Senior Governance, Risk and Compliance Analyst
2 weeks ago
Senior Governance, Risk and Compliance Analyst (12-month contract, PH)

Company Description

Carousell Group is the leading multi-category platform for secondhand in Greater Southeast Asia on a mission to inspire the world to start selling, and to make secondhand the first choice. Founded in August 2012 in Singapore, the Group has a leading presence in seven markets under the brands Carousell, Cho Tot, Laku6, Mudah.my, OneShift, Ox Luxe, Ox Street, and Refash, serving tens of millions of monthly active users. Carousell is backed by leading investors including Telenor Group, Rakuten Ventures, Naver, STIC Investments and Sequoia Capital India.

As a team of passionate individuals working together to solve meaningful problems, there is so much more for you to discover in a career with Carousell. Our culture is made up of hiring, developing, and promoting people who embody our values of HEART, which is an acronym for Humility, Empathy, Accountability, Relentlessly resourceful and Teamwork. Together as an organisation, we make magic happen.

Job Description

We are seeking a seasoned Senior GRC Analyst to build, lead, and mature our IT Governance, Risk, and Compliance program. This is a pivotal role where you will be the primary architect of our new Sarbanes‑Oxley (SOX) IT controls framework and will be responsible for establishing and leading the company's annual internal IT audit program.

This is a technical, hands‑on role. You will not only design the control framework but also be expected to dive directly into our diverse systems (from SaaS platforms like Oracle Netsuite and Salesforce to CI/CD tools like Jenkins and Github) to verify configurations, analyze access controls, and retrieve audit evidence.

You will be responsible for designing and implementing a unified control framework that is both compliant and practical, bridging the gap between high‑level financial reporting principles (COSO) and granular IT governance practices (COBIT). This position is critical for establishing a resilient, transparent, and scalable control environment to support our growth and mature our IT governance function.

This role works closely with key stakeholders, including SaaS owners, Legal, Finance, CorpIT, Security Engineering, as well as external auditors. This is a high‑impact position with a clear path for growth into team leadership for the right candidate.

Responsibilities

Program Leadership & Strategy: Lead the development, documentation, and implementation of the SOX IT RACM Program. Proactively drive the IT control maturity milestones, advancing the program from an ad‑hoc (Level 1) to a defined (Level 2) and implemented (Level 3) state.

Framework & Control Harmonization: Architect a unified control framework for both internally built and SaaS‑based systems, ensuring all controls are mapped to both COSO principles and COBIT processes.

Framework Analysis: Lead control harmonization efforts by analyzing multiple frameworks (including ISO 27001, Cyber Trust Mark, and CCF) to identify common controls and streamline our compliance ambitions.

Internal Audit Leadership: Establish and lead the company's annual internal IT audit program, including developing the annual risk‑based audit plan, performing and managing internal audits and assessments to evaluate the effectiveness of controls, and ensuring that all internal audit results are documented and re‑usable for external audits. You will be the primary driver for reporting on control effectiveness to the Steering Committee and senior leadership.

Technical Control Validation & Audit: Act as a hands‑on technical GRC expert. This includes:
Independently navigating in‑scope systems (with temporary admin rights as needed) to find configuration settings, review access (roles, permissions, groups), and validate controls directly.
Analyzing authentication and access management (SSO, SAML, OAuth, IAM) to ensure they are implemented according to policy.
Understanding and auditing CI/CD pipelines, batch jobs, and incident management processes, using tools like Jira tickets and system audit trails as artifact evidence.

Stakeholder Remediation & Strategy: Lead GRC advisory and remediation sessions with SaaS and in‑house system owners. Use ITGC evaluations (like the Controls Evidence Templates) to establish a control baseline, communicate surfaced deficiencies, and collaboratively develop mid‑term and long‑term roadmaps to mitigate risks.

Risk & Control Management: Lead risk identification workshops to define and document the IT RACM for all SaaS and in‑scope systems. Collaborate with Legal and Security teams to contribute to the wider Enterprise Risk Matrix (ERM) and ensure PII/data privacy risks are appropriately identified and controlled.

Audit & Stakeholder Management: Serve as the primary GRC liaison for all external and internal audits, ensuring audit readiness and effectively communicating the hybrid COSO/COBIT control approach.

Tooling & Governance: Lead the “Tool Enablement” objective, including the selection and implementation of a GRC tool. Establish program governance, including a Steering Committee, and provide quarterly PMO updates.

Culture & Training: Develop and deliver training programs to build and foster a culture of trust, control, and accountability across all business systems.

Qualifications

Education: Bachelor's Degree (or equivalent) in Information Technology, Computer Science, IT Audit, or a related field.

Experience: 3–5+ years of progressive experience in IT Audit, IT Risk Management, or IT GRC.

SOX Expertise: Demonstrable, hands‑on experience in building, implementing, and/or managing a SOX 404 IT controls program.

Governance Frameworks: Expert‑level knowledge and practical implementation experience with COSO (for ICFR) and COBIT (for ITGCs). Strong understanding of other frameworks like ISO 27001, Cyber Trust Mark, CCF, NIST, and PCI‑DSS is also required.

Audit Experience: Deep experience in managing and responding to external audits, particularly SOC 1.

Deep Technical Acumen (Mandatory): Strong understanding of modern authentication and authorization protocols (SSO, OAuth, SAML); IAM concepts including roles, privileges, and permissions; proficiency in navigating configuration settings of diverse systems; knowledge of IT operations concepts such as batch jobs, incident management, and use of ticketing systems like Jira and audit trails.

Automation & Learning Mindset: Aptitude for learning new technologies and building GRC automation workflows.

Certifications: CISA, CRISC, CISM, CGEIT highly preferred.

Leadership & Program Management: Proven ability to manage complex projects, drive milestones, and lead cross‑functional initiatives.

Communication Skills: Exceptional communication and presentation skills in translating complex technical control requirements into business‑friendly language.

Independence: Ability to operate independently, think strategically, and represent the GRC program across the organization.

Additional Information

By proceeding with your application, you are adhering to our PDPA policies. In case you are interested to know more, read about our Candidates Personal Data Privacy Statement.
-
Risk Management and Compliance Analyst
4 weeks ago
Pasig, Philippines Acquire Intelligence Full time Risk Management and Compliance Analyst Join to apply for the Risk Management and Compliance Analyst role at Acquire Intelligence. We’re an award-winning global outsourcer providing contact center and back‑office services on behalf of our global clients. Come work at a place where innovation and teamwork come together to support the most exciting...
-
Risk Management and Compliance Analyst
2 weeks ago
Pasig, National Capital Region, Philippines Acquire Intelligence Full time ₱300,000 - ₱600,000 per year We're an award-winning global outsourcer providing contact center and back office services on behalf of our global clients. Come work at a place where innovation and teamwork come together to support the most exciting missions in the world RISK MANAGEMENT ANALYST As a Risk Management Analyst, you will partner with cross-functional department heads and business...
-
Risk Management and Compliance Analyst
2 weeks ago
Pasig, National Capital Region, Philippines Acquire Intelligence Full time ₱1,200,000 - ₱2,400,000 per year We're an award-winning global outsourcer providing contact center and back office services on behalf of our global clients. Come work at a place where innovation and teamwork come together to support the most exciting missions in the world Acquire BPO is an award-winning business process outsource provider, to some of the world's largest brands operating...
-
Compliance Analyst
4 weeks ago
Pasig, Philippines CrewBloom Full time Overview We are seeking a detail-oriented Compliance Analyst to support regulatory, operational, and risk management initiatives of our client. The ideal candidate will have a strong foundation in AML/CFT frameworks, KYC/CDD processes, and international compliance standards, with an emerging or established understanding of digital asset compliance. The...
-
Security Governance Analyst
2 weeks ago
Pasig, Philippines CIS Bayad Center, Inc. Full time The Security Governance and Assurance Analyst supports the roll out and implementation of the Information Security/Cyber Security Policies. He/she will work with the various Infosec representatives from the business groups and provide guidance on the procedures and forms that will be implemented. He/she will provide assistance in gathering the evidences...
-
Governance, Compliance and Analytics Auditor
2 weeks ago
Pasig, Philippines Manila Electric Company Full time Governance, Compliance and Analytics Auditor The position performs the full audit cycle including risk management and control management over operations’ effectiveness, financial reliability, and compliance with all applicable directives, procedures, and regulations. The role obtains, analyzes, and evaluates the organization’s control philosophies,...
-
Insurance Senior Risk Analyst
3 weeks ago
Pasig, Philippines S&P Global Full time Overview About the Role: Insurance Senior Risk Analyst Grade Level (for internal use): 11 The Role: Insurance Senior Risk Analyst The Team: The Business Risk Management team is responsible for managing various insurance policies to protect S&P Global against fortuitous risks. Within the team, there is a great deal of collaboration as members collectively...
-
Tech Risk Analyst
2 weeks ago
Pasig, National Capital Region, Philippines LeapXpert Full time ₱1,200,000 - ₱2,400,000 per year Join LeapXpert: Innovating the Future of Business Communication At LeapXpert, we're revolutionizing business communication by seamlessly integrating the familiarity of consumer messaging apps with enterprise-grade security and compliance. As pioneers in responsible business communications, we empower employees and clients to connect through their preferred...
-
Risk and Compliance Officer
2 weeks ago
Pasig, National Capital Region, Philippines PAN ASIA Resources Full time ₱720,000 - ₱1,440,000 per year Role Summary The Risk & Compliance Officer owns the day-to-day operation of the organization's Governance, Risk, and Compliance program. The role identifies and assesses risks, maintains the control framework, drives remediation with control owners, and ensures ongoing compliance with applicable standards, contracts, and regulations (e.g., ISO 27001:2022, SOC 2,...
-
Security Governance Analyst
2 weeks ago
Pasig, National Capital Region, Philippines CIS Bayad Center, Inc. Full time ₱900,000 - ₱1,200,000 per year Job Summary: The Security Governance and Assurance Analyst supports the roll out and implementation of the Information Security/Cyber Security Policies. He/she will work with the various Infosec representatives from the business groups and provide guidance on the procedures and forms that will be implemented. He/she will provide assistance in gathering the...