1. Tell me about yourself.

➢ Thank you for this opportunity, my name Dursa

➢ I have built a solid academic foundation, with both a Bachelor's and a

Master's degree in Computer Science from Hawassa and Gondar
Universities

➢ Four skills I am hardworking, diligent, self-disciplined and Result Driven

and proactive team player with the skills to meet the roles demands. I
pride myself on high standards, strong work ethics and supporting
coworkers. I possess strong skills in database design, optimization, and
security, ensuring data integrity and performance for enterprise-level
applications.

➢ Three experience My experience of working on teams collaborating on time

sensitive project and My career is highlighted by a consistent record of
successfully leading large-scale, mission-critical projects from conception
to deployment.

➢ This mindset is proven in my practical experience. I have significant

experience working within teams to deliver time-sensitive projects. I
understand that in an IS context, meeting deadlines is critical for business
continuity and achieving strategic goals.

➢ I spearheaded the development of Ramis Bank's Core Banking and Digital

software, modernizing their financial operations. I also led the teams that
delivered comprehensive Enterprise Resource Planning (ERP) systems for
both Dire Dawa University and the Dire Dawa Police Commission,
significantly improving their operational efficiency and data management
capabilities.

➢ Two achievement iam a high achiever

➢ In terms of achievements, my background as a high achiever is

demonstrated through my academic success and my ability to contribute
to project goals. For example, during my master's program, I led a team
project to , e.g., 'develop a database system that improved data retrieval times by
20%' or 'analyze and streamline a business process for Dire Dawa University
ICT Department and Data Center and also for Rammis Bank.
 ➢ I have worked on as a Leader and Invloved in i completed several projects
at Rammis Bank, including:

• Rammis Bank Shareholder Management System

• Rammis Bank Server Specification (Up to Linux Server Configuration)

• Rammis Bank Website Development

• Network Installation for Expanding for 18+ Rammis Bank Branches

• Rammis Bank Bulk SMS Sender Implementation

• Rammis Bank Hajji System Implementation

• Rammis Bank AGM (Annual General Meeting) System (Worked with a

Team)

• As a Rammis Bank USSD Team Leader (Collaborated with Onetaps

Company)

• Rammis Bank ATM, POS, and Card Design (Collaborated with Azentio
and Ethio Switch)

• As a Digital Team Leader for IMAL Project (Digital Phase – Led Until
Completion)

➢ One thing I will do in the role to make a positive difference

➢ The one thing I am committed to doing in this role is making a positive

difference by ensuring that the information systems auditors I work on are
reliable, efficient, and directly support your company's strategic objectives. I
am confident that my technical background and results-oriented approach
will allow me to contribute effectively from the start."

➢ I am a strategic senior professional ready to protect and add value to a

financial institution.

1. Why do you want to work for this bank?

I want this job because I am passionate about this work and also, I’m impressed by your
Resourceful bank's digital transformation, you have great reputation, stability and you will
always find smart and clever ways to overcome difficult problems and support your staff to
reach their full potential. I want to apply my skills in a leading institution where strong
security is a top priority.

2. Why should we hire you?

I believe you should hire me for four reasons
a. I already have necessary experience there is a much for the job description
b. I have the necessary skills, the quality and the attribute of IS audit I offer a
unique combination of three elements that are critical for an IS Auditor in a bank.
c. I offer the right mix of technical auditing skills and specific banking regulatory
knowledge. I can immediately help protect the bank from financial and
regulatory risks
d. You should hire me because I am an innovative employee who will bring creative
ideas to the team to help protect the bank from financial and regulatory risks."
e. I will always take the responsibility for my own ongoing professional
development

3. Why you want to leave the current job?

Simply because I am seeking a fresh challenge with a new forward-thinking employee

like yours that has ambitious plan in this bank industry

4. What are your career goals?

To become a subject matter expert in banking IT risk. I aim to grow into a director
general information system auditor or team lead role, contributing to the bank's long-
term security strategy.

5. What are your strengths?

One of my great strengths is I am very Receptive. I will always listen to feedback from my
supervisors and I will support the company in new initiatives Analytical thinking and clear
communication. I can dissect complex systems and explain the risks to both technical
teams and management clearly."

6. What are your weaknesses?

my biggest weakness is struggling to say No to people which means I sometimes

overcommit.

I can be overly detailed. I've learned to prioritize findings by risk level to ensure major
issues are addressed first in my reports."
 7. How you deal with a conflict with a coworker?

I make sure causing the conflict before sitting down in private with my coworker to find an
amicable solution to the conflict

II. Technical Knowledge Questions

1. Name key banking regulations.

"SOX (financial controls), GLBA (data privacy), FFIEC guidelines (IT examination), and
Basel II/III (operational risk)."

2. What is the FFIEC CAT?

*The FFIEC Cybersecurity Assessment Tool. It's a framework to help banks measure their
cybersecurity maturity and preparedness."

3. What are risks in Online/Mobile Banking?

"Account takeover, insecure APIs, transaction fraud, and SQL injection attacks."

4. Explain Segregation of Duties (SoD).

No one person should control a full process. Example: The person who initiates a
payment cannot also approve it."

5. Preventive vs. Detective Controls?

Preventive:** Stops an incident (Firewall). **Detective:** Finds an incident (SIEM alert).

