IT & GRC Auditor

Location: Karachi, Sindh, Pakistan

Department: Audit

Workplace: on_site

Description

The IT & GRC Auditor will be responsible for strengthening the Bank’s technology risk management, cybersecurity, and governance framework. The role includes conducting risk-based IT audits, reviewing internal controls, and assessing compliance with regulatory, data protection, and information security requirements across digital banking systems, cloud environments, IT operations, and GRC processes.

Essential Duties and Responsibilities

• Develop, maintain, and periodically update the IT & Information Security audit universe, ensuring comprehensive coverage of technology risks across the Bank.
• Perform periodic risk assessments and prepare risk-based audit plans, ensuring high-risk and regulatory-critical areas are prioritized.
• Lead and execute end-to-end IT and GRC audits, including cybersecurity, digital banking platforms, application controls, IT infrastructure, cloud environments, and third-party/vendor risk management, in accordance with approved audit methodology and Internal Auditing Standards.
• Evaluate the effectiveness of IT governance, policies, processes, and internal control frameworks; identify control gaps and provide practical, risk-based recommendations.
• Assess compliance with Central Bank regulations, applicable laws, industry standards, and internal governance frameworks related to technology and information security.
• Prepare high-quality audit working papers and reports that are clear, concise, objective, and timely, ensuring audit engagements are delivered within agreed timelines and resource budgets.
• Monitor and report on the status of audit findings and management action plans, including tracking overdue items and performing follow-up reviews to validate remediation effectiveness.
• Undertake special reviews, investigations, advisory and assurance assignments as directed by the Chief Audit Executive.

Requirements

• Bachelor’s in Computer science or a related field. Master’s degree preferred.
• Professional Certifications such as CISA, CRISC, CISSP, CISM or CCSP.
• 6–8 years of experience in IT Audit, Technology Risk, or Information Security within a bank, financial institution, fintech, or other regulated environment, with exposure to digital systems and technology-driven operations.
• Hands-on experience in conducting risk-based IT audits covering cybersecurity, IT general and application controls, cloud environments, third-party risk, and regulatory compliance, including audit planning, documentation, reporting, and follow-up in line with professional auditing standards.