Tom Sanglier

Tom O’Reilly: Tom, you are an intelligent, competent and capable person, and would be successful with any career you may have chosen. Why Internal Auditing?

Tom Sanglier: Thanks Tom. Interestingly, I fell into this profession by accident. Before moving to internal audit, I was at EY doing external financial audits.  While I did something different every day, I mainly focused on accounting issues and client relationships. Internal audit offers even more variety in terms of areas of focus—from HR to operations to supply chain and beyond. That's why I chose this career path. It's exciting, keeps me thinking and learning, and it's impossible to stagnate in a role that's so dynamic and challenging.

What I also appreciate, and at my level, is that you are part of the leadership team, and you can have influence in the organization. There are very few people who see across the entire organization like internal audit does. Sure, the Chief Executive Officer does, and maybe a select few others. But being able to see the holistic organization and what it's trying to achieve—being truly part of it—that's special. I'm not saying other roles aren't important. But it's the breadth of internal audit and being integrated into almost all aspects of the organization that I love. I want the ability to have an impact, to influence, to network and communicate with executives daily. It's like being part of a sports team rather than just watching from the stands. I absolutely love that.

Tom O’Reilly: Many Chief Audit Executives are seen as leaders in their organization, but very few have the opportunity to attend the highest-level executive meetings in your organization. Can you describe your role, and your CEOs expectations, when Internal Audit is sitting at the table?

Tom Sanglier:

Many departments can offer specific viewpoints, but we have the ability to provide a broad perspective. We can contribute thought leadership on these topics and provide ongoing guidance, not just initial input. Our role is to support management's objectives while ensuring they're fully aware of all risks, opportunities, and controls. For instance, while a salesperson's focus might be on closing the deal—which is their job—they may not consider or be concerned with the hidden compliance costs. That's where we can add our weight to the decision-making process.

Tom O’Reilly: Another aspect I wanted to discuss with you is bringing in experts to help provide that broad perspective and advise on business issues from an enterprise view. Given your experience as a partner at EY and your work at companies that heavily relied on subject matter experts—both at EY and Raytheon—how would you recommend internal audit teams best utilize subject matter experts and co-source partners in their daily audit work?

Tom Sanglier: First of all, there's a role for co-sourcing. When I need surge support, I'll engage at that level. But I find the higher value to be in the expertise. To put it in perspective, I work for an organization with over 45,000 employees. My team is just 25 people—I'd be fooling myself if I thought we could cover all the risks of a multinational organization with different product lines using such a small team.

Partnering with an outside firm expands our ability to tap into expertise for our blind spots. When we encounter areas where no one on my team has sufficient knowledge, we can't simply ignore those risks.

The IIA standards require us to have the competency to address major risks, especially in areas where we lack expertise.

Co-sourcing provides the talent we need to meet these IIA standards while fulfilling our role's objectives. It's really an essential component of modern internal audit.

While we could rely on internal expertise, those resources may not always be independent or objective, and their skill levels can be uncertain. By partnering with professional firms—whether large or boutique—we gain access to proven expertise that perfectly complements our team.

Tom O’Reilly: What advice would you give to Chief Audit Executives—both existing ones who struggle with budget approval and new ones interested in using Subject Matter Experts (SMEs) more in their audits? How would you coach them to effectively sell this idea and secure the budget from their CFO or other reporting officers?

Tom Sanglier: The CEO and CFO face Make/Buy/Partner decisions all the time.  Your CFO and CEO understand the consultant landscape—they know the pros and cons. They typically recognize when external expertise is necessary.  What are the things they (or others) consider when making those decisions?  You need go through the same logic to be prepared for the discussion.  You need to be honest and transparent in your conversation with the CFO or CEO when discussing the need for SME budget. You can start by agreeing on the importance of the project(s), then outline your team's talents and skill gaps.  Make sure you first consider all options including internal resources and their availability.

