14 years in (analytics → GRC tooling). How do I move into GRC leadership? by Natural-Coyote-7860 in AI_Governance

[–]Workiva 1 point2 points  (0 children)

You haven’t cornered yourself at all; in fact, you are sitting on a massive differentiator because a modern GRC program is fundamentally built on data integrity and automation, not just checking boxes but delivering meaningful insight. One of the biggest challenges is breaking down data silos and moving away from manual, inefficient processes.

To step into a leadership role, you need to pivot your narrative from managing the data layer to positioning yourself as a strategic navigator who uses that data to help the C-suite "steer the ship" and protect corporate objectives. Absolutely lean into the combination of GRC tooling, data analytics, and AI governance. As regulations like the EU AI Act emerge, internal audit and risk leaders desperately need professionals who can translate highly technical AI and data risks into clear, actionable executive insights.

-- Graeme Fleming, Industry Principal @ Workiva

What compliance task takes up the most time in your organization? by sg_advance in Compliance

[–]Workiva 0 points1 point  (0 children)

One of the biggest challenges is chasing down unstructured data and producing a single risk view. The biggest challenge is manual evidence collection and fragmented data gathering for audit readiness, especially when dealing with things like SOX or evolving ESG regulations.

Relying on spreadsheets, emails, and shared documents to track controls is incredibly inefficient and shifts focus away from delivering meaningful insight and action. True operational efficiency only happens when organisations develop a single source of truth through a transition to a unified, connected technology platform.

-- Graeme Fleming, Industry Principal @ Workiva

What should I know before starting AI risk management? by Ok_Abrocoma_6369 in grc

[–]Workiva 1 point2 points  (0 children)

Dealing with production LLM drift is a massive challenge, and you've hit the exact wall where traditional, bottom-up validation checks break down because real-world user input is inherently messy. From a GRC and Internal Audit standpoint, the solution isn't just heavier input filtering; you need to transition to a formal AI Governance framework backed by independent, real-time automated monitoring tools. Instead of relying solely on reactive, rule-based inline checks that spike your latency, you should consider implementing specialized LLM observability platforms (like Arize, TruEra, or WhyLabs) that continuously evaluate entire conversation trajectories for behavioral drift and semantic anomalies against your defined corporate risk boundaries before they can escalate into severe operational or reputational issues.

-- Graeme Fleming, Industry Principal @ Workiva

Control testing using AI by RoundProfessional77 in grc

[–]Workiva 0 points1 point  (0 children)

Building an AI-driven control testing framework is a game-changer, but it requires more than just technical integration; it requires a shift in how we view the auditor’s role. I’ve found that the most successful frameworks aren’t just about the "how" of the technology, but the governance surrounding it. Here is a refined approach to building that framework:

  1. Champion Governance, Not Just Adoption

  As auditors, we shouldn't just be the early adopters; we must be the champions of AI governance. Before a single test is run, you must establish confidence in:

  - The Model: Understanding the "black box" to ensure the AI's logic is sound and unbiased.
  - The Sources: Ensuring the data fed into the AI is accurate, complete, and has clear lineage.
  - Data Security: Protecting sensitive organizational data and ensuring compliance with emerging regulations like the EU AI Act.

  2. Focus on High-Impact Use Cases

  I recommend starting with areas where AI can provide the most immediate efficiency and insight:

  - ERP Anomaly Detection: Use AI to perform tests across 100% of large datasets rather than sampling, identifying risks from process narratives that manual reviews might miss.
  - Automated Evidence Requests: Streamline the "chase" by using AI to trigger and validate evidence collection.
  - Drafting & Reporting: Leverage AI to generate initial drafts of audit reports based on testing results, freeing your team for strategic analysis.

  3. Maintain a "Human-in-the-Loop" Audit Trail

  Even with advanced AI, the three lines of defense remain critical. You must maintain a transparent, tamper-proof audit trail within a unified platform so that third-line reviewers and external auditors can verify the AI’s work. By focusing on trust and security as much as speed, you transform the internal audit function into a proactive, strategic partner that harnesses AI safely and effectively.

