Puran Sampat

Tom O’Reilly: Why did you choose to build your career in internal audit?

Puran Sampat: Growing up, I was one of those kids who didn't have a clear answer when asked, "What do you want to be when you grow up?" I'd say, "I want to be a baseball player." But when it came to the business world, I simply didn't know.

When I first heard about internal audit, I had just come out of school doing IT consulting. I had friends in the Home Depot Internal Audit rotational Leadership Program who shared an opportunity for me to be an internal consultant. They emphasized how Internal Audit helps drive process changes and shape the future of Home Depot as an organization. 

That all sounded fantastic to me, so I joined the program, which afforded me the opportunity to work in 15 different areas over my four and a half years at Home Depot. We rotated from retail operations to merchandising to finance to IT. That's what made me fall in love with it—the opportunity to see all aspects of how the business runs, what's effective, what's not, and to grow from there.

While finishing my MBA at Home Depot, my wife decided to pursue her MBA too. We moved to LA where she attended USC, taking an adventure before starting a family. There, I used my Home Depot connections to transition my career to a public accounting firm.  

Tom O’Reilly: So tell me about how you got involved with GE?

Puran Sampat: From a GE perspective, Delta Airlines—where Brandi Thomas was the Chief Audit Executive—was a client of mine at Deloitte. I served as the lead senior manager from the IT side, working with her on numerous projects. She had seen my work from a SOX perspective, and we'd built a strong relationship through traveling together to conferences and other events.

When I left Deloitte and joined Crawford and Company, I took on a director of IT Risk and Compliance role completely outside of internal audit. Though it was a second line function rather than third line, it required similar skill sets. I maintained my relationships with the folks at Delta, keeping in touch with many people there.

When Brandi left Delta at the end of 2020 to join GE, I reached out simply to congratulate her and wish her well. She mentioned she had a Chief of Staff opportunity on her leadership team and thought I'd be perfect for it. That relationship became the foundation for my move to GE and our subsequent building of the GEAR (GE Audit, Advisory and Risk Services) function.

Tom O’Reilly: It's fascinating how small gestures like congratulating someone can lead to unexpected opportunities.

You've been at NCR for about 1.5 years now.  How did you find this role, and what was the interview process like?

Puran Sampat: The process—and I think anyone looking for a CAE role or an executive position within internal audit should understand this—takes considerable time. I remember NCR first contacted me in April or May of 2023, but I didn't receive the official offer until August and didn't start until mid-November.

My first meeting was with the current CAE who was moving on to a Chief Accounting Officer role, so she was interviewing her replacement. The initial focus was on internal audit—discussing the challenges they were facing and what I could bring to the table.

One thing they really appreciated was my experience as Chief of Staff at GE. Having worked on our Internal Audit methodologies, ways of working, technology, and hiring strategies gave them the perspective that I was capable of leading a build and driving change within the organization.

The second round was with the Chief Accounting Officer, CISO, Head of ERM, and Chief Privacy Officer—essentially the peers I'd be working with regularly. This was about understanding their challenges and demonstrating that I could hold my own among these colleagues.

Next, I interviewed with the CFO and CEO before finally interviewing with the three members of the Audit Committee.

Tom O’Reilly: Looking back at the interview process, can you pinpoint any specific moments that you believe were decisive in their decision to hire you?

Puran Sampat: I would say there were a couple of key factors. First, relationship building was my primary focus. During my interview process, I emphasized that modern internal audit isn't just about being the policy police—it's really about driving value to the business. A significant portion of my conversations centered on this philosophy.

I also shared our story at GE, giving them perspective on how we transformed a legendary program like CAS (Corporate Audit Staff) into a more modern internal audit function over the course of a couple years, both through process improvements and technology enhancements. This really drove home that I could be the change agent they needed.

And Tom, as you are obviously aware, you and I have done webcasts together for AuditBoard. My audit committee chair had actually done her own research—she searched for my name and found the webcast we did on benchmarking risk assessments. Her first comment in the interview was, "Hey, I looked you up. I saw your webcast on internal audit risk assessments, and I'm completely aligned with your approach." That made the conversation flow much more smoothly.

Tom O’Reilly: Great point. Reader takeaway: sharing your expertise publicly can have many different benefits.

I'd like to hear about your first 90 days and first year as CAE. How did you set goals, prioritize, and execute your strategy during these periods?

Puran Sampat: I came in with a 90-day plan, but as they say, "Everyone has a plan until they get punched in the face." That's exactly what happened when we had a material fraud about 90 days after I started. We had to shift strategies and focus significant time on addressing that situation.

My initial 90-day plan involved a relationship map. Before I even started, I asked my two directors to develop a map showing where each executive leader worked within our company, how often we'd met with them, and what projects we'd done with them. When I arrived, I added a net promoter score—red, yellow, green—indicating how we were doing relationship-wise with these stakeholders.

It was challenging because internal audit had previously focused more on compliance and was slowly transitioning toward a more modern approach, but I wanted to accelerate that shift. I conducted road shows, met with all our leadership teams, and focused on demonstrating what internal audit could do differently. I explained the difference between assurance and advisory projects, laid out my vision for internal audit, and discussed how they envisioned the function.

This created valuable conversations that helped build relationships across the business and showcase internal audit's potential. But that was just step one. You have to show them the process you'll follow and the results you'll deliver. Working through that material fraud event and subsequent investigations, while delivering high-quality projects throughout the year, cemented our reputation as a value-add organization rather than just a compliance-focused one.

Tom O’Reilly: Looking ahead to 2025, what are your key internal audit priorities?

