Information Systems Auditor

Job Location: Kabul
Nationality: National
Category: Information Technology
Employment Type: Full Time
Salary: As per company salary scale
Vacancy Number: 009
No. Of Jobs: 1
City: Kabul
Organization: Roshan (TDCA)
Years of Experience: 3 years
Contract Duration: Permanent
Gender: Male
Education: Bachelor's Degree
Close date: 2025-06-08

About Roshan (TDCA):

Roshan (Telecom Development Company Afghanistan Ltd) is Afghanistan’s leading telecommunications provider, with coverage in over 230 cities and towns and approximately 3.5 million active subscribers. Roshan directly employs more than 1,100 people and provides indirect employment to more than 25,000 people. Since its inception six years ago, Roshan has invested approximately $430 million in Afghanistan and is the country’s single largest investor and taxpayer. Roshan is deeply committed to Afghanistan’s reconstruction and socio-economic development. The Aga Khan Fund for Economic Development (AKFED), part of the Aga Khan Development Network (AKDN), is a major shareholder of Roshan and promotes private initiatives and building economically sound enterprises in the developing world. Also owned in part by Monaco Telecom International (MTI) and TeliaSonera, Roshan brings international expertise to Afghanistan and is committed to the highest standards of network quality and coverage for the people of Afghanistan.

Job Descriptions:

  • To provide risk-based information technology assurance and consultancy services.
  • To assist the IS Audit Manager with the execution of IS annual risk assessments and the development of the Information Systems annual audit plan.
  • Evaluation of the company’s IT risk under four broad categories of IT governance, system infrastructure and life cycle management, IT service delivery and support and protection of information assets, and authoring of draft reports for findings noted during fieldwork.
  • To perform ad-hoc reviews to investigate any technology or systems related incidents identified by management or the department itself.
  • Safeguarding of financial and reputational risk through detailed reviews of business controls, review of new products, promotions and information technology projects.
  • To perform any other tasks assigned by supervisor and/or head of internal audit.

Duties & Responsibilities

1. IT RISK AND ASSURANCE

1.1. Assists supervisor in the implementation of a risk-based IS audit plan for the organization in compliance with IS audit standards, guidelines and best practices.

1.2. Assists supervisor with planning of specific audits to confirm coverage of key risks to IT infrastructure and business systems in audit scope.

1.3. Develops IS audit programs for review by supervisor by assessing the nature, scope, extent and timing of work to be carried out.

1.4. Conducts audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives, compiles evidence to support the audit opinion and prepares the audit file for review by supervisor.

1.5. Communicates emerging IT related issues, potential risks, and audit results to key stakeholders.

1.6. Provides independent advice on the implementation of IS risk management and control practices within the organization.


2. IT GOVERNANCE

2.1. Assists supervisor with the evaluation of the effectiveness of IT governance structures to confirm adequate board control over the decisions, directions, and performance of IT so that it supports the organization’s strategies and objectives.

2.2. Evaluates and provides recommendations on the organization’s IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to confirm alignment with business strategy and compliance with applicable regulatory and legal requirements.

2.3. Evaluates and recommends on management practices to confirm compliance with the organization’s IT strategy, policies, standards and procedures.

2.4. Evaluates and recommends on IT contracting strategies and policies, and contract management practices to confirm that they support the organization’s strategies and objectives.

2.5. Evaluates and recommends on IT resource investment, use, and allocation practices to confirm alignment with the organization’s strategies and objectives.

2.6. Evaluates and recommends on risk management practices to confirm that the organization’s IT related risks are properly managed.

2.7. Evaluates and recommends on monitoring and assurance practices to confirm that the board and executive management receive sufficient and timely information about IT performance.


3. SYSTEM INFRASTRUCTURE AND LIFE CYCLE MANAGEMENT

3.1. Evaluates the business case for the proposed system development/acquisition to confirm that it meets the organization’s business goals.

3.2. Evaluates the project management framework and project governance practices to confirm that business objectives are achieved in a cost-effective manner while managing risks to the organization.

3.3. Performs reviews to confirm that IT projects are progressing in accordance with project plans and confirm availability of documentation and accuracy of status reporting.

3.4. Evaluates proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing to confirm that they will provide safeguards and comply with the organization’s policies and other requirements.

3.5. Evaluates the readiness of the system and/or infrastructure for implementation and migration into production.

3.6. Performs post-implementation review of systems and/or infrastructure to confirm that they meet the organization’s objectives and are subject to effective internal control.

3.7. Evaluates the process by which systems and/or infrastructure are maintained to confirm the continued support of the organization’s objectives and are subject to effective internal control.

3.8. Evaluates the process by which systems and/or infrastructure are disposed of to confirm that they comply with the organization’s policies and procedures.


4. IT SERVICE DELIVERY AND SUPPORT

4.1. Evaluates and recommends on Service Level Management practices to confirm that the level of service from internal and external service providers is defined and managed.

4.2. Evaluates and recommends on operations management to confirm that IT support functions effectively meet business needs.

4.3. Evaluates and recommends on data administration practices to confirm the integrity and optimization of databases.

4.4. Evaluates and recommends on change, configuration, and release management practices to confirm that changes made to the organization’s production environment are adequately controlled and documented.


5. PROTECTION OF INFORMATION ASSETS

5.1. Evaluates and recommends on the design, implementation, and monitoring of logical access controls to confirm the confidentiality, integrity, availability and authorized use of information assets.

5.2. Evaluates and recommends on network infrastructure security to confirm confidentiality, integrity, availability and authorized use of the network and the information transmitted.

5.3. Evaluates and recommends on the design, implementation, and monitoring of environmental controls to prevent or minimize loss.

5.4. Evaluates and recommends on the design, implementation, and monitoring of physical access controls to confirm that information assets are adequately safeguarded.

5.5. Evaluates and recommends on the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets.


6. FOLLOW-UP REVIEWS

6.1. Performs follow-up reviews to confirm implementation of management action according to planned issue resolution dates.


KEY DECISIONS MADE

• Decides whether an anomaly noted is a reportable matter (i.e. whether it impacts revenue, business continuity, key risk areas, ability to meet objectives or contravenes policy and legislation).

• Decides on key technology risk areas in the business for consideration by the Supervisor during annual audit planning and review.

Job Requirements:

EDUCATION AND EXPERIENCE REQUIRED:

  • A minimum of a university degree in computer science/information systems or equivalent from a recognized institution.
  • Professional certification in Information Systems auditing like CISA is essential. Candidates without the qualification are expected to attain the qualification within two years of employment.
  • Other qualifications like CISM, CISSP, CIA, and CFE are an added advantage.
  • Proficient in Microsoft Office (MS Word, Excel, PowerPoint, etc.).
  • Good command of English (written and verbal); experience in writing audit reports.
  • A minimum of 3 years’ experience in a regulated industry or big 4 firm.


KNOWLEDGE SKILLS AND ABILITIES REQUIRED:

  • Knowledge of IS audit procedures, including planning, techniques, test and sampling methods involved in conducting Information Systems audits.
  • Strong attention to detail and analytical skills.
  • Highly motivated, flexible, adaptable and eager to learn.
  • Ability to follow through audit tasks in a systematic manner to completion.
  • Strong communication skills and the ability to interact with all levels of management, particularly in regard to obtaining management agreement for corrective action recommendations.
  • Effective presentation skills of audit findings to senior management.
  • Ability to train junior internal audit staff in developing use of effective audit techniques.

Submission Guidelines:

Interested candidates may send their CVs to the following email address:

hr@roshan.af
