Agents of Change: Theresa Grafenstine of Citi

Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.

In this episode, Richard sits down with Theresa Grafenstine, Global Chief Auditor, Technology at Citi, to discuss the transformational changes she’s been able to drive by building strong relationships across the organization, including:

  • Blazing trails to orchestrate the first phishing attack training at the U.S. House of Representatives.
  • Laying the groundwork for success by investing time on the front end to turn skeptics into advocates for ambitious new projects.
  • Working with the Citi innovations team to find opportunities to leverage technology to automate, navigate millions of records, know if a metric is in or out of risk appetite, and more!

Watch the full conversation, and read the can’t-miss highlights below.

Theresa Grafenstine of Citi shares how she’s driven transformational change in government, public accounting, and private industry by embracing the human aspect of audit.

Position Yourself as a Trail Blazer

Richard Chambers: Terry, in my book, “Agents of Change,” I take the position that internal auditors should seek to drive change in the organizations they serve. I defined agents of change in the profession as internal auditors who are catalysts for transformation that creates value within the organizations they serve. What’s your view on internal auditors as agents of change, and is that how you would define it?

Theresa Grafenstine: I absolutely would define it that way, Richard. When I read the book, I thought that was a great way to describe us. I don’t think everybody, if you’re in internal audit, would naturally say, “I’m going to blaze some trails, and change these things, and change the world.” If you want to really be a leader in the profession, that’s how you should see yourself. I think that one of the worst things you could do is to have that defeatist view like, “Well, I’m only one person, and I’m an auditor, and I don’t run this place. How could I make a difference?” You can make a difference. You just need to position yourself that way.

Invest Time in Relationships to Drive Change

Richard Chambers: I’ve watched your career over the years, and it’s been evident to me that wherever you went, you were this inspiring change agent in the organizations you served. From your experience, how receptive have members of management and even boards been in the organizations where you’ve served, particularly in the more recent years since you were out of government?

Theresa Grafenstine: I think in general, whether it’s related to an audit or just life, people are a little afraid of change. They’re going to be naturally skeptical. They’re going to want to make sure that they trust you. Why do you want to do this? Is something wrong? Did I do something? Am I going to get in trouble? These are all natural feelings. If we take the human aspects into account, things go a lot quicker and more smoothly because people know that you’re a trusted person. I’m not out to get anybody. I’m not out to get you. I’m out to help us to get to a better place. You can’t come in on day one and say, I’m here to rip the place apart. I’m going to completely turn it upside down and change everything. Nobody wants you to do that. You need to lay the groundwork first by becoming a known person, where they know your heart and where you’re coming from. It’s a good investment of time, and then you can make your changes.

I was in the government for 25 years, in the inspector general world. And then off in public accounting, where you’re dealing with clients, and now I’m in the private sector in financial services. I think there are more things in common across industries than there are differences. Because humans are humans are humans, regardless of their backgrounds. So, I think that those principles hold true across all of those industries.

Orchestrating a Phishing Attack Against the House of Representatives

Richard Chambers: Even in the federal government, when I was wearing the heavy mantle of being the Inspector General, normally you expect that people are going to be resistant and a bit fearful. If you take a different approach, and if you really open up and try to help the organization improve, people will be more receptive to you. Is that what you’ve found?

Theresa Grafenstine: I absolutely find that. I worked for the U.S. House of Representatives for 19 years of my career. You’re dealing with politicians, and the idea that they have an auditor running around actually comes as quite a surprise to some of them. You have to invest time, because every two years we’d have an election and I’d have a new batch of staffers and members that were on my oversight committee, and I’d have to reinvest in making those relationships. But once they get to know you, they realize I’m not out there to make headlines — I’m behind the scenes, and I’m here to make the place better. It’s better if I find the cracks than if a bad actor does.

I think one great example was going into the head counsel for the Speaker’s office and the Minority Leader’s office to say “Hey, I know that one of the biggest cyber threats out there is phishing. We don’t have a phishing campaign right now, but we need to get our 10,000 political staffers trained on what it means to protect the House from phishing. I’d like to orchestrate a phishing attack against the House of Representatives — but I need your support to do that.” Now, it was benign, I didn’t have actual malware attached to it. But it was definitely a heavy lift to go in there asking that. They thought that I was crazy initially, but I sold the case to them as something we needed to do — because if I don’t get people on alert about what a phishing email looks like, a bad actor is going to be successful, they’re going to get on our network, and it’s going to be a lot worse. So after some really intense conversations, I got their buy-in. My organization was the first ever to conduct a series of phishing exercises until it became operationalized. At that point, the chief information security officer took it on as an operationalized role, but we were the ones blazing the trails on that one — and it was risky.

Richard Chambers: So then you didn’t have to be the heavy and go in and tell somebody they inadvertently opened a phishing email. It was on somebody else once you transferred that responsibility.

Theresa Grafenstine: Exactly, but they did click my links! We would send out very enticing messages, because the bad guys will invest time to figure out what’s going to make somebody click a link. We would do things knowing the election cycle and when they would go on recess. For one particular year we did one around Thanksgiving and pardoning a turkey. The White House has been pardoning a turkey since I think the 1950s, and we said, we’re going to do that at the House. I got a lot of clicks on that one. They inevitably would call my office and say, are we going to have that Turkey Gala? And I had to say, “Well, no, it was a phishing exercise!”