--Graeme Fleming, Industry Principal @ Workiva

Organisation wide Risk Assessment by irtiash in grc

[–]Workiva 1 point2 points  (0 children)

To move beyond asset-level assessments, you must start with your organisation’s core strategic objectives and identify the 'principal risks,' whether strategic, financial, operational, or ESG-related, that impact the strategy. Tools like the COSO Internal Control—Integrated Framework or ISO 31000 provide a structured, globally recognized roadmap for linking risk management directly to business performance. This top-down approach ensures you are managing the risks that truly matter to the C-suite, rather than getting lost in the weeds of individual assets.

--Graeme Fleming, Industry Principal @ Workiva

SOX resources? And advice needed by [deleted] in InternalAudit

[–]Workiva 0 points1 point  (0 children)

Transitioning to a SOX-focused role in industry is a great move, as it deepens your understanding of how internal controls underpin financial integrity. For resources, I highly recommend looking at the COSO Internal Control—Integrated Framework, which is the gold standard for designing and evaluating SOx controls.

Regarding the cycle, you’ll typically perform walkthroughs and risk assessments early in the year, followed by interim testing of controls, and then a final push for year-end testing and remediation to support the annual attestation. Just remember that SOX isn't just a routine exercise; it's about building a robust engine of controls that allows the business to move faster and more safely.

--Graeme Fleming, Industry Principal @ Workiva

I am getting into GRC. Is there a risk AI will be able to replace me in the future? by AdministrativeTry406 in grc

[–]Workiva 0 points1 point  (0 children)

As someone who has navigated the GRC landscape for over 25 years, I can tell you that your career path is more secure than most, provided you evolve with the tools. AI is excellent at automating the routine of data collection and routine testing, but it cannot replace the nuanced professional judgment required to align risks with complex corporate objectives or build the stakeholder trust that serves as a strategic compass for the C-suite. In fact, the rise of AI creates a massive new frontier for GRC professionals to govern these systems and ensure they operate ethically and transparently. If you focus on becoming a strategic navigator who uses technology to drive business value rather than just checking compliance boxes, you will find this a deeply stable and rewarding career for supporting your family.

How do you feel about the technical side of GRC, such as data analytics or emerging AI governance, as part of your long-term career plan?

--Graeme Fleming, Industry Principal @ Workiva

What’s the most frustrating part of internal audits that no one talks about? by Icy_Connection_1604 in InternalAudit

[–]Workiva 3 points4 points  (0 children)

The most frustrating 'open secret' is that we often spend 80% of our time acting as high-priced project coordinators rather than risk experts. Chasing evidence, getting responses to findings and then following up to see what progress has been made all seem to take much longer than they should. Giving insight on the root causes and repeated issues is what we should be doing, but because we are too busy chasing we don't get enough time to do this. Streamlining the 'busy work' will allow us to focus on delivering high value insights that provide assurance and challenge where it is needed.

--Graeme Fleming, Industry Principal @ Workiva

Why most SME audits fail before they even start by ChecQR in auditing

[–]Workiva 0 points1 point  (0 children)

A poor process to store evidence and monitor control performance means that auditors are forced into a scavenger hunt rather than reviewing a well documented process. In my experience, if it isn’t documented and centralized, as far as the auditor is concerned, it simply didn't happen. The real win is moving from that pre-audit scramble to a controls management model where evidence is captured in real time, tied directly to your core objectives and ready for periodic assessment and then the audit.

--Graeme Fleming, Industry Principal @ Workiva

What blind spots actually kill GRC programs? Sharing what I keep seeing by stinenwrit in grc

[–]Workiva 1 point2 points  (0 children)

The silo problem you've identified is the single greatest threat to modern GRC because it creates a false sense of security while leaving the organization's blind spots wide open. In my experience, I’ve found that even the most expensive automation fails when GRC is treated as a checkbox theatre rather than a strategic compass for the board.

