Casey Atwater
Head of Internal Audit, ZoomInfo
Tom O’Reilly: Casey, your team's vision statement is "to be a strategic partner to ZoomInfo, providing proactive assurance and advisory services based on data that mitigate risks and enable ZoomInfo to accomplish our strategic objectives." Where did you get the inspiration for that?
Casey Atwater: The inspiration came from two main sources. First, I drew from the IA standards, which emphasize aligning our plan with strategic objectives. Second, as a data-driven professional working for a company that emphasizes the importance of high-quality data for GTM professionals, the team believes in making decisions based on concrete data rather than just conversations. This shaped our vision of providing risk-related data in an automated way to enhance both our audit planning and ZI’s risk-based decision making.
Tom O’Reilly: I've been researching how people define their team mottos, vision statements, and mission statements. There are three common themes this year: we're more than just compliance, we're objective and risk-focused, and we're data-driven. You've directly addressed two of these themes, and by focusing on risk and data, you've indirectly suggested that you're more than just compliance. That's great. Now, we've known each other for several years, and I've gotten to know you better recently. You seem like someone who could succeed in any career path. So what is it about internal audit that made you want to dedicate your professional career to it?
Casey Atwater: I think it's the overall impact on organizational success through building a culture of continuous improvement. Take SOX compliance, for example—our recommendations evolve with time because the control environment, organizational maturity, and technology are constantly changing. We can leverage market insights and emerging technologies to drive improvements. In fact, I believe this is the best time to be in internal audit because we're at the forefront of new technologies. We can truly add value to the business by transforming compliance and risk analysis from an onerous process into a seamless, scalable one.
For example, SOX compliance has traditionally been a burdensome process with numerous manual activities. At ZoomInfo, we've leveraged new tools and technology, particularly AuditBoard's Analytics module, to automate many of these manual tasks.
For instance, we automated user access reviews by streamlining Excel processes and enabling direct comparisons of user access listings between periods. By improving efficiency this way, we demonstrate tangible value to the organization. This allows the business to focus on more strategic activities that advance their core objectives.
Tom O’Reilly: Speaking about SOX in particular, you're one of the people who are truly pushing the boundaries. Having met many internal audit leaders with SOX responsibilities, I've noticed you're expanding what's possible with a SOX program. As you reflect on your career—the work you've done and what you've seen from your peers—what do you think separates good SOX programs from great ones?
Casey Atwater: First, make SOX compliance easy for control owners. They have their day jobs, so simplifying control performance is what separates good from great. Second, to achieve this simplicity, you need a deep understanding of data flow within financial processes. Understanding how data moves from beginning to end helps determine the most efficient ways to use that data for control performance and monitoring.
Training is also crucial. I'm a big advocate for both formal and one-on-one training for control owners and SOX internal audit staff, particularly for specific controls. Both types of training are vital for the SOX environment.
Another key focus is building infrastructure for continuous control capabilities. We're currently identifying requirements for setting up a data warehouse for all compliance-related data. Though we're in early stages, this will support continuous control capabilities by connecting with our AuditBoard technology. This investment in the data warehouse will unlock true continuous control monitoring.
It's also essential to understand your control weaknesses and implement compensating controls that operate quarterly to reduce risk. You'll never have a perfect control environment—controls won't pass every time. But having critical compensating controls that align with your quarterly filings helps prevent deficiencies from becoming significant.
Deficiency analysis is another crucial element. The business often needs support in this area, and helping them analyze and articulate deficiencies to external auditors adds tremendous value. Finally, bringing all business units together to champion an effective control environment is vital. These elements together are what truly separate good SOX programs from great ones.
Tom O’Reilly: If I asked most SOX leaders, they would say they spend 80-90% of their time on testing. Yet not one of the eight things you just listed had anything to do with control testing.
Casey Atwater: That’s fair. But in my opinion, the quality of testing isn't what defines an exceptional SOX program. What truly matters is collaborating closely with the first line and simplifying their work.
When you make the first line's job easier, you ultimately make your own job easier too. That's precisely why I didn't emphasize testing—while the business values testing, they place even greater importance on these other elements.
Looking ahead to next year, our goal is to be well positioned to support our external auditors through a direct reliance approach. Since our IPO in 2020, we've concentrated on building our SOX compliance foundation and training programs. Though we'll need to ensure rigorous testing standards, implementing these other elements first naturally streamlines the testing process.
Tom O’Reilly: Can you explain how you're currently using analytics to improve your SOX program's efficiency, and what are your goals for analytics over the next 6, 12, and 24 months?
