Robert Taft

Tom O’Reilly: Let me ask you something Robert. Given that you're clearly successful—capable, confident, articulate, and thoughtful—what made you choose to excel and build your career in internal audit? 

Robert Taft: Let me go back to my college years. I majored in government and international relations with a minor in business, thinking I'd go to law school. After graduation, I worked at a law firm briefly to get a feel for it, but it didn't resonate with me. So I decided to pursue a Master's in accounting—partly because I knew it would lead to good job prospects, and accounting provides valuable fundamental skills for any career path. Interestingly, my government and international relations background proved quite useful, as diplomacy and negotiation are essential parts of what we do—showing tact, understanding different perspectives, and finding compromise. 

After that, I went the Deloitte & Touche route. Then I had the opportunity to move into internal audit. The variety of work really appealed to me—from preparing work papers to improving operations, working with management, understanding business models, and even being involved in organizational culture. I've stayed with it ever since, though I once thought I might leave internal auditing. Changing industries has given me fresh perspectives and new challenges, allowing me to absorb new information and provide significant value. 

Tom O’Reilly: In your LinkedIn description, you highlighted being a trusted advisor to senior management, the audit committee, and the board. That's a term many internal audit leaders use. I'm curious—how do you personally internalize and define what it means to be a trusted advisor to these key stakeholders? 

Robert Taft: To me, there are a couple of key aspects. First is the ability to be trusted with confidential information and maintain that confidence. People often come to you—almost like a father confessor—to bounce ideas off you, share concerns, or seek your perspective on possible actions. Sometimes they just need an independent ear to listen. We serve that role quite frequently. 

Another crucial element is our focus on industry knowledge and benchmarking. For example, I just sent an article this afternoon about the University of South Florida's new stadium and their sustainability initiatives. I shared it with our athletics department and sustainability group to help them explore potential improvements. USF is pursuing LEED certification for their stadium—an interesting approach. This kind of sharing, collaborating, and demonstrating understanding of the business goes a long way. 

I also think it's essential to develop recommendations that are mutually agreed upon—ones that we both consider valuable, reasonable, and achievable. We often face discussions about "unfunded mandates," where we suggest ideas without addressing how to fund them. We need to be mindful of this and offer both short-term and long-term funding strategies. These factors make me confident in our approach, which was validated by positive feedback from our most recent QAR. 

Tom O’Reilly: I see, so let me summarize those key points you mentioned. First is maintaining confidentiality while creating an environment where people feel comfortable sharing sensitive information. Second is leveraging industry knowledge and benchmarking—providing insights about what others are doing rather than just pointing out problems. And third is developing mutually agreed-upon recommendations and actions. This reflects a more collaborative approach, where instead of working in isolation and presenting fixed solutions, the team works symbiotically with the business to develop effective plans. 

Robert Taft: Absolutely. The fact that people are actively reaching out to us for projects and engagements is a great sign. It's especially gratifying when they want us to come in, and we're getting enough requests to keep us busy and then some. While we can't always respond as quickly as we'd like, having an open pipeline of work is very encouraging. 

Tom O’Reilly: How do you strike the right balance between assurance projects and management-requested engagements? 

Robert Taft: That's a good question.

Tom O’Reilly: I like that approach. I haven't heard of that before, and it really resonates with me. Instead of just giving a binary yes-or-no response, we can say "Thanks for the request. Let us incorporate it into our risk assessment process that determines how we allocate time. Based on the risks we identify and your needs, we can provide a more thoughtful response about whether and how we can help." 

Robert Taft: We have a rolling quarterly plan. We aim for 90-day audits  (and occasionally hit our target 🙂), and we maintain a watch list of about 20-30 potential projects. We pull these projects in quarter by quarter as timing works best for the university. For instance, we want to look at academic advising, but they're going through a major strategic and organizational initiative. So we'll wait a couple quarters on that and look at something else, like auditing a college. 

The next thing we're trying to do—which aligns with where the industry and CIA trends are heading—is expanding our mix of advisory work. When we select an entity from our audit universe, we work with them to determine what would serve them best: a standard assurance audit or advisory work. We want to understand them and provide the most valuable service for their needs. 

One of our goals is to leverage AuditBoard and incorporate their templates. After completing the risk assessment, we'll determine whether to pursue advisory or assurance work based on their needs and our assessment of risks and opportunities. Then we can use these templates to clearly outline the deliverables they'll receive based on specific criteria. That's the vision we're building within OpsAudit—creating these template-driven processes. 

Tom O’Reilly: And you're giving the audit customer a choice between a traditional assurance project or an advisory project? 

Robert Taft: Exactly. It will be a mutual agreement. If we see it's not a mature environment and assurance is necessary, we'll have to go that way. But we might find areas that are more developed. For example, we're looking at technology transfers right now—patents and licenses—and they're doing a lot of good things. It will probably be a standard assurance audit since we haven't been in there for a while. However, I could easily see that becoming an advisory audit or supplemental project down the road, based on their maturity model.  

