Position: Manager - Internal Audit & Risk
Job Grade: 6
Department: Quality Control & Risk Management (QCRM)
Ref code: REF-QCRM-MIAR-03.2025
Location: Remote
Working Hours: 40 hours per week
Reports to: Head - Quality Council & Risk Management
Job Summary:
The Manager – Internal Audit & Risk is a key leadership role responsible for providing
independent assurance and strategic oversight across Mercans’ global payroll outsourcing and
SaaS delivery operations. This role leads internal audits, manages enterprise risks, ensures
regulatory compliance, and actively contributes to continuous process improvement. The role also
focuses on auditing and monitoring contract compliance, service level adherence, and root cause
analysis (RCA) for operational failures—ensuring service excellence and contractual integrity
across client engagements.
Duties and Responsibilities:
1. Internal Audit & Process Assurance:
● Design and execute a comprehensive, risk-based internal audit plan across financial,
operational, IT, and compliance areas—specifically targeting payroll delivery, SaaS
platform, client lifecycle processes, and back-office operations.
● Conduct process efficiency and compliance audits to evaluate workflow effectiveness,
automation, internal controls, and adherence to policies across business functions.
● Lead control testing around data accuracy, payroll timelines, client invoicing, SLA
delivery, and data privacy in multi-country environments.
● Present clear, actionable audit reports to management, including root cause
identification, process gaps, and corrective action plans.
2. SLA & Contract Compliance Monitoring:
● Conduct periodic SLA and contract compliance audits to verify fulfillment of
client-specific service commitments (e.g., TAT, accuracy, reporting, platform availability).
● Review delivery metrics, issue logs, and system data to assess SLA performance and
contractual obligations.
● Flag potential deviations or risk exposures and recommend proactive measures for
contractual compliance.
● Partner with client success and delivery teams to ensure accurate interpretation and
operationalization of contractual terms.
1
�
3. Risk Management & Governance:
● Maintain and evolve the enterprise risk management (ERM) framework to identify,
assess, and mitigate operational, compliance, data security, and third-party risks.
● Perform quarterly risk assessments and ensure appropriate mitigation plans are in place
and monitored.
● Regularly update and maintain the enterprise-wide risk register, ensuring visibility of key
risks at the executive level.
4. Participation in RCA & Corrective Action Processes:
● Actively participate in Root Cause Analysis (RCA) processes for SLA breaches, audit
findings, client escalations, incidents, and non-conformances.
● Support process owners in identifying systemic breakdowns, contributing factors, and
long-term preventive measures.
● Ensure that RCA outcomes are documented, tracked, and integrated into internal audits
and compliance checks.
5. Regulatory, Information Security & Certification Compliance:
● Ensure continuous compliance with internal policies and external regulations including
ISO 27001, ISO 9001, ISO 27701, ISO 22301, SOC 1 & 2 Type 2, GDPR, NIST, and
country-specific payroll rules.
● Support preparation and successful closure of all external and client audits with zero
major non-conformities.
● Oversee internal readiness for recertification and surveillance audits for ISO/SOC
frameworks.
● Handle RFPs, client due diligence questionnaires, and annual information security
self-assessments.
6. Stakeholder Reporting & Client Support:
● Provide periodic reports on audit findings, risk posture, compliance gaps, and control
effectiveness to the senior management team, audit committee, and other key
stakeholders.
● Collaborate with cross-functional teams including Payroll Operations, Implementation,
Product, HR, and Compliance to embed controls and mitigate operational risks.
● Support client-specific audit and compliance requests, including scheduled and ad-hoc
assessments.
7. Training & Culture of Compliance:
● Develop and deliver training programs on audit readiness, SLA compliance, risk
mitigation, and information security best practices.
2
�
● Promote a culture of compliance, accountability, and continuous improvement through
awareness and communication initiatives.
8. Continuous Audit & Data Analytics:
● Implement continuous auditing techniques using data analytics tools to proactively
detect anomalies, control failures, or policy deviations in real time.
● Develop dashboards and KPIs to monitor key risk and compliance metrics across payroll
cycles, platform usage, and service delivery.
● Collaborate with IT to leverage data pipelines for automated control testing and
reporting.
9. Change Control & Platform Release Audits:
● Review change management processes for the SaaS platform, including version
releases, hotfixes, and system updates.
● Audit pre- and post-deployment controls to ensure security, regression testing, data
integrity, and operational readiness are maintained.
● Validate rollback procedures, segregation of duties, and release documentation to
ensure platform stability.
10.Third-Party & Vendor Risk Assessments:
● Conduct audits and due diligence reviews on third-party service providers involved in
payroll processing, software development, cloud hosting, or compliance.
● Evaluate vendor contracts for risk clauses, data protection provisions, and performance
SLAs.
● Ensure third-party risk management is integrated into the broader ERM framework.
11.Business Continuity & Disaster Recovery Audits:
● Review and test the effectiveness of business continuity and disaster recovery plans
across payroll operations and technology infrastructure.
● Evaluate the organization's ability to meet SLAs during crises or platform downtime.
● Participate in BCP/DR drills and recommend improvements based on risk exposure and
scenario outcomes.
12.Internal Control Framework Development:
● Standardize and maintain the organization’s internal control framework aligned with
COSO, COBIT, or ISO models.
● Facilitate control self-assessments across business units to drive ownership and
proactive compliance.