**Corrective:** Fixes after an incident (Data restore from backup)."

6. What is SDLC? Why audit it?

Software Development Lifecycle. We audit it to ensure proper controls (like code review
and testing) are built-in from the start, preventing security flaws in new applications."

III. Behavioral Questions (Use STAR Method)

**S**ituation -> **T**ask -> **A**ction -> **R**esult

1. **Describe a time you found a significant security flaw.

* **S:** Auditing the wire transfer system.

* **T:** Ensure no one could approve their own transactions.

* **A:** Found a config error allowing this. Documented and escalated it immediately.
 * **R:** The flaw was fixed in 48 hours, preventing potential financial loss.

2. **Tell me about a time you had a tight deadline. **

* **S:** A regulatory exam was moved up.

* **T:** Complete the audit fieldwork in half the time.

* **A:** Prioritized high-risk areas, used automated scripts for data analysis, and
coordinated daily with the team.

* **R:** We delivered a quality report on time, and the bank was well-prepared for the
exam.

3. **Describe a difficult conversation with an auditee.**

* **S:** A manager wasn't performing required access reviews.

* **T:** Report the failure without damaging the relationship.

* **A:** Met privately, explained the risk (ex-employees could still have access), and
understood his process was manual.

* **R:** He completed the reviews, and we automated the process, fixing it

permanently.

4. **Give an example of a complex audit you led.**

* **S:** Audit of a new core banking system implementation.

* **T:** Ensure controls were effective before go-live.

* **A:** Reviewed change management, tested user acceptance, and verified access
controls and disaster recovery plans.

* **R:** Identified key gaps in data migration testing, which were fixed, ensuring a
smooth and secure launch.

IV. Scenario-Based & Situational Questions

1. **If you found fraud, what would you do?

* "Immediately document the evidence. Escalate directly to my Audit Director as per the
policy, maintaining strict confidentiality. I would not confront the individual."
2. How would you audit our cloud environment?

* "I'd focus on: 1) Identity and Access Management (who has admin rights), 2) Data
encryption, 3) Cloud provider contracts (SLAs, data ownership), and 4) Compliance with
shared responsibility model."

3. **A system owner disagrees with your finding. What do you do?**

* "I would listen to their perspective. I'd clearly restate the evidence, the risk, and the
relevant policy. If we still disagree, I'd escalate the issue to both our managers for
resolution, ensuring the audit opinion is objective and factual."

4. **The board asks you to explain a technical risk. How do you present it?**

* "I avoid technical jargon. I'd say, 'This weakness in our online system could allow
attackers to steal customer credentials, leading to direct financial loss and regulatory
fines, damaging our reputation.' I focus on the business impact: financial, operational, and
reputational."

V. Questions About Your Audit Experience & Methodology**

1. What audit frameworks are you familiar with? **

"COBIT, ITIL, and the NIST Cybersecurity Framework. I use them to structure my audits
and assessments."

2. What tools do you use for auditing?

*ACL or IDEA for data analysis, Nessus for vulnerability scanning, and manual testing
with tools like Wireshark or Burp Suite. I'm also proficient with GRC platforms like
AuditBoard."

3. How do you stay updated?

*I follow ISACA, read FFIEC updates, follow security news (Krebs, SANS), and participate
in relevant training/webinars."

VI. Questions for You to Ask the Interviewer

3. Technical & Role-Specific Questions

Q: What are key risks for a bank's online banking?

**A:** Account takeover, data breaches via insecure APIs, transaction fraud, and
application attacks like SQL injection.
Q: How do you approach auditing a new system?

A: I check controls at each phase: development (change management), testing (user

acceptance tests), and go-live (access controls and disaster recovery).

Q: What is Segregation of Duties (SoD)?

A: Ensuring one person can't control a full process. Example: The employee who initiates a
wire transfer should not be the one to approve it.

Q: What's the difference between a preventive and detective control?

A: Preventive stops a problem (e.g., a firewall). Detective finds a problem after it happens
(e.g., a fraud alert).

4. Behavioral Questions (Use the STAR Method)

**S**ituation, **T**ask, **A**ction, **R**esult

**Q: Describe a time you found a major flaw.**

**A:**

* **Situation:** Auditing the wire transfer system.

* **Task:** Ensure no one could approve their own transactions.

* **Action:** Found a configuration error allowing exactly that. Documented and

escalated it immediately.

* **Result:** The flaw was fixed within 48 hours, preventing potential financial loss.

**Q: Describe a difficult conversation with an auditee.**

**A:**

* **Situation:** A manager was not performing required user access reviews.

* **Task:** Report the failure without damaging the relationship.

* **Action:** Met with him privately. Explained the risk (ex-terminated employees could
still have access) and helped find the root cause.

* **Result:** He completed the reviews, and we automated the process, fixing it for good.

---
I. Advanced Technical & Regulatory Questions

1. How does Basel III impact IT auditing?

It emphasizes operational risk. IT audits must show that systems supporting capital
calculation and liquidity risk management are accurate, secure, and reliable to prevent
misreporting."

2. What is the role of an IS Auditor in a bank's cloud migration?

To ensure security and compliance are built-in. I'd audit the shared responsibility model,
data encryption, IAM policies, and ensure the cloud provider's certifications (SOC 2) are
reviewed."

3. What is SWIFT CSP, and why is it critical?

The SWIFT Customer Security Programme is a mandatory controls framework. Auditing for
CSP compliance is critical because it protects the global payment network from attacks
that could lead to massive financial fraud."

