Assurity Trusted Solutions Pte Ltd

Lead Audit Manager

Posted 3 Hours Ago
In-Office
Singapore, SGP
Senior level
The Lead Audit Manager oversees a portfolio of audits, enforces data standards, co-leads risk assessments, and drives technology-enabled audit capabilities. They ensure actionable insights and effective policy feedback while managing audits that address systemic risks and compliance.
The summary above was generated by AI

Assurity Trusted Solutions (ATS) is a wholly owned subsidiary of the Government Technology Agency (GovTech). As a Trusted Partner over the last decade, ATS offers a comprehensive suite of products and services ranging from infrastructure and operational services, authentication services, governance and assurance services as well as managed processes. In a dynamic digital and cyber landscape, where trust & collaboration are key, ATS continues to drive mutually beneficial business outcomes through collaboration with GovTech, government agencies and commercial partners to mitigate cyber risks and bolster security postures.

Key Responsibilities:

Role Purpose: A senior practitioner-leader who ensures CDA's audit engine generates high-fidelity intelligence, the analysis brain produces actionable systemic insights, and the capability enabler builds sustainable WoG IT audit capacity. Operates as a systems thinker who sees how audit execution, risk intelligence, policy feedback, and capability uplift form a single integrated loop — and takes accountability for keeping that loop functioning.

PILLAR 1 — AUDIT EXECUTION

  1. Oversee a portfolio of a minimum of 10 IM8 audits as portfolio manager and 4 audits as audit manager within the fiscal year, ensuring:
    • Coverage of critical risk areas informed by threat intelligence and systems criticality, not solely by compliance checklists
    • Problem framing at the scoping stage: defining audit objectives around "what could go wrong and why" rather than "what controls exist", applying a risk-based lens that interrogates root causes and systemic conditions
    • Clear, concise articulation of audit findings framed as risk narratives — connecting individual control gaps to broader systemic exposure, downstream dependencies, and potential cascading impact
    • Recommendations that address root causes and systemic conditions, not merely surface-level control deficiencies, enhancing the organisation's risk management posture
    • Timely issuance of reports as per planned timelines
  2. Enforce data standardisation and structured taxonomy during fieldwork to ensure findings are "machine-readable" and immediately ingestible by Pillar 2's PRISM engine — understanding that the quality of systemic intelligence is bounded by the quality of data generated at the execution layer.
  3. Supervise vendor engagement with a dual lens:
    • Day-to-day management of outsourced auditors on live engagements
    • Performance scoring that feeds Pillar 3's PRIME vendor ecosystem management, ensuring the "Capability Flow" loop (Pillar 3 → Pillar 1) is grounded in real performance data
  4. Apply threat-informed thinking across the full risk landscape during audit execution — not limited to cyber controls, but extending to:
    • Data risk: quality degradation, lineage failures, privacy exposure from dataset combination
    • Resiliency risk: failover architectures tested annually but changed continuously
    • Platform risk: supply chain vulnerabilities in cloud providers, third-party components, and AI APIs
    • Practice risk: the gap between how processes are designed and how they are actually executed under deadline pressure
  5. Champion experimentation with AI and automation tools during audit execution:
    • Actively use and provide feedback on the Unified Audit Automation Product (AI-generated risk-based work programs, Automated Control Testing, Generative Reporting, QA automation)
    • Identify where manual audit steps can be replaced or augmented by AI, and work with the Technology & Analytics horizontal to iterate on tooling
    • Model comfort with imperfect-but-improving AI outputs, treating tool adoption as an iterative learning process rather than a binary deployment decision

PILLAR 2 — AUDIT ANALYSIS

  1. Co-lead the annual audit risk assessment and planning process by:
    • Applying systems thinking to identify and prioritise key risk trends across WoG — looking beyond individual agency findings to spot interconnected risks, shared vulnerabilities, and common root causes
    • Referencing industry threat intelligence, cybersecurity reports, and emerging technology trends to frame audit objectives around where the threat landscape is moving, not where it was
    • Developing audit objectives that are explicitly hypothesis-driven: "We believe X risk is systemic because of Y signals — this audit will test that hypothesis"
    • Creating audit plans that articulate procedures, timelines, and resources aligned to risk hypotheses
  2. Co-lead the systemic analysis of IM8 audits by:
    • Conducting cross-portfolio analysis of IM8 audits from the preceding fiscal year, using PRISM and other analytical tools to identify patterns, correlations, and systemic root causes that individual audit reports cannot surface
    • Framing analysis outputs as actionable intelligence — not merely "here is what we found" but "here is what this means for WoG risk posture, and here is what should change"
    • Presenting analysis results to GovTech Seniors with clear articulation of systemic implications and recommended interventions
  3. Operate the Policy Feedback Loop as a Trusted Advisor:
    • Actively provide structured, evidence-based feedback to Policy Developers on whether IM8 policies are working on the ground — where agencies struggle to implement, where policy intent diverges from operational reality, and where controls are producing formal compliance without corresponding assurance
    • Frame policy feedback around "why failures occur" (root cause and implementation context), not merely "what failed" (control gaps)
    • Contribute to the development or enhancement of IM8 policies, standards, and guidelines for emerging technology domains (OT, SIoT, Resiliency of Digital Services, Cloud adoption, ransomware, dependency risks, AI governance)
  4. Generate anticipatory intelligence: move beyond retrospective analysis to identify emerging risk patterns before they materialise as audit findings — routing early signals to the right stakeholders (policy teams, agency leadership, Pillar 3 for capability response).