Once you receive that budget, you’ll then need to deliver on your promise. Our CEO has a saying: "Promises made, promises kept." When you promise better results by engaging an SME, ensure you select the right expert—not just randomly choosing one.

Consider this scenario: you're conducting your first international anti-corruption audit in a new country. If no one on your team has relevant experience.  Remember, your Executive Team doesn't want legal troubles either.  If you're asked to handle something beyond your team's competency, follow the (IIA) standards: inform your governing body about the associated risks. If you consistently face demands beyond your capabilities without support, you're being set up for failure.

‍Tom O’Reilly: Great point. So you've been a CAE for a while. You've worked with very prominent CAE’s in our industry. On top of that, when you were at EY, you worked with countless CAE’s, and also during your time as a significant leader at the IAS North American board.

You have a very good perspective on what would constitute good CAE performance from great CAE performance. What are those factors that really would push well-functioning CAE’s to be great and to accomplish their goals and objectives to the best degree possible? ‍

Tom Sanglier: I have met so many great CAES, many of whom I thought were much better than I. I hesitate to label anyone as merely "good" once they've reached this role, since getting here means they already possess the necessary skills.

You need to be a great communicator.  You must lead your team effectively, demonstrating courage, innovation, relationship-building, collaboration, technical skills, critical thinking, courage and integrity—continuously. The list of required qualities goes on and on.  These are all essential components.

What I've observed in great CAEs is that they excel in all these areas. While everyone has weaknesses—and I'm not suggesting they're perfect—when you look at their overall performance, they demonstrate mastery across all these essential skills.

But having strong technical skills alone isn't enough—without a vision to drive the department forward, you'll struggle to succeed.  Always focus on continuous improvement in every aspect.  What do you envision your department will look like in 5 years?  It won’t be the same as today.  Are you networking, attending learning events, taking advantage of resources like the Internal Audit Collective?  So the great CAEs are never content with status quo.

Which leads to innovation and change management as also being essential skills. Being innovative means finding creative ways to do more with less.  But I've seen brilliant innovators who weren't strong leaders; they had fantastic ideas but couldn't rally their team behind their vision. And without the ability to bring your team along with you, how can you possibly succeed?  Hence the need for good change management, and that is never as easy as one would think.‍‍

‍Tom O’Reilly:To the extent you can discuss it, what are you looking to accomplish from an internal audit perspective in the next one to two years or beyond?‍

Tom Sanglier: We've developed a comprehensive 2028 strategy by starting with our end goal in mind. We asked ourselves what we want the department to look like in 2028, determined the metrics to measure our progress, and then worked backward to create our roadmap.

One major consideration is artificial intelligence—whether it's just hype or here to stay, including tools like Copilot. We've set an ambitious goal: by 2028, we aim to develop 50% of our annual audit plan through AI-driven continuous auditing. While we're still figuring out the exact path—understanding the tools, upskilling our team, and determining requirements—we're taking measured steps forward. Some approaches will work, others won't, but we're committed to the end goal.

For continuous auditing specifically, we're targeting 50% of all routine company processes. We've mapped out the incremental steps needed over the next three to four years, starting with analyzing company dashboards, data sources, tools, and personnel requirements.

We're also working toward robust combined assurance, aiming to report holistically on company risk—not just what we've audited. We've already mapped other assurance functions in the company and identified key personnel. Now we're moving into the collaboration phase.

Tom O’Reilly: In your opinion, what is the hardest part about being a Chief Audit Executive that new or aspiring CAEs may not be aware of?

Tom Sanglier: The hardest part, in my opinion, is that our word carries significant weight. When we're good at what we do, it's like those old E.F. Hutton commercials—when the Chief Audit Executive speaks, everybody leans in and listens. That's a lot of power.

