Director, Internal Audit - Technology, Information Security and AI POST NUMBER: 480324
The Director, Internal Audit – Technology, Information Security, and AI leads the planning and delivery of risk-based audits and advisory work across the Bank’s technology and digital risk domains. This role provides independence assurance over technology risks across ITGCs, cybersecurity governance, cloud governance, data management, AI, and technology operations. The Director is expected to exercise independent authority and credible challenge with senior technology leaders including the Chief Technology Officer (CTO) and their leadership team ensuring that technology risks, control gaps, and remediation commitments are appropriately identified, debated, and addressed.
The role requires sufficient technical knowledge and professional competence to engage in difficult, sometimes adversarial conversations with technology leadership, while maintaining a constructive, respected, and independent relationship. Co-sourced SMEs may support deep technical assessments; however, the Director must independently interpret results, synthesize risk implications, and challenge management where standards or practices are insufficient.
About the Opportunity
Risk Assessment & Strategy Planning (20%)
- Own and maintain the technology audit universe for core domains: Technology Strategy, Data, and AI, Technology Integration, Software Engineering, Digital Services, Technical Services & Performance, Technology Operations, and Information & Cyber Security.
- Maintain awareness of technological changes in both external and internal environments including trends in risk management practices and regulatory expectations, and changes in business activities to perform quarterly risk assessments for the technology audit entities within the Internal Audit Universe.
- Lead the annual technology risk assessment, identify appropriate audits to be included in the annual audit plan and help develop the Plan for the Audit Committee approval.
- Identify emerging risks within the Technology audit portfolio (e.g., cyber threats, cloud adoption, data privacy), monitor these risks to determine their impact, and assess changes needed for the annual audit plan or planned audits. Incorporate changes as appropriate.
- Oversee execution and end-to-end delivery of all audit projects within the Technology audit universe, ensuring all documentation and audit reports are complete, and projects are appropriately and effectively staffed. Coordinate use of co-sourced technical experts for deep cyber/cloud/AI testing where needed.
- Lead opening and closing meetings, ensuring audit project planning is appropriately completed, reviewing audit working papers, and preparing/reviewing draft internal audit report for each project. Review control design and effectiveness using industry frameworks (NIST CSF, ISO 27001, COBIT).
- Deliver balanced and insightful reporting to the Chief Internal Auditor and Audit Committee on technology risk posture, themes, and systemic gaps.
- Oversee remediation/closure of IT audit findings, OSFI findings including tracking closure to due dates, the validation of findings with management, ensuring appropriate responses are received, and appropriate quality assurance practices are followed.
- Provide independent advice during major technology initiatives (policy& standards enhancements, modernization, cloud migration, data platform enhancements) from governance and risk lens and collaborate with stakeholders to embed controls early.
- Develop and maintain independent and influential relationships with senior technology stakeholders, including the CTO, CISO, Data & Privacy leadership, and enterprise risk partners (i.e., ERM, ORM, Compliance).
- Develop and maintain working relationships with the Bank’s external auditors to support their direct assistance and or audit reliance model.
- Demonstrate the authority, credibility, and technical understanding necessary to challenge technology decisions, risk acceptances, and control deficiencies especially in areas where management believes risks are mitigated.
- Facilitate difficult discussions with technology leadership by articulating risk impacts, regulatory expectations, and control considerations in a clear and authoritative manner.
- Lead a team of IT audit professionals with a mix of internal capabilities and co-sourced specialists.
- Mentor team members to deepen expertise in ITGCs, cyber governance, and foundational cloud/data risks.
- Ensure all technology audit work adheres to the Global Internal Audit Standards (GIAS) and Internal Audit methodology. Contribute to annual review of audit practices and methodology against relevant benchmarks.
- Map controls to recognized frameworks as appropriate: NIST CSF/800-53, ISO 27001/27701, COBIT, CIS Controls, CSA CCM, PCI DSS (if applicable), and applicable privacy regulations. Recommend changes to audit processes, methodology and reporting to improve effectiveness.
- Champion continuous improvement, agile auditing methods, and data-driven audit techniques (CAATs, automation, scripts, and continuous monitoring).
- Promote tooling: GRC, ticketing/ITSM (e.g., ServiceNow), CI/CD, CSP native security tooling, CSPM/CWPP, SIEM/SOAR, data lineage/governance tools, and model monitoring platforms.
- University degree in information systems, Computer Science, Engineering, Accounting, or related field.
- Certified Information Security Audit designation.
- Certifications in the following are preferred:
- Audit: CIA, Risk: CRISC, CGEIT, Security: CISSP, CISM, CCSP, ISO 27001
- Cloud: AWS/Azure/GCP security or architecture certifications
- Data/Privacy: CDMP, CIPT/CIPM/CIPP, ISO 27701
- 10 years of progressive experience within the Financial Services Industry.
- Solid Information Technology (IT)/Information Security (IS) audit and/or similar management experience in a regulated financial institution.
- Strong experience leading audits of information technology, information security, data management, and project management, in conformance with IIA Standards.
