Richard Chambers: Paul, in my book, Agents of Change, my thesis was that to be successful in the 21st century, internal auditors have to be more than just assurance providers, even more than advisors. I defined agents of change as those internal auditors who are catalysts for transformational ideas that drive and create value for the organizations they serve. Is that a definition that resonates with you?
Paul Sobel: I think that hits the nail on the head, particularly the words, “catalyst for transformation.” So often people let change happen to them and then they say, “See, I can handle change.” But that’s not what you’re talking about at all. You’re talking about people who can be the catalyst for change, who can make change happen. I think that’s extremely important in an organization, particularly these days with the rapid pace of change. We need to make sure that internal auditors aren’t passed by and getting dragged along for the ride because over time they will perhaps be viewed as not as relevant. So by being a catalyst for change, organizations will continue to look at them as a valuable part of the organization beyond just the role they play as an internal auditor.
Richard Chambers: Paul, having worked for so many different organizations in a number of roles both in audit and risk management, you’ve obviously had exposure to different management views of audit along the way. Do you think management and even boards in companies today see internal audit as having that change agent role or do they at least support internal auditors who want to be more than just the ones who hand them a report?
Paul Sobel: It’s an interesting question because certainly internal audit has advanced beyond the green eyeshade perspective, but I think there’s still many who view them as being there to be the defense, to provide assurance, to give comfort. But we’re all in it for the same reason: to help the organization be successful. I believe board members and executives, at least the ones I’ve interfaced with, actually may be a little surprised, but they embrace the idea that we can be agents of change within our organizations. They know that we’re not just providing them the assurance that they need, but we’re trying to help the organization be successful and enhance value in whatever way we can.
Richard Chambers: I argue in the book that before internal auditors can be seen as change agents in the organizations they serve, they have to be change agents within internal audit — be willing to transform the way internal audit undertakes its mission, uses technology, and identifies and follows risks. Are there any particular examples that you’d share where you as a Chief Audit Executive, and in several different companies along the way, that you drove change in internal audit?
Paul Sobel: It’s a good point that being a change agent within the company sometimes is situational — opportunity related — but within internal audit, we always have that opportunity, we can drive that change more.
A couple of examples come to mind from Georgia-Pacific. About a year after I joined the company in 2011, I recognized that as a company, we weren’t really taking advantage of data analytics the way that we could. I was able to bring somebody who had some acumen in that area over from another part of the organization, we hired a real sharp individual off-campus, and we started to do some things. Now they’d be kind of common, but experimenting with Alteryx and Tableau and being able to analyze data, extract data, and present data in ways that the company hadn’t really seen before. That, I think, raised the stature of internal audit over the ensuing years. About five years after that, they rightfully said, “We need to pull this out of audit and make it a corporate center of excellence.” That made me feel very good because I was the impetus — and even though we incubated it within audit, it ultimately ended up where it should be.
Richard Chambers: I always saw you as someone who championed change in the organizations you lead and you have served in dual roles, you have served as a Chief Audit Executive, you have served as a Chief Risk Officer. There’s a lot of conversation these days about the importance of having a connected view of risk within a company, within an organization. As one who’s held both of those roles, how would you encourage internal auditors and chief risk officers to be more collaborative in supporting their organizations?
Paul Sobel: I like that phrase, connected risk. I think that’s a good way of looking at it. It really does come down to combined assurance. To me, the first step is to show some humility because I think there can be a lot of turf wars between audit and risk or audit and compliance. There doesn’t need to be, we all work for the same company, we’re all after the same objectives. Once you put that behind you, it’s much easier to talk to the other individual. We may have different roles and responsibilities, but we are still working with the same fundamental information. Risks may be unknown, but they’re not unknowable. The more we can share, the more we can collaborate, the better it will be for the company to be successful.
Richard Chambers: We’ve been through a lot the last couple of years. I think all of us have grown, evolved, and been more innovative than we even thought possible. Looking ahead, it would appear as though our risks are going to be racing at high velocity and they’re going to be very volatile for years to come. If I ask you to pull out Paul Sobel’s crystal ball, what are some things that internal audit needs to do to be successful in the decade ahead?
Paul Sobel: First and foremost we have to recognize that change is going to continue to happen, and the pace of change is likely to continue to accelerate. We saw an acceleration during the pandemic, and I see no reason why it will slow down. I think one of the biggest challenges facing the profession is upskilling for those new risks and new technologies. That’ll be a key challenge — we don’t all have to be experts in all of the latest greatest technologies, but we have to know enough to understand it and be confident enough to go get the resource when we need to. They may not be somebody you hire off the street — they may be a consultant, co-sourcing, whatever — but we have to recognize that the level of expertise needed in many of these areas is going to go beyond where most of us are today.
Now I’m going to flip that around and say new technologies can also be an opportunity for internal auditors. I think back in my career, I had a couple of times when I “recreated” myself. I’ve always been in some form of auditing, external, internal, et cetera, but early in my career I decided I wanted to learn more about technology, and I had this brilliant idea that computers are probably here to stay. The knowledge I gained early on actually opened some doors for me and served me very well when I moved into chief audit roles later. In the late 1990s, I became very interested in risk assessment, which grew into broader enterprise risk management. I was with Arthur Andersen at the time, and I got to work with some of the real thought leaders on the topic, which ultimately helped me create a competency that I never would have had otherwise.
My challenge to internal auditors is to seize the opportunity that’s out there. My crystal ball’s a little fuzzy for 10 years out, but there will be opportunities for people to pursue something to recreate themselves. Make sure it’s something you enjoy doing, and then you’d be surprised what kind of doors that will open. I think that’s really what the profession is going to need, a bunch of people who are saying, “I want to be more than the traditional view of an internal auditor.” That’s what will take this profession into the next decade.