively take responsibility for self-improvement by staying well-informed of developments, knowledge and innovations in relevant field of expertise.

f. Other

• Represent Internal Audit at Ooredoo project team meetings, management meetings, and meetings with external organizations.

• Other duties as directed by superiors.

• Evaluate the company’s IT/technical/engineering processes and identifies potential problem areas where related controls need further testing.

• Carry out risk analysis and assist in the preparation of the annual audit plan or program covering the IT/Technical/Engineering aspects of operation.

• Perform sufficient tests, including analysis of IT/Technical data, to provide reasonable assurance that internal controls over the design, installation, operation and maintenance of Ooredoo’s infrastructure and related projects are existing and adequate.

• Identify and evaluate possible solutions to identified control issues, recommends them and obtains management agreement or actions on such recommendations.

• Prepare audit report including the weaknesses noted in the systems of internal controls, non-compliance with procedures/instructions and recommendations for improvements.

• Discuss audit issues with concerned managers and obtains comments for reported points.

• Bachelor’s degree in computer science/engineering or Telecom Engineering

• Certification in at least one area (e.g. CISA, CISM, CISS, CCNA and GSNA) Certification in Forensics and Fraud investigation, Post graduation in a related field (eg. IT/Technical auditing, Fraud Auditing, Computer Forensics etc) is preferred.

• Minimum 5 years of experience in IT and Technical auditing, Telecom Engineering, Electronic & Communications Engineering, Telecom analysis is a preference.

• Knowledge of ISACA Information System standards, guidelines, and Code of Ethics.

• Knowledge of COBIT framework and IT security best practices (Such as ISO 27001).

• Knowledge of telecommunication infrastructures and application of related technologies in addition to knowledge in Information Technology and Information Security.

• Project management, quality control review and planning experience.

• Working knowledge of control and risk self-assessment facilitation techniques.

• Knowledge of contemporary risk management (Assessment of risks, evaluation and testing of controls, mitigation plans etc.,) and control techniques and working knowledge of contemporary control frameworks.

• Familiarity with the common indicators of fraud.

• Knowledge of industry best practices policies, procedures, regulations, and laws.

Behavioral

• Managing Business Performance

• Strategic Orientation

• Business Acumen

• Quality and Continuous Improvement

• Promoting Teamwork

• Effective Communication and Interpersonal Skills including report writing and presentation skills for presenting findings and recommendations for improvement.

• Fluent Verbal and Written communication in English.

Technical

• Risk Management

• Audit & Compliance

• Process Management

• Analytical and evaluation skills

• MS Office and other Audit Software (e.g. IDEA, ACL, SQL, Excel)

• Knowledge and use of computer systems and tools

• Knowledge and experience with CAAT (Computer Assisted Applications Testing).

• Knowledge in databases and network management.

• Considerable knowledge of distributed technology (i.e., Windows and Unix/Linux), Web-based technology, and basic infrastructure control issues.