👨🏻‍💻 postech.work

(Manager) Lead Internal Audit (IT Systems & Process)

Zalo • 🌐 In Person

Posted 4 days, 5 hours ago

Job Description

Hồ Chí Minh

Full-time

This role owns internal audits for IT systems and tech product operations while (re)designing processes and controls to ensure compliance, security, efficiency, and scalability. This is a hybrid Internal Audit × Process Quality Assurance role in a product company.

What you will do

1) IT Systems & Security Audit

Plan and execute risk-based audits: ITGC, IAM/SoD, change & release, backup/DR, logging/monitoring, vulnerability & patch, vendor/third-party risk, cloud (AWS/Azure/GCP), data platforms.

Application/product audits across SDLC/SSDLC, DevOps/CI/CD, APIs, privacy & data protection, infra configuration, environment segregation.

Mobile & SDK focus: verify SDK/permission changes per release; detect SDK diffs across versions; validate app store compliance.

Real‑time infra focus: test topic ACLs, rate‑limit/throttle, spam/abuse detection signals, failover/DR drills, and end‑to‑end logging/traceability.

Build/maintain Risk Register, Control Library, and testing programs (test of design/effectiveness).

Track remediation to closure; validate root-cause fixes.

2) Process Audit & (Re)Design

Map as-is processes (BPMN/SIPOC/RACI), analyze cycle time/defects/bottlenecks; design to-be processes optimizing cost–speed–quality.

Define process controls, KPIs/SLAs, SOPs/Playbooks/Checklists; embed preventive & detective controls.

Co-design SDLC “quality gates”; digitize workflows in Jira/Service Desk or workflow engines.

3) Compliance & Governance

Align to frameworks/standards: ISO 27001/27701, SOC 2, COBIT, ITIL, OWASP/SSDLC, and data privacy laws (e.g., GDPR, PDPD), Cybersecurity Law (VN).

Prepare for external audits/assessments; coach control owners across functions.

Govern data residency/retention, records of processing, and privacy‑by‑design reviews (PIA/DPIA).

4) Data & Analytics for Audit

Build analytics on logs/tickets/deploys/access/cost to detect anomalies and risk trends (leading indicators).

Automate periodic controls and alerts; maintain dashboards for control health and remediation status.

5) Stakeholder Management & Enablement

Orchestrate with Product, Engineering, QA, SecOps, Data, Finance Ops, and Legal.

Run training, workshops, and change-management communications.

What you will need

Must-Have

Bachelor’s in CS/IT/Information Systems (or equivalent) with solid technical grounding (web/app, APIs, databases, networks, cloud basics).

5+ years of experience in IT Audit, Process/Quality Assurance, or Tech Risk/Compliance in product/SaaS/fintech/high tech.

Strong process modeling (BPMN), root-cause analysis, and control design; working knowledge of SDLC/DevOps/CI/CD and ITIL (Incident/Problem/Change/Release).

Data skills: basic SQL queries; comfort with logs/metrics; Excel/BI proficiency; scripting (Python) is a plus.

Excellent communication and influencing; able to challenge both technical and operational stakeholders.

Nice-to-Have / Certifications

CISA/CIA/CRISC/ISO 27001 LA, ITIL, COBIT, CSSLP; Lean Six Sigma (Green/Black Belt); PMP or Agile (Scrum/Kanban).

Experience with cloud audits (AWS/Azure/GCP), SOC 2/ISO 27001 readiness, and privacy programs.

Hands-on with workflow/GRC tools (Jira/Confluence/ServiceNow; OneTrust/Drata/Vanta, etc.).
