Job Description

At CommBank, we never lose sight of the role we play in other people’s financial wellbeing.
Our focus is to help people and businesses move forward, to progress. To make the right
financial decisions and achieve their dreams, targets and aspirations. Regardless of where
you work within our organisation, your initiative, talent, ideas and energy all contribute to
the impact that we can make with our work. Together we can achieve great things.

Your Business
CommBank is recognized as leading the industry in IT and operations with its world-class
platforms and processes, agile IT infrastructure, and innovation in everything from
payments to internet banking and mobile apps. To achieve this competitive advantage and
deliver better customer outcomes we have a dependency on a range of Suppliers providing
products and services.

Your Impact and Contribution

This role is to support the supplier risk agenda at CommBank, primarily through the
execution of supplier risk assessments and providing quality risk advice to the business.
The contribution of this role will allow the Group to make risk-based decisions with agility to
improve the Group’s overall supplier risk exposure.

Roles and Responsibilities

• The individual should have the ability to work effectively under pressure without compromising professional standards or the quality of the work being performed.
• Understand the process workflow related to assessments from the initiation phase through completion by having conversations with suppliers during walkthroughs, and capture key control areas effectively.
• Design and conduct controls assurance testing for CBA suppliers.
• Regularly review key controls for design and operating effectiveness.
• Follow the Group's Operational Risk Management Framework to conduct Control Assurance Program (CAP) testing by:
  - Planning for a review (based on the schedule of key controls reviews, RiskInSite data, Risk Controls Self-Assessments (RCSA) data and contractual obligations)
  - Designing the controls effectiveness testing and documenting the scope
  - Conducting the testing in accordance with the sampling methodology designed and obtaining evidence
  - Documenting outcomes of conformance / non-conformance
  - Testing of the supplier environment (including locations outside of Australia)
• Work with internal and external stakeholders to ensure the timely and effective execution of CAP testing.
• Understanding of the COSO framework and its relevance to SOC.
• Detailed understanding of SOC reports (SOC 2, Type 1 and Type 2) and ISMS reports, and the ability to relate IT General Controls, IT Application Controls and Cyber Controls to the SOC framework.
• Technical writing, including reporting on the effectiveness of controls and documentation of observations.
• Ability to travel up to 25% for CAP testing, if required.

Required Skills

• At least 6 years' work experience in the Financial Services industry in Audit, Compliance or consulting environments;
• Preferably experienced in Control Assurance testing for supplier environments;
• Previous experience in Non-Financial Risk/IT, Operational Risk, or Compliance desired;
• Sound understanding of information security management, privacy, IT service continuity, IT disaster recovery, business continuity management, Client Data Protection and third-party control assurance;
• Demonstrated ability to build, engage, and maintain effective working relationships with a broad range of stakeholders;
• Ability to investigate, analyze, review and document processes in order to improve or enhance IT controls for better business outcomes;
• Proven verbal and written communication skills appropriate for the role;
• Effective time management with strong planning and organizational skills;
• Knowledge of current applicable regulatory requirements relevant to regulated financial institutions, and familiarity with APRA standards (including but not limited to CPS220, 231 and 232);
• Certifications such as CISA, CRISC, CGEIT, CISM, COBIT or ISO27001 would be preferred.