Years as a staff / senior: 4
Years as a Manager / Senior Manager: 6
Years as a Leader: 12
Years as a CAE: 1
Professional Certifications: CIA, CFE, Change Management Designation

Tom O’Reilly: Anne, you would be successful in any career path chosen. What made you decide to dedicate your career to internal audit? What inspired you to choose this path?

Anne DeTraglia: I was unsure about my career path during and after college and fell into auditing by chance. During my first job after my MBA, I was in a management training program at Home Depot when an auditor came to our store. I had no idea what an auditor did, so I decided to follow him around. I was impressed by his knowledge and helpfulness. He showed me how things were supposed to work. I thought, "Auditors are amazing!" Shortly thereafter, I met the head of audit and he hired me into his team, largely due to that experience.

That first interaction with an internal auditor shaped how I want my teams to work with others—people should walk away feeling it was a valuable experience, that they learned something.

Since then, my curiosity has only grown. I want to know everything—it's core to who I am. On the VIA Strengths Finder assessment, which measures 25 character traits, "love of learning" ranks as my top strength. This trait serves me well in auditing, where every day feels like going to school. While I now do more teaching than learning at this stage of my career, I still enjoy the learning aspects of audit, especially in my current company with its complex operations.

I also love public speaking, which is essential in audit—from kickoff meetings to board presentations to speaking at conferences. I'd do public speaking for free; it energizes me that much.

So auditing has really checked a lot of boxes for me. I know auditors sometimes get a bad reputation, and yes, there are some poor auditors out there, just like in any profession. It's a persistent myth which I wish would go away. "Oh no, the auditors are coming—it'll be terrible!" But that's just not true. Auditors generally provide great value to organizations, and people recognize this when they work with skilled, curious professionals.

Tom O’Reilly: Looking through your LinkedIn profile, I see you've held remarkable positions at prominent companies like United Airlines, Nike, Whole Foods, Home Depot, and Sears. More recently, you've moved to slightly smaller companies, compared to those conglomerates. Tell me about the differences between leading internal audit for a Fortune 100 company versus one outside the Fortune 500.

Anne DeTraglia: In large organizations, you typically have more specialized, focused roles. For example, when I went to Nike, they specifically needed a leader for fraud risk management. In smaller organizations, that responsibility is part of someone's broader role—like at Sabre, where fraud risk management is one of my many responsibilities.

Working in a larger company can mean you focus solely on one area, which has its advantages and disadvantages. It's great for developing deep expertise in a specific competency, but it can limit your view of the broader organization. In contrast, smaller organizations require you to be more versatile—a renaissance person, if you will. You handle multiple responsibilities and get everything done.

Another advantage of smaller organizations is that things move faster. You don't have the extensive networking, pre-meetings, post-meetings, and layers of bureaucracy that exist in larger organizations. In smaller companies, everyone knows each other and understands how things get done. Take Whole Foods, for instance—while it's part of Amazon, it operates more like a small company. In these environments, there's clear visibility into who does what, making everything more efficient and straightforward.

Tom O’Reilly: Following up on that thread: If you're mentoring an internal audit staff member who aspires to be a leader—and considering your experience in both large and small companies—would you recommend a specific career path? Is it better to start at a smaller company or a larger one? What advice would you give about where they should work?

Anne DeTraglia: A specific career path? No. I think the best leaders understand they need diverse experiences and will actively seek them out. When people graduate from university and enter the workforce, they often view their career as a linear path or ladder—"I'll do this role, then this role, then this role." But what no one tells them is that careers are more like a pyramid. You spend roughly your first decade building that broad foundation—learning how to influence, navigate organizations, communicate well, and get things done. Then you start narrowing your focus toward specialized skills until you reach the peak you're aiming for.

My advice has always been: don't fixate on titles. Instead, ask yourself what each experience will teach you. While we're all working in service of our organizations, it's equally important that your job serves your career growth. You shouldn't do something solely for the paycheck—unless perhaps it's your first job out of college and you're still figuring things out. Even then, after six months you might realize it's either your dream job or a nightmare, and that's fine. Early career experimentation is valuable.

Also, I wouldn't necessarily tell someone to choose a large company over a smaller one. In big companies—and this has happened to me three times—you risk being laid off during reorganizations or due to the whims of random individuals. In smaller companies, your presence tends to be more essential and you have more visibility. The size of the organization matters less than the experiences you're gaining and how they help you learn about yourself.

I just had this conversation recently with a friend's son who's a college senior trying to figure out his path. I told him to focus on self-awareness work. I like using the ikigai framework, which examines: What are you good at? What experience do you have? What will people pay you to do? What brings you joy and benefits the world? How do these elements intersect? That's your ikigai. When you're early in your career, mapping out everything you've done and what you're good at—even childhood experiences—can be revealing. 