Puran Sampat: My priority is to continue evolving our technology capabilities.

This approach is saving us hundreds of hours—considering 80 meetings times a couple hours per meeting for transcription and review. While AI isn't perfect—it was about 75-80% accurate—I'd much rather spend 40-50 hours correcting those issues than 200 hours doing everything manually.

Moving forward this year, I'm focused on taking this to the next level: How can I further leverage technology to make my team more efficient? How can we complete projects faster?

Additionally, since we've taken over the SOX program, my goal is to revamp it to be less time-consuming and more stable. We need to refine our control language and descriptions, create a RACI matrix, and define our standard processes. Though this isn't easy work, it's certainly manageable. Once we have these baseline standards in place, we'll be able to operate much more efficiently.

Tom O’Reilly: Can you elaborate on your risk assessment approach? How do you structure these stakeholder meetings, and how do they influence your audit strategy?

Puran Sampat: Our approach to risk assessment is real-time and dynamic, moving away from traditional annual audit plans that can quickly become outdated. Rather than conducting risk assessments once a year, my directors and IA data analytics team members engage in ongoing conversations with business leaders to stay aligned with emerging risks and strategic priorities.

Each quarter, my team and I meet with executives across the organization, adjusting our focus based on where the business is evolving and where challenges are emerging. These conversations help us refine our audit scope and ensure we provide insightful, forward-looking assurance rather than just historical reporting. And the on-going nature of these conversations have helped us develop better relationships and have more fruitful conversations.

When I first joined, I told the audit committee, “I don’t believe in a rigid three-year audit plan or even a fixed 12-month plan.” Risks shift too quickly. Instead, I present a six-month plan and revisit it mid-year based on new insights. This approach allows us to be more agile and value-driven, ensuring that our work aligns with the company’s evolving needs.

Tom O’Reilly: Are there any additional initiatives you have in place for 2025?

Puran Sampat: Another priority is investing in my team from a people perspective. I want to enhance our training and really drive continuous improvement. 

I'm working to allocate my budget to ensure we have resources for training, travel, roundtables, and similar development opportunities. My philosophy is that you need to engage with the broader community—see what other professionals are doing, have conversations with peers at other companies in Atlanta and around the country, and participate in training so we can continue to evolve. The business environment is constantly changing. If internal audit doesn't evolve alongside it, we'll fall behind and lose our relevance.

Tom O’Reilly: Let’s transition to discuss more about your team. What qualities do you look for when hiring? During interviews, what signals tell you someone belongs on your team?

Puran Sampat: I look for candidates who are personable, adaptable, and comfortable with technology. Internal audit is evolving beyond a "check-the-box" compliance function, and I need auditors who bring innovative solutions and a collaborative mindset.

Being able to build relationships is critical—internal audit is a partnership, not an adversarial function. I also value candidates who think differently and look for ways to improve processes, rather than just following existing procedures. Lastly, as the function becomes more data-driven, auditors must be comfortable leveraging technology—those who struggle with analytics or AI will face challenges as these skills become increasingly essential.

Tom O’Reilly: For those you've promoted throughout your career, what have they done to prove they’re ready?

Puran Sampat: I look for people who take initiative, actively contribute beyond their core responsibilities, and are open to feedback. In a previous role, we promoted a team member who volunteered to lead a Center of Excellence for our audit management system. They built dashboards and automated processes while balancing their regular workload—demonstrating both leadership and innovation.

Transparency and communication are also key. I appreciate when someone identifies challenges and proactively works to solve them, rather than holding back concerns

Tom O’Reilly: What are the skill sets and competencies needed for the Internal Auditor of the future? 

Puran Sampat: I would say, the more we explore what the future of internal audit looks like, the more I'm convinced you need people who can play both roles—finance/operational auditor and IT auditor.

As we move forward, the old days of "we've got just a finance team, we've got just an IT team" are becoming obsolete. You're going to have integrated audits where you're engaging with stakeholders who understand the people, processes, and technology. You can't just rely on siloed expertise anymore. You can't have an IT auditor who doesn't speak the business language, and you can't have a business auditor without at least basic IT knowledge.

I also believe the internal auditor of the future will be more focused on assessing the impact on the broader organization in their audits. Having company knowledge and approaching conversations with an understanding of strategic risks—as opposed to merely citing what our policy says—is crucial. People have been saying this for years, but it continues to be the case. You still see this mindset within our industry, though I see this changing for the better.

And lastly, as mentioned earlier, you cannot be afraid of technology if you're a mid-career auditor, manager, or young senior manager. You've got to embrace technology, because your stakeholders are going to embrace it, and you're going to fall behind if you don't.

Tom O’Reilly: Any parting words of advice for those who aspire to make a positive impact in Internal Audit?

Puran Sampat: Raise your hand. I think that is the one piece of advice I would give people. The CAE, while he or she wears that leader hat, doesn't know everything.

Tom O’Reilly: I know we've focused entirely on business, so tell me one fun, unique thing that most of your department colleagues or industry peers don't know about you. 

Puran Sampat: I enjoy a rather unique hobby. During COVID, like many people, I discovered mixology and cocktail making—an interest I've maintained since then. I've created Indian-inspired versions of Old Fashioneds and developed several distinctive martini variations.

For example, my Indian version of an Old Fashioned features a saffron-infused simple syrup. I found some tart cherry bitters with a saffron base that, when combined with the saffron simple syrup, created something truly phenomenal—essentially a spiced bitter perfectly complemented by the aromatic saffron sweetness.

Tom O’Reilly: Well I can cheers to that. Thank you for your time and a great conversation.