4. How would you audit the security of APIs?

I'd check for proper authentication (OAuth, API keys), rate limiting to prevent abuse, input
validation to stop injection attacks, and encryption of data in transit (TLS)."

5. What is the difference between IT General Controls (ITGC) and Application

Controls?

ITGCs are broad (e.g., access control for the entire OS, change management process).
Application Controls are specific to a system (e.g., a loan system automatically calculating
interest correctly)."

II. Behavioral & Situational Questions (Round 2)

1. Describe a time you had to audit an area you knew little about.

* **S:** Asked to audit a new AI-based fraud detection system.

* **T:** Provide assurance on its controls with no prior AI experience.

* **A:** I quickly researched the technology, focused on universal controls (data

integrity, model governance, input validation), and consulted a subject matter expert.

* **R:** Delivered a valuable audit that identified gaps in how the model's decisions
were logged and reviewed.
2. Tell me about a time you failed. What did you learn?

* **S:** I missed a key control in a network security audit.

* **T:** To provide comprehensive coverage of network devices.

* **A:** My sampling method was flawed. I only checked core switches, not edge
devices.

* **R:** I learned to refine my scoping and sampling techniques. Now, I always validate
my audit program with a senior colleague before starting fieldwork.

3. **How do you handle pressure before a major regulatory exam?

* **S:** The team was stressed before an OCC review.

* **T:** Ensure all our audit workpapers were flawless and ready for examiner scrutiny.

* **A:** I created a checklist, prioritized high-risk areas for a final review, and
maintained open communication with the team to avoid duplication of work.

* **R:** Our documentation was highly rated by the examiners, and the audit process
was commended.

4. **Describe a time you improved the audit process.

* **S:** Our user access review audit was manual and time-consuming.

* **T:** Make the process more efficient and effective.

* **A:** I learned scripting and developed a tool to automatically compare user lists with
HR records, flagging discrepancies.

* **R:** Reduced the time spent on this task by 70%, allowing us to focus on analyzing
higher-risk exceptions.

III. Risk & Judgment Questions

1. How do you prioritize your audit findings?

"I use a risk-based matrix: Likelihood and Impact. A high-impact, high-likelihood finding
(e.g., a flaw in fund transfer) is critical. A low-impact, low-likelihood finding (e.g., a minor
typo in a policy) is minor."
2. If you had limited time, what 3 areas would you audit first in a bank?

1.Online Banking (highest customer-facing risk), 2. Wire Transfer/SWIFT (greatest

financial loss risk), 3. Logical Access Controls (foundational to all systems)."

3. A manager says implementing your control recommendation is too expensive. What

do you do?

I would work with them to find a compensating control that mitigates the same risk at a
lower cost. If none exists, I would clearly document the business's acceptance of the
unresolved risk for the Audit Committee to see."

4. What is the biggest emerging threat to banks, and how should we audit it?

Sophisticated Phishing & Social Engineering, leading to ransomware and fund transfer
fraud. Audits should focus on the effectiveness of security awareness training, multi-factor
authentication (MFA) implementation, and endpoint detection and response (EDR)
capabilities."

IV. Culture Fit & Teamwork Questions

1. What do you expect from an audit manager?

Clear direction, support when facing challenges, and opportunities for professional
development. I believe a good manager fosters a learning environment."

2. How do you contribute to a positive team environment?

By sharing knowledge, helping colleagues who are behind schedule, and maintaining a
constructive, solution-oriented attitude during discussions."

3. Our auditors often present to the Board. How comfortable are you

### **Interview 1: The Technical Screening (With the IT Audit Manager)**

**Manager:** "Welcome. Let's start with a technical scenario. Imagine you are tasked with
auditing the user access controls for our Core Banking System. What would be your key
steps?"

**Candidate:** "Thank you. My approach would be risk-based. First, I would obtain the
complete user list and prioritize accounts with privileged access, like 'admin' or 'superuser'
roles. I would then sample a selection of these accounts and trace them back to the official
HR records to ensure they are active employees. A key test would be checking for
Segregation of Duties conflicts—for example, ensuring no single user can both initiate a
funds transfer and approve it. Finally, I would review the logs for the last user access review
to see if it was performed by line managers as per policy."

**Manager:** "Good. Now, if you found that a branch manager's login was used to approve
a loan from an IP address in a different city late at night, what would that indicate, and what
would be your next steps?"

**Candidate:** "That would be a major red flag for potential compromised credentials or
insider fraud. My immediate steps would be to preserve the log evidence and escalate this
to the CISO and Head of Internal Audit. I would recommend an immediate password reset
for that account and a forensic investigation to determine if it was a stolen password or if
the manager violated policy. This would also trigger a broader review of all after-hours
transactions.

### **Interview 2: The Behavioral Interview (With the Head of Internal Audit)**

**Head of Audit:** "Tell me about a time you had to present a critical audit finding to a
senior IT manager who was resistant to your recommendation."

**Candidate (using STAR):**

* **Situation:** "In my previous role, I found that the disaster recovery plan for a critical
application had not been tested in over two years, which was a high-risk finding."

* **Task:** "My task was to get the IT Director to commit to a test schedule and allocate
the necessary resources, which he was initially against due to cost and downtime
concerns."

* **Action:** "I prepared a brief business impact analysis. Instead of just stating the
control failure, I showed him the potential financial loss per hour if that application failed
during peak business. I also presented a low-cost tabletop exercise as a first step, which
required minimal downtime."