Tom O’Reilly: So when you think about 2025, beyond just executing the audit plan, do you have any major goals or initiatives that you'd like to accomplish? 

Robert Taft: Looking ahead to 2025, we'll hope to be fully staffed for the first time in at least three years. Our main focus will be strengthening our internal processes and team collaboration. Since we often have audits, investigations, and IT projects involving the same stakeholders, improving communication and coordination between teams is crucial. We're also implementing the new Internal Audit standards, which we are incorporating into our strategic plan for the December Board meeting.  

We'll continue refining our reporting process, including a new requirement to rate individual items—something we'll need to clearly explain to our clients. So our two main priorities for 2025 are enhancing internal coordination and implementing these new standards. 

Tom O’Reilly: Interesting, so your audit reports, you would just provide an overall rating. 

Robert Taft: Yes, we do that now. 

We use a residual risk scoring model with color coding—red indicates concerning or critical levels of residual risk, while green shows well-controlled areas. Currently, we assess the overall risk without rating individual items in our formulas.  

However, we're moving toward listing individual ratings, which presents some challenges. For instance, if you have two yellows and one orange, how do you determine the overall score? I've never been a big fan of scoring because people often focus more on the score than on making improvements. Still, this seems to be the direction we're heading, so we'll implement it as effectively as possible while trying to keep the focus on what matters most—improving controls.

Tom O’Reilly: What’s the hardest part about being a CAE that most non-CAEs don’t appreciate?  

Rober Taft: I was thinking about that question, and one of the main challenges is prioritizing and time management. While everything can be analyzed and risk-assessed, we try to focus on projects that will have the greatest impact. Still, day-to-day issues come through—like access badges not working or other relatively minor issues—that we must address even if they're not strategic priorities. 

“I think the key is maintaining our focus at the strategic level while also managing the small but necessary tasks to achieve operational and process excellence like proper documentation, system access, and reconciliations. There will always be a place for process-level assurance work, regardless of our advisory and strategic consulting aspirations. This is especially true for non-public companies without internal control offices—if we don't do it, who will? “

Tom O’Reilly: When you reflect back on your 18 to 23 years of leadership experience, what attributes do you look for when promoting team members? Specifically, what qualities tell you that someone at the staff or senior level is ready for advancement? What are the common themes you've noticed among successful candidates? 

Robert Taft: You know, it's interesting—I presented at the ACUA annual conference with Agnessa Vartanova from the University of Colorado. Our presentation was "Five Easy Ways to Wow Your CAE," where we discussed key factors like written and verbal communication skills, proficiency with audit software, and being proactive. These qualities really stand out when considering promotions. 

On a smaller staff, promotions can be challenging because opportunities are limited and you want to avoid becoming too top-heavy. I've found it's easier to manage span of control in larger organizations. I often tell people they need to be ready when opportunities arise, since they may not come every year. For staff to senior promotions, the criteria are straightforward: taking on responsibility, showing curiosity, developing communication skills, and getting positive client feedback. These demonstrate both competence and confidence. 

I struggle with how to keep these skilled individuals engaged when they don't want to pursue the traditional management track or lead a function. I don't know if you have any thoughts on this, but that's where my mind goes with this. 

Tom O’Reilly: One final question—when evaluating written and verbal communication skills, especially in audit reports and presentations, what specific qualities do you look for to assess someone's effectiveness? 

Robert Taft: On the written side, one of the main challenges is that people often don't keep their audience in mind. I have to remind them to focus on the executive summary—that's for the Board, President, and Provost level, so we need to be concise and direct.  

We recently surveyed our stakeholders about what they like and don't like in our reports. They prefer graphs and charts, with visuals becoming increasingly important. Interestingly, about 55% of respondents said they read reports cover to cover, which surprised me. Given this high readership, we're aiming to create focused eight to nine-page reports, including appendices. 

For verbal communication, it comes down to observation. We watch how they handle exit and entrance conferences and their interactions overall. Recently, we've been discussing as an organization that we need more phone calls—we rely too heavily on MS Teams chat and email instead of talking directly with people or using video.  

Direct communication gets things done faster and with more clarity. We emphasize this with our team: don't just hide behind text and keyboard. I know I sound like the old guy yelling at the rise of modern technology, but younger generations aren't always as comfortable with face-to-face or phone interactions! Having these personal connections builds stronger relationships and improves efficiency. As I said, I'm channeling my inner Abe Simpson from The Simpsons, but that's how I feel about it. 

Tom O’Reilly: Alright, let's shift from talking about promotions to discussing how to join your team. When you're interviewing candidates, especially for internal audit staff or senior positions, what gives you the confidence to say "Yes, let's make this person an offer?" 