Casey Atwater: When we rolled out analytics using AuditBoard's Analytics module, our key goal was to streamline manual controls that involved extensive Excel work and file combining. We conducted a return on investment analysis to identify which controls took significant time for control owners to perform manually and could benefit from automation. User access reviews emerged as a prime candidate - they're manual, quarterly processes that serve as important compensating controls across many areas. We focused heavily on automating these reviews since they're critical to our control environment. Through automation, we can now easily compare user access data to identify administrator accounts, terminated users, and role changes all through automated routines.
We also used these analytics to examine critical risk areas from a change management perspective by having control owners perform lookback analyses for high-rated risk areas. These were some classic use cases this year. For the next 12 months, our short-term data analytics strategy focuses on building robust analytical testing procedures. This includes performing analysis to independently test all material revenue contracts and evaluate journal entry populations through data analytical routines.
Additionally, we'll build our SOX data warehouse to support the foundation of all our analytics. Looking at long-term strategies, we're focusing on using analytics for continuous risk assessment to monitor risks automatically and guide our audit planning process. Currently, our analytics and planning primarily focus on SOX, but we're expanding to incorporate ERM risk as well. We're developing a roadmap to consolidate this data, measure these ERM risks, build relevant dashboards, and use this information for continuous risk assessments to inform our internal audit plan for upcoming years. This represents our long-term strategy.
Tom O’Reilly: Your work with data analytics is quite forward-thinking. How have you gotten your external auditors comfortable with this approach? Are they relying on your team's work, and if so, how did those conversations go?
Casey Atwater: We were transparent with external auditors and involved control owners throughout this process. First, AuditBoard is now an in-scope system for us with a SOC 1 certification, which covers all our analytics operations. Second, we collaborate closely with control owners during automation development, ensuring they perform User Acceptance Testing with full documentation. Third, control owners run the analytics themselves through their workstreams.
We've shared these three key elements with our external auditors. We also have dedicated business owners responsible for future workflow development. My approach to gaining auditor comfort is straightforward: the control performer must be the one executing the control and reviewing exceptions. These analytics simply make the business's existing manual controls more efficient. By engaging control owners throughout the process—from testing through implementation—we've successfully created a process that has the necessary guardrails from an external audit perspective.
While this isn't a black-and-white issue, I believe the focus on independence in internal audit can sometimes hinder our ability to add value. What matters more is objectivity. To maintain this objectivity, we ensure that the person building workflows isn't the same person testing them from an internal audit perspective.
In many cases, objectivity proves more valuable than strict independence.
Tom O’Reilly: We've discussed Sarbanes-Oxley extensively in terms of your team's daily work and how you're adding value to the company. Could you share your team's goals and vision beyond SOX compliance?
Casey Atwater: From an internal audit and risk management perspective, our roadmap spans several years. In year one, we're focusing on increased collaboration with external auditors. Within our internal audit organization, we're establishing clear boundaries by separating into two teams: a controls focus team and an internal audit focus team. The controls team takes a consultative approach with first-line control owners, helping build out automations and streamlining processes—they're not involved in testing at all. Meanwhile, the independent internal audit team performs objective testing, specifically for SOX 404 compliance.
By year three, we aim to build what I call a "connected risk data moat." This involves leveraging ZI’s ERM risk assessments, conducting interviews, and collaborating with functions outside internal audit to develop comprehensive assurance mapping. This helps determine our strategic focus and priorities from an internal audit perspective. As we move through years two and three, we'll gradually decrease our time spent on 404 compliance while increasing collaboration with information security, legal, and compliance teams to enable a continuous risk assessment process. This process will map to our various assurance activities and shape our internal audit plan and strategy. Ultimately, we're building the foundational pieces to evolve beyond being strictly a SOX-focused operation.
Tom O’Reilly: Many of your peers are asking how to reduce SOX 404 work to spend more time on internal audit. What I'm hearing from you is different, though related.
You're focused on maximizing value while decreasing time spent on 404, then using that foundation to build infrastructure for coordination and collaboration across all risk functions. The output of this collaboration creates a more focused audit plan. You're adding an intermediate step with this connected risk approach.
First, you architect the framework. Once that's established, you can focus on areas that bring significant value to the company. That's the future—I'm going off script here, but that's truly where things are headed. Many internal auditors try to minimize their SOX time without getting it right first. They push into strategic areas where they might add value, but they haven't built credibility by mastering the fundamentals. Without earning that opportunity and authority to direct audit focus, they struggle. Their efforts fail because they lack management buy-in. Then they wonder why internal audit doesn't "have a seat at the table," to use that overused phrase.
