
Sarah Hansen
Head of Internal Audit at MongoDB
Tom O’Reilly: Sarah, you're a capable, competent, successful business executive. What in your right mind made you think it was a good idea to pursue internal audit?
Sarah Hansen: Looking back, I never wanted to focus on just one thing—in business school, I studied everything from marketing to accounting. I was drawn to external audit because it would give me insight into a company's foundation—its skeleton. Once I understood that foundation, I figured it would be a springboard for whatever direction I chose next. But after taking the job, I realized I didn't want to specialize in just one area. I loved seeing the whole picture.
I discovered I had a natural affinity for audit work and loved the continuous learning. I quickly transitioned from external to an internal audit role in tech, joining Salesforce where I spent the next decade growing my career.
What I appreciate about Internal Audit is that few professions offer such a broad view of business operations, access to senior leadership, and opportunities for continuous learning while improving processes and managing risk.
Also, the ethical foundation of audit work was especially appealing to me when choosing my career path. I loved that it centered on doing the right thing—that felt meaningful then, and it still does today.
Tom O’Reilly: Reflecting on your interview and recruiting process at MongoDB, what do you think made you a strong candidate to lead their internal audit function?
Sarah Hansen: One of the key factors (for MongoDB to hire me) was my exposure to Salesforce’s acquisitions.
During my 10 years there, I worked on eight to ten different internal audit programs across various business lines, including newly acquired companies. That breadth of experience was likely a major advantage in the hiring process.
When transitioning from a large organization to a smaller, high-growth company, it's important to demonstrate that you can thrive in both environments. I could show that, while I had experience in a large, established company, I had also worked closely with smaller acquired businesses—the “dinghies” alongside the “mega-ship,” so to speak. That versatility meant I could help MongoDB navigate its own growth journey.
Additionally, my time in Salesforce’s second line of defense helped shape me into a more pragmatic internal auditor. It gave me deeper insight into business operations, making me more effective at balancing compliance with practical business needs.
When organizations hire a Chief Audit Executive (CAE), they aren’t just looking for someone who can recite IIA standards—they want someone who understands the business, adds value, and upholds ethics, integrity, and objectivity. My experience working closely with the business at Salesforce helped me develop that well-rounded approach, which I believe was a key factor in MongoDB’s decision to bring me on board.
Tom O’Reilly: What would you say is your superpower in internal audit and SOX 404?
Sarah Hansen: What really catapulted my career at Salesforce was getting involved with the transformation work while in Internal Audit. I actually spent very little time in the core SOX program—maybe just two years when I started—before quickly transitioning into a special projects role. As the company's transformation work (Finance, IT, Enterprise) and acquisitions picked up, I built the program around managing all of that.
This move did several important things. First, it increased my operational empathy for the business because I was collaborating closely with all the project teams. It also gave me significant diversity of experience—I was working on something new every year.
This experience really refined my technical abilities, program management, stakeholder management, and relationship building—there was lots of cross-functional work involved. Interestingly, when you ask about my superpower, I don't immediately think of technical skills, though I am technical—I have to be to do my job. But I don't think that's my differentiator, though my stakeholders might disagree.
I think in everything I do, I try to maintain an undercurrent of empathy. This includes operational empathy for the business—understanding where they're coming from while balancing it with objectivity—and historical empathy for both the business and my team.
As a long-tenured Salesforce employee, I saw how important it was to understand the context behind decisions. I watched people join at different stages who made questionable calls simply because they lacked that historical understanding. So historical empathy became really important. And I believe if you operate with empathy in general as a human, you'll be more successful in optimizing your relationships.
Tom O’Reilly: In the past four or five years, SOX has become increasingly complex. When you think about the SOX program of the future, what are two or three things you'd suggest to other SOX leaders or those aspiring to lead SOX? How do you run a contemporary SOX program that goes beyond just testing?
Sarah Hansen: Let me share a couple of key points. First, from a technical perspective, cross-training across the team is crucial. While this is especially true at technology companies, it applies to most organizations.
