Andrew Struthers-Kennedy

Tom O’Reilly: Andrew, we've known each other for almost a decade. You're an incredibly capable and competent professional—what made you decide to build your career in internal audit and SOX consulting? What is it about this field that convinced you to make it your life's work? Well,

Andrew Struthers-Kennedy: I've spent my entire career in consulting and professional services. I started at Arthur Andersen in the UK as the global partnership was unwinding. When Deloitte acquired the majority of Andersen's UK practices and people, I transitioned there. A couple of years later, Protiviti—which had emerged from Andersen's risk consulting business in 2002—was expanding internationally. They were building out their UK business, and five of us from Deloitte (all formerly Andersen) joined to help with that expansion.

I've been in risk consulting ever since. I can't claim any special foresight in choosing this career path from my time as a student—I was simply attracted to the Big Five and other consulting firms' strong reputations for quality training programs and immersive early-career development opportunities. I wasn't afraid of hard work and wanted an organization known for robust training and talent development.

I started in Andersen's Business Risk Consulting and Assurance practice, specifically in their Computer Risk Management group. This was cutting-edge IT risk and controls work in the mid-to-late '90s. When I moved to Deloitte, I joined their Enterprise Risk Services (ERS) practice supporting both internal and external audit, again focusing on IT. My interest in governance, risk compliance, and assurance just continued to grow. I was always curious about our client companies and eager to learn more about how they operated, how they used technology, and how they were managing risks and opportunities related to use of technology.

I have a natural curiosity—asking questions, seeking to understand how things really work, looking for improvement opportunities not just in risk management but in streamlining operations and leveraging systems. This approach has defined my 25-plus year career. About seven or eight years ago, my predecessor Brian Christensen (something of a legend in the internal audit community)  asked me to realign internally within Protiviti to lead our Technology Audit and Advisory practice reporting to him—a natural extension of my work that had been more broadly focus on governance and risk management, but now with a specific focus on internal audit and controls assurance.

A few years in that role led to my current position leading the broader global practice. In the time I spent reporting to Brian, we established our Internal Audit Next Gen framework (which has stood the test of time and is still referenced heavily today), and also established a formal part of our practice focused on developing solutions and services related to enabling technologies (including data and AI, and even though AI solutions were far less accessible back then, we had a clear vision on the transformative potential they represented to internal audit- and controls-focused professionals).   I love helping companies discover things they might not have time to explore themselves—opportunities to work better, faster, and smarter while managing risk effectively. As an internal auditor, you get unique exposure across the entire business, vertically and horizontally, from analysts to executives and board members. I haven't found another role that offers such comprehensive insight into all aspects of an organization. This remains true today.

Now, our profession is increasingly focused on transformation, advancement, innovation, and technology enablement. There are many more opportunities to provide consultative services and engage in discussions about transformation. While we have professional guidelines and guardrails—it's not a free-for-all—there's significant room for innovation, especially in the adoption of emerging technology, data analytics, and other tools to improve our work. That's extremely exciting.

Tom O’Reilly: If you had to pick just one transformation initiative that every internal audit team and leader should prioritize, what would you say is most essential? What's the one thing everyone should have implemented already or seriously consider implementing now?

Andrew Struthers-Kennedy: Ha! You can't make me pick just one. I think AI would be the expected answer—and I genuinely believe that as a profession, we need to fully embrace it. We must develop a robust understanding of AI's capabilities and limitations while educating ourselves on how to maximize its value in our daily work, particularly with GenAI and large language models. My number one recommendation, especially for those starting out, is to educate yourself on effective prompting techniques (a discipline that has emerged along with the emergence of GenAI solutions and formally referred to as “prompt engineering”). Practice these routinely and use these solutions for your own productivity—you'll quickly find opportunities to apply them in a business context.

But I also think there should be more emphasis by Internal Audit teams on further developing capabilities beyond just the technically-oriented areas. Whether it's cybersecurity, sustainability reporting, or fraud risk management—these technically-oriented areas, along with emerging technologies, data, automation, GRC, and AI, sometimes cause us to overlook what I have heard referenced as “power skills”. These include creative thinking, critical thinking, effective communication, problem-solving, an innovative mindset, and the ability to deconstruct and distill complex concepts into elements that can be simply evaluated and communicated. Add to that effective project management and leadership—there's a whole range of these skills, though this isn't exhaustive.

When I think about the contemporary and future auditor, if we have a base level of data acumen combined with the right complement and depth of these power skills, we're looking at a highly effective internal consultant. That person becomes a valuable internal auditor and an impactful external consultant. You can more effectively deploy and apply technical skills when viewing them through this power skill lens. So if I had to pick one area, it would be exploring and examining the right complement of skill sets in individuals and teams as we build our functions for the future.