Turning Skeptics into Advocates

Richard Chambers: I believe that before internal auditors can be seen as change agents in their organizations, they have to start by being change agents in the internal audit function itself. Do you agree with that? If so, what are some things that you would point to as transformational changes you’ve made in audit over the years?

Theresa Grafenstine: Unless you have your house in order, I don’t know what moral credibility you would have to make recommendations about how other people should be making their ship straighter. One of the first things I do any time I come into a position of leadership is to take an assessment of where we’re at. Then if I can, I benchmark with other organizations, or I talk to people in my network and see what’s going on in the space. One of the things I’ve done that was hugely transformational internally is that I stood up an advisory function at the Inspector General. Unheard of in that community! When I did that back in 2006, it was really, really cutting edge. Nobody had done that, but I felt strongly about it. Obviously, I put up the internal firewalls to make sure you’re not auditing and advising. But I knew that we could blaze the trails and help Congress to noodle through things like, what does risk management look like here? What does something like capital planning look like for things that are institutional, not political? Looking at it through a different lens.

But before I could sell it to the stakeholders, I had to sell it to the auditors. A lot of the auditors thought, “This is blasphemy. You can’t do advisory. That’s not what auditors do.” You have to get people on board internally at first. I think sometimes people are so quick to rush in their changes that they end up making themselves their own stumbling blocks. It takes longer to get people on board, but it will be more successful if you slow down and you talk to people. I asked, “What are your concerns, auditors? Why do you think this is a bad idea? Can we put safeguards in? How can I work with you to make you feel comfortable about this?” Eventually, if you invest that time on the front end helping people understand why you’re going in a particular direction, the skeptics end up being your biggest advocates.

Technology Frees Up Auditors to Use Critical Thinking to Ask the Tough Questions

Richard Chambers: One of the terms that I use for technology in internal audit is that it’s a capacity multiplier — that by using technology, you will enhance the capacity of the department, get audits done quicker and better, and be able to address more risks over time. Are there ways that you use technology in your various roles that you think enhance the effectiveness and efficiency of the audit team?

Theresa Grafenstine: Oh, absolutely. If you’re not using technology, you’re missing out. You’re not giving your organization the assurance that it needs and deserves. I can remember early in my career, I worked for the U.S. Department of Defense, and we would walk around with physical folders for sample items, and there may be 300 sample items. I’d have to carry that big old briefcase around to different sites. Fast forward to where we’re at now. Instead of doing samples, I can look at the entire universe. I think that it is a multiplier. Instead of physically looking at specific fields and specific records, write a script for that. Robotic process automation, artificial intelligence, there’s all sorts of things that are ready right now that we never had in the past. It frees you up to have auditors do things that really require critical thinking and analysis.

My current employer, Citi Financial Services, is hugely invested in innovation. We have an entire department for our internal audit that just focuses on innovations constantly pressing us, “Help us to help you.” I work with the innovations team all the time about things like, “How do we automate this? How can we look through millions and millions of records to identify critical fields? How do we know if a metric is in or out of risk appetite, or it’s going haywire and it’s an area we need to drill into?” Whether it’s in cybersecurity, continuity of operations, business, regulatory areas — the possibilities are just endless. Technology absolutely frees up your staff to do things that are more on the anomaly side and really drilling in and asking those tough questions, instead of using all their time to go through things that can just be done with a press of the button.

Richard Chambers: In what ways has the use of or reliance on technology helped you and your team during the past year? Are there ways that it got you through COVID that maybe were more efficient, and maybe changed the way you’re going to do things in the future?

Theresa Grafenstine: Beyond just looking at things like transactions, when you think about technology with COVID, initially for all of us, it was asking, “how are we going to do our jobs?” Technology has been an enabler for people to stay connected. I have a team of about 300 auditors on my team who are all over the world. There’s no way that we could be in the same room. The fact that we can connect with each other and see each other eye to eye, despite being in different time zones and different corners of the world — that in itself is such an enabler, and I think COVID really pushed that along.

Courage Means Saying What Needs to Be Said — with Empathy

Richard Chambers: In the book that we wrote on agents of change, we listened to more than 600 chief audit executives who told us what they thought were the real attributes that agents of change needed: business acumen, strategic mindset, being relationship-centric, and being innovative. Are there any others that you might add to that list?

Theresa Grafenstine: One I think I would add, which is kind of baked into all of those, is courage. A lot of times being the change agent — it’s scary when you think about it. A lot of times when people think about courage, they think of jobs that require physical danger like being a soldier or a police officer. Those obviously require a lot of courage, but being an auditor — it’s very rare that we’re the popular kids in the room. Not everybody’s happy that we’re there, and they’re not always happy to hear our messages.

Sometimes you’re out there standing on your own in meetings where people don’t want you to say anything, and you have to speak up. Having the courage to say what needs to be said, but doing it in a way that has that empathy, that helps those human relationships, and that shows you understood the problem.

All Auditors Must Be Technologists Going Forward

Richard Chambers: If I ask you to pull out a crystal ball and share your perspectives, what do you think the biggest challenge for our profession will be in the decade ahead?

Theresa Grafenstine: I think a lot of times people don’t feel like they should have to be technologists. You know, let the IT people do that. I think technology might be a challenge for a segment of our audit population, because they don’t feel like that has to be their job. But it’s going to be all of our job because technology’s going to be baked into every aspect of what we do. I would say, really embrace it. It doesn’t mean you have to be a coder. It doesn’t mean you have to go through and start pulling apart algorithms. But you do need to understand that, because we’re immersed in it.