The concept of having separate business process and IT audit teams with a clear wall between them is antiquated. On my team, I think about it in terms of primary and secondary competencies. Some people have business process audit or SOX audit as their primary competency, but they must have IT as their secondary competency—that's non-negotiable. The specific expectations for mastery depend on their level. Conversely, those with IT as their primary competency need business process as their secondary competency.
Second, technology is a huge piece of making controls more effective. We can advise the business on ways to make control execution foolproof—whether through full automation, automated reminders, or approval workflows. Internal audit has valuable insights to share with the business in all these areas.
Internal audit is also a culture shaper. Many of the controls we look for in a SOX program are simply good business practices. But if these practices aren't embedded in the culture, SOX requirements will feel like an extra burden—just another regulatory box to check. When you can weave these practices into how the business naturally operates, it becomes less painful and more inherent to daily processes. This reduces the risk that someone will overlook important controls.
Tom O’Reilly: Reflecting on your start at MongoDB, how would you coach others based on your experience? What specific actions in your first 30, 60, 90 days and first year helped you succeed?
Sarah Hansen: The first 90 days are all about discovery. As a new leader, it's crucial to listen and understand. While there might be urgent actions to take, if they're truly critical, you've likely inherited them—your hiring manager probably flagged these "disasters" that need immediate attention. Rather than identifying new issues, focus on discovery and relationship building across your team.
Get on the calendars of all relevant senior leaders—which should include most of the senior leadership team—to establish those relationships. Build connections with your external auditors if SOX is part of your remit, and especially with the audit committee. Sit down with the audit committee chair to understand their focus areas—every chair is different. Leverage your network; many of us share audit committee members across companies. I just had a benchmarking call this week with someone who shares an audit committee member with us. Your network might have valuable insights into what your audit committee member prioritizes.
In those first 90 days, you'll likely identify areas needing deeper inspection—red flags that need investigation. I followed this approach, diving deeper into these red flags during the first six months while addressing urgent issues. Some concerns need investigation, while others are clearly wrong and require immediate fixes. During these first six months, you're also learning to keep daily operations running smoothly while identifying issues that need moderate-term solutions—those requiring one to two years to fix. Action on these begins around the one-year mark.
Frankly, Tom, I didn't develop a three-year roadmap for the function until my one-year mark. This timeline depends heavily on the function's state when you step in and when you join. I started at MongoDB in July—mid-year—so I was focused on getting the team across the finish line rather than three-year planning. I'd advise leaders to take time developing that long-term vision. When you present it, you want it to be right—don't rush it out in three months, but don't wait too long either. You need deep understanding to create a vision that's solid and relevant to your company.
Tom O’Reilly: Looking to 2025, what are your top two priorities? What do you want your audit team to achieve?
Sarah Hansen: SOX compliance and Connected Risk are some of our key priorities. Given the significant transformation ahead at our company—typical for tech companies but particularly relevant in our case—we'll strategically use these transformation projects to update our SOX control framework.
Our SOX focus centers on maintaining, streamlining, and optimizing controls through these transformation initiatives.
We're also emphasizing connected risk management. A major first-year milestone was integrating our GRC function with AuditBoard. Having all risk functions on a unified technology platform is invaluable—it streamlines our data access while strengthening our Enterprise Risk program.
The first priority with the GRC team is building out that common controls framework to ensure it comprehensively covers SOX controls, as well as additional (information technology) certifications we support.
We’re using this project to demonstrate the value that Internal Audit can bring to the business. Once we complete this, we’ll seek to expand our collaboration into other areas, such as security risk assessments, and consider how to integrate these into our broader risk universe.
What's great is that we already have the technological foundation in place. After completing the common controls framework project, we can easily build upon it for other initiatives.
Tom O’Reilly: What are the top two or three competencies and skills your team members need—whether they're staff, seniors, managers, or senior managers—to help achieve your Internal Audit priorities?