Tom O’Reilly: That's a fantastic answer. Looking back on your career—your professional track record in our industry is matched by very few. As you reflect on your own success, what key attributes do you believe directly contributed to becoming the global leader for Protiviti?

Andrew Struthers-Kennedy: Career paths vary based on contextual factors like your organization and the roles you take on or aspire to. Everyone's path needs to be charted differently. Let me offer a few key attributes.

There's a common phrase that "hard work pays off." Being willing to go the extra mile never hurts. Early in my career, I had a different perspective on working extra hours than what might exist today. My view was that if I put in 60 productive hours per week—and I'm not suggesting this is the only way or even recommending it—that's effectively a year and a half's worth of work in a year, benchmarked against a 40-hour week. By being deliberate about the experiences I sought and making productive use of that additional time, I could accelerate my learning curve. I gained more exposure and could better identify my interests—whether in types of clients, industries, strategic initiatives, or people inside and outside the organization I wanted to align with. This approach helped me reach my goals faster than I might have otherwise.

I continue challenging myself to learn something new every cycle. For some, that's 30 minutes of focused learning daily. For others, it's weekly, or project-by-project. The cycle itself isn't important—what matters is having a mindset of deliberate, continuous learning and staying attuned to the market. For us, that means understanding what our clients and buyers care about, ensuring we're keeping pace or staying ahead, and bringing relevance, value and insights to our discussions. We want them to walk away having learned something new from their encounter with us. 

Tom O’Reilly: In your role at Protiviti over the past 15-plus years, you've probably hired over 200 internal audit consultants. When you're interviewing candidates and coaching your leadership team on interviewing internal auditors, what key traits do you look for in individuals who will carry out internal audit responsibilities?

Andrew Struthers-Kennedy: This will vary depending on your mandate, function, and team's primary focus. For us in the client service business, I'll share three key criteria I learned from a partner early in my career—and they still hold true today.

First, would I feel comfortable introducing this person to my favorite client? Would I be comfortable working with them on a long-term assignment? There are variations of this, like "Would I enjoy sitting next to them on a long flight?" These questions really point to cultural fit. Do I feel this person will align with our organization's culture and values, which we hold sacred? Will they be a good fit for how we interact with clients?

Beyond the interpersonal aspects, there's the technical evaluation. Do they have a compelling career story? Not everyone meticulously plans their career path—some take a more opportunistic approach. But can they articulate their journey authentically, especially if they've worked in multiple places? Do they show genuine interest—more than just looking for a job—and excitement about this opportunity? Can they clearly explain why they think Protiviti is the right next step in their career?

Finally, I evaluate whether they have interests that align with our clients' focus areas. These might be industry-specific, sector-oriented, or particular domains where we're looking to expand our team's expertise—technical areas like cybersecurity, AI, ESG, or fraud. These are the main criteria I consider in discussions, along with their enthusiasm and excitement. I make my own judgment about whether that enthusiasm is genuine, based on how they discuss their career journey and this potential opportunity.

Tom O’Reilly: After they've been at Protiviti for two, three, or four years as a staff or senior consultant, what attributes do you and your leadership team look for to determine if they're ready for more responsibilities and promotion?

Andrew Struthers-Kennedy: One of Protiviti's key strategic priorities is delivering exceptional experiences. We aim for a five-star experience—both internally and for our clients—while developing that same level of loyalty within our teams and client portfolio. Though this is crucial early in one's career, it remains a core measure for evaluating ourselves and our teams throughout. Are we consistently delivering exceptional experiences? Does this person truly impress—showing engagement, knowledge, and producing work with a wow factor? While not everything can have that wow factor (it's challenging to make an RCM exciting), the care and attention invested in the work product, especially at the earliest career stages, distinguishes high performers and those showing high potential from those who may not push themselves further.

Simply being "good enough" isn't sufficient. Every deliverable needs that extra review cycle—it carries your name, the company's name, and the client is paying for it. It must be our absolute best work. This mindset and follow-through begin to differentiate people early in their careers.

Our industry has additional specific requirements: Are they engaged in the profession? Do they actively participate in organizations like the IIA? Do they take their professional networking seriously and approach it systematically? As careers advance, maintaining an active professional network that facilitates introductions and referrals becomes invaluable. In consulting, where sales expectations increase with seniority, success becomes much more challenging without a well-cultivated professional network.

Do they demonstrate serious commitment to professional development? Are they supporting both internal initiatives and external activities? It circles back to what I mentioned about raising your hand and keeping it raised—showing genuine interest and enthusiasm for areas beyond core client service, then actively participating. These traits consistently mark the high performers and high-potential individuals I've encountered throughout my career.

