Listen on Apple Podcasts, Spotify and YouTube.
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Chanpreet Singh, Director of Internal Audit and SOX at Ouster.
An accomplished risk and control leader, Singh provides valuable insight on how artificial intelligence and automation is improving the audit space, as well as what auditors need to know to keep up with these technological changes. Staying up to date on new resources, honing the skills needed to use those resources, and adapting to a ‘what if’ mindset can go a long way towards making technology work for you.
As an example, Singh says, “If you think about the revenue cycle, every deal is going to have a sales order. Now, if all of that is digital, you can set up an analytics tool, which can throw exceptions. If an order doesn't meet, for example, a customer purchase order, you can catch it even before you fulfill it.”
Listen on Apple Podcasts, Spotify and YouTube.
Interview References:
Chanpreet Singh‘s LinkedIn profile.
3:53 | Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux.
13:30 | The Institute of Internal Auditors. (2024). Global Internal Audit Standards.
14:00 | H.R.3763 - Sarbanes-Oxley Act of 2002, 107th Congress (2001-2002).
TRANSCRIPT
I. RISK AND REWARD IN UNPRECEDENTED TIMES
Alizah Salario, Host: You are currently the director of internal audit and SOX at Ouster, which is a tech company that manufactures cutting-edge products, particularly in the automotives, robotics, industrial, and security sectors. I want to focus on some of the challenges and opportunities of working in this audit space. Talk to me about how you approach risk in this rapidly evolving technological landscape.
Chanpreet Singh: There is no doubt that we are in unprecedented times. It is very easy to get overwhelmed, but I'd say all the more reason for all companies to become more focused and regular on assessing their risks. The advantage or opportunity that emerging tech companies often have in their DNA, especially the ones which are successful, is negative capability.
This is a phrase that, I think, was first coined by the poet John Keats, and what this means is the ability to deal with ambiguity and unknowns. Whenever I've thought about risk assessment before the how and the approach, I go back to the question of ‘why.’ Why do we do a risk assessment? We do it so that the organization can identify and evaluate the impact of the most important sources of potential exposure for the company.
We do it so that the leadership's key business decisions factor in the existing and emerging risks impacting the company. Therefore, the starting point of a robust risk assessment is the information and knowledge utilized as an input to prepare the risk register. It starts with how well we understand the world within which the company operates, and by world, I mean the economy.
The second aspect is how we think about risk assessment and risk management in general. And this is where I'm going to lean on Daniel Kahneman's concept of fast and slow thinking. Use fast and intuitive thinking to identify and address known risks, and for products which are new and not yet fully understood by the world, use slower, more deliberate thinking to evaluate what could be the potential impact of the product, not only for the customer, but society in general. Generative AI is a prime example, today.
The third aspect relates to answering the ‘what if’ question. And this is an evolution I've seen in expectations from internal audit. Historically, most internal audit functions answer the question, ‘what is.’ In other words, talking about what happened in the past and reporting those findings.
This further evolved into the question of, ‘so what.’ In other words, what was the root cause of these issues and what happened in the past? Today, the expectation is to answer, ‘what if’ That is, risk sensing by evaluating various scenarios and their impact on business. And when I think about an organization like OurStore, that mindset and approach helps us keep the risk assessment more dynamic.
AS: I want to pick up on something you mentioned about fast and slow thinking, because as an auditor, your job tends to be very methodical and thorough, but you're often working in an industry where agility and innovation and speed are valued. How do you balance the tension between those two things? How do you have both a thorough risk assessment, and produce efficiently and meet the needs of your stakeholders?
CS: When I think about the balance between keeping pace with fast-moving business and the fact that an auditor has to step back and think about all that can go wrong, that balance, first of all, it's not easy. There are multiple challenges that one has to address. One is adapting to the emerging technology.
Auditors have to stay abreast of these changes and advancements. One not only has to understand these new products and technologies, but you have to give assurance on whether you can place reliance on their output. The other aspect is how well do we understand the data that the organization is generating? How well is the data governed? Ensuring integrity, accuracy, and security of the vast amounts of data is a significant challenge. Especially for an organization which is not as large and doesn't have the resources to build capabilities which can handle that large amounts of data in a short span of time.
Historically, it was sufficient to have the functional knowledge or the technical knowledge, whether it's the accounting standards or the auditing standards, and lead with those to carry out the audit work. And that skill is table stakes. That is still needed, but the audit talent today requires specialized skills and understanding and acumen for the business that they're serving. More so for internal audit because while external auditors have to give an opinion on the financial statements, internal audit scope is much wider, not just looking at financial reporting, but looking at operational, compliant, and other strategic risks that impact the company.