PILLAR 3 — IT AUDIT CAPABILITY DEVELOPMENT

  1. Co-lead the operationalisation of risk-based auditing (RBA) across WoG by:
    • Providing training to WoG auditors and agencies that goes beyond methodology mechanics to build problem-framing and systems-thinking capability — helping auditors ask better questions, not just follow better checklists
    • Maintaining and updating audit methodology and processes, ensuring they evolve in response to Pillar 2's systemic intelligence (the "Intelligence Flow": Pillar 2 → Pillar 3)
    • Raising awareness through WoG briefings, newsletters, blogs, and community engagement
  2. Ensure the relevance and currency of IM8 and audit methodology training, aligning content with:
    • Current policy requirements
    • Systemic risk themes identified by Pillar 2
    • Emerging technology domains and threat vectors
    • AI tool adoption and automation literacy
  3. Drive technology-enabled capability uplift:
    • Identify and assess areas where technology (including AI, automation, and analytics) can enhance the efficiency and effectiveness of the WoG audit process
    • Champion the distribution of CDA's Unified Audit Automation Product to Agency IA teams
    • Develop and execute implementation plans for viable technology solutions, treating rollout as an experiment-and-iterate process with structured feedback loops
  4. Stay current with emerging technologies, threat vectors, and trends in the audit and assurance profession — maintaining the practitioner depth required to credibly advise agencies and shape WoG audit direction.


Requirements
    • A degree in an IT-related discipline or equivalent qualification
    • Professional certifications such as CISA and cloud security certification (e.g., CCSP, CCSK) are essential
    • A minimum of 12 years of experience in the ICT field, with at least 10 years in ICT audit, assurance, and/or compliance management
    • Demonstrated experience leading complex audit portfolios, conducting fieldwork, and deep understanding of regulatory compliance, governance, and internal controls
    • Experience in cyber security, cloud application development, and commercial public cloud platforms is strongly preferred
    • Prior experience in application development or cloud-native engineering is advantageous
  • Mindset & Capabilities:
    • Problem Framing: Demonstrated ability to define audit and assurance problems in terms of "what could go wrong and why" — structuring engagements around risk hypotheses rather than control checklists
    • Systems Thinking: Ability to see how individual audit findings connect to systemic conditions, cross-agency patterns, and policy-implementation gaps. Comfortable reasoning about interconnected risks and second-order effects
    • Threat-Informed Perspective: Ability to assess risk across the full landscape — cyber, data, resiliency, platform, and practice risk — not limited to traditional IT control domains
    • AI & Experimentation Fluency: Demonstrated comfort with AI tools, data analytics, and audit automation. Willingness to experiment with emerging technologies (including generative AI) and iterate on imperfect outputs. Experience deploying or championing AI/automation in audit or assurance contexts is strongly preferred
    • Continuous Intelligence Orientation: Ability to shift from episodic assurance (point-in-time audits) toward continuous signal generation — identifying emerging patterns and routing intelligence to the right stakeholders before gaps become findings
    • Robust understanding of technology, IT management processes, technology risks, and internal controls
    • Strong written and verbal communication and presentation skills — ability to frame complex risk narratives for senior leadership
    • Ability to deliver high-quality, thorough work with attention to detail

Join us and discover a meaningful and exciting career with Assurity Trusted Solutions!


The remuneration package will be commensurate with your qualifications and experience. Interested applicants, please click "Apply Now".


We thank you for your interest and please note that only shortlisted candidates will be notified.


By submitting your application, you agree that your personal data may be collected, used and disclosed by Assurity Trusted Solutions Pte. Ltd. (ATS), GovTech and their service providers and agents in accordance with ATS’s privacy statement which can be found at: https://www.assurity.sg/privacy.html or such other successor site.


Benefits
  • We promote a learning culture and encourage you to grow and learn.
  • Annual Leave Benefits with additional perks such as Family Care and Birthday Leave.
  • Working in a collaborative environment with helpful team members