For instance, I had a snow shoveling business at age 12 with a friend. We split the profits based on who owned the equipment, which taught me early lessons about business, fairness, and partnerships. These experiences, even from childhood, can help you identify which jobs align with your skills and accumulated wisdom.

Tom O’Reilly: Another unique aspect I've observed in your career is that you've consistently had responsibilities in internal audit while specifically focusing on risk management functions. I'm curious - are you actively seeking out these risk management roles within internal audit, or are organizations specifically hiring you for these risk positions? From what I've seen, it seems you're probably more often initiating these opportunities, but it could also be both.

Anne DeTraglia: It's been a mix of both. For example, at United, I was initially hired to map out regulatory obligations and develop audit procedures. Within two weeks, everything changed when a new CAE was named who had zero audit experience. He needed help restructuring the audit function. I jumped in to redesign everything—from audit reports and management action plans to auditor scheduling and risk assessment. It was a fantastic learning experience for me.

At Nike, I started in fraud risk management which naturally expanded into compliance work. Since Nike didn't have a robust compliance function at the time, I handled many compliance responsibilities until they built up that team. Then I transitioned those duties back to them. While managing fraud risk at Nike, I also assisted the Enterprise Risk team with anti-bribery and anti-corruption risks, helping them think through measurement and tracking—though this wasn't part of my original role.

I believe this flexibility stems from my love of learning and genuine interest in helping others. While I may be hired for a specific position, I often shape where that role takes me. If you're at the director level or above and someone's micromanaging your direction, that's probably not the right environment. Good leaders should be scanning the horizon, identifying problems, and taking initiative to solve them—adding new skills and experiences along the way.

Tom O'Reilly: So tell me, with this in mind, how are you thinking about shaping your role at Sabre?

Anne DeTraglia: The great thing about Sabre is that it's my first time as Chief Auditor. While I've managed enterprise risk at other organizations, this is my first time leading the audit function in its entirety. I've loved being able to sit, listen, and observe what's happening, then synthesize that information with the organization's needs to develop an action plan. The timing was perfect because the IIA had just introduced new standards requiring an internal audit strategy with corresponding initiatives that must be tracked and reported to the audit committee. This helped me focus on a crucial question: What do we want to be known for?

I conducted a SWOT analysis after taking five months to observe. When I validated it with my team—showing them what I saw as our strengths, weaknesses, opportunities, and threats—everyone agreed completely. No one questioned where these observations came from. This deliberate approach allowed me to evaluate how our function operated within the organization's context and understand where the organization wanted to go. From there, we could map out the changes needed to support those goals.

The process has been really rewarding. After 10 months, we have our strategy and we're executing against it. We've completely overhauled how we do everything in the function. But importantly, these changes weren't made simply because I said so—they were made because they're what's right for Sabre. This approach has gained strong support from the team, naturally, because everyone wants what's best for Sabre and their own careers. I keep both of these priorities in mind as we navigate these changes.

Tom O’Reilly: For an internal audit leader who doesn't currently have ERM or Risk Management as part of their responsibilities, what business case would you make for taking this on? How should other CAEs think about incorporating ERM into their Internal Audit remit?

Anne DeTraglia: I recently did a webinar for the IIA called "Accelerating Your ERM Program" because many Chief Auditors are getting this added to their responsibilities. When management says "You handle risk, so go do ERM," it creates an interesting situation since you're now in that second line of defense. This raises questions about managing independence and objectivity—you need to separate these functions carefully, which requires technical adjustments to your charter and other documentation. I've discussed this with our audit committee.

The best approach is to leverage your risk identification and assessment experience while thinking at the enterprise level. One key point I stressed in the webinar was keeping your risk universe small at the enterprise level. When I arrived at Sabre, they had 29 enterprise risks—far too many to manage effectively. We rationalized that list down to 16 by ensuring we were covering risks at the appropriate level and thinking about them as they relate to Sabre’s strategic priorities.

For Chief Auditors, while you should definitely use your risk management experience, you need to think about it differently. In an audit universe, you might have hundreds or even thousands of items, depending on your taxonomy—whether at the process level, regional level, or otherwise. But at the enterprise level, you're talking about a much smaller number.

At Nike, we had around 18 risks. At Sabre, we have 16. At Whole Foods, we started with 22 and trimmed it to 18. The key is tying these risks directly to organizational strategy.