And the last challenge I would probably add to that is the expectations from the regulators. If you think about PCOB, every year there’s more scrutiny and more rigor in their inspections, which indirectly impacts the companies being audited. And the SEC is also increasing their scope. It's not just financial reporting; they're talking about ESG, they're talking about cybersecurity, and I think it's a matter of time before they will start talking about, use of data for generative AI, use of generative AI for the internal operations and use in financial reporting.
AS: I want to shift a bit and talk a little bit about collaboration and communication, which are essential to success in your field. How do you collaborate with cross functional teams, whether that's IT, finance, and legal, or the people at the top of the chain who might not understand the nuances of developing discipline controls, but nonetheless are impacted by them?
CS: That's an interesting question, and I wish I could give you a definite answer on that, but I would say it's more an art than a science. I think step one is to change the perception of internal audit. An internal audit function does not exist to find mistakes and errors in what people do in their day to day jobs. They are there to add value to the business. They are there to build trust for the organization so that all stakeholders who work with that organization can place higher levels of trust in what they do. Trust in their products, trust in their behaviors, trust in terms of what they disclose to their investors and other stakeholders.
And the key is to position the function as a strategic risk partner for business. Effective communication is the foundation of successful collaboration. Establishing clear channels and protocols for information sharing ensures that all teams are on the same page. Setting common goals, aligning with all teams towards common organization goals, helps in mitigating conflicting priorities and focusing efforts on shared objectives. One of the common pitfalls that I see in early stage companies is that they do a great job in defining OKRs for the company, but how do those OKRs translate into individual team goals and even goals for employees who get measured on performance?
Establishing that connection brings more harmonization in the thought process in driving towards a collective vision. Trust is crucial for collaboration. Creating opportunities for team members to interact and understand each other's roles can really foster a culture of trust and mutual respect. Leveraging diverse expertise.
Technology can really aid collaboration. Think about shared platforms that allow real time updates, access to information, and the ability to use a common source of data for making decisions. Instead of using your individual ponds, you can use a collective lake where you can draw water from.
—
II. WHAT SOX AND ESG CAN TEACH US ABOUT THE FUTURE OF AUDIT
AS: That's really interesting. I want to switch gears and talk about the future of audit. You mentioned that audit, in the traditional sense, is becoming obsolete. We know that the emergence of generative AI has completely upended many aspects of tech, particularly with data collection, data processing, and other tasks that can be easily automated. What do you think auditors can do to remain relevant in a time of such change?
CS: That's a question that's really close to my heart, Alizah. I always wake up every morning and think, Am I relevant today? What can I do to become more relevant? I think there are a few areas where I anticipate change will be happening very soon. In fact, some of that change is already happening.
The first is how we collect data and how we process it. There are existing automation tools and there are more tools emerging that streamline the collection for large volumes of data, reducing the time spent on doing this manually. That’s how we currently do risk assessments. Leveraging machine learning algorithms to identify patterns and anomalies can really aid risk assessment and fraud detection.
And there are large companies with big teams that are just focused on leveraging data for fraud identification across the organization. How do we do compliance checks? There are automated systems that we currently have, many systems with workflow capabilities that can enable continuous monitoring of transactions and make sure that we comply with laws and regulations.
Think about journal entry posting and testing of those transactions. The traditional approach is you look at the journal entry population. Generative AI can assist in drafting audit reports, it can convert structured data into written narratives, it can provide preambles and summaries of reports, so all of that work is going to be substituted to a great extent through these emerging technologies that we are seeing today.
Now, the second part of your question is how do we keep abreast with these changes? I would say there are a few things that we really need to start focusing on now. One, emphasize judgment and insight. While automation handles routine tasks, auditors can focus more on professional judgment and evaluating reasonableness of estimates and assumptions.
The next is enhancing skills. Focusing on skills around data analytics, cyber security, design thinking, storytelling, those are the things which are really going to help the auditors to keep pace with what is being expected from the function in general. Focus on advisory services. How can internal audit work and support businesses in making their risk management programs more robust, thereby reducing the need to do traditional audit?
Then there is absolutely a need to revisit the standards of auditing. The IIA has recently come out with new internal audit standards, which I think is great. But I think we will still need to keep pace with how the landscape is changing. There is so much unknown about generative AI right now.
AS: I want to make sure we address SOX because that's part of your expertise. What steps do you think are needed to adapt to the changes in the industry in order to continue to comply with Sarbanes Oxley?
CS: Over the years, the methodology has really been standardized. If an organization doesn't have significant control gaps, Socks 404 methodology is pretty standard. You have defined phases, you know what and how you need to do testing.
