Title: Senior Audit Manager, IT and Cyber Security Audit (Cloud)
Requisition ID: 257618
Join a purpose-driven winning team, committed to results, in an inclusive and high-performing culture.
As the 3rd Line of Defense, Internal Audit provides enterprise-wide, independent, and objective assurance over the design and operations of the Bank’s internal controls, risk management and governance processes. We are professionals who thrive in a challenging environment and work with management to find solutions to address control weaknesses.
The Senior Audit Manager is responsible for leading and conducting IT and Cyber Security risk-based audit assessments, of medium to high complexity, following the Bank’s Audit Methodology. This supports the Audit Department’s global mandate by providing independent assurance that business strategies, plans, initiatives, and audit activities are conducted in accordance with applicable regulations, internal policies, and procedures.
The Senior Audit Manager is a dynamic, innovative, and trusted advisor who uses data to deliver industry-leading assurance and insights to keep the Bank and our customers safe.
As a Senior Audit Manager, you will support the Director, IT & Cyber Security Audit, by planning and executing risk-based technical audits across Cyber Security, Technology Infrastructure, Applications, Cloud and Digital Banking, to provide opinions on the effectiveness of controls to meet business objectives. In addition, the subject matter expert is expected to be knowledgeable in risks associated with systems development methodologies (Waterfall and Agile), project management, automation and orchestration, data protection, and outsourced IT services.
Key Accountabilities:
- Acts primarily as Officer in Charge (OIC) for assigned audits. May act as Audit Principal (AP) for low to medium complexity audits.
- Works with other audit teams as required and carries out specific IT and Cyber Security projects.
- As OIC/AP, oversees the execution, planning, and reporting. Obtains a thorough understanding of the end-to-end business/unit/process and associated risks, develops an appropriate risk-based audit approach and schedules timing and resources.
- Ensures audit results are gathered and determines the root cause of the problem. Prepares and/or reviews audit results and findings for presentation to management. Follows up on corrective action/progress against any reported issues. Ensures relevant information that impacts other audit function areas is shared.
- Supports a client-focused culture throughout their team to deepen client relationships and leverage broader Bank relationships, systems, and knowledge.
- Understands how the Bank’s risk appetite and risk culture should be considered in day-to-day activities and decisions.
- Plans, documents, and seeks agreement in advance to the project approach and confirms conclusions upon completion in writing.
- Ensures Scotiabank standards and the Institute of Internal Auditors (IIA) Code of Ethics are maintained in completion of all assignments.
- Builds and maintains strong relationships with internal and external stakeholders and regulators as required.
- Interacts and coordinates with other groups involved. Completes timely review of workpapers, ensuring internal control weaknesses are clearly documented with recommendations addressing the root cause and are communicated timely to management.
Focus Area (Cloud):
- Acts as a leader and subject matter expert in auditing cloud governance and security controls, covering areas such as risk management, shared responsibility models, identity and access management, secure configuration standards, encryption and key handling, secrets management, network segmentation, monitoring and logging, vulnerability management, and practices that enhance cloud resilience.
- Brings specialized subject matter expertise in DevSecOps and secure SDLC controls, including CI/CD pipeline governance, build and release integrity, segregation of duties, change and release management, code review practices, security testing automation (SAST/DAST/dependency scanning), container and image security, infrastructure-as-code controls, and developer tooling risk. Utilizes in-depth knowledge to assess technical environments, identify security gaps, and deliver expert guidance to audit teams and stakeholders for effective risk mitigation.
- Evaluates API-related risks and controls as they intersect with cloud and DevSecOps, including API authentication and authorization, gateway policy enforcement, rate limiting and abuse controls, schema/input validation, monitoring and alerting, third-party integrations, and operational resilience of critical services.
Leadership:
- Supports ongoing monitoring activities to stay abreast of changes (business/industry/regulatory), emerging risks, and themes or systemic issues that may impact the risk assessment of the audit universe and the audit plan.
- Supports a high-performance environment and implements a people strategy that attracts, retains, develops, and motivates their team by fostering an inclusive work environment and using a coaching mindset and behaviours; communicating vision/values/business strategy; and managing succession and development planning for the team.
- Meets Department training requirements.
- Maintain information security competency through ongoing professional development and staying abreast of emerging technologies, risks and controls in information and cyber security.
- Provide direction, guidance and expert advice to audit teams globally to allow definition of effective assessments on information and cyber security risk management.
- When required, prepare and deliver effective presentations on various audit and information security related matters to Audit senior management and relevant stakeholders across the Bank to demonstrate expertise.
- Identify and advise Audit teams on the use of data analytics and other advanced techniques and tools to improve efficiency and effectiveness of audit assessments.
- Establish and maintain solid relationships with audit clients to serve as a catalyst of positive change and improvement of information and cyber security risk management.
Functional Competencies
- At least 5+ years of information technology and cyber security experience.
- Highly developed interpersonal and communication skills (verbal and written).
- Ability to work independently and as part of a team of professionals.
- Curiosity mindset.
- Working knowledge of the operations and regulatory environments for each unit as applicable.
- Knowledgeable in cyber security process areas such as web application security, secure network security architecture, penetration testing, Red Team testing, vulnerability assessments, encryption, data loss prevention, coding assessment, cloud security, DDoS protection, and malware protection.
- Strong technical knowledge of cloud computing and modern engineering practices, including cloud-native security and operational controls, DevSecOps and CI/CD risk, and API security fundamentals relevant to cloud-based and distributed architectures.
- Experience in the assessment of threats and risks over IT processes and assets.
- Excellent analytical skills and proficiency with Microsoft Word, Excel, and PowerPoint.
- Proven ability to work at high levels of ambiguity and in a rapidly changing environment.
- Knowledge and experience with security assessment tools (exploit tools, vulnerability assessment) and Security Operations Centre software (IDS, IPS, SIEM, etc.).
Education
- Bachelor’s degree in Information Technology, Computer Science or equivalent required.
- One or more of the following certifications: CISA, CISM, CISSP, CCSP, GCIA, CEH is required.
- Cloud engineering or architecture designation would be an asset.
Working Conditions
- Work in a standard office-based environment; non-standard hours are a common occurrence, especially at quarter end.
- Moderate travel to participate on audit assignments.
- Deadlines and schedule changes are frequent due to unforeseen events.
Dimensions
- Accountable for specific audit work in assigned audits.
- Audit projects vary in complexity, involvement, and number.
Location(s): Canada : Ontario : Toronto
Scotiabank is a leading bank in the Americas. Guided by our purpose: "for every future", we help our customers, their families and their communities achieve success through a broad range of advice, products and services, including personal and commercial banking, wealth management and private banking, corporate and investment banking, and capital markets.
At Scotiabank, we value the unique skills and experiences each individual brings to the Bank, and are committed to creating and maintaining an inclusive and accessible environment for everyone. If you require accommodation (including, but not limited to, an accessible interview site, alternate format documents, ASL Interpreter, or Assistive Technology) during the recruitment and selection process, please let our Recruitment team know. Candidates must apply directly online to be considered for this role. We thank all applicants for their interest in a career at Scotiabank; however, only those candidates who are selected for an interview will be contacted.