Yulia Gurman, director of internal audit and corporate security at Packaging Corporation of America, has spent more than 15 years honing her craft as an internal auditor, including stints at such companies as OfficeMax and Retail Properties of America. At PCA she is working to improve the use of advanced technology and analytics and keeping on top of the ever-changing risks that all large companies encounter. Along the way, she has sought out new challenges and learned from her setbacks. “I honestly wouldn’t change anything,” she says, when asked about what she might have done differently. “Every experience I’ve had has made me who I am today.” We recently caught up with Gurman to talk about those challenges, how she got her start as an internal auditor, where internal audit at PCA is focusing its efforts this year, and much more.
Q: What are your favorite aspects of being an internal auditor? What drew you to the profession?
A: I took what many would consider a somewhat traditional path to internal audit. I started in public accounting and got a chance to work with several clients. While I was able to get exposure to a diverse group of industries that way, I always felt like I wanted to get to know the companies better. There simply was not enough time for that, however, with so many individual clients. When I learned more about internal audit I thought that it would be so great to be able to focus on one company, learn the business at a deeper level, be part of the team, help make the company stronger, and have an opportunity to get a 360-degree view of the company.
Q: How did you get your start as an internal auditor?
A: My first internal audit job was as a senior auditor at office supply company OfficeMax. I got a call from a former colleague who told me about an opportunity to join OfficeMax’s internal audit team as they were looking to expand. I met with the vice president of internal audit and some team members and instantly wanted to join the group. I was so happy to get a call with an offer. And so my journey as an internal auditor began. OfficeMax was a global company and my first assignment was to travel to New Zealand to audit one of the manufacturing facilities. It was a dream job: I finally got a chance to focus on one company, get to know all aspects of the business, and travel internationally.
Q: What is the toughest part of your job?
A: The toughest part is balancing the right amount of risk coverage for different areas of the business, yet still covering all the basics and “must haves.” The key to strong risk coverage is having a strong knowledge of the business, so I have focused on learning the business as quickly as I can, since I am still fairly new to the manufacturing environment. It’s important to have real in-person conversations with people throughout the company to understand the risk environment. We have a large number of packaging plants and paper mills, and a decentralized environment, so the job requires lots of travel to a number of specific locations to meet the teams and really get to understand how each plant operates. The other equally important challenge is to motivate the internal audit team, challenge them, give them an opportunity to work on interesting projects, and provide growth opportunities for them.
Q: What is your internal audit function at PCA focused on this year and what are the big initiatives in internal audit that you are working toward?
A: We are working to do more to embrace technology and deploy advanced data analytics. We are building up our analytics resources and enhancing tools to help us move to the next level. We are not alone, by the way, in our interest in increasing our advanced analytics capabilities. Data analytics is one of the most talked about topics at internal audit events I have attended. Additionally, we are taking the initiative to learn more about advance technologies, such as artificial intelligence and robotic process automation. Our strategy is to equip ourselves with knowledge first and then decide how to apply some of these technologies internally, as well as to gain a better understanding of how such technologies are used at our company.
Q: What’s on the audit plan this year that maybe hasn’t been on the plan in the
past and how do you keep the plan relevant to the evolving risk landscape?
A: Without going into specific details, we keep our plan relevant to our organization’s risk coverage, and we also use the audit universe to determine areas of coverage. The key is to continuously review and revise the audit plan. We make changes to the plan throughout the year to make sure relevant areas are addressed. If we need to work on a special review or investigation, we would move some audits around. Another example would be any advisory work requested by management. Most of these types of projects would take priority and we will likely have to delay some projects that were part of the originally proposed plan.
Q: You are also head of corporate security at PCA. How does that fit with internal audit? Is there anything you have learned in that role that can influence your role in internal audit?
A: My corporate security and internal audit teams work together on a number of projects and learn from each other, and we leverage skill sets of both teams. Of course, I need to be clear about my oversight role, and if we had to look into the effectiveness of the corporate security function, it would have to be done by an independent party.
Q: What are some of the things that internal audit can do (either at PCA or generally) to add value and improve its perception in the organization?
