Posted on 2022-07-15

Manager, Information Risk Management, IT Audit – Cyber Security



  • Lead IT Security audits based on industry security standards and practices (such as HKMA C-RAF, ISO/IEC 27001, SOC2 TSC, PCI-DSS, US NIST SP 800-53, CIS Critical Controls).
  • Review IT Security audit findings, providing observations and recommendations to improve audit client’s IT Security practices and procedures.
  • Communicate IT Security audit findings with senior executives of the audit client. 
  • Evaluate audit client’s IT Security governance and practices and provide recommendations to Senior IT Management to improve IT Security governance and to mitigate IT Security risks impacting our audit.
  • Discuss IT Security audit findings with audit partners and audit teams, ensuring a clear link between IT Security findings and the objective of our financial statement audit.
  • Plan and execute IT Audit day-to-day activities as part of a broader audit team, while focusing on IT Security specific aspects of our audit.
  • Work with the IRM Leadership to build and develop a strong IT Security Audit team in support of our IT Audit practice.
  • Complete tasks and deliverables to a high-quality standard as part of audit engagements
  • Keep senior IRM members informed of significant developments and progress on the engagement 
  • Coach junior staff on engagements and provide proper feedback
  • Assist with scoping, financial management, delivery risk management and the initial review of deliverables
  • Identify and communicate IT audit findings to senior management and clients
  • Help identify performance improvement opportunities for assigned clients
  • Conduct fieldwork and manage small project teams to deliver value-added assurance services to clients
  • Develop internal networks and maintain excellent relationships with colleagues across KPMG, in particular in the wider Consulting, Audit and Advisory areas
  • Promote a collaborative culture encouraging constructive working relationships with the audit team and others



  • University degree in the field of computer science/technology management and 6+ years related work experience
  • Certifications in Cyber Security and/or Technology fields required
  • In-depth knowledge across different domains including data security, cybersecurity, risk & control, operational risk management, third party risk, cloud, IT service management
  • Excellent understanding of security audit and/or standard audit practices
  • Ability to conduct technical security audits of complex information systems effectively
  • Ability to analyse information systems and technical specifications against defined security control standards and identify deficiencies and remediation strategies effectively
  • Solid experience with network security, vulnerability management, incident response
  • Extensive knowledge of emerging cyber security trends and threats (DoS/DDoS, phishing, ransomware, malware, SQL injection, zero-day exploits, cross-site scripting, and others)
  • In-depth knowledge of network and security system functionality (firewall, ACL, VLAN, TCP/IP, PKI, VPN Tunnelling, proxies, DNS, CDN)
  • Familiarity with latest security software, encryption and related solution such as WAF, MFA, SOC, NDR, NAC, MDM, SIEM, DLP, etc
  • Familiarity with industry security standards such as HKMA C-RAF, ISO/IEC 27001, SOC2 TSC, PCI-DSS, US NIST SP 800-53, CIS Critical Controls, etc. is a plus
  • Strong understanding of audit and documentation requirements