Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Danielle Ritter, VP Internal Audit at Instacart (NASDAQ: CART).
In her early career at PwC in Silicon Valley and now as head of audit at delivery tech company Instacart, Danielle Ritter has had a front row seat to how emerging technologies are changing the audit profession. In this interview she talks about her best tips for collaborating with engineers, her approach to the AI boom, and the need to balance speed and innovation with controls and risk mitigation when working with tech companies who are eager to “move fast and break things.”
We also discuss her career progression from external to internal audit, her experience building an internal audit department from scratch, her approach to hiring, how she built a supportive network of peers to help her through tough transitions, and what it was like to be on the floor of the stock exchange the dayor Instacart’s IPO.
Listen on Apple Podcasts, Spotify and YouTube
Interview References:
Danielle Ritter’s LinkedIn profile.
10:05 | Sarbanes-Oxley Act of 2002, H.R.3763, (2002).
Supplemental Materials:
TRANSCRIPT
I. ON HOW EMERGING TECHNOLOGIES ARE CHANGING AUDIT
Jessica Stillman, Host: You head up internal audit at Instacart, where you were their first audit hire. But previously you were at PwC in Silicon Valley, where you worked with a lot of big name tech companies. So you've seen the impact emerging technologies have had on the audit profession up close. What's the biggest way these new technologies have affected how auditors do their jobs?
Danielle Ritter: I think about this in two ways. There are emerging technology changes that bring new risks that auditors need to audit, but then there's also emerging technology changes that help auditors do their job that I need to learn to embrace so that I can have my teams and my work be more efficient.
As technology evolves, it's really important that auditors stay relevant. We need to be able to understand those emerging technologies and new risks that emerging technology creates. Many technology companies in Silicon Valley actually create these new technologies and they're the first adopters of these new technologies. So it's critical that auditors be able to speak the language with folks that are developing these new technologies, or using those new technologies. If we're unable to stay abreast of all of these changes, it makes it hard for us to be relevant and be at the forefront of considering new risks that these new technologies are introducing.
One example I'll mention is back when I worked at PwC, I had a client that had created a brand new technology for a schema-less database. It was not feasible to lose records in this new technology. And the traditional way that we looked at database management risks and controls was just not relevant anymore. The methodologies that we had and the trainings that our team had to learn in order to look at database risks, just didn't apply anymore. So we had to work with the engineers to understand what they had built, read white papers to understand how that technology worked, and really build questions to ask them so that we could make sure we were at the forefront of that emerging technology. There's not always a training manual for, say, looking at new risks that come along with technology. So being able to speak that language and communicate with folks that are using that is really critical to make sure you're considering the right risks.
JS: Is that just a matter, like you said, of reading the white papers, doing your homework, putting in the effort ahead of time, or do you have any other tips on connecting with engineers and helping to extract the information you need?
DR: I think it's both, right? You obviously have to do your homework, but you have to have relationships with the technology leaders. You have to help them understand that you're here to help them, that the goal is, let's create value for our companies. Let's reduce risk where we need to reduce risk. A lot of it is communication. I'm not the expert in the technology. The technologists are, but you can almost interview them to extract the risks and get their perspectives on, what are we trying to prevent? This is what we're trying to solve for. Help me help you think through what could go wrong. What do we need to be considering here, given this brand new technology that you've either created or adopted?
JS: In the AI space in particular, innovation is happening at an incredible rate, and for auditors that's going to bring new challenges. How are you thinking about preparing to do your job as an internal audit leader in a world where companies are using AI much more heavily?
DR: I think very similar to how I've approached that new database technology that I worked with a couple of years ago, just really needing to understand how companies are beginning to use this technology.
Tech companies build and move fast. Governance around a lot of that is equally as important. So as I think about AI, the questions that I'm asking are really around governance. I'm asking to be plugged into efforts across our organization so that we can share our perspective in a consultative way to raise questions, not to poke holes in things, but to just bring awareness and ask individuals across the company who are leveraging AI what their thoughts are. How are we managing risks around this and just sparking up that conversation that may not always be the first thing to think about when someone is adopting a new sexy technology. They want to leverage the new features, and that's awesome. But at the same time, being able to help people understand, how are we going to manage the risks that may come with this? Should we consider governance around this to help prevent risk?