3
�
13.Client-Specific Governance Support:
● Participate in client governance reviews, QBRs (Quarterly Business Reviews), and
performance presentations where audit, SLA, or compliance matters are discussed.
● Serve as a liaison with key clients for audit and infosec-related queries.
14.Strategic Advisory Role:
● Provide insights to senior leadership on emerging risks, compliance trends, and areas of
strategic vulnerability or improvement.
● Advise on new country expansions, product launches, or business models from a risk
and compliance standpoint.
Qualifications & Experience:
● Bachelor’s degree in Accounting, Finance, Business Administration, Engineering, or a
related field.
● Preferred certifications: CIA, CISA, CRMA, CPA, ISO 27001 Lead Auditor.
● Minimum of 7 years of experience in internal audit, risk management, compliance, or SLA
governance—preferably in SaaS, BPO, or payroll outsourcing environments.
● Proven experience in auditing client delivery operations, service contracts, IT platforms,
and regulatory compliance frameworks.
● Familiarity with root cause analysis (RCA), CAPA processes, and issue tracking tools.
● Expertise in global standards and frameworks (e.g., GDPR, ISO, SOC).
● Proficiency in using audit, risk, or analytics platforms.
● Excellent communication and stakeholder management skills.
4
�
Performance Goals:
1. Annual Audit Plan Execution:
● Specific: Develop and execute an annual risk-based audit plan covering payroll, SaaS, and
compliance functions.
● Measurable: Achieve at least 90% completion of scheduled audits by the end of the fiscal
year.
● Achievable: Use a structured audit schedule and cross-functional collaboration to ensure
completion.
● Relevant: Supports compliance, risk mitigation, and internal control improvement.
● Time-bound: Complete by fiscal year-end with quarterly progress tracking.
2. SLA & Contract Compliance Audits
● Specific: Perform SLA and contract compliance audits to verify service delivery and
contract adherence.
● Measurable: Conduct a minimum of 4 audits annually, ensuring 95% compliance with
contractual obligations.
● Achievable: Coordinate with client success and delivery teams to audit high-impact
engagements.
● Relevant: Ensures client satisfaction and regulatory compliance.
● Time-bound: One audit per quarter, with findings reported within 15 business days.
3. Process Efficiency Improvements
● Specific: Identify and address inefficiencies in core operational processes through internal
audits.
● Measurable: Achieve at least a 20% improvement in processing time, accuracy, or cost
efficiency in target areas.
● Achievable: Implement and monitor changes collaboratively with process owners.
● Relevant: Enhances service quality and scalability.
● Time-bound: Improvements to be realized within 90 days post-audit.
4. Root Cause Action Implementation
● Specific: Ensure timely closure of critical RCA findings related to audit issues or service
delivery failures.
● Measurable: 100% of critical RCA corrective actions implemented within 60 days.
● Achievable: Maintain an RCA tracking log and escalation mechanism.
● Relevant: Strengthens incident prevention and process maturity.
● Time-bound: Monitor monthly and report implementation status quarterly.
5. Risk Register Management
● Specific: Maintain and update the enterprise risk register to reflect evolving business and
operational risks.
● Measurable: Conduct updates quarterly with 100% of high-priority risks assigned
mitigation plans.
● Achievable: Leverage inputs from audits, leadership, and department risk champions.
● Relevant: Improves risk visibility and strategic decision-making.
● Time-bound: Updates completed by the 15th day of each quarter.
5
�
6. External Audit & Certification Readiness
● Specific: Support readiness for external audits and compliance certifications (ISO, SOC,
client audits).
● Measurable: Achieve zero major non-conformities in 95% of audit cycles.
● Achievable: Conduct mock audits and documentation reviews before audits.
● Relevant: Protects certifications and client trust.
● Time-bound: Prepare at least 30 days before scheduled audits.
7. Compliance & Infosec Training
● Specific: Conduct training to improve employee awareness of compliance and information
security standards.
● Measurable: Deliver 4 quarterly sessions with 90% attendance and 80% post-assessment
score.
● Achievable: Utilize LMS tools and interactive formats.
● Relevant: Reduces human error and strengthens the compliance culture.
● Time-bound: Sessions to be completed by the last month of each quarter.
8. Continuous Audit Integration
● Specific: Implement continuous audit mechanisms in business-critical areas.
● Measurable: Deploy in at least 3 core processes by year-end with monthly reporting
dashboards.
● Achievable: Collaborate with IT and data teams for tool setup.
● Relevant: Enables real-time control monitoring and rapid response.
● Time-bound: Launch first pilot by Q2 and complete rollout by Q4.
9. Third-Party Risk Assessments
● Specific: Perform vendor risk assessments to ensure third-party compliance and
performance.
● Measurable: Complete assessments for 100% of high-risk vendors annually.
● Achievable: Use a standardized checklist and schedule vendor audits.
● Relevant: Reduces exposure to external risk factors.
● Time-bound: Assessments completed within 30 days of vendor classification.
10.Client Governance & Audit Engagement
● Specific: Actively contribute to client governance forums and audits.
● Measurable: Attend 90% of QBRs/governance meetings and present audit insights in all
sessions.
● Achievable: Prepare standard decks and conduct pre-meeting alignment with internal
teams.
● Relevant: Enhances client confidence and promotes transparency.
● Time-bound: Engagement tracked and reviewed biannually.