- Excellent understanding of risk management and related governance concepts, tools, techniques and best practices gained from practical financial services experience.
- Strong command of at least three of the following: ITGCs, cybersecurity operations, cloud security/ governance, data governance/quality/privacy, SDLC/DevSecOps, AI/ML governance/model risk.
- Strong understanding of the Bank’s risk tolerance, risk management, & risk assessment activities.
- Technical auditing proficiency in a regulated financial services environment, including strong analytical risk assessment and problem-solving skills.
- Ability to counsel and advise on complex risk situations affecting the organization, within the context of audit assignments, including recommendations on related risk management.
- Excellent communication, decision making, time management, negotiation, and influencing skills.
- Leads and demonstrates knowledge, teamwork, cross-unit cooperation and information and consistently demonstrates and reinforces organizational values.
- Solution-focused and takes initiative ensuring self and team work effectively and efficiently within established guidelines.
- Ability to lead a strategic and progressive approach to provide value-added recommendations to leaders across the Bank.
Pay Rate:
$80/Hour
How to Apply
Click the “Apply Now” button and follow the instructions to submit your resume. Please note that we only accept documents in MS Word or Rich Text formats. When referencing this job, quote #480324.
This position for employment is for a current vacancy with Vaco/Highspring’s client. You must currently reside within the Greater Toronto Area and be permitted to work in Canada to be considered for this opportunity. A recruiter will be in touch with you if your profile meets our client’s requirements for this role
Determining compensation for this role (and others) at Vaco/Highspring depends upon a wide array of factors including but not limited to the individual’s skill sets, experience and training, licensure and certifications, office location and other geographic considerations, as well as other business and organizational needs. With that said, as required by local law in geographies that require salary range disclosure, Vaco/Highspring notes the salary range for the role is noted in this job posting. The individual may also be eligible for discretionary bonuses, and can participate in medical, dental, and vision benefits as well as the company’s 401(k) retirement plan. Additional disclaimer: Unless otherwise noted in the job description, the position Vaco/Highspring is filing for is occupied. Please note, however, that Vaco/Highspring is regularly asked to provide talent to other organizations. By submitting to this position, you are agreeing to be included in our talent pool for future hiring for similarly qualified positions. Submissions to this position are subject to the use of AI to perform preliminary candidate screenings, focused on ensuring minimum job requirements noted in the position are satisfied. Further assessment of candidates beyond this initial phase within Vaco/Highspring will be otherwise assessed by recruiters and hiring managers. Vaco/Highspring does not have knowledge of the tools used by its clients in making final hiring decisions and cannot opine on their use of AI products.
Vaco by Highspring values a diverse workplace and strongly encourages women, people of color, LGBTQ+ individuals, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply.
EEO Notice
Vaco by Highspring is an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race (including but not limited to traits historically associated with race such as hair texture and hair style), color, sex (includes pregnancy or related conditions), religion or creed, national origin, citizenship, age, disability, status as a veteran, union membership, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, political affiliation, or any other protected characteristics as required by federal, state or local law.
Vaco by Highspring and its parents, affiliates, and subsidiaries are committed to the full inclusion of all qualified individuals. As part of this commitment, Vaco by Highspring and its parents, affiliates, and subsidiaries will ensure that persons with disabilities are provided reasonable accommodations. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or to receive other benefits and privileges of employment, please contact HR@vaco.com .
Vaco by Highspring also wants all applicants to know their rights that workplace discrimination is illegal.
By submitting to this position, you agree that you will be giving Vaco by Highspring the exclusive right to present your as a candidate for the foregoing employment opportunity. You further agree that you have represented information about yourself accurately and have not affirmatively misrepresented your qualifications. You also agree to maintain as confidential, to the fullest extent permitted by law, any information you learn from Vaco by Highspring about the position and you will limit disclosure of information about the position only to the extent necessary to perform any obligations in furtherance of your application. In exchange, Vaco by Highspring agrees to exercise reasonable efforts to represent you through all solicitation, job screening and resume dispersal.
Privacy Notice
Vaco by Highspring and its parents, affiliates, and subsidiaries (“we,” “our,” or “Vaco by Highspring”) respects your privacy and are committed to providing transparent notice of our policies.
- California residents may access Vaco by Highspring HR Notice at Collection for California Applicants and Employees here.
- Virginia residents may access our state specific policies here.
- Residents of all other states may access our policies here.
- Canadian residents may access our policies in English here and in French here.
- Residents of countries governed by GDPR may access our policies here.
Pay Transparency Notice
Determining compensation for this role (and others) at Vaco by Highspring depends upon a wide array of factors including but not limited to:
- the individual’s skill sets, experience and training;
- licensure and certification requirements;
- office location and other geographic considerations;
- other business and organizational needs.
With that said, as required by local law, Vaco by Highspring believes that the following salary range referenced above reasonably estimates the base compensation for an individual hired into this position in geographies that require salary range disclosure. The individual may also be eligible for discretionary bonuses.