We are seeking a seasoned Senior GRC Analyst to build, lead, and mature our IT Governance, Risk, and Compliance (GRC) program. This is a pivotal role where you will be the primary architect of our new Sarbanes-Oxley (SOX) IT controls framework and will be responsible for establishing and leading the company's annual internal IT audit program.
This is a technical, hands-on role. You will not only design the control framework but also be expected to dive directly into our diverse systems (from SaaS platforms like Oracle NetSuite and Salesforce to CI/CD tools like Jenkins and GitHub) to verify configurations, analyze access controls, and retrieve audit evidence.
You will be responsible for designing and implementing a unified control framework that is both compliant and practical, bridging the gap between high-level financial reporting principles (COSO) and granular IT governance practices (COBIT). This position is critical for establishing a resilient, transparent, and scalable control environment to support our growth and mature our IT governance function.
This role works closely with key stakeholders including SaaS owners, Legal, Finance, CorpIT, Security, and Engineering, as well as external auditors. This is a high-impact position with a clear path for growth into team leadership for the right candidate.
Responsibilities:
Program Leadership & Strategy: Lead the development, documentation, and implementation of the SOX IT RACM Program. Proactively drive the IT control maturity milestones, advancing the program from an ad-hoc (Level 1) to a defined (Level 2) and implemented (Level 3) state.
Framework & Control Harmonization: Architect a unified control framework for both internally built and SaaS-based systems, ensuring all controls are mapped to both COSO principles and COBIT processes.
Framework Analysis: Lead control harmonization efforts by analyzing multiple frameworks (including ISO 27001, Cyber Trust Mark, and CCF) to identify common controls and streamline our compliance ambitions.
Internal Audit Leadership: Establish and lead the company's annual internal IT audit program. This includes developing the annual risk-based audit plan, performing and managing internal audits and assessments to evaluate the effectiveness of controls, and ensuring that all internal audit results are documented and re-usable for external audits. You will be the primary driver for reporting on control effectiveness to the Steering Committee and senior leadership.
Technical Control Validation & Audit: Act as a hands-on technical GRC expert. This includes:
Independently navigating in-scope systems (with temporary admin rights as needed) to find configuration settings, review access (roles, permissions, groups), and validate controls directly.
Analyzing authentication and access management (SSO, SAML, OAuth, IAM) to ensure they are implemented according to policy.
Understanding and auditing CI/CD pipelines, batch jobs, and incident management processes, using tools like Jira tickets and system audit trails as artifact evidence.
Stakeholder Remediation & Strategy: Lead GRC advisory and remediation sessions with SaaS and in-house system owners. You will be responsible for using ITGC evaluations (like the Controls Evidence Templates) to establish a control baseline, clearly communicate surfaced deficiencies, and collaboratively develop mid-term and long-term roadmaps to mitigate all identified risks.
Risk & Control Management: Establish and lead risk identification workshops to define and document the IT RACM for all SaaS and all in-scope systems. Collaborate with the Legal and Security teams to contribute to the wider Enterprise Risk Matrix (ERM) and ensure PII/data privacy risks are appropriately identified and controlled.
Audit & Stakeholder Management: Serve as the primary GRC liaison for all external and internal audits, ensuring audit readiness and effectively communicating the hybrid COSO/COBIT control approach.
Tooling & Governance: Lead the Tool Enablement objective, including the selection and implementation of a GRC tool. Establish program governance, including a Steering Committee, and provide quarterly PMO updates.
Culture & Training: Develop and deliver training programs to build and foster a culture of trust, control, and accountability across all business systems.
Qualifications:
Education: Bachelor's degree (or equivalent) in Information Technology, Computer Science, IT Audit, or a related field.
Experience: 3-5 years of progressive experience in IT Audit, IT Risk Management, or IT GRC.
SOX Expertise: Demonstrable hands-on experience in building, implementing, and/or managing a SOX 404 IT controls program is essential.
Governance Frameworks: Expert-level knowledge and practical implementation experience with COSO (for ICFR) and COBIT (for ITGCs). Strong understanding of other frameworks like ISO 27001, Cyber Trust Mark, CCF, NIST, and PCI-DSS is also required.
Audit Experience: Deep experience in managing and responding to external audits, particularly SOC 1.
Deep Technical Acumen (Mandatory): The ideal candidate must be able to:
Demonstrate a strong understanding of modern authentication and authorization protocols (e.g., SSO, OAuth, SAML).
Understand Identity and Access Management (IAM) concepts, including roles, privileges, permissions, and the difference between default/built-in vs. custom accounts/groups.
Be technically proficient enough to navigate the configuration settings of diverse systems to find evidence.
Understand IT operations concepts, including batch jobs, incident management, and the use of ticketing systems (like Jira) and audit trails as evidence.
Automation & Learning Mindset (Highly Desired): An aptitude for and keen interest in learning new technologies. We are a heavy user of GenAI and automation tools like n8n; a candidate who is comfortable and willing to build their own GRC automation workflows (e.g. for evidence collection) to bridge gaps pending a formal GRC tool would be at a significant advantage.
Certifications: Professional certifications such as CISA, CRISC, CISM, or CGEIT are highly preferred.
Leadership & Program Management: Proven ability to manage complex projects, drive milestones, and lead cross-functional initiatives.
Communication Skills: Exceptional communication and presentation skills. Must have the ability to translate complex technical control requirements (the how) into business-friendly language (the what and why) for stakeholders and leadership.
Independence: Ability to operate independently, think strategically, and effectively represent the GRC program across the organization.
Additional Information:
By proceeding with your application, you are adhering to our PDPA. In case you are interested to know more, read our Candidates' Personal Data Privacy Statement.
Remote Work:
No
Employment Type:
Contract
Carousell Group is the leading multi-category platform for secondhand in Greater Southeast Asia on a mission to make secondhand the first choice. Founded in August 2012 in Singapore, the Group has a leading presence in seven markets under the brands Carousell, Carousell Media Group, C ...