That is really repetitive to my mind. And that's where there is going to be, and there should be, more automation so that the skill of internal audit can be utilized to solve better business problems. It baffles me that even mature companies today spend hours and hours doing testing and all of that is human led effort.
There's definitely a scope for driving more automation in the overall testing portfolio. Then I think over time, ESG will get integrated into SOX compliance because in terms of its nature, they're quite similar. Both are enterprise wide programs. They require cross-functional participation.
You require control ownership across teams, so you can definitely use a similar foundation to drive both the programs together, doing more technology enabled auditing while relying on technology to perform continuous monitoring. There are so many business cycles which have repetitive transactions.
If you think about the revenue cycle, every deal is going to have a sales order. Now, if all of that is digital, you can set up an analytics tool, which can throw exceptions. If an order doesn't meet, for example, a customer purchase order, you can catch it even before you fulfill it. There are a lot of low hanging fruits where one can really do more tech enabled auditing.
—
III. THE ART OF CREATIVE PROBLEM SOLVING
AS: I want to spend some time talking about your career path. Prior to working at Ouster, you were at PricewaterhouseCooper for quite a while, and I'm curious why you ended up pivoting and what you bring from your time there to your current role at Ouster.
CS: If I'm right, I think I was at PwC for close to 14 years, and Ouster is my second job in my career. The switch was a very thoughtful decision for me. I've been fortunate while I was at the firm and I've such gratitude for the opportunities that I got there.
I started my career with a firm in India. I was there for about six years, and in the initial years, I was doing a lot of regulatory compliance work. A lot of my projects used to be helping companies by interpreting laws which apply to them, and helping them define compliance registers for various requirements resulting from these legislations.
And then it was within the firm where I started doing a lot more internal auditing and doing a lot more work around business processes. And then I came to the Valley back in 2014, and by this time I was mostly doing work for the tech sector. I've been doing work in the tech sector for about three years.
And when I came here, that gave me an opportunity to see how big companies work in a mature market versus a developing economy where I'd initially started my career. And so during my time at the firm, I saw projects which were very functionally focused, and worked with clients who either operated globally or had focus on specific regions and companies of different sizes.
But all of this was on the consulting side. I wanted a chance to be on the other side and see what it feels like when the buck stops at you. When I came to Ouster and I saw what problems we have to solve here, many of those problems were familiar, so that gave me the confidence to be successful.
AS: Can you tell us a little bit about any peers that you might turn to either as a sounding board or somebody just to offer some guidance when you're faced with some of those really tough challenges?
CS: It's a great question. I'm a firm believer that no one can be successful alone. Again, I go back to the amazing connections that I got a chance to build at PwC and all the set of clients that I worked with. Some of those relationships are still fresh to this day.
I always call them my professional network family. Not just for talking shop, but I've made so many friends. We stay in touch and talk about all that's happening in the world and our lives. And I have a few mentors during my career who I reach back out to just to get their thoughts if it's a complicated project or an issue that we are dealing with or something.
Some of the old partners that I've worked with, a couple of them are retired now. Some of my peers who are still at PwC, I reach out to them just to hear from them. And then I have friends across other firms as well. It’s something that I'm grateful for and I definitely reach out to them.
AS: In the beginning of our conversation, you referenced Keats and, as an English major, I have to ask about your accomplishments as an actor and a writer. Can you talk a little bit about finding, balancing, and pursuing these other passions outside of your professional life, which is very demanding. How do you do it?
CS: I think, for me, indulging in creative projects is a necessity. That's how I was raised as a child. My parents were very encouraging of any activities or creative pursuits that we wanted to take up as kids. I always felt more joyful whenever I had something going on alongside what was necessary to do during the day.
But that doesn't mean that our work is just necessary work for me. I really enjoy my work. And I think balancing comes from not separating the two worlds, but looking at both of those as things that you enjoy. There are things that I love at work, like problem solving, that I'm always game for. And problem solving requires creative thinking, using your left and right brain at the same time.
It's the same faculties which helps when I'm writing poetry or I'm writing fiction or if I'm performing a scene. There are things which are more like chores in both those jobs. For example, if I'm preparing for a scene, I have to memorize lines and sometimes that can be very painful. At the same time, when I'm auditing, sometimes I have to do vouching, which can be very painful. But telling the story of the outcome of an audit is a lot of fun. That's the engaging conversation, and then performing the scene in front of an audience or being on stage and performing a play—the exhilaration is similar.
What I'm trying to say here is that there are things that you borrow from each and take to the other. I think I'm more successful at my work if I'm doing more creative projects outside. And at the same time, I'm more successful and more effective in my creative projects when I'm also focused on my work.
Listen on Apple Podcasts, Spotify and YouTube.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on April 5, 2024.
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.