—
II. ON BALANCING SPEED AND CONTROLS
JS: You said that tech companies want to move fast, and it reminded me of Facebook's early motto, “move fast and break things.” Tech companies are always touting their ability to take risks and advance innovation. But obviously that's in tension with what auditors naturally do, which is about mitigating risk. So how do you think about that balance of wanting to support your company's need for speed and innovation at the same time that you're thinking about traditional audit concerns, like controls, like processes, like mitigating risk?
DR: You need to meet the teams where they are. Internal auditors, in my opinion, will not be successful pushing controls that are going to slow an environment down. There has to be a balance of risk with reward. With a lot of technology companies, even the bigger ones that are far beyond that startup mentality, it's important that we help people see that controls are not just a compliance or audit thing, that it's a really good business decision to put things in place because it helps them manage risk. Auditors, I feel, have a strong responsibility to help them see those risks, but find the best solution that manages that risk in an efficient way.
As I was saying earlier, in working with engineers to understand the risks of emerging technologies, oftentimes engineers have better ideas than I do on how to manage their tools and the risks within their technology. It's a matter of interviewing them and conversing with them and collaboratively coming up with ideas on how to manage risk. But also helping them to understand that it's critical to think about how you manage risk.
I'll use an example of age-old code bugs. Most emerging technologies, they want to, as you were saying, move fast and break things, right? But when you have bugs in an environment, bugs require triage. They require an impact analysis once they exist. And if you can catch bugs sooner, then there's an ROI In doing that. You've got less on-call time being reactive to an issue that comes up. You've got less triage time to try to figure out what's happening. So there's an example of, as I'm working with engineers, helping them to understand that maybe a little bit of upfront consideration of risks in the long run actually saves time. Maybe you can't always prevent bugs from happening, but perhaps you could put some monitors in place to identify risks and issues sooner, before there's a real impact.
I found that works really well, sitting with folks in the engineering and technology world to just think about, ‘Okay, where are our pain points and where are we spending a lot of time because we are moving fast. Now, let's try to prevent that,’ and then it becomes a more manageable way to put controls in place.
—
III. ON STARTING AN INTERNAL AUDIT DEPARTMENT FROM SCRATCH
JS: One of the interesting aspects of your career is the technologies you work with, but you also just had this other interesting experience: you started an internal audit department from scratch. Can you talk about what were the biggest challenges you faced when you came on board at Instacart? Do you have any lessons learned for anyone else who might find themselves in a similar situation?
DR: I had a couple different challenges. One, I was new in the role. This is my first time as a chief audit executive but also building a new function. For me it was easy for me to go in knowing what I wanted to build. I didn't have this existing perception of what the Instacart internal audit team was because there was no Instacart internal audit team. I had a vision of the type of department that I wanted to have. But actually how to do that was a lot harder. How do I put that into practice?
I was hired to build the internal audit function, but as a pre-IPO company, the biggest mandate with that was get our Sarbanes Oxley program up and running. I knew that's what we needed to do, but I was very adamant that I did not want our audit department to be branded as a Sarbanes Oxley department. I wanted us to be branded as an internal audit function. So I needed to be able to balance between, here's my vision and here's what we should do, but tactically, here's what I'm focused on over the next year plus. It wasn't easy. But at the same time, it's been rewarding.
Focusing on teaching people what the role of internal audit is supposed to do was a challenge. It was also an opportunity at the same time. I didn't have that preexisting predecessor perception that I had to change. I also was in a situation where many of the executives, myself included, first time in the role, and they didn't have experience with internal audit functions in their role before. So I didn't necessarily have a lot of that guidance from them on what their previous experience was, which was a challenge.
If you think about advice I'd give auditors based on my experience over the last two years building this function is make sure you know what your vision is, know what your brand is, know what the culture of the team is that you want to build. So that everything you do can be rooted in that.