* **Result:** "By focusing on the business risk and offering a pragmatic solution, he
agreed to the tabletop exercise. That exercise successfully revealed several gaps, and he
subsequently approved a full-scale test for the next quarter."

**Head of Audit:** "Excellent. How do you stay current with the evolving IT threats relevant
to a bank like Awash?"
**Candidate:** "I maintain an active CISA certification, which requires continuing
education. I subscribe to threat intelligence feeds from organizations like SANS and follow
advisories from the NBE. I also participate in local ISACA chapter meetings to network with
other professionals and discuss emerging risks in the Ethiopian financial sector, such as
those targeting mobile banking platforms."

### **Interview 3: The Situational & Bank-Specific Interview (With the Chief Risk Officer)**

**CRO:** "Awash Bank is heavily investing in its Awash Mobile Banking and other digital
channels. From an audit perspective, what are the top two risks you would flag for our
management committee?"

**Candidate:** "Sir, the top two risks would be:

1. **Application Security:** The risk of vulnerabilities within the mobile app itself or its
APIs that could lead to data breaches or unauthorized transactions. This requires rigorous
penetration testing and secure coding practices.

2. **Customer Identity Theft and Fraud:** The risk of social engineering attacks like
phishing, where customers are tricked into revealing their credentials. This requires robust
multi-factor authentication and continuous customer awareness campaigns."

**CRO:** "Good points. Now, the NBE has just issued a new directive on cybersecurity.
What is the first thing you would do as our new IS Auditor?"

**Candidate:** "My first step would be to perform a detailed gap analysis. I would take the
directive, line by line, and compare it against our existing IT security policy, control
framework, and current system configurations. This would immediately give us a prioritized
list of what we are compliant with and where we have gaps. I would then present this to you
and the IT management with recommendations for an action plan."

### **Key Takeaways for a Successful Interview:**

* **Use the STAR Method:** For behavioral questions, always structure your answer with
Situation, Task, Action, Result.

* **Be Bank-Specific:** Weave in your knowledge of Awash Bank's products (Mobile

Banking, CBS) and the regulatory environment (NBE).

* **Think in Terms of Risk:** Always link technical findings to business impact (financial
loss, reputational damage, regulatory fines).

* **Show Professionalism:** Frame yourself as an objective advisor, not an adversary to

the IT department.
By preparing for these types of dialogues, you will demonstrate the technical depth, critical
thinking, and communication skills Awash Bank is looking for.

Of course. Here is a detailed breakdown of the duties and responsibilities of an

**Information Systems Auditor at Awash Bank**, structured to show the progression from
core tasks to strategic impact.

### **1. Core Audit Execution & Delivery**

This is the fundamental, day-to-day work of planning and performing audits.

* **Risk-Based Audit Planning:** Develop detailed audit programs for specific IT areas
(e.g., Core Banking System, Network Security, Awash Mobile Banking) based on a risk
assessment.

* **Fieldwork and Testing:** Execute audit procedures, which include:

* Interviewing IT staff, system administrators, and business process owners.

* Reviewing system configurations, security settings, and access control lists.

* Examining IT policies, procedures, and documentation.

* Performing substantive tests to verify the effectiveness of controls (e.g., testing if user
access reviews are actually performed, if changes are properly approved).

* **IT General Controls (ITGC) Focus:** Conduct deep-dive audits on the foundational
controls across all key systems, specifically:

* **Access Security:** Who can access what data and systems? (User access
provisioning/de-provisioning, privileged access management).

* **Change Management:** How are software and system changes made? (Testing,
approval, and deployment to production).

* **IT Operations:** How are systems backed up and recovered? (Backup verification,
disaster recovery plans).

### **2. Specific Domain Audits (Awash Bank Context)**

Applying core auditing to the specific technological landscape of Awash Bank.

* **Digital Banking Channels:** Audit the security and controls of:

* **Awash Mobile Banking and Internet Banking:** Testing authentication (2FA),

encryption, session management, and API security.
 * **ATM/POS Network:** Auditing for physical tampering, logical security (PIN
encryption), and transaction reconciliation processes.

* **Core Banking System (CBS):** Perform focused audits on the bank's central system
(like Flexcube or Finacle) to ensure the integrity, availability, and confidentiality of all
financial and customer data.

* **Cybersecurity Audits:** Evaluate the bank's cyber defense posture, including:

* Firewall, intrusion detection/prevention systems (IDS/IPS).

* Vulnerability management and patch management processes.

* Security awareness and phishing simulation results.

* Incident response plan and past incident reports.

* **Disaster Recovery & Business Continuity (DR/BCP):** Assess the IT DR plan, review
test results, and verify that Recovery Time (RTO) and Recovery Point (RPO) objectives are
achievable.

* **Third-Party/Vendor Risk Management:** Audit the controls and security practices of

critical vendors (e.g., cloud providers, payment switch operators, fintech partners).

### **3. Analysis, Reporting, & Advisory**

Transforming findings into actionable business intelligence.

* **Root Cause Analysis:** For every finding, determine the underlying process or control
failure, not just the symptom.

* **Report Drafting:** Prepare clear, concise, and objective audit reports that detail the
condition, criteria, cause, risk, and recommendation for each finding.

* **Risk Assessment:** Evaluate the financial, operational, and reputational impact of

each control deficiency to prioritize management's action.