I would caution audit leaders against adding the latest ‘risk of the day’ to their universe. Often these are risk indicators which help you better understand your current risks’ exposure. For example, we saw a lot of noise in the risk management ecosystem in Q3 of 24 regarding elections, not just in the US, but abroad. While we're seeing significant governance changes in Germany, France, Italy, and the U.S., these might better serve as risk indicators for existing risks in your portfolio. If you have a supply chain risk, consider how political changes in your sourcing countries might affect it. Or if you're monitoring macroeconomic uncertainty in the US, the election outcome could impact that due to proposed tariffs, changes to Fed policy, and their monetary independence, as well as the possible reduction to the labor pool from deportations. These emerging issues don't always need to become standalone ERM risks—they can serve as valuable risk indicators that inform your existing risk framework.

Tom O’Reilly: That's phenomenal advice. Let me ask one more question. I was chatting with another internal audit leader at a university who also owns ERM. She explained that she's struggling with transition—while they do a lot of risk assessment work, they're having trouble moving from ERA to ERM. I'd be curious about your thoughts or recommendations for her and others in that situation. How do you transition and increase buy-in and ownership of the actual risk management work among risk owners, even while you're facilitating ERM?

Anne DeTraglia: Treat your stakeholders like learners. Most people have no idea what ERM is or could be. When I was at Whole Foods leading the ERM work, my vice president gave me excellent advice: put everything into a capability document. I created a six page document with eight sections which covered what ERM is, why we needed it, and what the overall outputs would be with their corresponding benefits. Rather than just regurgitating the COSO Framework, show people what it is and why they should care. Get them excited. I socialized this document with key leaders, asking if it made sense and if they understood their roles. This approach was essential because when people don't understand ERM, it's difficult for them to engage effectively.

A CAE should consider governance at their organization, too. Risk is managed across the organization every day and ERM brings a structure to it which hopefully creates, drives, and preserves value. You need a governance structure. That can be a formalized risk committee, it can be a risk liaison network, or something else that works for your company.

At Sabre, I work directly with the executive leadership team because they are accessible and we are a small company. I meet with them quarterly to discuss how risks have changed and gather their insights. You should also consider your board. If you’re the CAE, think about how much time you want to invest in ERM with the audit committee.  

Lastly, I would tell a CAE who is moving the program from risk assessment to risk management, to start small. At Sabre, I asked the executive team to help select two risks for deep analysis in 2025. Once we chose the risks, I asked them to identify the key risk owners or liaisons who have the subject matter expertise in each risk’s area. We now meet monthly with these individuals to review everything—from risk statements and scoring to risk appetite. We discuss key risk indicators and metrics to track changes to our risk exposure. This has to be done gradually, in small chunks with a focused group, until it gains momentum. I'm confident this approach will take root at Sabre in 2025. Trying to tackle everything at once would be overwhelming. The key is putting the capability framework on paper, including clear roles and responsibilities for risk governance, then starting small with one or two risks and refining the reporting. If something isn't working, we adjust and iterate until it makes sense for everyone.

Tom O’Reilly: And if you keep that base of enterprise risks small—not exceeding 16 to 20 risks at most—then it becomes a manageable initiative.

Anne DeTraglia: Yes, exactly. Even the largest corporations should keep their enterprise risks focused and manageable. When you examine company strategy, you should be able to identify the key risks to execution at a macro level. I like to explain enterprise risk management with an umbrella analogy—it serves as the overarching protection for the company, and beneath that umbrella sits all the risk management activities happening throughout the organization, including internal audit, compliance, cyber-security, etc.

Tom O’Reilly: You mentioned your Internal Audit strategy earlier - I'd love to hear more about your strategic plan and roadmap for the next few years, to whatever extent you can share.

Anne DeTraglia: Our Internal Audit strategy has four pillars, each with specific initiatives. The first is learning and development. This emerged because our team was primarily focused on SOX work—which limited their organizational perspective. We recognized that to deliver more value, we needed to expand beyond SOX, so we developed several learning initiatives.

The second pillar is becoming a trusted advisor to management. Everyone on the team must build business relationships and understand what's happening beyond their daily activities. Risk assessment has been crucial here—we'd never done a thorough internal audit risk assessment before. A member of my leadership team created a methodology and guided everyone through the process of researching, speaking the business language, and understanding management's challenges prior to the risk assessment conversations they had. Interestingly, during this assessment, we discovered that more than half of our stakeholders didn't even know we had an internal audit function—a clear sign we needed to improve our visibility.

The third pillar is modernizing our internal audit function. We lacked basic infrastructure—no audit management system, just scattered files on SharePoint. We had no quality assurance program or other essential elements of a modern audit function. We had not spent dedicated time reassessing the SOX controls and how we were executing that program. And that leads me to the fourth pillar, balancing our plan.

We had been spending an estimated 70% of our resources’ time in SOX, well above benchmark for a company of our size and scale. The program was bloated and recruiting auditors into an audit shop that only performs SOX is challenging. We also had attrition concerns due to the hyper focus on SOX testing.