Tom O’Reilly: Yes, and I imagine you would agree that these characteristics are just as applicable to those in Sarbanes-Oxley and internal audit functions as they are to Protiviti.

Andrew Struthers-Kennedy: Absolutely. Another key trait we routinely notice is someone who follows the "see something, do something" principle. These individuals don't just identify opportunities for improvement—they take initiative to implement solutions. Whether it's revamping our work papers, enhancing our delivery methods, or applying emerging technology to solve a problem, they don't simply point out the opportunity. Instead, they take ownership and develop solutions, often returning with a prototype or fully packaged approach.

This problem-solving mindset of seeing challenges and actively tackling them puts people in the spotlight faster than other qualities. It's exactly the kind of proactive approach our clients expect from us, and we love seeing it from our team members on internal matters.

Tom O’Reilly: Let's shift gears a bit. What distinguishes good Chief Audit Executives from truly great ones?

Andrew Struthers-Kennedy: I think—and I'll borrow this from a colleague—the key mindset is putting yourself in the position of senior management and the audit committee. We must constantly challenge ourselves to answer essential questions: "So what? Who cares? What does this really mean? Why should I care?" We've all been in audit committee meetings where we get questions directly about the relevance or value of a particular observation. The great audit leaders consistently challenge themselves to have clear and compelling answers to these questions.

When you maintain this mindset, consequential opportunities reveal themselves. You naturally focus on strategic areas because anything less won't stand up to these fundamental questions. You engage more often in an advisory capacity alongside your assurance role, providing contemporary and forward-looking perspectives in addition to traditional checks and balances. You lean heavily into data-driven insights and thoughtfully embrace new tools and technologies—not just because they're trendy, but because they genuinely add value.  You are focused on learning and developing and building high performing teams and exciting career opportunities.

We've written papers on these characteristics, but it comes down to strategic alignment, an advisory mindset, and a laser focus on delivering relevant value and insights. This includes leveraging enabling technologies across the spectrum—from traditional analytics to contemporary GRC solutions and emerging AI capabilities. It's this combination that separates the best audit leaders and functions from those still developing.

Tom O’Reilly: Great response. When you think about your clients and their audit committees in 2025, what do you believe are the expectations for Chief Audit Executives? From the audit committee chair's perspective, what should a world-class CAE deliver?

Andrew Struthers-Kennedy: I think audit committees are expecting clarity on the strategy for the internal audit function—now a requirement in the new Global Internal Audit Standards. Beyond that, audit committees want more than just progress reports and readouts. They expect audit leaders to provide perspectives and insights on industry trends. Audit leaders can gain these insights through networking groups, peer connections, and engagement with other leaders in the profession, including partner firms and thought leaders like you, Tom, who provide valuable perspectives in this space.

Distilling and curating these insights for committee briefings is becoming a leading practice and growing expectation. Having a clear strategy—you might call it a transformation plan—means communicating to the committee how our function will evolve over the coming year. This could cover our methodology, reporting approaches, engagement strategies, and technology roadmap.

It's also crucial to strike the right balance between assurance and advisory work, which varies by organization and the mandate provided by the audit committee. Some committees are very focused on assurance and specific aspects of the organization's risk profile, while others want internal audit to engage more broadly in strategically critical areas.

Understanding committee expectations should be a two-way dialogue. Present them with emerging practices, options, and opportunities while being receptive to their feedback. This push-pull dynamic becomes self-reinforcing over time—the more you share about your initiatives, leading practices, and industry developments, the more engaged they become. While they may not adopt every suggestion, this ongoing dialogue ensures we're aligned with their expectations and organizational mandate.

Tom O’Reilly: If I'm advancing in my career and have just earned the opportunity to become Chief Audit Executive at my current company or a new organization, what would you advise? How would you coach me about the hardest part of being a CAE that new executives don't fully appreciate until they're in the role? What's the one thing you would warn me about before I start my role as a CAE?

Andrew Struthers-Kennedy: One of the most critical aspects is building relationships with your board and audit committee, especially without prior exposure to them.

Many new CAEs find this aspect particularly challenging due to their limited board-level experience.

Your leadership capabilities present another vital consideration. If you're new to managing team performance, developing staff, or evaluating organizational gaps—especially when determining how the function should evolve—the people leadership component can be daunting. These leadership skills often require time and experience to develop, as they rarely come naturally to new CAEs.

Tom O’Reilly: As a Chief Audit Executive seeking a co-source partner, what criteria would you recommend I use in making my selection?

