The CAE Perspective: Audit Plan Priorities, Keys to Career Success, and Talent Management Strategies

The CAE Perspective: Audit Plan Priorities, Keys to Career Success, and Talent Management Strategies

What’s top of mind for chief audit executives right now? Richard Chambers moderates a lively conversation with Shannon Urban (VP& CAE at Hasbro), Diana Pagliarini (EVP & General Auditor at State Street), and Carl Hatfield (Managing Director at Protiviti) that ranges from top internal audit priorities to keys for career success to talent management strategies: 

  1. Focus areas on risk-centric audit plans in a time of high risk volatility
  2. Skills and habits for career success in internal audit today.
  3. Creative approaches to identify, attract, and retain forward-thinking talent.

Watch the full conversation, and read the can’t-miss highlights below.

Audit Leaders from Hasbro, State Street, and Protiviti discuss audit plan priorities, talent management strategies, and more!

Flexibility, Opportunity — and Money. Creative Approaches Attracting and Retaining Talent

Shannon Urban, Hasbro: When we’re looking to attract talent into Hasbro, we’re obviously looking for specific audit skill sets — the same unicorn probably everyone else is looking for in terms of good audit skills, good soft skills — someone who’s innovative, hungry, and looking to learn a lot. If you’re good at Power BI, Celonis, and data analytics, that’s great too. 

But I think what attracts people to a company like ours at Hasbro is flexibility — and that we try to have some fun along the way as well. We work for a toy company, you have to have a little bit of fun, right? We try to do that by providing good work-life balance. I think that’s super critical for everyone today. We operate in a hybrid model coming back from the pandemic. Before Covid, it was a five day a week kind of environment, but we’ve opened that up and said, be where you need to be when you need to be there. We think that we need people to be in the office. We think there’s value in that, so we’re in about two days a week and everyone works from wherever they need to be on those other days. We also have half-day Fridays year round as a company, which doesn’t hurt either.  

On the opportunity side — especially in this environment where you can’t always promote everyone when you want to promote them, and you can’t always give everyone the big bonus if your company’s not performing the way you’d like it to — how can we give people opportunities within internal audit to be exposed to different parts of the business, to get hands on with some of our strategic initiatives? For example, building out or driving our implementation of AuditBoard and playing a role in that. So, helping to give them opportunities to continue to develop as professionals and build and flex those other skills besides just core audit skills — we’re finding that’s working. 

Carl Hatfield, Protiviti: One thing we’ve seen implemented a little bit more recently at some large audit shops is resource pooling, where you have more junior folks open to a resource pool where they get to work on many different types of audits. There’s a core skill set, but they also have the opportunity to work on different lines of business, with different people, and on different entities and risk items within the organization. Later, they have the opportunity to graduate that resource pool and expand into further depth within certain areas. 

Diana Pagliarini, State Street: I took this role during the pandemic, and stepping in at a very volatile time I tried to just remind myself to focus on the controllable things, but it’s important to walk the talk. Joining a group of 300 individuals, it took me a year and a half, but I met with every single person one-on-one for half an hour to get to know them a little bit. Then now as every new person comes into our department, they get a one-on-one with me and they get an email the first week from me welcoming them, introducing our strategy, and looking forward to an upcoming conversation. I think retention starts on the first day. 

Another thing we noticed is that folks who were really well trained — around the five to seven year mark — were leading our audits and training our people. They were the most in-demand and they had the sharpest spike in turnover. We asked, what was going on there? That’s also the point in the org chart where there’s fewer and fewer jobs going upward. What can we do? I’m running a series of workshops with all of our folks at this level around the world. I keep it to a group of about 15 to 20 so we can have a good interaction. It isn’t about performance, it’s is about development plans — defining activities, experiences, and exposures like working on the AuditBoard project. Things that get them interested, involved, exposed to different people, and put more cards in their hands for their career. These workshops also gives you as a leader an opportunity to demonstrate that you’re committed to them. It’s really tough for the competition to step in — money only goes so far, but when they feel they’re supported it can make a real difference. 

The piece that hasn’t come up is money, and that is a factor. In 18 months we’ve had three different exercises. One was a very specific retention exercise. Six months later we did a review of our pay ranges did some market adjustments. Then I said, wait a minute, while we’re in the range, what are the salaries folks are leaving at compared to the salaries we’re paying people in the market? Our third exercise was trying to close that gap.There is no silver bullet — money certainly wasn’t it — but it was a step in the right direction, and it was important to the team to hear about it. 


These are just some of the collection of activities that we’ve had, and to give you a sense of the dynamic we had last year about 22% turnover, and that’s gone down substantially to about 8%. We’re not declaring victory — this is something we have to stay at, all of us, over a period of time. But overall, I found the best thing that helps me is trying to listen as much as I can. 