Sarah Hansen: I tend to lean more towards soft skills because one of the beauties of the internal audit profession is its constant evolution. It's not about mastering just one technical skill set—you'll need to master another one in two years anyway.
When I think about hiring and about the superstars I've worked with, they all share one key trait: curiosity. They're curious about themselves, about the business, and about their stakeholders. I believe self-curiosity is especially important because it shapes how you show up in your role.
Being relationship-oriented is also crucial—connectedness is a huge part of internal audit. As you work cross-functionally across the business while executing your audit roadmap, your broad view allows you to help stakeholders connect the dots on their initiatives and add real value. The superstars I've worked with have been highly relationship-oriented—they're natural networkers and influencers.
Tom O’Reilly: When hiring, how do you evaluate a candidate's genuine curiosity? What specific indicators in interviews, resumes, and recommendations help you determine whether someone will be a strong fit for your team?
Sarah Hansen: For early-career candidates, I ask "Why internal audit?" to understand what drew them to this profession. Their answer reveals whether these capabilities come naturally or were developed over time. I listen for signs of natural curiosity, enthusiasm for collaboration, dedication to learning, and eagerness to tackle new challenges. These qualities emerge organically during our conversation. This approach is particularly useful for junior candidates who don't yet have extensive résumés.
For experienced professionals, I seek diverse experience that demonstrates adaptability—crucial in our rapidly evolving profession and business landscape. I'm drawn to candidates who've embraced various roles and challenges. While technical mastery is essential for today's needs, I'm also hiring with the future in mind. Both technical expertise and adaptability are non-negotiable.
Tom O’Reilly: When someone has been on your team for a few years, what signals tell you they're ready for more responsibility? What makes you think, "This person should move beyond being an individual contributor—they're ready to manage the team or lead projects"?
Sarah Hansen: In most cases, they've already taken on those responsibilities through their own initiative. They don't need my direction—they identify what needs to be done and take action. At that point, the promotion simply becomes a way to retain this self-motivated talent.
Tom O’Reilly: For practitioners who aspire to be internal audit leaders, what are the key actions needed for them to achieve their goal?
Sarah Hansen: Let me provide three key pieces of advice.
First, master the fundamentals. You need to execute your current work with excellence. If you're not doing that now, figure out how to do it.
Second, never underestimate the importance of relationships in this profession.
Third, don't wait until you're an expert to raise your hand for new opportunities. I remember when I was transitioning to special projects at Salesforce. The hiring leader was recruiting me, and I told them, "This job requires A, B, and C. I'm great at A, but I've never done B or C—I don't know if I'm the right person." I'm so grateful that he responded, "That doesn't matter. I know you can learn it. You'll figure it out." He was right. I took a bet on myself, he took a bet on me, and I figured it out.
This is crucial for internal audit professionals. You're in a profession that's constantly changing. You'll never have everything figured out. That's why relationships are so important. That's why curiosity is so important. So don't wait until you're an expert to get involved with something new. Of course, your leader needs to have appropriate safeguards and quality protocols when you're learning something new. But don't let that stop you from raising your hand for new opportunities.
Tom O’Reilly: Now, let's shift gears. Tell us something fun about yourself - what’s a fun fact not too many people know about Sarah Hansen?
Sarah Hansen: Well, here's something that might seem unexpected given my risk-focused career—I'm a trained yoga instructor! What I love most about my practice is that yoga requires you to be present in the moment, not sitting on your mat worrying about everything that could go wrong. I'm deeply passionate about it and try to get to the studio whenever possible.
And here's another fun fact—I'm a twin! I grew up in a large family of four children. My twin sister, who works in education, is the better version of me. I always tell people that if you're ever feeling frustrated with corporate life, just talk to someone who works in education. It'll humble you immediately.
Tom O’Reilly: Well, great Chief Audit Executives are educators too, so it's easy to see how much you both have in common.
What a great conversation, Sarah. Thank you for speaking with me.