Adila Matthew

Working as part of Deloitte's advisory team on GRC and compliance engagements across SOC 2, ISO 27001, SOX, PCI-DSS, and NIST CSF.

The work covers the full cycle; gap assessments, control design review, TOD and TOE testing, evidence coordination, and audit close. On the third-party risk side, I've built TPRM frameworks from scratch on engagements that had none: standardized questionnaires, vendor risk-tiering criteria, contract security requirements, and monitoring programs that give clients ongoing visibility rather than a point-in-time snapshot.

Something this work keeps reinforcing: the gap between a control existing on paper and one that actually operates is exactly where most audit findings live. Getting in early, finding that gap, and closing it before the auditor arrives, that's the whole job.

Three and a half years running GRC and compliance work across client engagements: SOC 2, ISO 27001, PCI-DSS, and NIST.

This is where I built the cross-framework depth that most analysts take much longer to develop. The core of the work was control assessments, evidence collection, audit coordination, risk register management, and third-party risk. On the policy side, I developed and maintained information security policies, standards, and governance documentation, making sure what was written reflected how the business actually operated, not just how the policy said it should. What this role taught me: knowing a framework isn't the hard part.

The hard part is translating what it requires into something that works in a specific environment, and making sure it holds up when the auditor is in the room.