You're on the opposite end of the spectrum—you've built credibility by modernizing and maximizing SOX value while minimizing time spent. Then you've doubled down, applying this approach to the organization's overall risk perspective and driving synergies across different teams. Only then do you pivot to investing more time in internal audit, providing risk-based assurance and advisory services for key risk areas.
Casey Atwater: Yes, that's exactly the approach I'm taking. While it might differ from others' approaches, I know that having continuous risk assessments will help justify our decisions. Since they're all data-driven decisions, no one can argue with the data.
I'm still in the early stages of implementing this connected risk strategy. Though we've mainly focused on SOX compliance so far, that's definitely where we're heading.
Tom O’Reilly: Like, what's the hardest part about being a Chief Audit Executive that many aspiring audit and SOX leaders may not appreciate?
Casey Atwater: I would say the biggest challenge is the sales aspect of internal audit.
Though we're not typically salespeople, we need to effectively communicate our message to business stakeholders, executives, and committees. This means constantly evaluating how we tailor our message for different audiences. What helps with this sales aspect is proving our value to the business. Right now, that's primarily from a SOX perspective—showing how we can add value by streamlining the SOX process and piloting proof of concepts. The key is not just talking about value, but proving it through tangible results. It's about demonstrating real, measurable outcomes.
Tom O’Reilly: When you're interviewing candidates for staff and senior positions on your team, what qualities do you look for in someone who will be a good fit?
Casey Atwater: It really depends on what the position is. For instance, last year we needed SAP expertise on our team, so I hired someone who was a subject matter expert in SAP. While they weren't necessarily a perfect auditor, they brought specialized knowledge we lacked. In general, when reviewing resumes, I look for concise presentations that demonstrate how candidates have added value in their roles. For senior audit positions, I expect candidates to have certifications like CIA or CPA, or at least be actively pursuing them. I also want to see what technologies they've used, from both audit management and analytical perspectives. Candidates should explain how they've leveraged these technologies to benefit their business or internal audit team. Cultural fit is equally important. To assess this, I have both my team and people from the accounting department interview candidates. Finally, I look for candidates who ask insightful questions during interviews - this shows engagement and proves they've done their research beforehand.
Tom O’Reilly: What are those key skill sets and competencies that you believe your team will need in the future?
Casey Atwater: Understanding AI is going to be the biggest priority, along with systems and foundational IT controls. You can't truly understand AI without grasping these controls, since they're the foundation for AI inputs. Every auditor, even those focused on business processes, needs to understand general IT controls, security, change management, and computer operations. As organizations evolve—especially in tech companies like mine—automation is becoming universal. The days of separate IT and business process specialists are ending. You'll need both mindsets to succeed.
For AI specifically, it's crucial to understand how to leverage it for efficiency. While I'm still learning this myself, researching and testing proof of concepts is essential. For example, I just learned today that AuditBoard Analytics now includes Python integration, allowing us to connect with AI services and feed that information back into our analytics tools. Staying current with these technological advances is vital for building efficient, scalable audit processes.
Beyond using AI, we need to know how to audit it. Within three to five years, most business processes will incorporate AI elements. This circles back to why understanding foundational IT controls is so important—these same principles apply when auditing AI systems. You'll need to understand application controls and IT fundamentals. Most critically, you must understand data controls, since data quality determines AI output quality. Understanding data flow and system inputs is essential for verifying that AI produces reliable results.
Tom O’Reilly: Do you have any other advice or wisdom for professionals looking to advance their careers and drive positive change in their organizations?
Casey Atwater: Yes, the key is curiosity. Ask thoughtful questions about whatever you're reviewing or auditing. Build your ability to learn new technologies—this will be essential going forward. Strive to understand the root causes of business process issues and system errors. Keep asking "why" until you truly grasp the underlying causes. All these valuable traits come from maintaining genuine curiosity.
Tom O’Reilly: Tell me about a fun fact that your colleagues or those who have worked with you might not know about you, but should.
Casey Atwater: I'm very transparent with my team and colleagues, but one thing they might not know is that I played high school football for a couple of years. Though I wasn't a star athlete, I enjoyed the sport. I even had the chance to play against future NFL quarterback Alex Smith and managed to sack him for a safety during his sophomore year. He probably doesn't remember it—we've never kept in touch.
Tom O’Reilly: I’ve never met anyone who’s been so proficient at both sacking deficiencies and NFL quarterbacks.
I really appreciate you sharing your expertise and experiences with me.