M-Pesa Senior Permanent Controller: IT, Cyber security and Data Analytics

Job Description

Role Purpose

To design, monitor, test, and continuously improve the permanent control framework over IT processes, cybersecurity controls, fraud risk controls, and data-driven monitoring, ensuring that key risks are identified, assessed, mitigated, and reported in line with internal control objectives, regulatory expectations, and the company’s risk appetite.

The role provides independent oversight and challenge to control owners/operators (1st Line of Defense), validates effectiveness through control testing and analytics, and ensures timely remediation of weaknesses; it does not execute daily operational controls. Evaluate adherence to Internal policies and procedures.

Key Responsibilities

1) IT General Controls (ITGC) – Permanent Control Oversight

• Maintain and update the IT permanent control plan and control library
• Perform control design review and operating effectiveness testing of ITGCs.
• Assess segregation of duties and role allocation appropriateness, drive remediation actions.
• Validate the adequacy of logs, evidence retention, and control traceability for audits/regulatory reviews.

2) Cybersecurity and Information Security Controls

• Oversee permanent controls for security governance, vulnerability management; endpoint and network security, firewall rules, data security and security incident response.
• Review cybersecurity dashboards and KRIs; escalate deviations and material exposure.
• Coordinate with Information Security to ensure security-by-design controls are embedded in projects.

3) Fraud Risk Controls – Prevention, Detection and Response Oversight

• Maintain a permanent fraud control framework across transaction monitoring rules effectiveness, account takeover and social engineering trends, agent/channel fraud and internal fraud controls
• Perform thematic reviews on fraud typologies and emerging risks; recommend enhancements to detection rules.
• Monitor the end-to-end fraud case workflow: detection → investigation → closure → recovery → reporting.
• Track fraud losses, trends, and control gaps; ensure action plans are owned, dated, and closed.

4) Data Analytics for Permanent Control (Continuous Control Monitoring – CCM)

• Build and maintain analytics-based controls and continuous monitoring for IT/security/fraud
• Define data requirements, validation checks, and lineage for reliable monitoring.
• Implement a structured issue management and alert escalation mechanism.

5) Risk Assessment, Control Testing and Assurance Activities

• Execute permanent control testing
• Issue clear results in Observation – Risk – Recommendation format with severity ratings.

6) Governance, Reporting and Remediation. Follow up.

• Produce monthly/quarterly permanent control reports:
• Escalate material risks to senior management and governance forums.
• Ensure closure validation: verify remediation evidence and prevent recurrence through control redesign.

7) Policy, Standards and Continuous Improvement

• Contribute to the definition/updating of IT security policies, access standards, change management standards and fraud risk management standards and monitoring frameworks
• Promote automation of controls and reduction of manual controls.
• Support regulatory examinations and internal/external audits, ensuring preparedness and evidence availability.

Deliverables (Key Outputs)

• Control test programs and working papers (test scripts, sampling, evidence, results)
• Dashboards and KRIs (access anomalies, change violations, fraud trends)
• Control Issues and Remediation Tracker with validated closures
• Thematic reviews (e.g., privileged access, patch compliance, fraud typologies)

Required Qualifications & Experience

• Bachelor’s (or higher) in IT, Computer Science, Cybersecurity, Information Systems, or related.
• 5 years’ experience in IT controls, cybersecurity governance, fraud risk, or IT audit.
• Proven experience with:
• ITGC, access governance, change management controls
• Cybersecurity control frameworks and monitoring
• Fraud controls and analytics-based detection methodologies
• Control testing, issue tracking, and remediation validation

Technical Skills (Must Have)

• IT controls: access reviews, PAM concepts, RBAC/SoD, change governance.
• Cybersecurity: vulnerability and patch management, endpoint/network controls, incident response lifecycle.
• Data analytics: SQL (preferred), Excel advanced, dashboarding (Power BI/Tableau), basic Python (nice-to-have).
• Evidence-based testing discipline; ability to write clear audit-style findings.

Competencies (Behavioral)

• Strong independent challenge mindset (2nd LoD) with diplomacy and influence.
• High integrity, confidentiality, and professional skepticism.
• Structured thinking; strong report writing and communication skills.
• Ability to handle complex issues, multiple stakeholders, and tight deadlines.