IT Controls, Risk

2 days ago


Sydney, New South Wales, Australia Australian Prudential Regulation Authority (APRA) Full time $120,000 - $180,000 per year

The role

The IT Controls, Risk & Audit Assurance Manager leads the oversight, development, and execution of organization-level IT control frameworks, risk assurance, and audit engagement activities. Operating independently, the role is responsible for ensuring that IT operations, projects, and systems meet internal control standards, regulatory expectations, and audit readiness across all technology domains.

The incumbent serves as the central point of coordination and escalation for all IT-related assurance matters and will actively engage with IT, second-line Risk/Compliance, and third-line Internal/External Audit functions.

The team

The IT Controls, Risk and Audit Assurance Manager reports to the Head of IT Governance in the DTS (Data, Technology & Security) Department and is part of the IT Governance team. This team collaborates with stakeholders across the organisation to establish processes and policies for managing IT, ensuring alignment between technology and business, with a focus on managing risks and compliance with frameworks.

Key stakeholders include the CIO, CTO, Architecture, Enterprise Security, and Product delivery teams, along with the Chief Information Security Officer, Chief Data Officer, Chief Risk Officer, and Project Management Office.

Key Responsibilities

  • Build, design, implement and maintain a clearly documented, auditable, and updated IT control framework (e.g., PSPF, ISM, NIST-aligned) that applies across infrastructure, applications, and cloud environments.
  • Take end-to-end ownership of IT-related audits (internal/external/regulatory), ensuring issues are addressed with validated evidence and sustained resolution.
  • Create a detailed RCM process and perform periodic RCMs, control testing, and deep dives across IT domains with stakeholder engagement and risk-informed actions.
  • Ensure all IT compliance obligations (e.g., PSPF, ISM) are mapped to controls; periodic assurance performed with documented evidence and reporting.
  • Ensure all policies and processes are in place, up to date, accurate and regularly reviewed.
  • Ensure regular and timely production of executive-level dashboards (e.g., audit status, risk posture, control effectiveness), used in governance forums.
  • Perform root cause analysis and ensure remediation plans for control gaps are defined, tracked, and independently validated.
  • Provide subject matter expertise on IT risk identification, assessment and mitigation strategies.
  • Be an active contributor to Risk and Audit Committees; trusted advisor to senior IT leadership.
  • Support or lead configuration and operation of Governance, Risk, and Compliance platforms.
  • Oversee the assessment and management of risks associated with third-party vendors and service providers including FOCI risks, ensuring they meet the organization's IT control standards and compliance requirements.
  • Lead and drive continuous improvement initiatives within the IT control and audit processes to enhance efficiency and effectiveness.
  • Perform an advisory role in new system designs, major IT projects, and transformation initiatives to embed 'right-first-time' controls.
  • Develop and deliver training and awareness programs to ensure that all relevant stakeholders are knowledgeable about IT control frameworks, risk management practices, and audit requirements.
  • Maintain regular communication with key stakeholders, providing updates on IT control, risk, and audit activities, ensuring alignment with business objectives, and driving a risk-aware culture.

About you

  • Extensive experience in IT audit, technology risk management, and IT control assurance, including direct leadership roles.
  • Strong background in regulated environments, particularly banking, insurance, or capital markets.
  • Proven record of leading audit and regulatory engagements (e.g., PSPF, ISM, NIST).
  • Experience building and managing enterprise-wide control frameworks and assurance programs across hybrid IT environments.
  • Desirable: professional certification (CISA, CISM, CRISC or equivalent).

To work with us, you must be an Australian citizen with eligibility to gain an NV1 clearance through the Australian Government Security Vetting Agency.

About APRA

Australian Prudential Regulation Authority (APRA) was established in 1998 as an independent statutory authority that supervises almost 1,200 financial institutions that manage $8.6 trillion in assets for Australians across the banking, insurance and superannuation sectors.

In overseeing the safety, competitiveness and stability of the financial system, we seek to recruit, develop and retain highly skilled professionals who want to help shape financial services and protect the financial wellbeing of the Australian community. Our employee base of almost 900 comes predominantly from the commercial financial services industry or other government agencies; as such, we have the feel of a small corporate organisation that can work flexibly and with agility.

Why Work for APRA

We recognise the skills, experience and commitment that our staff bring to their professional lives, and we seek to reward them accordingly. We also recognise that for our staff to be able to perform at their best, we need to ensure that they are able to bring their best selves to work. Our commitment to wellbeing is having engaged people supported by resilient leaders within a values-aligned culture.

At APRA, we're committed to providing an inclusive workplace where everyone belongs and feels valued and respected. We aspire to attract and foster diversity of background, thought, and experience, recognising that a broad range of perspectives, approaches and ideas makes us stronger and better enables us to meet our obligation to protect the financial wellbeing of the Australian community. If you need any adjustments during the recruitment process, please inform us at the application stage so we can do our best to accommodate your requirements.
