
Sophie Chang

IT Governance, Risk Management And Compliance Practitioner
107 Tampines St.86 #01-14 Singapore 528533

Summary

Experienced governance, risk management and compliance practitioner with a demonstrated history of working in the financial services industry. Skilled in business and technology processes, internal audit and risk management. Working professional with a BSc (Hon., Second Upper Division) in Information Systems & Management, focused on Information Technology and Business Management, from University of London.

Overview

19 years of professional experience
3 years of post-secondary education
2 Certifications

Work History

Assistant Director, Cyber Defense Group

Synapxe Pte Ltd
07.2021 - Current

Managed enterprise-wide remediation program for user access management. Key activities and achievements:

  • Identified gaps in control design and operating effectiveness and grouped into themes
  • Chaired solutioning workgroup constituted with POCs from all BUs, discussed and derived operationally feasible action plans for implementation
  • Conducted workgroups with senior management for refinement of proposed action plans until approved
  • Chaired implementation workgroup constituted with POCs from all BUs to kick-start implementation activities with detailed instructions provided, polled implementation status and challenges faced during implementation, apprised senior management on implementation status, and escalated matters requiring their attention and decision
  • Conducted implementation fieldwork for own workstream; oversaw and guided implementation fieldwork for 2 other workstreams assigned to junior staff

Took part in CCoP audits as a member of the audit engagement team:

  • Reviewed RFIs prior to submission and pre-empted SMEs for potential observations
  • Supported SMEs for audit discussions during fieldwork and reporting
  • Reviewed draft audit report including management action plans and timelines for accuracy and reasonableness

Took part in annual CII Risk Assessment Exercise:

  • Reviewed risk scenarios and risk ratings proposed by external consultants for reasonableness
  • Reviewed draft reports (risk assessment, VA, PT, architecture review, host security review) including management action plans and timelines for accuracy and reasonableness

Vice President, APAC Regulatory & Audit Engagement

J. P. Morgan Chase
04.2021 - 06.2021
  • Triage information requests and ensure quality and timely submissions of requested items to Asia Pacific regulatory authorities as well as internal/external audit
  • Daily and weekly engagement status reporting to senior management
  • Core member of APAC regional team for monitoring high severity incidents
  • Managing resources and engagement assignment for team

Executive Manager, Audit & Compliance Division

Government Technology Agency Singapore
07.2020 - 03.2021
  • IM8 Technology Audit & Compliance Policy maker & advisor
  • Coordinated and managed annual GovTech inspections on government agencies
  • Workgroup member in establishing audit methodologies for IM8 audit
  • Main trainer to external auditors on IM8 audit and technology auditor conversion programme
  • Support senior management in driving improvement initiatives including implementing agile auditing

Audit Manager, Retail Private Bank & Wealth Management Technology

Group Internal Audit, Standard Chartered Bank
07.2019 - 06.2020

Risk Assessment

  • Supported partnering audit portfolio heads in annual risk assessment process to identify and analyse changes in risk profiles and proposed changes to draft annual audit plan where appropriate
  • Raised issues/concerns outside normal audit process as part of continuous risk assessment process
  • Chaired regular meetings with business stakeholders to gather updates on key business initiatives and current progress, and provided independent opinions to ensure risks are identified and addressed timely
  • Reviewed MI and reports regularly to keep up-to-date with key trends within business

Audit Deliverables

  • Led and participated in assigned audit engagements
  • Ensured audit deliverables meet quality standards and timelines in-line with the defined audit methodology
  • Monitored and validated audit issues for issue closure and escalated audit findings that remained unresolved
  • Audit portfolio focused on systems used by Private Banking and Wealth Management business, as well as those systems used by ASA in country teams.

Technology Risk Manager, Country Technology

Standard Chartered Bank
06.2018 - 07.2019
  • Prepared risk assessments / risk noting papers on Singapore systems and supporting infrastructure for regular Technology Risk Forum attended by country CIO
  • Advisor of recommended risk & control practices to Singapore country team
  • Led and conducted end to end annual self-assessment against BCS Participant Security Program (PSP). Key control domains include cyber incidents response management, vulnerability management, access management, security monitoring, network security
  • Managed end-to-end cycle of annual MAS TRMG self-assessment which includes reviewing of evidence and adherence comments provided by stakeholders from relevant domains, for submission to MAS
  • Led audit ripple discussions with Singapore country teams (incl. CTM, Country ICS, CSS) in assessing applicability and follow-up actions required for Singapore
  • Coordinated with relevant stakeholders for audit issue follow-up and validated closure effort for audit issues raised by regulator, external and internal audits
  • Represented Country Technology R&C team in incident calls to facilitate root cause analysis
  • Reconciled various regulatory control requirements at country level in preparation for upcoming compliance assessment, including MAS Cyber Hygiene Notices, MAS TRM Guidelines, MAS MEPS+ control requirements and BCS PSP
  • Reviewed and highlighted changes in regulatory requirements and internal policies, chaired discussions with Singapore country teams and consolidated country team feedback for internal/external communications

Vice President, Group Audit

Network for Electronic Transfers (Singapore) Pte Ltd
06.2015 - 06.2018
  • Represented Internal Audit function in the IT risk management forum chaired by Head of Information Security and attended by CIO and technology department heads, to provide independent opinions with regard to Technology-GRCs (Governance, Risk Management & Compliance) in NETS
  • Reviewed technology risk assessments performed by other business units for adequacy & reasonableness
  • Designed standard audit guidance (with references to MAS regulatory requirements and PCI-DSS); planning, supervising, conducting audit fieldwork, risk assessing audit issues and reviewing of audit work performed by audit team members
  • Coordinated audit issue discussions amongst stakeholders and validated closure-efforts
  • Audits led and fieldwork performed included Technology Strategy and Management; IT Risk Management; Business Continuity Management; Network Infrastructure; Corporate Infrastructure; Platform Audit (Windows); System Development and Support; Change, Incident and Problem Management; Application Audit (payment system); Online System Security (payment system); Data Centre; and Business audits on processes relating to merchant onboarding and termination as well as client account management

Audit Manager, Technology & Operations

Group Internal Audit, Standard Chartered Bank
02.2013 - 06.2015
  • Drove continuous risk assessment on Group Technology & Information Security on changes in people, process & technology
  • Conducted annual risk assessment for assigned processes within the Bank's Technology universe
  • Scoped and designed test steps for assigned audits. It included planning discussions with stakeholders to understand processes, and determining risks and key controls to be assessed during fieldwork
  • Coordinated audit issue discussions amongst stakeholders and validated closure-efforts
  • Audits led and fieldwork performed include Security Administration; Data Leakage (Monitoring of emails and uploads to websites); Information Security; Inventory Management; MAS issue remediation review; Authentication and Directory Services; Network and Peripherals

Assistant Manager, IT Assurance

KPMG Services Pte Ltd
08.2011 - 02.2013

Managed audit and advisory engagements:

  • Engagement planning - budget negotiation, engagement scoping and resource allocation
  • Regular meetings with clients on engagement status reporting, issue discussions (with senior management), and identifying business opportunities
  • Drafting official audit reports and clearing internal reviews


Delivered the following audit and advisory services to clients:

  • Business process and internal control reviews (non-banking clients)
  • MAS regulatory compliance/readiness assessments (i.e. IBTRM/TRM; Outsourcing Guidelines) for banking and financial institutions
  • IT audits (as financial audit support), SOX audits, software licensing reviews

Senior Auditor, Group Audit Division

Overseas Chinese Bank Corporation
07.2010 - 08.2011

Conducted assigned audit fieldwork on the bank’s infrastructure and processes, including:

Infrastructure related

  • Security hardening review - AS400 and HP NonStop (Tandem)
  • SANS storage and resiliency review
  • Service Oriented Architecture (SOA) process and infrastructure review

Process related

  • Change management
  • Computer operations
  • IT project management and delivery

Senior Associate

KPMG Services Pte Ltd, IT Assurance and Security Services
05.2008 - 07.2010

Managed and conducted assigned audit engagements. Activities include:

  • Budget negotiation; audit planning, scoping and resourcing
  • Conduct audit fieldwork such as IT general control testing, IT application control testing in accordance with KPMG Audit Methodology
  • Coach junior associates through structured trainings on audit fundamentals, and through pre-engagement briefings / on-the-job guidance for specific engagements
  • Assist audit managers in internal and external engagement reporting

Global Deployment & Operations Manager

Hewlett-Packard Asia Pacific Pte Ltd
08.2006 - 05.2008

Supported business operations of 12 to 14 global/regional corporate customer accounts in:

  • Ensuring timely refresh of customer-specific product pricing and catalogs
  • Following through sales orders to ensure timely delivery
  • Attending to customer escalations relating to sales orders as the first go-to person, coordinating with internal resources for actions until case close
  • Channeling customer feedback to corporate account managers in US and Germany through scheduled calls and discussing improvement actions required
  • Monitoring and reporting operational KPIs

Catalog Specialist (Outsourced Operations)

Xcellink Pte Ltd
08.2005 - 08.2006

Led 5 members in delivering smooth daily operation:

  • Migrated product pricing and catalogues for Hewlett-Packard (HP) corporate customer accounts onto newly deployed global e-catalog system
  • Assisted operation manager in recruitment process including candidate selections and conducting interviews
  • Attended daily operation calls with client (HP e-business process system support teams) on service delivery
  • Conducted structured and ad hoc training for new hires

Education

Bachelor of Science - Information Systems And Management

University of London (LSE)
Singapore
01.2002 - 04.2005

Skills

Technology risk management - technology risk advisory for technology operation BAU activities, performing and reviewing risk assessments, identifying key risk and controls in processes and clearly articulate to stakeholders

Technology auditing - IT general controls, application controls, technology governance, third party security management, system development projects, global processes and infrastructures

Microsoft Office tools (Word, Excel, PowerPoint, Access, Visio)

Certification

Certified Information Systems Auditor (CISA)

Timeline

Certified in Risk and Information Systems Control (CRISC)

08-2024

Assistant Director, Cyber Defense Group

Synapxe Pte Ltd
07.2021 - Current

Executive Manager, Audit & Compliance Division

Government Technology Agency Singapore
07.2020 - 03.2021

Audit Manager, Retail Private Bank & Wealth Management Technology

Group Internal Audit, Standard Chartered Bank
07.2019 - 06.2020

Technology Risk Manager, Country Technology

Standard Chartered Bank
06.2018 - 07.2019

Vice President, Group Audit

Network for Electronic Transfers (Singapore) Pte Ltd
06.2015 - 06.2018

Certified Information Systems Auditor (CISA)

02-2015

Senior Auditor, Group Audit Division

Overseas Chinese Bank Corporation
07.2010 - 08.2011

Senior Associate

KPMG Services Pte Ltd, IT Assurance and Security Services
05.2008 - 07.2010

Catalog Specialist (Outsourced Operations)

Xcellink Pte Ltd
08.2005 - 08.2006

Bachelor of Science - Information Systems And Management

University of London (LSE)
01.2002 - 04.2005

Vice President, APAC Regulatory & Audit Engagement

J. P. Morgan Chase
04.2021 - 06.2021

Audit Manager, Technology & Operations

Group Internal Audit, Standard Chartered Bank
02.2013 - 06.2015

Assistant Manager, IT Assurance

KPMG Services Pte Ltd
08.2011 - 02.2013

Global Deployment & Operations Manager

Hewlett-Packard Asia Pacific Pte Ltd
08.2006 - 05.2008