PERM: AD - IT Audit Manager - Vice President

Section 1 - Details

Job Title / Corporate Title

Audit Manager 

Department / Group

Audit Department/Internal Audit Group

Responsible to / Line Manager

Executive Director

Direct Reports

None

Location

London

Date Prepared

October 2019, updated July 2021, updated June 2022, updated July 2023

Certification regime

Out of scope

Section 2 – Purpose of Job

This role exists to deliver an independent view and assurance over the IT control environment in operation in EMEA business entities (SMBC Bank International plc (SMBC BI), SMBC Branches, and other subsidiaries in EMEA Region). It undertakes and manages audits across a range of IT Infrastructure and applications and supports teams of auditors to deliver in depth testing and review to support audit opinions. It contributes part of the Audit opinion provided the EMEA Region Management and SMBC Group Audit Committee in Tokyo.

Section 3 – Background

• Internal Audit are asked for an independent opinion on the changes and controls implemented by the organisations within EMEA Region, this role aims to provide insight and opinion on the key IT controls in operation in the business areas under review and therefore must have the expertise to provide advice and consultancy services as required.
• This role is responsible for managing the delivery of the planning, fieldwork and reporting for audit assignments as Auditor in Charge (AIC), under direction from the IT Executive Director. This will include highlighting key areas of risk, assessing established and new controls in operation over a range of activities in any business in EMEA Region, and IT functions outsourced to JRIA New York.
• With a particular area of expertise or experience the Audit Manager should be able to undertake detailed testing and oversee the work of others providing coaching to members of the team, including Internal Audit Department New York when joining reviews of IT functions outsourced to JRIA New York.
• This role will promote an effective IT control environment throughout the organisation through assurance work and being available to management for advice and guidance on risk and control issues.

Section 4 – Facts / Scale

ADIA is responsible for the delivery of around 100 internal audit reports per year across the EMEA region. Due to the nature of each business and the three-year audit cycle, the number of audits each Audit Manager is responsible for can vary from year to year. On average an Audit Manager would be responsible for the delivery of around four to six audits per year and contribute to other audit assignments through delivery of fieldwork for other Audit Managers. This may include technically complex and highly regulated areas, large assignments, including theme audits across more than one jurisdiction/ business. These are scheduled so that some will overlap so that two assignments may be open at the same time, closing one and planning another, an Audit Manager will be able to manage both successfully.

While the Audit Manager has no direct line reports, they are responsible for the work performed by team members of audits for which they are assigned as AIC, usually between two and six members, occasionally more, these may be located across different areas, or have particular area of expertise for which the team requires particular coaching and/ or guidance.

The Audit Manager can be assigned the role as AIC in any of the business for which ADIA has internal audit responsibility.  This is an EMEA wide role covering: SMBC BI, SMBC Branches, SMBC Nikko CM Ltd, SMBC Aviation Capital, SMBC Bank EU AG and SMBC Leasing (UK) Ltd.

Provide feedback to Line Managers on work performed by the team.

There is no monetary budget, but time budgets for the completion of each audit are established and the Audit Manager is expected to deliver the completed audit within the budgeted timeframe.

The Audit Manager interfaces with AD Management, ADIA team members and line Management up to MD/ED level, although meetings are held with General Managers in other business areas.

Section 5 – Accountabilities & Responsibilities

The Audit Manager is primarily accountable and responsible for the timely delivery of an internal audit assignment. This includes:

• Preparation of planning material to ensure that the internal controls covering the key risks are appropriately tested in order to provide reasonable assurance to the Board, Group Management, Entity Management and other stakeholders, including regulators, that an effective internal control environment exists.
• Overseeing the work performed for the audit assignment by other team members.  Providing guidance and support to team members as necessary.
• Directing testing to cover key areas of risk and determine the scope and focus in agreement with the Audit Partner of the review, and share expertise in their area with other team members.
• Preparing draft Audit Control Recommendations for review by AD Management.  The ACRs musts be factually accurate and clearly communicate the findings and recommendations. The Audit Manager must clearly communicate the issues to AD Management and then to business Management including senior stakeholders.  In doing so, the Audit Manager may experience some significant challenge and must therefore be resilient and articulate in their presentation of the issues.
• Preparing the final internal audit report.  The report must clearly communicate areas of positive assurance as well as areas where improvement in the internal control environment is required. 
• Undertaking follow-up and closure of internal audit recommendations.  This process requires the validation of action taken by line Management for the closure of all High and Moderate Priority recommendations and the provision of assistant and guidance to Management.

The Audit Manager may be also asked to assist the Director/ Executive Director with maintaining relationships with Senior Management (D, ED and MD level) in a nominated area of responsibility, have insight into business activities and be able to comment on key areas of risk for those business areas.

The Audit Manager will also be expected to contribute to Audit Department initiatives and work collaboratively across EMEA.

Section 6 – Knowledge, Skills, Experience & Qualifications

Educated to degree standard and holder of a professional qualification, (Usually CISA, CISSP etc) with strong technology skills and an understanding of applications controls.

The ability to clearly communicate to senior Management both verbally and in writing audit issues and to gain the confidence and trust of Management in their relationship management role.

The role holder needs to have a good operational knowledge in some aspects of the Bank to enable them to identify control weaknesses and advice on best practice/ process improvements. Have technical expertise and demonstratable knowledge of Cyber Risks. And a clear understanding of the risk and internal control environment relevant to the information technology being audited which may include:

• Firewalls (Check Point, Palo Alto, Cisco)
• Networks (Cisco)
• Windows including Azure
• Office 365
• Unix/Linux
• Database Management Systems (Oracle, SQL Server)
• IBM Websphere

Attention to detail. The confirmation of factual accuracy and a clear understanding of how the facts should be interpreted is essential.

Be able to apply knowledge and skills to other areas and interpret these in the wider context. Be a trusted advisor to the business and undertake problem solving in own role. Advising on possible control solutions and, being able to balance competing demands.

Previous internal audit experience is required to demonstrate a track record in effective internal audit delivery and management.

Section 7 – Challenges (This section is optional)

The main challenges the role will face are:

• The broad range of business areas subject to internal audit.
• Tight timelines for the delivery of internal audit assignments, and managing conflicting priorities.
• Challenge from AD Management and line Management and the ability to successfully articulate issues identified.
• The need to manage different groups of ADIA staff assigned to each audit assignment.