* **Management Advisory:** Provide practical, cost-effective recommendations to

management to improve the control environment and mitigate risks. Act as a consultant to
help design effective controls for new systems.

### **4. Compliance & Regulatory Oversight**

Ensuring the bank adheres to external and internal rules.

* **National Bank of Ethiopia (NBE) Directives:** Monitor and ensure the bank's IT
practices comply with all relevant NBE directives on IT, cybersecurity, and data privacy.
* **Internal Policies & Standards:** Ensure IT activities align with the bank's internal IT
security policy, information security manual, and other governance frameworks.

* **Framework Adherence:** Utilize established frameworks like **COBIT (Control

Objectives for Information and Related Technologies)** and **NIST Cybersecurity
Framework** to guide the audit approach and assessment.

### **5. Continuous Monitoring & Follow-Up**

Ensuring issues are resolved and the control environment improves over time.

* **Issue Tracking:** Maintain a log of all audit findings and management's action plans.

* **Follow-Up Audits:** Conduct follow-up reviews to verify that management has

implemented agreed-upon remediation actions effectively and within the stipulated
timeframe.

* **Continuous Risk Monitoring:** Stay updated on emerging IT threats, new technologies

adopted by the bank, and changes in the regulatory landscape to proactively adjust the
audit plan.

In summary, an Information Systems Auditor at Awash Bank is not just a checker of boxes.
They are a **key risk advisor and assurance provider**, responsible for ensuring that the
technology which powers the bank's operations and digital growth is **secure, resilient,
and trustworthy**, thereby protecting the bank's assets and its customers' trust.

Of course. Here is a comprehensive guide for an **Information Systems Auditor** job

interview at a bank, structured as a conversation with potential questions and strong,
concise answers.

### **2. "What are the biggest IT risks for Awash Bank?"**

"Primarily, **cyber attacks** targeting mobile and internet banking. Secondly, **third-party
risk** from fintech partners. Third, **Core Banking System resilience**—ensuring uptime
and data integrity through strict change and access controls. Finally, **compliance** with
evolving NBE directives on IT and cybersecurity."

### **3. "How would you audit our Mobile Banking app?"**

"My focus would be on four key areas:

1. **Authentication:** Testing the strength of login, 2FA, and biometrics.

2. **Data Security:** Verifying encryption of data in transit and at rest.

3. **Session Management:** Ensuring sessions timeout correctly.

4. **API Security:** Reviewing how the app communicates with your servers for
vulnerabilities."

### **4. "Describe your IT General Controls (ITGC) audit approach."**

"I focus on the three critical areas:

* **Access Controls:** Sampling user accounts to check for proper authorization and
segregation of duties.

* **Change Management:** Tracing system changes from request to implementation,

ensuring proper testing and approval.

* **Backup & Recovery:** Verifying that backups are successful and disaster recovery
plans are tested."

### **5. "You find a critical vulnerability, but IT needs a week to patch it. What do you
do?"**

"I would immediately escalate the risk. Then, I'd work with the IT team to implement
**temporary compensating controls**, such as blocking the vulnerable port at the firewall
or increasing monitoring. I would document the risk and follow up daily until the patch is
applied."

### **6. "An employee is suspected of snooping on customer accounts. How do you
investigate?"**

"First, I would coordinate with HR and Legal. Then, I would preserve and analyze the
employee's **system access logs** from the Core Banking System to see which accounts
they viewed, when, and from which terminal. I would look for a pattern of access without a
business need and present the factual evidence."

**7. "Why do you want to work at Awash Bank?"**

"Awash Bank is a leader in Ethiopia's financial sector. Your commitment to digital

innovation is impressive, and with that growth comes critical risks. I want to use my skills to
directly contribute to the security and stability of a leading national institution, ensuring its
continued success."

### **Phase 1: Understanding the Interview Structure**

You can expect a multi-stage process:

---

### **Phase 3: Anticipated Interview Questions & Strategic Answers**

Here are questions categorized by theme, with explanations on what the interviewer is
really asking and how to structure your answer.

**2. "What do you think are the biggest IT risks facing a bank like Awash today?"**

* **What they want to know:** Your ability to think strategically and apply your knowledge
to their specific context.

* **Sample Answer (Prioritize):**

* **1. Cybersecurity Attacks:** "The shift to digital channels makes Awash a prime
target for phishing, ransomware, and social engineering attacks aimed at customer data
and funds."

* **2. Third-Party/Vendor Risk:** "As the bank relies more on fintech partners, cloud
services, and payment switches, ensuring the security of these external entities is critical."

* **3. Core Banking System Resilience:** "Any outage or integrity issue in the Core
Banking System (like Flexcube or Finacle) could halt all operations. Controls around
change management, access, and disaster recovery are paramount."

* **4. Data Privacy and Compliance:** "With the NBE's increasing focus, ensuring
robust data protection and adherence to regulatory directives is a top-tier risk."

**3. "Describe a time you had a difficult finding with an IT manager. How did you handle
it?"**

* **What they want to know:** Your communication, diplomacy, and conflict resolution
skills.

* **Sample Answer Strategy (Use the STAR method):**

 * **Situation:** "During an audit of network security, I found that a critical firewall rule
was misconfigured, exposing a segment of the internal network."

* **Task:** "My task was to report this high-risk finding and get management to commit
to a timely remediation."

