
(Manager) Lead Internal Audit (IT Systems & Process), Zalo

Hồ Chí Minh
Full-time

This role owns internal audits for IT systems and tech product operations while (re)designing processes and controls to ensure compliance, security, efficiency, and scalability. This is a hybrid Internal Audit × Process Quality Assurance role in a product company.

🤖 What you will do

1) IT Systems & Security Audit

  • Plan and execute risk-based audits: ITGC, IAM/SoD, change & release, backup/DR, logging/monitoring, vulnerability & patch, vendor/third-party risk, cloud (AWS/Azure/GCP), data platforms. 
  • Application/product audits across SDLC/SSDLC, DevOps/CI/CD, APIs, privacy & data protection, infra configuration, environment segregation. 
  • Mobile & SDK focus: verify SDK/permission changes per release; detect SDK diffs across versions; validate app store compliance. 
  • Real‑time infra focus: test topic ACLs, rate‑limit/throttle, spam/abuse detection signals, failover/DR drills, and end‑to‑end logging/traceability. 
  • Build/maintain Risk Register, Control Library, and testing programs (test of design/effectiveness). 
  • Track remediation to closure; validate root-cause fixes. 

2) Process Audit & (Re)Design

  • Map as-is processes (BPMN/SIPOC/RACI), analyze cycle time/defects/bottlenecks; design to-be processes optimizing cost–speed–quality. 
  • Define process controls, KPIs/SLAs, SOPs/Playbooks/Checklists; embed preventive & detective controls. 
  • Co-design SDLC “quality gates”; digitize workflows in Jira/Service Desk or workflow engines. 

3) Compliance & Governance

  • Align to frameworks/standards: ISO 27001/27701, SOC 2, COBIT, ITIL, OWASP/SSDLC, data privacy laws (e.g., GDPR, PDPD), and the Cybersecurity Law (VN).
  • Prepare for external audits/assessments; coach control owners across functions. 
  • Govern data residency/retention, records of processing, and privacy‑by‑design reviews (PIA/DPIA).  

4) Data & Analytics for Audit

  • Build analytics on logs/tickets/deploys/access/cost to detect anomalies and risk trends (leading indicators). 
  • Automate periodic controls and alerts; maintain dashboards for control health and remediation status. 

5) Stakeholder Management & Enablement

  • Orchestrate with Product, Engineering, QA, SecOps, Data, Finance Ops, and Legal. 
  • Run training, workshops, and change-management communications.

👾 What you will need

Must-Have

  • Bachelor’s in CS/IT/Information Systems (or equivalent) with solid technical grounding (web/app, APIs, databases, networks, cloud basics). 
  • 5+ years of experience in IT Audit, Process/Quality Assurance, or Tech Risk/Compliance in product/SaaS/fintech/high tech. 
  • Strong process modeling (BPMN), root-cause analysis, and control design; working knowledge of SDLC/DevOps/CI/CD and ITIL (Incident/Problem/Change/Release). 
  • Data skills: basic SQL queries; comfort with logs/metrics; Excel/BI proficiency; scripting (Python) is a plus. 
  • Excellent communication and influencing; able to challenge both technical and operational stakeholders. 

Nice-to-Have / Certifications

  • CISA/CIA/CRISC/ISO 27001 LA, ITIL, COBIT, CSSLP; Lean Six Sigma (Green/Black Belt); PMP or Agile (Scrum/Kanban). 
  • Experience with cloud audits (AWS/Azure/GCP), SOC 2/ISO 27001 readiness, and privacy programs. 
  • Hands-on with workflow/GRC tools (Jira/Confluence/ServiceNow; OneTrust/Drata/Vanta, etc.).


Our interview process is all about getting to know each other. Come prepared to showcase your hard work, skills, and achievements, and get a better understanding of what it’s like to work at Zalo group.
