The Winning Hand: Q&A with One of Gaming’s Top Internal Auditors

Robert Rudloff, senior vice president of internal audit at MGM Resorts International, has spent 38 years honing his craft as an internal auditor and leads a 100 person team at the hotel and gaming giant. During that time he has seen rapid change in the profession and has led numerous initiatives to contribute to the improvement and advancement of internal auditors through advisory groups and committees. We recently caught up with Bob to chat about those changes, how he got his start as an internal auditor, and where internal audit at MGM is focusing its efforts this year. During our talk, Bob provided some invaluable advice for newly minted auditors—invest in yourself and remain inquisitive—and for veterans of internal audit alike—engage in open, honest, and timely communication. Below are his insightful thoughts on where the internal audit profession is heading and some valuable lessons learned along the way.

Q: How did you get your start as an internal auditor?
A: I became an internal auditor quite by accident. While still in college I interviewed for an accounting position at the Golden Nugget, one of Atlantic City’s first casinos, which was just opening. The person who interviewed me was the vice president of administration for the Golden Nugget, but was also its former director of internal audit. During the interview he asked, “What about internal audit?” To which I replied, “What is it?” He described it, and I was immediately hooked. I’m still an internal auditor 38 years later.

Q: What are your favorite aspects of being an internal auditor? What drew you to the profession?
A: Every day is different. I’ve always liked that. There is no daily, weekly, or monthly routine. We have the ability to drive our own success on our own timelines—within reason, of course. That freedom, and the variety of what we get to do, drew me to the profession and has kept me here for nearly four decades. On top of that, no one gets to see all the inner workings of the organization the way we, as internal auditors, get to see it.

Q: Anything you don’t like about being an internal auditor? What are the cons?
A: It’s always a difficult when our clients take our observations and recommendations as a personal attack, rather than understanding that it’s not about them, it’s about the business. We understand they take a lot of pride in what they do and the departments or functions they lead. But when they take it too personally, they sometimes get defensive about certain comments we make or recommendations we have to offer. Inevitably, their reaction prolongs the process of getting the audit wrapped up and the report completed.

Q: What is your internal audit function at MGM focused on this year?
A: We have several key areas of focus. On the growth side of the business we are assisting in the opening of our new casino resort in Springfield, Massachusetts. In technology we are increasing our focus on cybersecurity and data loss prevention—areas the audit committee is also focused. We started an internal audit analytics team a few years ago, and we are growing that team this year. Our Macau casino operations more than doubled in size as of February 2018, and although we don’t have direct responsibility for auditing the day-to-day operations, we do work with our Macau counterparts, so we are providing them training in several areas. The company is also reassessing its financial systems platform and we expect a decision on new technology by the end of the year. We will be part of the system implementation effort in 2019 and beyond. We also have a controlled REIT, MGM Growth Properties, which is focused on growing by acquisition, so we are participating on pre-acquisition due diligence teams. Last, we are continuously trying to think of ways to be innovative in our internal audit service delivery model, and that will be a key focus for us this year, too.

Q: What’s on the audit plan this year that maybe hasn’t been on the plan in the past?
A: As I mentioned, this year we are getting involved with pre-acquisition due diligence on behalf of our REIT. In the past the company has tended to grow by building new properties—City Center, MGM National Harbor, MGM Macau, MGM Cotai, and MGM Springfield—but now there is an emphasis on leveraging the REIT and growing through strategic acquisitions, so we are involved in that effort.

Q: What are some of the things that internal audit can do (either at MGM or generally) to add value and improve its perception in the organization?
A: Open, honest, and timely communication is most critical to what we need to do to be successful. Internal auditors are sometimes perceived as working in the shadows, but that can be overcome with transparent communication. Yes, we have to keep some secrets in the work we do, but when you have an environment of open communication it leads to trust. And when we have management’s trust, internal audit will always be perceived in a much better light. I have standing meetings with the chairman and CEO, the CFO, general counsel, and other top executives just so that the doors of communication stay wide open.

Q: What would you say has changed the most about internal auditing in the last five years or so?
A: Technology, technology, technology: both for internal auditors and for the business. First, mobile devices have become a great tool for the auditors. Not only can observations be easily documented in photos, but the auditors have become adept at documenting observations in conveniently time-stamped text messages they send to themselves. Second, we have also greatly expanded our use of audit data analytics. Some analytics routines have proven so reliable and insightful we have turned them over to the business rather than keeping them for ourselves. Data analytics is often named the future of internal audit. We believe it, so we are expanding our data analytics team. There is an important side story to this: Our ability to dive into the company’s data is aided by what I said about having a trusted relationship with those whom we audit.

Third, the risk side of technology is all around us and it’s critical to get a handle on it. There have been too many significant data breaches to list here, and we are fortunate that we haven’t been on that list. We are working with IT to dive into areas where they see the most potential exposure. In fact, the internal audit department’s IT auditors work from the IT building, not where the rest of the corporate audit team is based. This allows them to stay on top of what is happening in IT, and adds to the trusted relationship. Furthermore, it’s easier for the IT auditors and the CISO or CIO to have an impromptu conversation when they are right down the hall from each other.