This power can be misused. If I incorrectly identify an unimportant issue as significant, the company will waste time and resources addressing it. Even worse is when I fail to emphasize a truly important issue—in that case, I've exposed the company to risks that could have dramatic effects on everyone's wellbeing and livelihoods. It's like being Goldilocks—we must find what's "just right" in every situation: the right audit plan, the right timing, the right scope, and the right assessment of issues. While I can collaborate with others, ultimately, the final decision rests with me. That's what makes this role so challenging.

The most sobering example is the Cynthia Cooper story, where she demonstrated tremendous courage and integrity in exposing the WorldCom fraud and its far-reaching impact. It was the right call, but it's a situation I hope I never have to face. Still, it reinforces the importance of having the courage and integrity to make the right call at the right time—that's what makes this role both challenging and great.

Tom O’Reilly: Having worked with you and been on your teams in the past, I know you're really passionate about developing internal auditors, whether they're current audit leaders or those just starting their careers with your team.

When you're recruiting and interviewing internal auditors to join your team, what qualities make you feel confident about extending an offer to a candidate?

Tom Sanglier: I prioritize attitude over aptitude. While many look for candidates with auditing experience, I focus more on competency and attitude. I seek people who are curious, courageous, and willing to ask questions—those who are comfortable being uncomfortable. After all, you're always working with people who know more than you about specific topics, so you need to be comfortable asking basic questions. I want team members who are eager to learn and hold high standards for themselves.

I also value diversity of experience since we audit everything from programs to cybersecurity to modeling. I like team members who have worked in the business. For instance, my Director of IT/Cyber audits has no audit experience but was previously a programmer and has held the roles she now audits. I prefer this background over someone who's been solely an auditor their entire career.

Having said that , I do recruit core auditors for balance—they bring essential skills to the table—I don't want to be 100% one way or the other. I aim for a balanced team with both auditors and non-auditors. And I find ways to get my auditors business experience.  Shadowing, temporary assignments, surge support, etc.  But ultimately, attitude trumps aptitude. I can teach people to audit and develop soft skills, but it's much harder to teach attitude, curiosity, and courage.

Tom O’Reilly: What positions someone to be promoted on your team?

Tom Sanglier:

They certainly won't advance with me because they've demonstrated a lack of ownership and accountability.

The flip side is those who embrace feedback. They say "Great point" and take action to improve. Even when they've performed excellently and I tell them so, they'll say "I think I could have done this better." These self-aware individuals are the ones who get promoted. They'll advance beyond me because they have that desire to continually improve rather than deflect responsibility.

That's my golden rule. It's easy to spot someone who rejects feedback they clearly need—they've essentially capped their own ability to grow.

All feedback is valuable. Even if it's not delivered perfectly, don't focus on the tone. Instead, assume positive intent and take action.

Tom O’Reilly: What are the skill sets and competencies that you're seeking in your team and building your team to achieve your vision?

Tom Sanglier: They need to be curious and willing to lean forward. They need to be willing to fail. They need to ask questions. I need that good attitude, that willingness to try, that willingness to fail, because we are going to fail, we'll take two steps forward, one step back. But overall, we took one step forward. I have a lot of that on my team.

I heard somewhere that in any given grouping of people, there will be 10% or 20% who are going to lean really hard into new things. There will also be 10% or 20% who are going to resist it for all their worth.  Then you have the remainder who are fence sitters who will wait and see how this plays out.

I'm not going to spend much time with the resistors, because that's who they are by nature. I'm going to take full advantage of those who are leaning in. For those on the fence, I'm hoping that they will be swayed positively by those that lean in.  Often they will join in once they start to see the positive results and how that benefits them and the organization.  Those that resist will become further and further distanced from the team. They will be replaced.  So it's just Darwinian, but it's true.  One of my favorite sayings, although I do not know who to attribute it to is and is probably not quite accurate is:  “Resist Change, You Die.  Accept Change, You Survive.  Lead Change, You Thrive.”

Tom O’Reilly: If your best friend is planning for an interview for a Chief Audit Executive role, what advice would you give them to help prepare?

