An experienced controls testing analyst who can validation test a prioritized set of IT and IS controls through an enquiry with a control owner/representative. The control testing analyst will arrange Microsoft Teams-based walk-through meetings with control representatives to undertake the test, asking probing questions to determine if the control activity is being performed satisfactorily and can be evidenced. The control testing analyst will:
- Schedule walk through meetings
- Prompt for and read supporting process/activity documents/websites beforehand
- Perform testing – enquiry method
- Teams-based meeting
- Ask the control representative to explain the control activities, processes and operational evidence, along with supporting documentation / websites
- Take notes and screenprints in evidence
- Make the assessment – document the test result
- Determine if the control is adequately designed, effectively operated (risk is managed)
- Write up finding in a templated Word document, plus evidence (screenshots, URLs, …)
- Update the Excel test plan tracker with results
- Notify management and the control representative of the test outcome
Controls to be tested - The following control domains are to be tested
- Perimeter - Secure Networks and Devices; Threat monitoring and response; Malware protection; Physical security.
- IBS/Critical apps - Change management; Secure Development; User Access Management.
- Resilience/Preparedness - Service Continuity & Recovery Planning; Crisis Response; Vulnerability Management; Physical operational resilience.
- Data - Rest and Transit Protection, Loss Prevention, Access, Accuracy and Completeness, Retention and Disposal.
- Financial Control Framework (FCF) - User Access Management (non-IBS apps); other ITGC areas covered by bullets above e.g., change management.
Fifty-five (55) prioritized key controls are to be tested in H2 2025, across scoped-in Functions and Divisions across L&G. Individual control tests will be allocated by the IT Controls Testing Team (ITCT) Manager to testing analysts. All testing will be tracked through existing governance meetings and committees. The Covered Period is from 30 June to 19-Dec.
Desired qualifications, knowledge, and skills
- Qualifications: CISA
- Knowledge: COBIT, ISO27001, CISM, CISSP; ITIL (mandatory)
- Experience: Good practical experience of controls testing delivery in a relevant technology/technology risk function, including knowledge of key control areas, such as security, IT resilience, change management etc.
