December 9, 2021 • 5 min read

Agents of Change: Paul Sobel of COSO

ON THIS PAGE

Don’t Just Let Change Happen — Be a Catalyst for Change

Moving Beyond a Defense Role to Enhance Value for the Organization

Creating Own Opportunities to Radically Transform Internal Audit

Risks May Be Unknown, but They’re Not Unknowable — Collaborate to Get Ahead

Explore New Technologies to “Recreate” Yourself — and Open New Doors

Internal auditors must take ownership of how we’re perceived

Healthcare Audit: Ensuring Compliance and Improving Patient Care

Cybersecurity Audit Essentials: Roles & Responsibilities, Steps, and Best Practices

Don’t Just Let Change Happen — Be a Catalyst for Change

Moving Beyond a Defense Role to Enhance Value for the Organization

Creating Own Opportunities to Radically Transform Internal Audit

Risks May Be Unknown, but They’re Not Unknowable — Collaborate to Get Ahead

Explore New Technologies to “Recreate” Yourself — and Open New Doors

Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.

In this episode, Richard sits down with Paul Sobel, Chairman of the Committee Of Sponsoring Organizations of the Treadway Commission (COSO), to share key insights and stories about how he drove transformative change in internal audit as CAE and CRO of Georgia-Pacific, including:

Why internal audit needs to be a catalyst for change — not just get dragged along for the ride.
Risks may be unknown, but they’re not unknowable — collaboration between audit, risk, and compliance is key to surfacing risks sooner.
How getting interested in emerging technologies helped him “recreate” himself, and opened doors in his career.

Watch the full conversation, and read the can’t-miss highlights below.

Paul Sobel, COSO Chairman, shares lessons learned as a technology early adopter and catalyst for transformative change.

Don’t Just Let Change Happen — Be a Catalyst for Change

Richard Chambers: Paul, in my book, Agents of Change, my thesis was that to be successful in the 21st century, internal auditors have to be more than just assurance providers, even more than advisors. I defined agents of change as those internal auditors who are catalysts for transformational ideas that drive and create value for the organizations they serve. Is that a definition that resonates with you?

“Paul Sobel: I think that hits the nail on the head, particularly the words, “catalyst for transformation.” So often people let change happen to them and then they say, “See, I can handle change.” But that’s not what you’re talking about at all. You’re talking about people who can be the catalyst for change, who can make change happen. I think that’s extremely important in an organization, particularly these days with the rapid pace of change. We need to make sure that internal auditors aren’t passed by and getting dragged along for the ride because over time they will perhaps be viewed as not as relevant. So by being a catalyst for change, organizations will continue to look at them as a valuable part of the organization beyond just the role they play as an internal auditor.”

Moving Beyond a Defense Role to Enhance Value for the Organization

Richard Chambers: Paul, having worked for so many different organizations in a number of roles both in audit and risk management, you’ve obviously had exposure to different management views of audit along the way. Do you think management and even boards in companies today see internal audit as having that change agent role or do they at least support internal auditors who want to be more than just the ones who hand them a report?

“Paul Sobel: It’s an interesting question because certainly internal audit has advanced beyond the green eyeshade perspective, but I think there’s still many who view them as being there to be the defense, to provide assurance, to give comfort. But we’re all in it for the same reason: to help the organization be successful. I believe board members and executives, at least the ones I’ve interfaced with, actually may be a little surprised, but they embrace the idea that we can be agents of change within our organizations. They know that we’re not just providing them the assurance that they need, but we’re trying to help the organization be successful and enhance value in whatever way we can.”

Creating Own Opportunities to Radically Transform Internal Audit

Richard Chambers: I argue in the book that before internal auditors can be seen as change agents in the organizations they serve, they have to be change agents within internal audit — be willing to transform the way internal audit undertakes its mission, uses technology, and identifies and follows risks. Are there any particular examples that you’d share where you as a Chief Audit Executive, and in several different companies along the way, that you drove change in internal audit?

“Paul Sobel: It’s a good point that being a change agent within the company sometimes is situational — opportunity related — but within internal audit, we always have that opportunity, we can drive that change more.”

Risks May Be Unknown, but They’re Not Unknowable — Collaborate to Get Ahead

Richard Chambers: I always saw you as someone who championed change in the organizations you lead and you have served in dual roles, you have served as a Chief Audit Executive, you have served as a Chief Risk Officer. There’s a lot of conversation these days about the importance of having a connected view of risk within a company, within an organization. As one who’s held both of those roles, how would you encourage internal auditors and chief risk officers to be more collaborative in supporting their organizations?

“Paul Sobel: I like that phrase, connected risk. I think that’s a good way of looking at it. It really does come down to combined assurance. To me, the first step is to show some humility because I think there can be a lot of turf wars between audit and risk or audit and compliance. There doesn’t need to be, we all work for the same company, we’re all after the same objectives. Once you put that behind you, it’s much easier to talk to the other individual. We may have different roles and responsibilities, but we are still working with the same fundamental information. Risks may be unknown, but they’re not unknowable. The more we can share, the more we can collaborate, the better it will be for the company to be successful.”

Explore New Technologies to “Recreate” Yourself — and Open New Doors

Richard Chambers: We’ve been through a lot the last couple of years. I think all of us have grown, evolved, and been more innovative than we even thought possible. Looking ahead, it would appear as though our risks are going to be racing at high velocity and they’re going to be very volatile for years to come. If I ask you to pull out Paul Sobel’s crystal ball, what are some things that internal audit needs to do to be successful in the decade ahead?

“Paul Sobel: First and foremost we have to recognize that change is going to continue to happen, and the pace of change is likely to continue to accelerate. We saw an acceleration during the pandemic, and I see no reason why it will slow down. I think one of the biggest challenges facing the profession is upskilling for those new risks and new technologies. That’ll be a key challenge — we don’t all have to be experts in all of the latest greatest technologies, but we have to know enough to understand it and be confident enough to go get the resource when we need to. They may not be somebody you hire off the street — they may be a consultant, co-sourcing, whatever — but we have to recognize that the level of expertise needed in many of these areas is going to go beyond where most of us are today.”