
Sector IT Audit, Risk & Compliance Manager at Avon HMO

Avon HMO · Lagos, Nigeria · Networking and Tech Support
Full Time

Avon Healthcare Limited (Avon HMO) provides healthcare services to individuals, families, groups, companies and the government. We offer a comprehensive line of products and services that caters to the unique needs of all our members, at every price point. We were incorporated on the 26th of August, 2010 and duly licensed by the regulatory authority (NHIS) to operate as a national HMO. Our range of healthcare services has been designed with organisations such as yours in mind. In addition to our health insurance plans, we offer health risk assessment, occupational health management and employee well-being services. Across all these services, we are able to customise our offerings to suit your specific needs. Through our network of over 300 hospitals and clinics spread across the 36 states and major LGAs in the country, we commit to providing your staff and their families with easy-to-access, responsive healthcare services that meet the world's best standards.

Job Summary

  • The Sector IT Audit, Risk & Compliance Manager plays a pivotal role in safeguarding the technology-enabled processes and digital assets of Avon HMO and Avon Medical. This role ensures proper IT governance, policy and regulatory compliance, cybersecurity assurance, and risk-based audit practices across both organisations.
  • The individual will conduct IT audits, evaluate internal controls, ensure compliance with policies (e.g., data protection, cybersecurity, IT usage), and support key technology and digital health initiatives by embedding risk and assurance early in the project lifecycle. The position also supports readiness for both internal and external regulatory audits.

Key Responsibilities

IT Audit & Assurance

  • Develop and execute an annual risk-based IT audit plan for the sector.
  • Conduct audits across:
    • Hospital Information Systems (HIS) and Electronic Medical Records (EMR)
    • HMO claims platforms and core business systems
    • Cloud infrastructure, data backups, and disaster recovery environments
    • Logical access controls, change management, IT general controls (ITGC)
  • Perform pre- and post-implementation reviews for major IT initiatives.
  • Ensure audit findings are reported clearly and tracked to closure.

Policy Compliance & Regulatory Adherence

  • Monitor compliance with internal IT and cybersecurity policies.
  • Ensure adherence to NDPA and NHIS digital health regulatory frameworks.
  • Collaborate with the Data Privacy Officer and Policy Management team to:
    • Monitor policy updates and staff attestations
    • Identify and escalate non-compliance or exceptions

IT Governance & Risk Management

  • Maintain and update the IT risk register across Avon HMO and Avon Medical.
  • Track mitigation plans and closure of risk and audit items.
  • Participate in business continuity and disaster recovery assurance exercises.
  • Serve as a risk advisor on governance and technology steering forums.

Cybersecurity Oversight

  • Review access logs, firewall configurations, and threat alerts.
  • Support vulnerability scans, phishing simulations, and awareness sessions.
  • Audit privileged access, dormant accounts, and administrative controls.
  • Participate in incident response post-mortems and impact assessments.

Operational Process Assurance

  • Review patient, claims, and billing processes for control gaps.
  • Support digitisation of workflows with assurance on data integrity and configuration controls.
  • Identify manual overrides, mismatches, and workflow inconsistencies affecting service delivery.

Data Integrity & Reporting Validation

  • Validate NHIS reporting data, HMO dashboards, and sector KPIs.
  • Investigate data discrepancies across interconnected systems (e.g., EMR vs. Claims).
  • Recommend safeguards for data flows, report automation, and audit trails.

Project & Change Assurance

  • Evaluate IT projects and change requests for control compliance.
  • Track high-risk digital initiatives, vendor-led implementations, and critical upgrades.
  • Embed assurance requirements during system design, UAT, go-live, and post go-live phases.

Reporting & Engagement

  • Prepare concise, impactful reports and dashboards for:
    • Sector MDs and Head of Healthcare
    • Group Head, IARC
    • Sector Management Team
  • Support internal awareness sessions, cross-team working groups, and governance workshops.

Technology Skills & Tools Required

IT Audit & Control Evaluation

  • Experience with ITGCs, application control audits, and process walkthroughs.
  • Ability to audit EMR/HIS, HMO platforms, and ERP environments.
  • Knowledge of COBIT, ISACA, NIST, and healthcare IT standards.

Access & Identity Management

  • Proficiency in reviewing Active Directory, RBAC, MFA, and access logs.
  • Ability to conduct SoD reviews and privileged access audits.

Network & Infrastructure Audit

  • Basic knowledge of firewalls, patch management, antivirus tools, and DR environments.
  • Familiarity with Azure/AWS cloud configurations and security layers.

Audit & Monitoring Tools

  • Exposure to GRC tools (e.g., AuditBoard, MetricStream), SIEM (e.g., Sentinel, QRadar), and vulnerability scanners (e.g., Nessus, Qualys).
  • Strong Excel and report scripting capability for audit documentation.

Data & System Integrity Reviews

  • Experience with data reconciliation, SQL-based queries, and log file analysis.
  • Knowledge of ETL audits, transformation logic validation, and output accuracy testing.

Key Skills and Competencies

Technical Expertise

  • In-depth knowledge of IT audit, cybersecurity controls, and regulatory frameworks.
  • Understanding of sector-specific digital workflows and their control implications.

Governance & Oversight

  • Proficiency in risk registers, mitigation planning, and assurance in IT projects.
  • Ability to audit vendor controls and manage SLA compliance oversight.

Communication & Influence

  • Strong report writing and communication skills for both technical and non-technical audiences.
  • Confidence in leading discussions with cross-functional teams and management.

Behavioural Attributes

  • High integrity, objectivity, and discretion in managing confidential and sensitive matters.
  • Meticulous attention to detail, with strong investigative and analytical instincts.
  • Proactive and organised approach to multi-entity responsibility and reporting.

Requirements

  • Bachelor’s degree in Information Technology, Computer Science, or a related discipline.
  • Minimum of 8 years’ relevant experience in IT audit, risk management, or compliance.
  • Prior work in healthcare, insurance, or other regulated sectors preferred.
  • CISA certification.
  • Additional certifications (CRISC, ISO 27001, CISSP, CDPSE) are highly desirable.
  • Familiarity with Nigerian data protection and health sector compliance frameworks.
