Internal Audit Manager at Discovery Limited

Job Purpose 

• Lead risk-based IT audits across infrastructure, cloud, cybersecurity, data, payments, and digital channels to provide independent assurance over technology risks and controls. Strengthen the bank’s control environment, meet local regulatory expectations, and enable secure innovation at speed.

Areas of responsibility may include but are not limited to:

Audit Planning & Governance

• Develop and maintain the risk-based IT audit plan aligned to the bank’s strategic objectives, risk appetite, and Three Lines Model.
• Perform technology risk assessments covering cloud (IaaS/PaaS/SaaS), cybersecurity, data & AI/ML, DevSecOps, third party risk, payments, open banking/APIs, and resilience.
• Ensure conformance with the International Standards for the Professional Practice of Internal Auditing (IIA Standards / IPPF) and alignment to King IV™ principles on governance.
• Prepare Audit Committee packs for IT audit coverage, opinions, key themes, and trend analyses.

Execution of IT Audits - Lead end to end audits (scoping, fieldwork, issue validation, reporting) over:

• IT General Controls (ITGCs) and application controls across core banking, digital channels, and enablement platforms.
• Cybersecurity (governance, identity & access, SOC, vulnerability/patch, incident response, endpoint, network & cloud security).
• Cloud & platform engineering (architecture, configuration, CSP shared responsibility, IaC controls, container/Kubernetes security).
• Data governance & privacy (POPIA, data lineage/quality, access, ISO/IEC 27701 alignment).
• Payments & cards (EFT, RTGS, card acquiring/issuing, PCI DSS scope and interfaces).
• Business continuity & operational resilience (BCP/DR, RTO/RPO, scenario testing).
• Third party & fintech partnerships (onboarding due diligence, contracting, ongoing monitoring, exit plans).
• Change, SDLC & DevSecOps (agile ceremonies, CI/CD, testing, segregation of duties, release management).
• AI/ML & model risk (data sourcing, bias, explainability, monitoring, access, change control—coordinating with Model Risk/Internal Audit specialists).

Issue Management & Stakeholder Engagement

• Produce clear, prioritized reports with root     cause, business impact, and actionable remediation:
• Track and validate remediation; escalate overdue/high risk issues.
• Build strong relationships with CIO/CTO/CISO, Data, Engineering, Product, Risk, and Compliance while maintaining independence.

Data Led Assurance & Continuous Auditing

• Drive data analytics in audits (e.g., log analysis, user access analytics, config drift, control health dashboards).
• Pilot continuous monitoring and controls automation where feasible; mentor the team on Python/SQL/Power BI usage.

Regulatory and Standards Alignment

• Align assurance to Banks Act requirements and Prudential Authority (SARB) expectations, POPIA, FICA, NCA, and Payment System rules where applicable.
• Reference and benchmark against COBIT, NIST CSF/800 53, ISO/IEC 27001/2, PCI DSS, CIS Controls, and internal policies/standards.

People, Quality & Vendor Management

• Manage, coach, and upskill the audit team; curate an annual training plan (CISA/CISM/CISSP, cloud security, data analytics).
• Oversee co-sourced audit partners; set scope, quality criteria, and deliverable timelines.
• Perform engagement quality reviews and maintain a robust internal audit Methodology & QAIP (Quality Assurance and Improvement Program).

Personal Attributes and Skills 

• Risk based, outcome oriented thinker with strong professional skepticism and independence.
• Executive presence & communication: able to distill complex tech risks into concise messages for EXCO/Audit Committee.
• Collaboration & influence: builds trust with Technology and Product while holding firm on control requirements.
• Learning agility: keeps pace with cloud native architectures, platform engineering, AI/ML, and evolving threats.
• Structured problem solver with strong root cause and issue prioritisation skills.
• Ethical judgement and confidentiality aligned to IIA Code of Ethics.
• Resilience under pressure; comfortable challenging senior stakeholders.
• Excellent writing (findings, opinions, and board level reporting).
• Banks Act and SARB Prudential Authority supervisory expectations (incl. IT/cyber risk, outsourcing, operational resilience).
• POPIA, FICA, NCA, Payments Association of SA rules, and relevant PCI DSS obligations.
• Corporate governance via King V™ and alignment to the IIA Standards (IPPF).

Education and Experience 

• Bachelor’s degree in Information Systems, Computer Science, Engineering, Risk/Audit, or related field (required).
• Professional certifications (one or more required): CISA (preferred), CIA (advantage), CISM/CRISC/CISSP, ISO 27001 Lead Auditor/Implementer (advantage).
• Cloud security certifications (e.g., CCSP, AWS/Azure security specialty) advantageous.
• Data & analytics: demonstrable SQL and/or Python skills; data privacy certification (e.g., CIPT) advantageous.
• 8–10+ years total experience in IT audit, technology risk, cybersecurity, or related assurance
• 3–5+ years in a managerial/lead role. 
• Banking/fintech background essential; digital retail bank experience strongly preferred. 
• Led multiple audits across cloud, cybersecurity, digital channels, payments, core banking, data governance, and third‑party risk. 
• Experience interfacing with Audit Committees, regulators, and external auditors.