And ask about people's experience. What has been your experience in working with internal audit? Knowing your business stakeholders perception or experience of working with internal auditors will really help you frame the next conversation. Some may have experience, some may not. How you communicate and interact with them will be very dependent on what their experience is and how you bring them along for learning what the role of internal audit should do.
JS: How did you think about hiring? Obviously you wanted certain technical competencies, but beyond that, was there a particular mindset or kind of values that you were keen to bring into the team?
DR: Yes, having folks who could technically do the work, whether it was technology specific or just technical knowledge of accounting and finance process or business, that was a non negotiable. But I also wanted to find people on my team that had a similar cultural mindset. I wanted my team to be able to buy into the vision of the audit department that we were building because I needed them to help build the brand. I wasn't going to build the brand of our internal audit department individually, as every single one of my team members interacts with stakeholders every day.
JS: You said that you wanted it to go beyond SOX compliance , but can you talk a little bit more about what you mean by the brand?
DR: I wanted our audit function to be viewed across the company as a trusted advisor. To me, if I build a successful department, in a couple of years, there will be people knocking on our door for help, whether it's related to a new business venture that we are undertaking because they have seen the value and the perspective that internal audit can bring in risk considerations; or preparing for how business processes are going to operate and what controls are going to get put in place. Really it’s the coaching and the mentorship that comes with an audit team that can help the business solve problems, see risks, validate that those risks are being managed and operating as intended - that was really what I wanted this audit function to be. So the people that I was looking to hire were folks that I knew could provide some of that mentorship to other folks in the business around how do you think about risk controls and compliance.
I also really wanted folks that were going to be agile. Technology companies, Instacart included, from my experience, move pretty fast. What we were going to plan to focus on yesterday may not actually be the priority tomorrow. I needed to find folks that were willing to appreciate and accept the fact that priorities may change and we need to shift because we want to focus on the highest priority risks of the business at that point in time.
JS: I want to circle back to something you mentioned earlier, which is the Instacart IPO, which must have been an interesting experience to go through as an internal audit leader. Can you tell me about what it was like for you and your team?
DR: It was a cool experience. We knew that we were trying to go public. It had been long on the horizon. So my team played an instrumental role in helping the company make sure that we knew what risks exist in our environment, and that we could begin to work to manage those. I did not want to have any surprises after the IPO. As part of that process I was personally involved with providing insight to our underwriters and all the teams and advisors that were supporting the actual IPO process.
The day of the event was actually fun as well, just being able to be there as the bell was ringing with the leadership of the company was an experience career-wise that I didn't know if I'd ever have again. I'm definitely happy that I got to have that at least once.
—
IV: ON MAKING THE SWITCH FROM EXTERNAL TO INTERNAL AUDIT
JS: I want to rewind the tape for the last section of this interview. Can you just give me a quick sketch of, how did you end up in audit, and how did you end up focused in technology specifically?
DR: If I reflect back, I think it really came from interests I had as a child. My grandmother had one of the first Apple Mac computers that came out in the early 80s,
JS: What a cool grandmother.
DR: Yeah, that was fun, right? Just learning how to use a mouse and the interface was something that I enjoyed, or just doing clip art designs and things. In high school, I would take apart computers and swap out memory cards and try to build things.
I also had a love for math. So when I ended up in college, I ended up majoring in accounting and management information systems. I think accounting because it applied that logic of math, and the math classes I started taking in college were too hard for me, so I gave up on that. And then, my interest in technology led me to major in management information systems.
It was a natural progression for someone with those undergrad majors to land at a public accounting firm, because I was able to get my CPA license, was able to learn audit from an external audit mindset. And my interest in technology living in San Francisco, in Silicon Valley, and having grown up here, it was just a natural ask for the types of clients that I wanted to work on. It worked out such that I've been able to build my career for the majority of the last 20 years focused on technology.
JS: As we've spoken about earlier, you were at PwC and now you're internal at Instacart. So you moved from external to internal, which is a career move a lot of auditors consider at some point. Can you talk about how you thought through making that change, your motivations for it, and if there were any surprises after you made the jump?
