Aaron Gagnon of McKinsey & Co Dreams Bigger When It Comes to Audit Strategy

Aaron Gagnon of McKinsey & Co Dreams Bigger When It Comes to Audit Strategy

Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.

In this episode, Richard sits down with Aaron Gagnon, Chief Audit Officer of McKinsey & Company and former CAE at Apple and Abercrombie & Fitch, to discuss why his playbook for building forward-looking internal audit functions always starts with getting his house in order and cultivating relationships of trust across the organization, including:

  • If you receive a blank check from the Audit Committee and a mandate to transform internal audit — what are your next steps?
  • To build stronger relationships across the org, start by sharing with others — even as far as your quarterly audit report to the Board — and they’ll be more likely to share with you.
  • Dreaming a little bigger: why getting to the next level isn’t about how many audits you complete, but about how you elevate your team, improve your technology use, and impact the company. 

Watch the full conversation, and read the can’t-miss highlights below.

Aaron Gagnon of McKinsey & Company reflects on internal audit transformation at McKinsey, Apple, and Abercrombie & Fitch.

To the Audit Committee, Success Looks Like Having More Requests for Advisory Work Than Capacity

Richard Chambers: Aaron, I wrote the book Agents of Change about internal auditors who are catalysts for transformation that helps to create value for the organizations they serve. Most people don’t think of internal auditors as being value creators or enhancers, they just think of them as being value protectors. But what’s your view? Is it appropriate for internal auditors to help the organization grow and achieve success other than just protecting the assets?

Aaron Gagnon: Absolutely. I think a lot of us talk about the assurance side and the advisory side. In my experience working with a couple different Boards, they more and more want us to do that. Obviously, they’re always trying to be careful to make sure we do our core responsibilities — there’s a strong need for that. I worked formerly at Apple, and I remember we had an audit committee presentation at one point when we were having more people ask for advisory work than we had capability, and we were trying to balance that with the amount of assurance. I remember one of the audit committee members said to me, “This is how I know that you’ve been successful here. You’ve got more people asking for your help than you can provide.”  

Richard Chambers: It’s interesting because that’s a performance metric that I think is underutilized. There’s a lot of debate — even at a conference that I attended recently — by internal auditors saying “How should we measure our performance?” There tends to be a lot of focus on outputs. How many audits did I do last year? What percent of the audit plan did that complete? But what you’re talking about, one way of measuring your success might be how often the phone rings or you get a text message or an email asking for help.

Aaron Gagnon: Yeah, part of that conversation was to say, “Here’s all the requests on the advisory side. Here’s what I’m going to do, and here’s what I’m not doing.” It becomes a conversation about the things we won’t do on an advisory side, not because we can’t, but because we have limited capacity — and here’s how I’ve prioritized it.

Playbook for Internal Audit Transformation: Get Your House in Order and Start Building Relationships

Richard Chambers: You know, when I talk about agents of change in internal audit, I talk about the fact that if you want to be an agent of change, you’ve got to start at home. That is within internal audit itself. Now, I know that you’ve been a transformational agent in the internal audit functions that you’ve led. Can you share any perspectives, insights, or stories about how you might have been that change agent when you took over an internal audit function?

Aaron Gagnon: Yeah, actually at Abercrombie and Fitch, then at Apple, and then at McKinsey — all three came with a mandate that we want something different. At this point, I feel like I kind of have a bit of a playbook on how to do this. Where you come in and say, where are we today? You meet with all the key stakeholders and say, “What is it that you want?”I joke a little bit and say “do you want chocolate, vanilla, or strawberry? It’s all ice cream and it all tastes good, but which version do you want?” So, figuring that piece of it out and then coming up with a strategic plan for how we get there. Where are the gaps and where do we want to be? Putting that roadmap out there. 