Tom Sanglier: Start with a thorough self-assessment. Even if you don't have a specific role in mind but think you'll be ready in 12 months, conduct a realistic self-assessment and be open to feedback. Consider all the qualities a Chief Audit Executive needs.

Get evaluated on each of these qualities. If you identify areas needing improvement, focus on developing them. Remember, at the Chief Audit Executive level, technical skills are a given.

The interview questions won't focus on "How would you audit this?" Instead, they'll ask questions along the lines of "How can I trust you?" and "How do you collaborate?" They'll want to know about your board presentation experience. So first, understand where you stand and develop these leadership skills, including relevant experiences. This way, when faced with behavioral questions, you can share specific situations and outcomes.

Interview preparation goes beyond researching the company's website and public information. Think deeply about the role and ensure you have the necessary experiences—and can articulate them well. If you lack certain experiences and have time, actively seek them out. For instance, Larry Harrington (Former Raytheon CAE, whom Tom reported to) gave me opportunities to present to the Audit Committee. So when asked, "Have you ever presented a difficult issue to the Audit Committee?" I could confidently say yes. If you're missing these experiences, start asking for them now—you'll need them.

Tom O’Reilly: Any parting words of advice for anyone who may read this interview?

Tom Sanglier: Yes, I would say pay attention to the small things.

Do you ask follow-up questions, or do you just stop with the initial answer? Do you speak up in meetings, or remain silent? Do you sit in the front row or hide in the back at important meetings and conferences? Do you refer to your customers as "auditees" or "clients"?  

Focus on identifying root causes correctly. When you get the root cause right, you can have a bigger impact with any finding.

This was drilled into me long ago: don't just talk about risks—talk about risks and opportunities. Get in the habit of seeing both, because we're responsible for helping with both.

Do you have lunch with people outside your team? Are you networking? That network becomes incredibly important. You can do this every single day—it's easy. There are 47,000 people I can ask to lunch.

These small choices, when practiced consistently, become powerful habits that transform how you think and work.  Through these habits, you naturally demonstrate curiosity and respect for others. You develop relationships and strengthen your listening skills.

Every day presents an opportunity to practice. Eventually, good listening isn't something you have to think about—it becomes automatic because you've trained yourself to do it.

Tom O’Reilly: What is a fun fact about Tom Sanglier that many people that you may work with may not know about you?

Tom Sanglier: I don't do it anymore, but here's something obscure you probably don't know about me. In my early 20s, I was what you might call a professional hitchhiker—I covered thousands of miles across the eastern United States. My longest journey took me from Michigan to Iowa, then to Georgia, and back to Michigan.

I was quite efficient at it too. When I calculated my average speed mathematically, I was covering about 50 miles per hour.

There's a reason I'm sharing this story—it relates perfectly to the Internal Audit profession.

First, to get rides, I positioned myself strategically where people could see me—on entrance ramps where drivers were slowing down.

Second, I made sure to be cleanly dressed and clean-shaven, making myself non-threatening.

Third, I always had a sign showing my destination.

Finally, I made sure I listened.  Most people who picked me up were driving alone, trying to stay awake. I kept them engaged by asking questions. I met fascinating people—including a pilot who fought in the Battle of Britain.

These principles directly apply to our profession. Let's talk about positioning:

Are you visible? Are you up front? When you're on camera, can people see you—or are you hiding in the background? It all comes back to positioning and visibility.

Then there's professionalism: Are you approachable? Respectful? Non-threatening? These qualities are crucial.

Just like my destination sign, when I meet with people now, they know exactly what we'll discuss and what we aim to achieve together—our shared goal for the meeting.

And finally, there's listening. "Audit" comes from Latin, meaning "to hear." Internal auditing, at its core, is about being a good listener.

So hitchhiking, as it turns out, prepared me remarkably well for my future profession.

Tom O’Reilly: I'm so happy I asked that question. What a great story and interview. Thank you.

Tom Sanglier: Thank you Tom. This was fun.