DR: Absolutely. I had made the decision that I was ready to leave public accounting. I thought to myself, what is the type of role that I could have where I could really leverage my skill sets, and naturally internal audit was one of those places.
I think it is valuable to have had that external audit experience because I brought that audit mindset. But one of the surprises was that I left PwC as a pretty senior director, and I thought I knew a lot about how business operated. And in my first company, before I got to Instacart even, I realized that I just really didn't understand how businesses operated because I had been a consultant for so long. That was a big surprise and a learning of just, okay, how does FP&A interact with the different business units from a P&L standpoint?
More specifically to the audit profession, a lesson I've learned over time is really how management could leverage an audit report. As an external auditor, I spent so much time making reports look pretty. Every single detail was perfect, but I realized internally that's just not necessary, nor is it wanted. Management wants to know the biggest business issues, and they want help in how to solve them. The little details can absolutely be discussed offline, if at all, and learning that art of being able to produce an audit report that was impactful to line management and also senior leadership and the board is something that needed to be learned as I transitioned from external audit to internal audit.
JS: Do you have any other words of wisdom for someone who's sitting on that fence thinking, maybe I'm going to make the jump to internal from external?
DR: I would recommend making sure that you understand what your business partners care about and what keeps them up at night. If you can understand that and you can bring value to the biggest risks across the organization, that's a win for the audit department. Business stakeholders don't care about the fact that you sampled 30 items and two of them didn't have a signature assigned to them. They care about, ‘oh my gosh, there's this brand new compliance regulation that's brewing in Europe, and we have never considered this. What do we need to do about it?’ So just thinking big picture.
JS: One of the animating ideas driving AccelPro is that peers learning from peers can be really valuable. So I'd love to ask you about your experience relying on peers to deal with tough situations or manage tough decisions. Can you think of a time when advice from a peer was really critical for your career?
DR: Like I mentioned, when I took this role, I was new in the seat as a head of internal audit. This was my first time attending audit committee meetings, reporting to audit committees. The support that peers of mine gave me through that transition and still to this day has just been outstanding. I think that auditors stick together. They're supportive. The network of technology and audit leaders that I have provided me so much advice, whether it's, how do you present your audit plan to the audit committee? Or how do you get this difficult stakeholder to be less difficult? We've got a network of audit leaders that we're conversing with literally daily in our Slack group where we're sharing information. That has been so valuable to me that I honestly think without that network of folks, I don't think I would have been able to be as successful in my job at Instacart,
JS: Do you have any advice on building that network? Did you just accumulate folks over time through the natural flow of work, or did you have any particular strategies for building such a valuable network?
DR: I think it's both, honestly. LinkedIn is very helpful. As I took my role, I did a search in LinkedIn, like ‘who in my network is a head of internal audit or a chief audit executive?’ And I actually knew quite a few people that have been in this role, many of whom I hadn't spoken to in five or ten years. Reach out to those folks. ‘Hey, I'm taking this role. I'd love to share perspectives. Can you give me any advice?’ The willingness of people to say yes to that ask was incredible. So there’s tapping into old networks, but I think also attending networking events is helpful, and through my network I learned about different groups that exist and attended IA conferences. Leverage the network you already have, but also don't be afraid to get yourself out there at events.
I think the audit profession is very willing to share experiences, and you just have to put the proactive effort in to find that network to help you.
JS: What other advice or learnings for folks in the audit space of technology companies do you want to get out there?
DR: Be yourself as you're talking to folks. Be humble. Be open and willing to learn. Ask a lot of questions. That will help individuals be even better auditors. It's okay to ask. It's okay to not know everything, especially in the world of technology. There's no way that us, as auditors, are going to know the ins and outs and risks of all these emerging technologies. Quite frankly, the people building them and using them probably don't know and consider all of the risks. Know that there's risks out there and figure out what those risks are in collaboration with management.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on December 5, 2023.
Listen on Apple Podcasts, Spotify and YouTube
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.