
Manager Internal Audit & Risk

Company:
Mercans
Location:
Remote Mainland, AK, 99801
Posted:
May 13, 2025

Description:

The Manager – Internal Audit & Risk is a key leadership role responsible for providing independent assurance and strategic oversight across Mercans’ global payroll outsourcing and SaaS delivery operations. This role leads internal audits, manages enterprise risks, ensures regulatory compliance, and actively contributes to continuous process improvement. The role also focuses on auditing and monitoring contract compliance, service level adherence, and root cause analysis (RCA) for operational failures—ensuring service excellence and contractual integrity across client engagements.

Duties and Responsibilities

Internal Audit & Process Assurance

Design and execute a comprehensive, risk-based internal audit plan across financial, operational, IT, and compliance areas—specifically targeting payroll delivery, SaaS platform, client lifecycle processes, and back-office operations.

Conduct process efficiency and compliance audits to evaluate workflow effectiveness, automation, internal controls, and adherence to policies across business functions.

Lead control testing around data accuracy, payroll timelines, client invoicing, SLA delivery, and data privacy in multi-country environments.

Present clear, actionable audit reports to management, including root cause identification, process gaps, and corrective action plans.

SLA & Contract Compliance Monitoring

Conduct periodic SLA and contract compliance audits to verify fulfillment of client-specific service commitments (e.g., TAT, accuracy, reporting, platform availability).

Review delivery metrics, issue logs, and system data to assess SLA performance and contractual obligations.

Flag potential deviations or risk exposures and recommend proactive measures for contractual compliance.

Partner with client success and delivery teams to ensure accurate interpretation and operationalization of contractual terms.

Risk Management & Governance

Maintain and evolve the enterprise risk management (ERM) framework to identify, assess, and mitigate operational, compliance, data security, and third-party risks.

Perform quarterly risk assessments and ensure appropriate mitigation plans are in place and monitored.

Regularly update and maintain the enterprise-wide risk register, ensuring visibility of key risks at the executive level.

Participation in RCA & Corrective Action Processes

Actively participate in Root Cause Analysis (RCA) processes for SLA breaches, audit findings, client escalations, incidents, and non-conformances.

Support process owners in identifying systemic breakdowns, contributing factors, and long-term preventive measures.

Ensure that RCA outcomes are documented, tracked, and integrated into internal audits and compliance checks.

Regulatory, Information Security & Certification Compliance

Ensure continuous compliance with internal policies and external regulations including ISO 27001, ISO 9001, ISO 27701, ISO 22301, SOC 1 & 2 Type 2, GDPR, NIST, and country-specific payroll rules.

Support preparation and successful closure of all external and client audits with zero major non-conformities.

Oversee internal readiness for recertification and surveillance audits for ISO/SOC frameworks.

Handle RFPs, client due diligence questionnaires, and annual information security self-assessments.

Stakeholder Reporting & Client Support

Provide periodic reports on audit findings, risk posture, compliance gaps, and control effectiveness to the senior management team, audit committee, and other key stakeholders.

Collaborate with cross-functional teams including Payroll Operations, Implementation, Product, HR, and Compliance to embed controls and mitigate operational risks.

Support client-specific audit and compliance requests, including scheduled and ad-hoc assessments.

Training & Culture of Compliance

Develop and deliver training programs on audit readiness, SLA compliance, risk mitigation, and information security best practices.

Promote a culture of compliance, accountability, and continuous improvement through awareness and communication initiatives.

Continuous Audit & Data Analytics

Implement continuous auditing techniques using data analytics tools to proactively detect anomalies, control failures, or policy deviations in real time.

Develop dashboards and KPIs to monitor key risk and compliance metrics across payroll cycles, platform usage, and service delivery.

Collaborate with IT to leverage data pipelines for automated control testing and reporting.

Change Control & Platform Release Audits

Review change management processes for the SaaS platform, including version releases, hotfixes, and system updates.

Audit pre- and post-deployment controls to ensure security, regression testing, data integrity, and operational readiness are maintained.

Validate rollback procedures, segregation of duties, and release documentation to ensure platform stability.

Third-Party & Vendor Risk Assessments

Conduct audits and due diligence reviews on third-party service providers involved in payroll processing, software development, cloud hosting, or compliance.

Evaluate vendor contracts for risk clauses, data protection provisions, and performance SLAs.

Ensure third-party risk management is integrated into the broader ERM framework.

Business Continuity & Disaster Recovery Audits

Review and test the effectiveness of business continuity and disaster recovery plans across payroll operations and technology infrastructure.

Evaluate the organization’s ability to meet SLAs during crises or platform downtime.

Participate in BCP/DR drills and recommend improvements based on risk exposure and scenario outcomes.

Internal Control Framework Development

Standardize and maintain the organization’s internal control framework aligned with COSO, COBIT, or ISO models.

Facilitate control self-assessments across business units to drive ownership and proactive compliance.

Client-Specific Governance Support

Participate in client governance reviews, QBRs (Quarterly Business Reviews), and performance presentations where audit, SLA, or compliance matters are discussed.

Serve as a liaison with key clients for audit and infosec-related queries.

Strategic Advisory Role

Provide insights to senior leadership on emerging risks, compliance trends, and areas of strategic vulnerability or improvement.

Advise on new country expansions, product launches, or business models from a risk and compliance standpoint.

Qualifications & Experience

Bachelor’s degree in Accounting, Finance, Business Administration, Engineering, or a related field.

Preferred certifications: CIA, CISA, CRMA, CPA, ISO 27001 Lead Auditor.

Minimum of 7 years of experience in internal audit, risk management, compliance, or SLA governance—preferably in SaaS, BPO, or payroll outsourcing environments.

Proven experience in auditing client delivery operations, service contracts, IT platforms, and regulatory compliance frameworks.

Familiarity with root cause analysis (RCA), CAPA processes, and issue tracking tools.

Expertise in global standards and frameworks (e.g., GDPR, ISO, SOC).

Proficiency in using audit, risk, or analytics platforms.

Excellent communication and stakeholder management skills.
