Will North Email and Phone Number

At KPMG I am responsible for helping clients understand and improve the effectiveness of their control framework to manage technology, cyber and privacy risks.

At HSBC I was responsible for auditing key IT applications as part of integrated internal audits across front and back office processes within the private and investment bank, covering various asset classes such as equities and FX. This requires obtaining a detailed understanding of how technology supports the business process and identifying the key IT General Controls and IT automated controls that are pivotal in mitigating key business risks.Recent experience includes:- Custody and treasury - I was responsible for identifying and auditing the key IT automated controls with the settlement, corporate actions and securities lending processes. This included providing assurance over interface controls to ensure the completeness and accuracy of data processing, and conducting application code reviews of key CASS related controls such as the how the IT applications segregate client assets during the settlement process. I was also responsible for managing a team member to provide assurance over relevant IT General Controls of the applications using a risk based approach.- Cyber security and data loss prevention - I was responsible for working in a team to provide assurance over key cyber security and data loss prevention controls within a European private bank. My remit included assurance over malware prevention, privileged access monitoring, database security and network security controls.- Financial crime processes – I assessed the effectiveness of key IT controls over three financial crime applications for transaction monitoring, name screening and transaction screening. The key areas of focus were controls to ensure the completeness and accuracy of data interfaces with upstream applications and change control over screening rules.

I was responsible for the creation, management and delivery of the IT internal audit plan - covering both infrastructure and application audits - to provide assurance over key technology risks for this retail and commercial “challenger bank”.As well as performing audits autonomously, I was responsible for managing an assistant audit manager to deliver the IT audit plan and a co-source budget of approximately £100k per annum to deliver IT audits where internal resource was not available or specialist skills were required. I was also responsible for maintaining the relationship with the Chief Technology Officer and IT senior leadership team to communicate the IT internal audit plan and obtain their support for changes to it. Example experience includes : - IT audit plan creation - on joining the Bank I developed a four year risk-based IT internal audit plan that included coverage of industry good practice IT control frameworks (ISO 27002, ITIL v3 and COBIT v5) and key Bank applications. I also developed a programme of eight cyber security audits to be delivered over a two year period, designed to provide assurance to the Audit Committee over this key risk to the Bank, and a schedule of audits that were designed to provide assurance over the delivery of a critical IT project to replace a savings application that managed £1bn of customer deposits. - Online savings platform – I performed an end to end security review of the controls in place to mitigate key cyber security and fraud risks within a new online banking application. This included review of web application controls (e.g. customer authentication), infrastructure controls (e.g. network segregation) and the supporting contact centre processes to administer customer accounts (e.g. changes to nominated bank account details).

At PwC I performed technical cyber security internal audits myself, managed small teams in the delivery of less complex cyber security reviews and more general IT internal audits and assisted senior cyber security specialists in the delivery of consulting engagements.I was responsible for managing the IT internal audit plans for a number of clients, including a private bank, and managed the relationship with client contacts including heads of IT, finance directors and chief operating officers. I also led the IT controls benchmarking proposition in the Midlands, which I redesigned and increased its value.Example experience includes: - Cyber security strategy review – I assisted the PwC national cyber security team, including the ex CISO of a FTSE 100 bank, in assessing the adequacy of the cyber security strategy for a highly targeted FTSE 100 defence company. I was required to provide critical challenge to the cyber security strategy created by the company’s CISO, write the first draft report with the feedback from the PwC team and attend client meetings to discuss the findings. - Technical cyber security review – I reviewed the effectiveness of cyber security controls supporting a key online customer account management application for a FTSE 100 utilities company. The review included assessment of controls over vulnerability management, network security, security event monitoring and identify and access management. - Programme assurance – I performed a pre go live readiness review of a major application implementation that assessed the effectiveness of testing (e.g. User Acceptance Testing), data migration, staff training and communication.

At Experian I managed the end to end delivery of technically and logistically complex global IT and integrated internal audits. I predominantly led audits - managing teams of up to three of my peers - as well as working autonomously and supporting business auditors on integrated audits.Along with having full responsibility throughout the internal audit process for planning, fieldwork and reporting, I maintained relationships with senior IT management and third party co-source where specialist technical or language skills were required. I was involved in the creation of the IT audit plan, including attending global audit management meetings to develop the plan and presenting the draft plan to the global chief information officer and his senior management team. I also developed a data analytics suite using ACL to analyse the general ledger, sales ledger and purchase ledger to identify potential issues for further investigation by business auditors. The analytics suite included tests for issues such as duplicate payments and suppliers with the same bank account details as staff. Example experience included: - IT audit management - I managed an internal audit of Experian’s global identity and access management team. My core responsibilities included managing three IT audit peers based within the UK and North America to perform audit testing at three processing centres located in the UK, North America and Costa Rica. I also performed data analytics testing using ACL to test a 100% population of leavers across the UK and North America to check if their access had been removed from seven key global systems. - Database security – as part of the internal audit of a fraud detection application I conducted a security review of the underlying Oracle database. This included looking at the security configuration of the database (e.g. authentication mechanisms), the administration of user access and management of critical patch updates.