I think you’re right that the first step is to get our house in order before we can go out and help the rest of the organization. We need to get ourselves in a good place. We need to build the reputation, right? It’s not always just the reputation, but it’s building our relationships of trust. Part of relationship building is being open with people in the business. People are more willing to share with you when you share with them. For a lot of people, internal audit is a black box. All they know is you show up, I get an audit report, and I have no idea what’s going on and how you came up with it. But you can open up and say, “Here’s the audit process, here’s how this works.” When I started at Apple, and I’ve done the same thing at McKinsey, I do a little bit of a roadshow to demystify internal audit. Here’s what it is. Here’s what we can do from an assurance perspective. Here’s what we can do from an advisory perspective. Really helping educate folks about what that journey is. I’ll share my quarterly audit report that I’m giving to the Board. If you’re the head of information security or some other part of the business — everybody’s interested in that. 

Then, I think people are more willing to share with you and say, “Here’s the things that are important to me.” You start getting that relationship where you get a senior vice president who says, “Hey, can you go look at this for me?” You start to have the question, do you want me to look at this from an assurance perspective? And a lot of times they say, “Yes, I want an audit done. Let me know how this is going.” Or, “I know I have an opportunity. Can you work with our team to improve the controls in this space?” That’s how you build it up and really help create that change. You can’t start with the last part. You’ve got to start with getting your house in order.

Overcoming Speed Bumps After Getting a Blank Check From the Audit Committee to Transform Internal Audit

Richard Chambers: Are there any speed bumps that you hit as you were trying to come into these new organizations and get everybody to rethink internal audit?

Aaron Gagnon: At Apple, they had an internal audit team that had pretty much done SOX work and fraud work — and to be quite fair they were really good at it, it’s probably the best SOX program I’ve ever seen, even my time at Ernst and Young and other places. Two new board members came in and said that’s great, but that’s not internal audit and we really need an internal audit function… I actually ended up going for a 45-minute meeting with one of these Audit Committee members, and we talked for two hours. At the end, this audit committee member said, “Listen, we’re going to give you a blank piece of paper and a blank check. Don’t be shy. They have $260 billion in cash.” Now, the CFO didn’t agree with that, as you can imagine, but the Audit Committee member basically said, “You’re going to come back in six months and tell us what this organization needs to look like and how much management needs to write the check for — and you’re going to do this at the largest market cap company in the world.” I thought that’s the best sales pitch I’ve ever heard in my life. Sign me up! 

Getting back to the question about speed bumps, I think that was driven by the audit committee, people who had an outside point of view and said, “That isn’t internal audit. This is what internal audit should be.” Giving that guidance to management. I think it was a little bit of a challenge for the CFO at first because they had a lot going on — I mean, the company was growing at crazy pace, 30-something percent a year for multiple years. This was not what he wanted to deal with, he was trying to deal with the revenue side of the house. We were able to demonstrate the value when we had his peers coming and asking for our help. I remember about two years in the CFO said, “Okay, Aaron, I get it. I see the value. I kind of did this kicking and screaming, but I’m totally on board and I totally understand why we need to go this direction.” He even said it in front of the audit committee! He actually valued what we brought to the table.

“Dream a Little Bigger, Darling”: Leaning Into Strategy to Level Up Your Audit Team

Richard Chambers: You’ve described these roles that you came into and your first order of business was this transformational change, but then once you were there, was there a need for a strategic plan? Because I know the new IIA Standard, Standard 9.2, requires the CAE to develop a strategic plan and lead the organization by that strategic plan. What’s your experience been with that?

Aaron Gagnon: When I was at Apple at the beginning it was just, “How do we build?” We’re building the foundation of a house. How do we put that down? A couple years into it we came back with our strategic plan: what does this look like down the road? I think sometimes as CAEs we get a little bit lost in the one-year plan, and it’s very limited as to where you’re trying to go. I’m just trying to deliver what I’ve got to deliver. 

I really do think that that longer term strategy is not so much about all the audits I’m going to do. The IIA puts out a framework on the maturity of an internal audit organization. Where are we today? How do we get to that next level? That’s not really about completing audits. That’s about how do we elevate our talent? How do we improve our technology usage? How do we have more impact around the company that we work with? 

Strategy is important and your audit plan comes out of that. With that strategy, to quote inception, you need to dream a little bigger, darling. Try to think about, “How does that look down the road? What’s that vision for the future?” That’s the challenge for a lot of us CAEs is to step out of this year and think about where we’re going to be in three to five years.

Check out more audit leader interviews with Richard Chambers on our Agents of Change video series channel.