* **Action:** "I first scheduled a private meeting with the Network Manager. I presented
the objective evidence—network diagrams and scan results—without being accusatory. I
explained the potential business impact (e.g., 'This could allow an attacker to reach our
database servers') rather than just stating the technical flaw. I listened to his perspective,
which was that the change was made under pressure for a business project. We then
worked together to design a more secure alternative."

* **Result:** "The manager agreed on the risk and implemented the fix within 48 hours.
This approach maintained a positive relationship and led to a more secure outcome."

#### **B. Technical & Domain-Specific Questions**

**4. "If you were to audit our Mobile Banking application, what would be your key areas of
focus?"**

* **What they want to know:** Your practical knowledge of auditing modern digital
channels.

* **Sample Answer:**

* **Authentication & Access Controls:** "I would test the strength of the login process,
including password policies, biometric security, and multi-factor authentication (2FA) for
transactions."

* **Session Management:** "I'd check if sessions timeout appropriately and if tokens

are invalidated after logout."

* **Data Security:** "I'd verify that sensitive data like account numbers and transaction
details are encrypted in transit (using TLS) and at rest on the device."

* **API Security:** "I'd review how the app communicates with backend servers, testing
for common API vulnerabilities like insecure direct object references."

* **Vulnerability Management:** "I'd inquire about the process for regular penetration
testing and code reviews of the application."
**5. "Walk us through how you would audit the IT General Controls (ITGC) for our Core
Banking System."**

* **What they want to know:** Your understanding of the foundational controls.

* **Sample Answer (Structured):**

* "I would focus on the three key areas of ITGC:

1. **Access Controls:** I'd sample user accounts to verify that access is granted based
on job roles (role-based access control), review privileged accounts (like 'admin'), and
check evidence of periodic user access reviews. I'd also look for and test 'segregation of
duties' conflicts (e.g., a user who can both create a loan account and approve it).

2. **Change Management:** I'd select a sample of changes (both emergency and

standard) from the change log and trace them through the process. I'd verify they were
properly authorized, tested in a staging environment, and approved before being moved to
production.

3. **Computer Operations:** I'd review the backup and recovery procedures, verify
successful backup logs, and inquire about the last Disaster Recovery drill, checking its
success against the Recovery Time and Point Objectives (RTO/RPO)."

**6. "The National Bank of Ethiopia (NBE) has issued a new directive on cybersecurity.
What would be your first steps?"**

* **What they want to know:** Your regulatory knowledge and project management skills.

* **Sample Answer:**

* "First, I would obtain and perform a detailed gap analysis of the new directive against
the bank's existing cybersecurity policies and controls."

* "I would then present the findings to the Head of Internal Audit and relevant IT/InfoSec
managers, prioritizing the gaps based on risk."

* "I would work with management to develop a realistic action plan with owners and
deadlines to address the gaps."

* "Finally, I would incorporate the new regulatory requirements into our annual audit
plan to ensure ongoing compliance is monitored and tested."
#### **C. Scenario-Based & Problem-Solving Questions**

**7. "An employee in the branches is suspected of using their system access to
inappropriately view customer account information. How would you investigate this?"**

* **What they want to know:** Your forensic mindset and understanding of detective
controls.

* **Sample Answer:**

* "I would start by coordinating with HR and Legal to ensure the investigation is handled
properly."

* "I would then immediately preserve the logs from the Core Banking System and the
Active Directory related to that user's account."

* "My analysis would focus on the user's transaction logs: what accounts did they
access, at what times, and from which terminal? I would look for patterns, such as
accessing accounts of friends, family, or celebrities without a business need."

* "I would correlate this with other data, like CCTV footage or door access logs, to
confirm the user was at their workstation at the time of the access."

* "I would document all evidence in a clear, factual manner for management to take
action."

**8. "You discover a critical vulnerability in an internet-facing system that could lead to a
data breach. The IT team says it will take a week to patch. What do you do?"**

* **What they want to know:** Your risk assessment and communication skills under
pressure.

* **Sample Answer:**

* "I would immediately escalate the finding to my supervisor and the CISO/Head of IT,
clearly stating the criticality and potential business impact."

* "I would work with them to understand the root cause of the delay. Is it a testing
requirement? A resource issue?"

* "I would ask if there are compensating controls that can be implemented immediately
to mitigate the risk in the interim, such as:
 * Blocking the vulnerable port at the firewall.

* Isolating the system from the rest of the network.

* Implementing intensified monitoring for exploitation attempts."

* "I would formally document the risk acceptance if no immediate action is taken and
follow up daily until the patch is applied

### **Phase 4: Your Questions to the Interviewer**

Asking insightful questions shows your interest and strategic thinking.

* "How does the internal audit function demonstrate its value and independence to the
Board's Audit Committee at Awash Bank?"

* "What is the biggest IT audit challenge the department has faced in the last year, and
what was the outcome?"

* "Can you describe the career path for an IS Auditor within Awash Bank?"

* "What is the bank's appetite for adopting new technologies like cloud computing or AI,
and how is the audit function preparing to assess the associated risks?"

### **1. Overview: The Role of an IS Auditor at Awash Bank**

At its core, an IS Auditor at Awash Bank acts as an **independent and objective assurance
provider**. They are the "guardians of the digital fortress," ensuring that the bank's rapidly
evolving technology landscape is secure, reliable, and compliant. Their work directly
protects customer deposits, maintains the integrity of financial records, and safeguards
the bank's reputation.