Streamlining our SOX program has become incredibly important to our strategic priorities. We've evaluated our controls and revised our testing approach for three quarters of our Sarbanes-Oxley program to save time. For example, we identified controls that only need annual testing instead of quarterly. If we have low turnover in an area and the control is stable, why create quarterly work papers? We can assess it annually.

We've also eliminated redundant testing of automated controls. Previously, we checked every application's configuration for segregation of duties, but since we have a change management program that catches these issues, we now monitor changes on the back end. While external auditors may need to do more detailed testing for PCAOB requirements, my team doesn't need to meet that threshold for SOX.

An important aspect of our balanced plan is leveraging technology. We've developed a comprehensive data analytics and automation strategy, led by a team member with a master's in Information Sciences. We're working with the broader organization to streamline control execution for management. One challenge has been collaborating with external auditors on automation and analytics testing—they're cautious about PCAOB requirements. We're trying to find approaches that satisfy everyone's needs.

We're tracking all these improvements across our strategic pillars. I recently presented to the audit committee seven initiatives under the pillar of maintaining a balanced audit plan, four under being a trusted advisor, ten under training and development, and four under modernizing the function. We're showing them our progress with metrics-based reporting.

Tom O’Reilly: What's the hardest part about being a Chief Audit Executive that aspiring CAEs should be aware of?

Anne DeTraglia: That is probably dependent on the individual. For me, the hardest thing is empathizing with the external auditors' perspective. Throughout my career, I've generally found it easy to put myself in others' shoes. However, I've never worked in public accounting, never dealt with the PCAOB, and haven't overseen a SOX program in 20 years.

When I last oversaw a SOX program, Sarbanes-Oxley was only a couple years old, and everyone was still figuring things out. Now I'm back overseeing a SOX program on behalf of management and the challenge comes when trying to understand the external auditor's perspective, especially when they say "the PCAOB expects this." I don't disbelieve them, but I wonder: Are they interpreting it that way because their head office says so, or is that truly what the PCAOB requires? I've had to spend considerable time understanding this ecosystem because it's unfamiliar territory. 

For instance, the PCAOB recently announced they'll focus on technology companies for inspection in 2025—which affects us since we're a tech company and has caught the attention of our external auditor. The PCAOB is also saying they expect to see more analytics and tools being used, but the external auditor’s interpretation of that differs from mine. We've been having productive debates about this, though it remains challenging to fully understand their perspective. That's probably been my biggest challenge so far. 

I would imagine most new CAEs might have a learning curve with managing the board and senior leaders. Sabre is the most open, transparent company I've ever worked for, with genuinely good people. They've made that part of my job incredibly easy, which I'm really grateful for.

Tom O’Reilly: You're definitely not alone when it comes to partnering with external auditors. It's a theme that's come up repeatedly over the past two years. I can certainly appreciate what you're saying, sitting across from me right now.

Anne DeTraglia: Yeah, and I really feel for the more junior people in external audit right now. Since COVID, they're missing out on that crucial in-person development they used to get. Pre-COVID, they'd be sitting in a room with the partner, senior manager, tax person, and everyone else—getting real-time mentoring and guidance. Now everything is remote, working in little boxes on computer screens. They can't just pop their head into the audit room throughout the day to ask "Hey, how are things going?" or bounce questions off senior team members. They're definitely not getting that same level of care and mentorship they used to get. All the firms are struggling with this challenge, I imagine.

Tom O’Reilly: Any parting words of advice for aspiring internal audit leaders? What insights from your career would you share with those aiming to reach the highest role in our industry?

Anne DeTraglia: The word "auditor" comes from "audio"—meaning to hear or listen. That's exactly what we do as auditors: we listen. I think we sometimes forget this, but asking clarifying questions and listening to those answers is the best way to achieve our goals. Don’t make assumptions about what people say. It’s great to get in the habit of saying “Can you tell me more about that?” or “What does that mean?” Or, “I am not familiar with that part of the business, can you expand upon that topic for me?” We often forget how crucial seeking to understand is—it's something everyone should do more of.

Tom O’Reilly: What a wonderful analogy! One last unscripted question: Tell me something unique or fun about Anne DeTraglia that most of your colleagues don't know about you.

Anne DeTraglia: Oh wow, I'm such an open book. They know everything about me—probably more than they should! But here's something people might not know: I've been an endurance athlete for decades. I've completed four Ironman competitions, six or seven regular marathons, and countless half marathons—we're talking dozens. Same with Half Ironman competitions—I've done dozens of those over the years. 

Tom O’Reilly: What a great conversation. I’m so thankful for the opportunity to speak with you today.

Anne DeTraglia: Thanks Tom. This was great.