Q: What are the two or three biggest challenges for internal audit leaders and executives?
A: The primary challenge is talent. I know I’m not alone in this, but it’s hard to find the right talent. Good internal auditors with the right attitude and the right skills are scarce. We can’t do all the things we recognize we need to do without the right talent. A second challenge is technology. As I already said, technology has changed more than any other area in the recent past, and the pace of change isn’t slowing. How do we, as auditors, as business people, stay up to date when the pace of change is so fast? The pace of change becomes a breeding ground for risks, and those risks are often not even visible until it’s too late. The third challenge is adopting a culture of innovation. Sometimes as auditors we get too comfortable in what has been successful for us in the past. It’s not just about fearing change, but sometimes we don’t look for it in the first place. If we are going to remain relevant, we have to innovate.

Q: Internal audit has worked hard to change its perception as the police force of the organization. Do you see that perception changing? What can internal audit do to continue to change how it is viewed at many organizations?
A: Collaboration and communication go a long way in changing clients’ perceptions. I’ve had the opportunity to interact with many auditors from a variety of organizations, and the perceptions—positive and negative—usually stem from the chief audit executive’s approach to internal auditing. Even today, some CAEs remain secretive. They stand off to the side without engaging well with the rest of the business. They too often play the “independence” card. But I really feel it comes from a place of discomfort, if not fear. It’s easy to preserve our independence while doing what’s right for the organization. We should use every bit of our business acumen to help the business, to work with the business, yet still maintain our ability to be critical of the business. When we can do that the perceptions will change.

Q: What advice do you have for young internal auditors who are looking to advance in their careers?
A: Auditors, both young and old, have to invest in themselves. If they want to get anywhere in their career they have to be willing to put in the effort. Study and become certified. Read. Be inquisitive about what the organization is doing and why.

Also, get involved with the organization and the profession. At MGM Resorts, we launched a series of Employee Networking Groups about four years ago. There are groups for veterans, working mothers, Latinos and Hispanics, Asian and Pacific Islanders, the disabled, the LGBT community, interfaith, and others. I encouraged my team to get involved in them and from the outset internal audit is the single largest group in the company in leadership roles in these networking groups. That’s how they can develop themselves and set themselves apart. But it takes work, effort, and commitment. As I said before, you can’t remain in the shadows. You have to be out there networking, connecting, and taking an active role in the organization.

Q: What is something you did in your career that you are glad you did and wouldn’t change?
A: There are two key things. After 18 years as an internal auditor in the gaming and hospitality industry, I needed a change. One, the ethical climate in a prior company had deteriorated and I was being asked to cross a line I didn’t want to cross. I had to get out, and I did. At the same time I was leaving that company, I had several opportunities to do more of the same in the gaming and hospitality sector, but instead, I moved my family across the country and took an opportunity with PwC. I was still an internal auditor, but in a different way. While sticking with my gaming and hospitality roots, I had the chance to work with organizations in pharmaceutical manufacturing, high tech, food and beverage service, museums, and more. I was also exposed to businesses in Europe, the Middle East, Asia, Australia, Central America, and Canada. This broad frame of reference was what I really needed to be able to succeed at MGM Resorts International for the past 15 years, as we have become a truly global and growing organization.

Q: What’s something you might have done differently, knowing what you know now?
A: I am not as well versed in technology as I think I should be, so it would have been smarter if I had spent more time and effort building my technology-oriented skills. I am very fortunate to be able to place a lot of faith in my technology auditors to keep me up to date on what the risks are and why we think they are risks, and to interpret “technology speak” for me, but I wish I had a better direct understanding of technology and technology risks.

Q: Where, generally, do you think the internal audit profession is heading in the next five years? What are the issues we will be dealing with out on the horizon?
A: In the mid-1990s, internal auditors were at risk of being outsourced—and many were outsourced—because they failed to stay relevant. Nothing has changed. We have to remain relevant to the organizations where we work. Last year’s audit plan won’t work this year and it certainly won’t work next year. To remain relevant we have to be engaged. And to be able to be engaged we have to collaborate and communicate. Audit plans are merely a guide and the CAE has to be willing to cast the audit plan aside when the business changes. One place we are going is that we can’t remain in the shadows. That said, the constant evolution of technology, including the internet of things, is part and parcel to every one of our organizations and demands our continued focus. Technology is going to change how we do our jobs, how we engage with our customers, how we drive new or modified revenue streams, and do business in ways we haven’t even thought of yet, so we have to develop in lock step with how our companies are changing.

We are also going to need to address data privacy in a more critical way. From the adoption of Europe’s General Data Privacy Regulation (GDPR) to the news that surfaced about Facebook’s use of data, global privacy standards are going to only become more stringent, more complex, and more costly. Customers will very likely choose whether or not to do business with our organizations based on our privacy protections. Also the use of data analytics will continue to drive how we do our jobs. Our organizations are more data-driven than ever, and we need to be more data driven, too. It’s not just about doing more, but doing more of the right things. Lastly, assessing ethics and culture is going to grow in importance. An ethics policy and training is not going to be enough. As internal auditors, we are going to have to brave and be willing to criticize the company, its culture, its leaders, before problems show up in the Wall Street Journal or the New York Times. 

Robert Rudloff is senior vice president of internal audit at MGM Resorts International.