#2. Why This Role is Especially Critical at Awash Bank**

The Ethiopian banking sector, including Awash Bank, is undergoing significant digital
transformation. This creates unique risks that the IS Auditor must address:

* **Rapid Digitalization:** The push for mobile banking (e.g., Awash Mobile Banking),
internet banking, ATM/POS network expansion, and core banking system (CBS) upgrades
introduces new vulnerabilities.

* **Increased Cyber Threats:** As the bank's digital footprint grows, it becomes a more
attractive target for phishing, ransomware, and fraud attacks.
* **Regulatory Scrutiny:** The National Bank of Ethiopia (NBE) is increasingly focused on
IT governance and cybersecurity within financial institutions.

* **Dependence on Technology:** A failure in a critical system (like the CBS) could halt all
banking operations, leading to massive financial and reputational damage.

### **3. Key Focus Areas for an IS Auditor at Awash Bank**

The job description's responsibilities translate into these concrete areas of scrutiny:

**A. Core Banking System (CBS) and Critical Applications**

The CBS (likely a system like Flexcube, Finacle, or a similar platform) is the heart of the
bank. The auditor would focus on:

* **IT General Controls (ITGC):**

* Access Controls:** Who has access to the CBS? Are privileges (e.g., to create a new
loan account, reverse a transaction) based on the "principle of least privilege"? Are user
access reviews performed regularly?

* Change Management:** How are patches and updates to the CBS applied? Is there a
formal process to test changes in a non-production environment before going live?

* **System Development Life Cycle (SDLC):** For any in-house developed software (or
heavily customized systems), are there proper controls during design, development, and
testing?

* **Application Controls:** Specific controls within the software itself, such as:

* **Input Controls:** Ensuring data entered is accurate and valid (e.g., an interest rate
cannot be set to 500%).

* **Processing Controls:** Ensuring transactions are processed completely and

accurately.

* **Output Controls:** Ensuring reports and transaction outputs are reliable.

#### **B. Digital Banking Channels**

This is a high-risk area due to direct customer interaction.

* **Awash Mobile Banking & Internet Banking:**

* **Authentication: ** Is multi-factor authentication (2FA) robust and mandatory for

high-value transactions?
 * **Session Management:** Are user sessions securely timed out after periods of
inactivity?

* **API Security:** How do the mobile apps communicate with the backend servers? Are
the APIs secure against common attacks?

* **Penetration Testing:** Regularly engaging ethical hackers to test the security of

these applications.

* **ATM & POS Network:**

* **Physical Security:** Controls to prevent tampering (skimming devices).

* **Logical Security:** Encryption of PINs and data during transmission.

* **Reconciliation:** Ensuring all ATM transactions are accurately reconciled daily.

**C. Cybersecurity and Data Protection**

* **Network Security:** Reviewing firewalls, intrusion detection/prevention systems

(IDS/IPS), and network segmentation.

* **Vulnerability Management:** Is there a process to regularly scan systems for

vulnerabilities and patch them promptly?

* **Incident Response:** Does the bank have a tested plan to respond to a cybersecurity
incident (e.g., a data breach or ransomware attack)?

* **Data Privacy:** Ensuring customer data is handled in accordance with the NBE's
directives and the bank's privacy policy. This includes data encryption at rest and in transit.

#### **D. IT Governance and Strategy**

* **IT Policies & Procedures:** Do they exist, are they up-to-date, and are they effectively
communicated?

* **IT Risk Management:** Is there a formal process for identifying, assessing, and
mitigating IT risks?

* **Business Continuity (BCP) & Disaster Recovery (DRP):**

* **BCP:** How will the bank continue critical operations if a disaster hits a head office
or branch?

* **DRP:** Specifically, how will IT systems (especially the CBS) be recovered? What is
the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? The auditor would
test the DRP by participating in a recovery drill.
#### **E. Third-Party/Vendor Management**

Awash Bank likely uses external vendors for cloud services, payment switches, software,
etc. The auditor must ensure these vendors are secure.

* **Due Diligence:** Were vendors assessed for security before being contracted?

* **Contractual Controls:** Do contracts include clauses for security, confidentiality, and

right-to-audit?

* **Ongoing Monitoring:** Is vendor performance and security posture monitored

regularly?

### **4. The Audit Process in Practice at Awash Bank**

The "analyzing risks and controls" part follows a structured cycle:

1. **Planning & Risk Assessment:** The auditor identifies the area to audit (e.g., the
mobile banking platform) and understands the key risks (e.g., unauthorized fund transfer,
application downtime).

2. **Fieldwork & Testing:**

* They interview the IT team, network administrators, and application owners.

* They examine system configurations, review access logs, and analyze change
management tickets.

* They perform tests—for example, trying to log in with a test user from two different
devices to see if the first session is terminated.

3. **Reporting:** The auditor writes a report detailing:

* **Condition:** What was found (e.g., "150 user accounts had outdated passwords").

* **Criteria:** What the standard should be (e.g., "Bank policy requires password reset
every 90 days").

* **Cause:** Why it happened (e.g., "No automated enforcement mechanism").

* **Risk:** The potential impact (e.g., "Increased risk of account compromise").

* **Recommendation:** The proposed solution (e.g., "Enforce password expiry policy in

the Active Directory").
4. **Follow-up:** The auditor tracks the management's action plan to ensure the issue is
fixed within an agreed timeframe.