Key Areas in the Audit Plan in a Volatile Risk Environment

Diana Pagliarini, State Street: The first thing I’m thinking about is around change: the change that’s coming and the change that’s happened. The great resignation didn’t just affect internal audit, it affected certain businesses. Things perhaps that have been stable for some time may now be disruptive. The steady stuff is worth a look to see, can you get a metric on turnover above a certain level in different parts of the organization? That’s your ongoing risk assessment. I think that’s really a key area of focus and an opportunity both the way forward and the way back.

I also think about things like the convergence of risk. If we think about geopolitical risk, you look at concentration of risk, where the footprint of the company is, and then you add to that an operational risk, it’s really different now. Risks don’t behave and stay in their own pillars. They move around, they take on their own life. But that’s an opportunity for us to look at those differently. So I think that that’s really important for us and the sustainability of processes that we’ve seen, that’s a new dynamic all its own. So how do you keep on top of that? 

I try to keep in mind, what are the headliner messages in the audit plan? An example of this is a culture audit. You talk to a business head or the CEO about a culture audit, everybody gets nervous. We’ve got so many more risks going on, why are we looking at culture? Well, there’s a framework and there’s certain jurisdictions around the world that have laws on this. This is now the new norm. What I do find is if we’re doing first-time audits, we should make that known to the board when we deliver the plan and to the business heads when we’re talking through our plan and when we’re issuing reports. If this is a first-time audit, we should say that. If you do a first-time audit and they come out well, that’s a strong statement. If it’s a first-time audit and things were bumpy, I’m not sure people would be terribly surprised. But it’s a new kind of call to action. 

Then the last thing, which is so important, is when I sit down with the business leaders, the one question I always ask is, “if there’s a way we could help or I could look at something in the organization, what would it be?” There’s always an active conversation around that. I’m always walking out thinking, is that on the plan? Do I need to add it? Is that more important that what we have? It starts a dialogue of how we can be helpful? The good thing is it starts the phone ringing, the bad thing is it starts the phone ringing. How do you do all of this? But that’s a good problem to have. 

Carl Hatfield, Protiviti: Around company transformations and emerging technology, with organizational change management and M&A activity it’s important to understand how the organization is changing and how it will be utilizing some of the newer technologies — cloud, IoT, blockchain, AI. All these newer technologies organizations are starting to roll out, looking at it not just from an overall impact, whether it’s operational or financial, but certainly reputational aspects. 

We’re really focused on AI as organizations roll that out, whether it be on insurance claims decisioning system or other areas within the business. Now it’s ChatGPT and what are we doing about that? What’s their policy? How are we protecting against it? Et cetera, et cetera. Those are the types of emerging areas of risk coverage. 

Process mining technology is something organizations are looking to adopt both operationally within internal audit to really look at data to see how a process works. Why do we get an invoice and then go create a vendor? That’s probably not the way it’s supposed to work. There’s lots of other examples, but process mining technology is really something that organizations are focused on. 

Navigating Geopolitical Risk

Shannon Urban, Hasbro: Yeah, it was funny, I was joking with someone that I’m not sure why we even bothered to put an audit plan together this year because we go through our process, we do the enterprise risk assessment on behalf of the company. and we build our plan off of that risk assessment in the fall, present it and get it approved by the audit committee in December. I’m going to venture a guess that 40% of it is probably irrelevant right now as I look at what’s happening and just the change in the organization. If there’s one theme or thread that goes through pretty much everything I think we will cover this year in internal audit, it’s that change and transformation

As we think about our audit plan for this year, the reality for us at Hasbro is, we spend 60% of our time on SOX — that’s way too much time as an organization. One of the primary efforts for us is, how can we change that dynamic? How can we rebalance that need to focus on the internal controls over our financial reporting versus all of the other risks that are really top of agenda for the company broadly? We launched a massive change effort ourselves, to SOX optimization or rationalization, call it what you will, to really try to drive down to the core of what we need to do on SOX and cut out all the noise so that we have more time to focus on the other things we had on our plan, which are really directly tied to some of the key strategies of the organization. 

For example, we’re investing heavily in the growth of our video games and digital gaming development. If you don’t know anything about video gaming, it takes a lot of time and money and it takes a village to build a video game — and there is no guarantee that it’s going to be a success after you spend three to five years developing it. We’re getting involved in looking at video game development on the front end as we’re investing as a company in that process. How do we make sure we have stage gates so we don’t sink a lot of money into the project to just have to trash it at the end of the day? They work with third parties, video game development companies, which is like three guys in a basement somewhere in Austin, Texas, right? You can just think about the risks that that introduces to the organization. 

We hired a CISO for the first time just last year. He has spent the last six months putting in a cyber risk assessment program, which the company never had before. We are going to go in this year and look at his process and try to get some reliance on that because there’s no way we can look at cyber risk across the organization. We’re trying to expand that part of the pie that’s really tagged to those key growth strategies of the organization so we can spend less time on the lower financial risk stuff.

Looking for more thought leadership? Check out our on-demand webinar library for more leaders and experts discussing timely issues, insights, and experiences.

Related Articles