A: Where do I begin…? I think there is no single answer for how all internal audit functions can increase the value they provide. However, we should really focus on understating the strategies of the companies we are working at and help management identify critical risk areas. Audit plans should be tied to the Enterprise Risk Management programs so that direct correlation is evident to management. We should also spend enough time with management to gain an understanding of their specific needs and preferences, and when executing individual audits we need to keep relevant stakeholders informed and avoid surprises. Auditors should also set aside enough time for advisory work and make sure we are engaged in some projects as strategic advisors. It’s vital that internal audit helps management identify risks and suggests controls to ensure success in executing the strategy.
One of the things I always do is to ask for feedback to make sure I understand what our strengths are and also what areas we should be improving on in our future audit work. It is also helpful to get involved in different groups (a diversity taskforce, for example) that companies have, even if those have nothing to do with internal audit.
We also help develop employees who are coming into audit from other areas as guest auditors or joining the team permanently, and we feed quality employees back out to the business. As I mentioned before, internal audit allows an employee to get exposure to the entire company and all of its locations which allows them to help clarify their future career path outside of audit (for those who want to use audit as a stepping stone to get in the business or operations in the future.)
Q: What are the two or three biggest challenges for internal audit leaders and executives?
A: The first is remaining relevant and adding value. We need to stay relevant as a profession in terms of our companies’ strategic plans, understand emerging risks, and have upfront discussions with management and the audit committee. It’s important to educate ourselves and others in the organization on what those risks may mean to the company.
The second biggest challenge is getting the right talent. We are currently in a highly competitive market for resources, so we need to make sure we engage and retain our employees. We also need to understand what skills are needed in order to have a strong internal audit team and retain the ability to address critical risks.
Q: Internal audit has worked hard to change its perception as the police force of the organization. Do you see that perception changing? What can internal audit do to continue to change how it is viewed at many organizations?
A: I certainly hope the perception of internal audit is changing, but a lot also depends on what individual internal audit shops do and how they interact with their customers. In my experience, I always get a mixed reaction from different clients, even though we all work for the same company. This reinforces the importance of developing positive relationships and having clear and effective communications with your audit customers, as well as internally with the team, to ensure we communicate accurately and with a consistent message.
Q: What advice do you have for young internal auditors who are looking to advance in their careers?
A: Be very proactive in managing your career path and develop a clear idea of what you want to do. Consider getting a mentor, or even a few mentors, to help you make the best decisions and learn from your successes and missteps. Also, communicate your needs to your manager and make sure that your work place helps you achieve the next milestone in your career, of course without any sacrifice of the quality of the work that you do. Look for opportunities to help others as well.
Q: What is something you did in your career that you are glad you did and wouldn’t change?
A: I was glad to join the internal audit profession and that I got involved with professional groups, such as the local Chicago chapter of the Institute of Internal Auditors. I met a lot of colleagues, mentors, and friends, and we support each other as we progress in our careers. I am glad that I made a few career moves that put me out of my comfort zone and made me (I hope) a better auditor and strategic partner to the business. Complacency is our worst enemy. I enjoy taking on new experiences and figuring out how to overcome any challenges I encounter along the way.
Q: What’s something you might have done differently, knowing what you know now?
A: I honestly wouldn’t change anything, every experience I’ve had has made me who I am today.
Q: What would you say has changed the most about internal auditing in the last four or five years or so?
A: The expectations of stakeholders have changed the most. The old days of when auditors were thought of as financial auditors or accountants are long gone. We are now expected to be strategic partners. With that in mind, risk coverage is very diverse and we must ensure we have the adequate skills available to address those risks, whether acquiring those skills on our own teams or using co-sourcing. Not covering some risks because there is no in-house expertise is simply unacceptable.
Q: Where do you think the internal audit profession is heading in the next five years or so? What are the issues we will be dealing with in the future?
A: If I could only predict the future…. However, certain changes are coming our way and we don’t need a crystal ball to predict what some of those are: technology evolves so rapidly and we need to stay on top of all the changes to ensure our relevancy as a profession. With technological advances and applications, talent needs are changing as well, and we should continue evaluating what skills are becoming more critical for internal audit. For example, we used to prefer hiring out of public accounting firms, but they are not really the only sources anymore. We are hiring individuals with diverse backgrounds. We are also cross-training our team members to make sure everyone has some knowledge of technology and our IT team gets opportunities to work on operational reviews and learn the business. So it’s a challenging time to be an internal auditor, but also a very exciting one. 
Yulia Gurman is director of internal audit and corporate security at Packaging Corporation of America.
More Internal Audit Interviews: