Senior Governance, Risk and Compliance Analyst (12-month contract)

Company Description

Carousell Group is the leading multi-category platform for secondhand in Greater Southeast Asia on a mission to inspire the world to start selling, and to make secondhand the first choice. Founded in August 2012 in Singapore, the Group has a leading presence in seven markets under the brands Carousell, Cho Tot, Laku6, Mudah.my, OneShift, Ox Luxe, Ox Street, and Refash, serving tens of millions of monthly active users. Carousell is backed by leading investors including Telenor Group, Rakuten Ventures, Naver, STIC Investments and Sequoia Capital India.

As a team of passionate individuals working together to solve meaningful problems, there is so much more for you to discover in a career with Carousell. Our culture is made up of hiring, developing, and promoting people who embody our values of HEART, which is an acronym for Humility, Empathy, Accountability, Relentlessly resourceful and Teamwork. Together as an organisation, we make magic happen.

Job Description

We are seeking a seasoned Senior GRC Analyst to build, lead, and mature our IT Governance, Risk, and Compliance program. This is a pivotal role where you will be the primary architect of our new Sarbanes-Oxley (SOX) IT controls framework and will be responsible for establishing and leading the company's annual internal IT audit program.

This is a technical, hands-on role. You will not only design the control framework but also be expected to dive directly into our diverse systems (from SaaS platforms like Oracle Netsuite and Salesforce to CI / CD tools like Jenkins and Github) to verify configurations, analyze access controls, and retrieve audit evidence.

You will be responsible for designing and implementing a unified control framework that is both compliant and practical, bridging the gap between high-level financial reporting principles (COSO) and granular IT governance practices (COBIT) . This position is critical for establishing a resilient, transparent, and scalable control environment to support our growth and mature our IT governance function.

This role works closely with key stakeholders, including SaaS owners, Legal, Finance, CorpIT, Security Engineering, as well as external auditors. This is a high-impact position with a clear path for growth into team leadership for the right candidate.

Responsibilities :

• Program Leadership & Strategy : Lead the development, documentation, and implementation of the SOX IT RACM Program. Proactively drive the IT control maturity milestones, advancing the program from an ad-hoc (Level 1) to a defined (Level 2) and implemented (Level 3) state .
• Framework & Control Harmonization : Architect a unified control framework for both internally built and SaaS-based systems , ensuring all controls are mapped to both COSO principles and COBIT processes.
• Framework Analysis : Lead control harmonization efforts by analyzing multiple frameworks (including ISO 27001, Cyber Trust Mark, and CCF) to identify common controls and streamline our compliance ambitions.
• Internal Audit Leadership : Establish and lead the company's annual internal IT audit program. This includes developing the annual risk-based audit plan, performing and managing internal audits and assessments to evaluate the effectiveness of controls , and ensuring that all internal audit results are documented and re-usable for external audits. You will be the primary driver for reporting on control effectiveness to the Steering Committee and senior leadership.
• Technical Control Validation & Audit : Act as a hands-on technical GRC expert. This includes :
• Independently navigating in-scope systems (with temporary admin rights as needed) to find configuration settings, review access (roles, permissions, groups), and validate controls directly.
• Analyzing authentication and access management (SSO, SAML, OAuth, IAM) to ensure they are implemented according to policy.
• Understanding and auditing CI / CD pipelines, batch jobs , and incident management processes , using tools like Jira tickets and system audit trails as artifact evidence.
• Stakeholder Remediation & Strategy : Lead GRC advisory and remediation sessions with SaaS and in-house system owners. You will be responsible for using ITGC evaluations (like the Controls Evidence Templates) to establish a control baseline, clearly communicate surfaced deficiencies, and collaboratively develop mid-term and long-term roadmaps to mitigate all identified risks.
• Risk & Control Management : Establish and lead risk identification workshops to define and document the IT RACM for all SaaS and all in-scope systems. Collaborate with the Legal and Security teams to contribute to the wider Enterprise Risk Matrix (ERM) and ensure PII / data privacy risks are appropriately identified and controlled.
• Audit & Stakeholder Management : Serve as the primary GRC liaison for all external and internal audits , ensuring audit readiness and effectively communicating the hybrid COSO / COBIT control approach.
• Tooling & Governance : Lead the 'Tool Enablement' objective, including the selection and implementation of a GRC tool. Establish program governance, including a Steering Committee , and provide quarterly PMO updates.
• Culture & Training : Develop and deliver training programs to build and foster a culture of trust, control, and accountability across all business systems.

Qualifications

Additional Information

By proceeding with your application , you are adhering to our PDPA policies. In case you are interested to know more, read about our Candidates Personal Data Privacy Statement.

Skills Required

Iso 27001, Saml, Jira, COSO, Oauth, Cobit, Iam, nist, Sso