Robert Taft: We look for several key things. First is their track record. When we see resumes showing someone leaving jobs every one to two years multiple times in a row, we have to consider: Are they seeking growth opportunities? Are they not working out? Or do they get bored easily? We prefer candidates who show upward mobility, even early in their careers—whether that's moving from staff to senior level or taking on increased responsibilities. 

We typically start with Teams or Zoom interviews to assess how candidates present themselves. Do they appear composed? Have they researched our organization? Do they ask thoughtful questions? Have they reviewed our website or looked us up on LinkedIn? These factors help determine who moves to the next round. 

Then we conduct case studies. We give candidates 45 minutes alone with a real scenario we've handled. They can ask questions as they work through it. We evaluate the finalists based on their understanding, questions asked, documentation quality, and conclusions drawn. The case study often becomes the tiebreaker in our selection process. 

We used to assign take-home cases, but with Gen AI and internet resources readily available, we've shifted to in-person assessments. While using these tools is valuable, we want to see candidates' independent thinking and experience in action. We intentionally give them more than they can finish in the allotted time to see how they handle pressure. Do they get frustrated? Do they demonstrate eagerness to share additional thoughts afterward? That drive to go the extra mile is exactly what we're looking for in the case study. 

Tom O’Reilly: Speaking of Gen AI, and thinking about your strategic plan—are there any specific skills or competencies you're looking to hire for now because you anticipate needing them in the next two to five years? 

Robert Taft: One of the key things I look for is curiosity. While it's not technically a skill set, I believe we're constantly learning new things in this field. Take college athletics, for example—with name, image, and likeness rules, we're all learning together about its impact on department profitability and NCAA compliance. We're constantly facing new challenges, so having that willingness to learn, ask questions, research, and grow is crucial. 

Another important factor is how you organize knowledge. This includes everything from structuring workpapers coherently to connecting the dots between interviews, invoices, and documentation to identify trends and see the bigger picture. These skills are especially valuable for data analytics and pattern recognition when working with large datasets. It's always impressive when someone can take disparate data from various sources and synthesize it into a coherent hypothesis. 

Industry expertise and credibility are also essential. I've been doing this job for 25 years, and that experience matters. Building credibility and knowledge becomes easier the longer you're with a company and industry, but what's most important is demonstrating curiosity and eagerness to learn while understanding your stakeholders' perspectives and challenges. 

Tom O’Reilly: There are some great insights here. I think the biggest takeaway is that you didn't mention technology at all. This shows that the core needs of internal audit leaders remain consistent across all eras: curiosity, industry expertise, critical thinking, and the ability to organize information and recognize patterns to understand the bigger picture. 

Robert Taft: You know, technology comes and goes. When we upgrade to a new system, we're all learning it together. But those core factors—they're timeless and will serve you well no matter what profession you're in. 

Tom O’Reilly: We've covered a lot today, but I'd like to get your advice for the internal audit community as we head into 2025. Specifically, what would you recommend for anyone who's looking to advance their career in internal audit? 

Robert Taft: To grow in your career, I recommend seeking roles that give you broader visibility across the organization. We try to get on as many committees as possible—I'm on the IT Systems Governance Committee and attend the University Budget Committee meetings. This exposure and knowledge beyond just audits goes a long way. Agnessa and I are actually planning to cover this in our next presentation which will cover how to become a CAE. I'll probably borrow some of your insights and attribute them, since you've been discussing this topic recently. 

Here's another example: in one of my first CAE jobs, my boss told me to read the Wall Street Journal every day—and I still do. The content I post on LinkedIn isn't just about higher ed or audit; it covers broader trends in the economy, climate change, and other big-picture topics. Reading resources like the Wall Street Journal, Bloomberg, and the Chronicle of Higher Ed (which we get free as university employees) will help you advance in your internal audit career path. 

Tom O’Reilly: Alright, let's put the work stuff aside. Imagine we're sitting at a bar - when you think about the nine or ten people on your internal audit team, what's one or two things they might not even know about you? Any unique interests or hobbies? 

Robert Taft: Though they probably know me pretty well since I've been here at UCF for a long time, and I talk about what I do a lot, but here's something I probably haven’t told them: I love grocery shopping. I enjoy looking for good values, discovering new products, reading nutrition labels and ingredients, and getting the most value for my money. It's been a lifelong interest—when I was growing up, my mom told me I used to love going to the grocery store, pointing out items like cereal or Quaker Oats.  

That fascination has stayed with me throughout my life. Sure, nowadays you can hire services to do your shopping, but I prefer to pick out my own produce and discover new products. I particularly enjoy browsing the clearance section to see what deals I might find. Sometimes I think if I had the opportunity to work for Publix, Safeway, Albertsons, or Whole Foods as a CAE, it would have been a perfect fit for me. It never worked out that way, but who knows? Maybe there's still time. 

Tom O’Reilly: I love it! What a great answer and great conversation. Thank you for the opportunity to speak with you.