Executive summary
Laura is a Director in BDO’s Risk Advisory Services team in Melbourne, specialising in technology, cyber, and data risk management. With over 12 years of experience across the United States and Australia, she brings a pragmatic, client-centric approach to risk management, balancing regulatory expectations with operational realities.
Laura has deep expertise in the financial services sector, spanning banking and alternative finance as well as wealth and asset management, and she has held industry leadership roles, including at a major superannuation provider. She delivers high-impact IT and cybersecurity risk assessments and audits, regulatory compliance reviews, and third-party assurance, helping clients strengthen governance, reduce exposure, and meet evolving regulatory demands.
Laura is known for her strategic insight, audit quality leadership, and ability to guide both onshore and offshore teams through complex risk landscapes with confidence.
Expertise
Experience
Cybersecurity and IT risk management
- Partnering with internal cyber teams to deliver independent assurance to executive stakeholders and Boards on the progress and effectiveness of cyber remediation and uplift programs.
- Conducting cybersecurity framework reviews (NIST CSF), cloud migration risk assessments, and operational risk assessments to reduce risk exposure and strengthen control environments.
- Reviewing and enhancing IT risk management frameworks, including developing control libraries aligned to NIST, ISO, and COBIT standards to support strategic risk governance.
Third-party risk and assurance reporting
- Designing and executing third-party risk management programs, including policy development, risk tiering, information requirements, and compliance outcome evaluation.
- Leading third-party assurance engagements (SOC 1, SOC 2, ASAE 3402, GS007) across custody, asset management, superannuation administration, and IT operations.
- Educating stakeholders on assurance reporting requirements and guiding control design and effectiveness assessments to meet regulatory and client expectations.
Regulatory compliance and internal audit
- Leading internal audit programs across cybersecurity, cloud migration, business continuity, and third-party risk, aligned to APRA CPS 230, CPS 232, and CPS 234.
- Conducting APRA prudential standard readiness and compliance assessments, identifying control gaps and advising on tactical and strategic remediation.
- Supporting SOX readiness and implementation for US listings, including operational testing and control evaluation.
IT audit and assurance
- Leading multi-country IT audit teams for big-four banks and global financial institutions, overseeing end-to-end delivery of IT audit programs (including ITGCs, application controls, and business process testing), and presenting findings to the C-suite and Board audit and risk committees through formal reporting.
Qualifications and affiliations
- Chartered Accountant and Member, CA ANZ
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)