### **5. Required Skills & Knowledge for Success at Awash Bank**

* **Technical:** Deep understanding of networks, operating systems (Windows Server,

Linux), databases (Oracle, SQL Server), and core banking architecture.

* **Frameworks & Standards:** Knowledge of **COBIT**, **NIST Cybersecurity

Framework**, and **ISO 27001** is essential.

* **Regulatory:** Familiarity with **National Bank of Ethiopia (NBE)** directives on IT,

cybersecurity, and risk management.

* **Certifications:** A **CISA (Certified Information Systems Auditor)** is highly valuable

and often a requirement for career advancement.

* **Soft Skills:** Excellent communication skills to explain technical vulnerabilities to

non-technical senior management and the Board's Audit Committee.

### **Conclusion**

In summary, an Information Systems Auditor at Awash Bank is not just a technical checker
but a **key strategic risk advisor**. They enable the bank to pursue its digital growth
agenda with confidence by ensuring that the technology supporting this growth is resilient,
secure, and trustworthy. Their work is fundamental to protecting the bank's assets and,
most importantly, the trust of its millions of customers.

Of course. This is a well-defined job description for an Information Systems (IS) Auditor in a
banking context. Given the critical role of IT in modern banking and the stringent regulatory
environment, this is a high-responsibility position.

Here is a detailed breakdown of what this job entails, the key responsibilities, required
skills, and why the role is so crucial for a bank.

The description outlines four core pillars of the role:

1. **Conducting Audits & Projects:** This is the core activity. It involves planned,
systematic reviews of the bank's technology landscape.

2. **Monitoring Adherence to Controls:** This is a continuous oversight function to ensure

that established IT policies and procedures are being followed.
3. **Analyzing Risks & Recommending Improvements:** This is the analytical and
consultative part of the role, moving beyond just finding problems to proposing solutions.

4. **Reporting:** This is the communication link, providing transparency to management

and the audit committee.

### Key Responsibilities (Expanded from the Description)

An IS Auditor in a bank would typically be responsible for:

**A. Audit Execution:**

* **Planning:** Developing risk-based audit plans for specific areas (e.g., a review of the
new mobile banking app, the data center, or the loan origination system).

* **Fieldwork:** Performing audit procedures, which include:

* Interviewing IT and business personnel.

* Reviewing system configurations, security settings, and access logs.

* Examining policies, procedures, and documentation.

* Testing controls to see if they are operating effectively (e.g., testing if a user's access is
revoked promptly after they leave the bank).

* **IT General Controls (ITGC) Review:** A fundamental part of the job, auditing controls
over:

* **Access Security** (who can access what systems and data).

* **Change Management** (how software and systems are updated).

* **System Operations & Backup** (how systems are maintained and recovered in a
disaster).

**B. Specific Areas of Scrutiny in a Bank:**

* **Cybersecurity:** Reviewing firewalls, intrusion detection systems, vulnerability

management, and endpoint protection.

* **Data Privacy & Protection:** Ensuring compliance with regulations like GDPR, CCPA,
etc., especially for sensitive customer data.

* **Network Security:** Assessing the security of the bank's internal and external network
connections.
* **Disaster Recovery & Business Continuity (DR/BCP):** Testing the bank's plans to
recover IT systems after a major incident.

* **Application Controls:** Auditing specific business applications (like core banking,

trading platforms, or ATM networks) for logical and process controls.

* **Third-Party/Vendor Risk:** Assessing the security and controls of external vendors

(e.g., cloud providers, payment processors).

* **Compliance:** Ensuring adherence to banking regulations (e.g., SOX, GLBA, FFIEC

guidelines, PCI-DSS for card payments).

**C. Reporting and Communication:**

* **Drafting Reports:** Writing clear, concise, and objective audit reports that detail
findings, risks, and recommendations.

* **Presenting Results:** Discussing findings with IT management and business process

owners.

* **Follow-up:** Tracking management's progress in addressing the identified issues.

### Required Skills and Qualifications

**Hard Skills:**

* **Technical Knowledge:** Understanding of operating systems (Windows, Linux),

networks, databases, and cloud platforms (AWS, Azure).

* **IT Governance Frameworks:** Familiarity with **COBIT** (Control Objectives for

Information and Related Technologies), which is the de facto framework for IT audit.

* **Risk & Control Frameworks:** Knowledge of **NIST Cybersecurity Framework**, **ISO

27001**, and **ITIL**.

* **Banking Regulations:** Understanding of the financial services regulatory landscape.

* **Audit Methodology:** Proficiency in risk assessment, control design evaluation, and

audit testing techniques.

* **Certifications:** Highly desirable certifications include:

* **CISA (Certified Information Systems Auditor)** - The gold standard for this role.

* **CISSP (Certified Information Systems Security Professional)** - For a deeper

security focus.
 * **CRISC (Certified in Risk and Information Systems Control)**

**Soft Skills:**

* **Analytical Thinking:** Ability to analyze complex processes and identify potential

weaknesses.

* **Attention to Detail:** Crucial for spotting inconsistencies in logs or configurations.

* **Communication Skills:** Must be able to explain technical issues to non-technical

business managers and senior leadership.

* **Objectivity & Integrity:** Must remain independent and unbiased.

* **Project Management:** Ability to manage audit assignments from start to finish on

time.