Andrew Struthers Kennedy: As a buyer, you need to assess cultural fit carefully. Ask prospective partners about their engagement approach, especially regarding any friction points you've experienced with previous partners. Have robust discussions about day-to-day operations—similar to hiring employees, you'll spend significant time together. You want to ensure there will be strong relationship building and trust development, with clear and honest communication between teams.

Another key dimension is evaluating their capabilities. Do they have the breadth and depth to meet your specific needs? Consider factors like geographical presence, team size, and expertise across relevant domains. I strongly recommend meeting the actual team members who'll do the work. At our firm, we don't separate sales from delivery teams—we're one unified team. The people you meet during the selection process are typically the ones you'll work with daily.

It's also crucial to understand if internal audit is their core focus. For us, it's a key differentiator—we're not a CPA firm, but dedicated internal audit professionals. This is our year-round focus, not just outside busy season. Our commitment is evident through our partnerships with the IIA and other organizations. We've been leaders in Sarbanes-Oxley since it became law, demonstrated through our thought leadership and various activities. Ask potential partners about their day-to-day focus, their passion for the work, and their investments in resources, training, and enabling technology.

The feedback we consistently receive from clients highlights our unique engagement approach. We strive to become indistinguishable from the internal client team—in fact, we often hear that people didn't realize we were from another firm. That's the highest compliment for us, as it shows we've successfully integrated into their culture.

While many global firms offer broad capabilities, what matters is how they invest in and apply these skills. These are the key considerations I'd share with any buyer, whether they're considering us or another firm. It's the same advice we give our clients when they're evaluating third-party partnerships.

Tom O’Reilly: I want to emphasize both your team members and your thought leadership. The quality and depth of your internal audit-focused thought leadership is remarkable. I don't understand why other firms aren't producing content at this level. While I'm trying to do similar work, I can't match your scale. It's an excellent North Star to aim for. Thank you.

Andrew Struthers-Kennedy: Thanks, Tom.  This is what we do—it's core to our identity. Look at the websites of Big Four firms and you'll see where internal audit sits in their service offering hierarchy. It's not a top-level service, often buried under categories like cyber risk and resilience. That's not particularly logical for someone seeking internal audit services. In contrast, visit Protiviti's website and you'll see internal audit as a headline practice and service offering. This positioning is very intentional. We're also one of the few firms that still explicitly calls it "internal audit services" rather than rebranding it as something else. This aligns with the Institute of Internal Auditors—the global authority for professional standards, certifications, and advocacy—which maintains "internal audit" in its name. Our internal audit consulting practice fits naturally with this framework. I believe this explains why it's not as much of a top-level focus for others as it is for us. And that's not changing.

Tom O’Reilly: One final question before we wrap up. We've covered a lot of serious business topics, so let me ask you something more personal: What's something fun or interesting about Andrew Struthers-Kennedy that too few of your colleagues know?

Andrew Struthers-Kennedy: First of all, I love to spend time with my family.  That’s the #1 way I like to spend time when not working.  Both my wife and I coach our kids’ sports teams and that’s a huge exercise in patience but also a great reminder of how kids view the world – so much more focused on the process and enjoyment than outcomes – it’s immensely rewarding.

I don't know if this is unique, but I enjoy challenging myself physically.  Exercising helps me clear by hard and a challenging workout takes both mental and physical effort.  I do most of my exercise at home and centered around high-rep calisthenics workouts—that's my thing. For me it’s about doing something challenging, maybe even something you aren’t sure you can complete.  Not many people get it, including my family, but getting through 1,000 burpees or 1.000 push-ups and squats, pushing through the moments where you want to quit and telling yourself you’ve “done enough”, I find that quite rewarding.

I think it’s important we push ourselves periodically to show and prove what we can do – and that doesn’t have to be a physical test, it could be going with electronics for a weekend for example, something that requires a bit of focus and willpower.  

A phrase that sometimes gets thrown around is “get comfortable being uncomfortable”.  I think the ability to operate in uncomfortable situations has to be trained and learned and that’s a key component of resilience, that also gets talked about a lot.  It carries over and also applies in a professional context – practicing dealing with difficult situations will make you way more likely to be able to handle them effectively when they inevitably arise.

I also love to cold plunge and that definitely falls into the category of doing something difficult and, in the moment, not particularly enjoyable and there is something pretty honest and humbling about getting in a tub of frigid water and staying in for a few minutes.

Tom O’Reilly: You're the David Goggins of internal audit!

Andrew Struthers Kennedy: Ha! Not sure about that. He’s a totally different level but I do channel Goggins in my head sometimes when I'm ready to quit. Really enjoyed this discussion, Tom and want to thank you for all that you have done and continue to do for our profession and practitioners.