ICT Risk Assurance Senior Specialist (Auditor) (f/m/d)

Your area of work:

The Chief ICT Risk Office (CISO) combines IT & IS Risk Management in the 2nd Line of Defense. The department’s mandate is to set the IT and IS (ICT) risk governance and framework, set the control objectives, control review methodology and risk assessment methodology, conduct independent risk assurance of 1st LoD IT and IS (ICT) controls, and independently monitor and report on the level of ICT risks as well as to drive transformation and collaboration.

In this role, you will be at the heart of our assurance activities, performing continuous monitoring and oversight to confirm that our ICT controls are well-designed, correctly implemented, and operating effectively to protect the firm.

Your responsibilities:

• Assurance (2nd LoD "Audit") Planning and Execution: Develop, implement, and execute comprehensive ICT Assurance plans based on risk and regulatory requirements specific to the financial industry.
• Compliance and Regulatory Adherence: Ensure ICT systems and processes comply with relevant laws, regulations, and standards such as DORA, MaRisk, CSSF, NIST, ISO27k guidelines from regulatory bodies.
• Risk Assessment: Identify and assess ICT risks and controls related to hardware, software, data, and network infrastructure to profile and mitigate potential business impact.
• Process. System and Application Assessments: Conduct assessments of network applications, operating systems, databases, and other technology interfaces to ensure their integrity, security, and efficiency. This includes verifying that new and existing systems meet company standards and compliance requirements, ensuring controls are operated effectively.
• Security and Controls: Evaluate the adequacy of security measures and controls built into the organization's ICT infrastructure, including cybersecurity protocols, access controls, data encryption and other areas.
• Reporting and Communication: Prepare clear and concise assurance (audit) reports detailing findings and actionable recommendations for management. Effectively communicate complex technical issues to both technical and non-technical stakeholders.
• Follow-up and Remediation: Monitor the timely implementation of management's corrective actions to address audit findings.
• Collaboration: Work closely with internal audit teams, IT departments, and business units to provide insights and guidance on control considerations for new and existing systems.
• Continuous improvement: Contribute to the continuous improvement of ICT Risk Assurance ("2nd LoD audit) methodologies, frameworks, and processes to ensure their ongoing effectiveness
• Stay Current: Keep abreast of the latest industry trends, emerging technologies, and changes in the regulatory landscape, including cyber threats and security-related events.

Your profile:

• Education: A university degree (Bachelor/Master) in IT, Information Security, Risk Management, or a related field. A Master's degree is a strong asset.
• Extensive Experience: A minimum of 4+ years of dedicated experience in IT audit, second-line assurance, or a senior IT risk management role. You have a proven track record of leading complex audits and assurance reviews from planning to reporting.
• Expert Industry Knowledge: Deep, practical knowledge of the financial services sector within highly regulated EU environments. You possess an expert understanding of regulations like DORA, BAIT, MaRisk, and CSSF, and can confidently interpret and apply their requirements in an audit context.
• Mastery of Frameworks and Standards: Expert knowledge of IT governance and control frameworks (COBIT, CSA-CCM, ISO/IEC 27000 series, ITIL, BSI Grundschutz). You are skilled not just in testing against these standards, but in assessing the maturity of control environments and providing strategic advice for improvement.
• Professional Certifications: At least one of the following certifications is highly required: CISA, CISM, or CISSP. Additional certifications like CRISC, CEH, or CIA are a significant advantage.
• Advanced Core Skills:
  • Strategic Assurance: You have mastered assurance techniques and can develop sophisticated, risk-based testing strategies and sampling methodologies. You are capable of mentoring junior team members on these techniques.
  • Strategic & Analytical Mindset: You combine exceptional analytical skills with a strategic mindset, enabling you to identify root causes, see the bigger picture across different risk domains, and translate complex technical and regulatory issues into business impact.
  • Stakeholder Influence: You possess outstanding communication, negotiation, and influencing skills. You are experienced and comfortable presenting findings, challenging constructively, and building credibility with senior and executive-level stakeholders.
  • Three Lines of Defense: Strong understanding of the Three Lines of Defense model
  • Deep Technical Expertise: Demonstrated expertise in several of the following domains: Cloud Security (Azure/AWS/Google), Network Architecture and Security, Vulnerability Management, Security Information and Event Management (SIEM), Privileged Access Management (PAM), Threat Intelligence, and Incident Response.

Languages: Excellent command of English (written and spoken) is mandatory. Proficiency in German is a distinct advantage.

You can look forward to our benefit package:

• Hybrid Work and Flexible working hours
• Work from abroad - 12 days of remote work from EU countries per year
• Group Share Plan - discount on company shares
• Pension fund contribution - 3% of your gross salary (5% after 5 years with us)
• Health & Wellbeing - fully covered Multisport card, life & accident insurance, sick days and 100% salary contribution during sick leave (up to 56 days)
• 25 vacation days
• Mobility - fully covered public transport in Prague & free parking
• Flexible Benefit Account (Pluxee) - 1200 per month
• Personal Development - annual budget of €690 ... and way more!