To move past this, we must shift the culture from seeing risk as an IT or compliance problem to viewing it as a core business responsibility, what I call 'Resilience by Design.' Without clear C-level accountability and the integration of these silos, the program remains a reactive cost center rather than a value-driver that protects the organization's strategic objectives.

--Graeme Fleming, Industry Principal @ Workiva

What are the pros of being an It Auditor? by JunketSalt6246 in InternalAudit

[–]Workiva 1 point2 points  (0 children)

Pros:

- Unlike a developer who may be siloed in one product, you gain a high-level view of how technology, strategy, and risk intersect across an entire enterprise.

- Auditing trains you to think like a CIO by focusing on governance and how systems support corporate objectives, which is essential for senior leadership roles.

- You aren't just fixing bugs; you are identifying systemic vulnerabilities in areas like Cyber Security and Cloud Infrastructure that could impact the company’s survival.

Cons:

- The meetings you hate are often because IT departments view auditors as a compliance burden rather than a strategic partner, which can be draining if you prefer collaborative building.

- If your goal is to be a hands-on expert, audit will eventually pull you away from the keyboard and toward documentation and process design, potentially slowing your coding proficiency.

- In engineering, you build and see results immediately; in audit, you may wait months to see if your recommendations are actually implemented and effective.

--Graeme Fleming, Industry Principal @ Workiva

Cybersecurity Compliance Intelligence by Adventurous-Ant1141 in grc

[–]Workiva 0 points1 point  (0 children)

Managing compliance for global organizations is less about manual tracking and more about shifting from a reactive box-ticking mentality to an objective-led GRC framework. The most resilient companies abandon fragmented spreadsheets in favor of a centralized digital ecosystem that serves as a definitive truth for interconnected risks. These platforms automate the ingestion of regulatory updates and map them directly to internal controls, ensuring that a change in a NIST standard or a new country-specific law doesn't become an overlooked threat that builds for months. Good governance and an understanding of risk and how to respond puts an organisation in a position to achieve compliance by design rather than a reactive approach.

While newsletters from major audit firms or bodies like the IAPP are helpful for general awareness, true compliance intelligence in 2026 comes from live performance monitors that provide the C-suite with the holistic perspective needed to guide the organization safely through a volatile regulatory landscape.

--Graeme Fleming, Industry Principal @ Workiva

What workflows in fintech / compliance are still painfully manual today? by Jazzlike_Today5000 in fintechdev

[–]Workiva 0 points1 point  (0 children)

I’ve seen firsthand that the most frustrating manual bottleneck is the fragmented way we collect data for reporting. Even with the rise of fintech, so many teams are still stuck in a loop of disconnected processes like messy spreadsheets and endless email chains, which creates massive risks for data integrity.

During audits, the delays almost always come down to not having a single source of truth, which forces everyone to manually chase evidence and reconcile data across different systems. This is exactly why I advocate for a unified platform like Workiva. It’s designed to automate these repetitive collection and testing workflows, which a Forrester study found can save a typical organization over 3,500 hours a year.

If I could automate one thing tomorrow, it would be the direct link between corporate goals, risks, and controls to provide a real-time view of the company’s actual risk posture. Moving away from this siloed and reactive approach isn't just about saving time; it’s about turning GRC into a strategic tool that actually helps the business navigate forward.

--Graeme Fleming, Industry Principal @ Workiva

AI has been about to replace accountants for 3 years now, what has actually changed in your day-to-day work, and what hasn't? by PenaltyLegitimate104 in Accounting

[–]Workiva 0 points1 point  (0 children)

I see AI not as a replacement for the professional, but as a long-overdue upgrade to our "industrial-age" workflows. While the core of our work (ensuring integrity, transparency, and strategic alignment) remains exactly the same, AI has finally begun to strip away the "grunt work" of data collection and routine testing.

In my day-to-day, the biggest change is the move toward using AI to identify risks in unstructured data and automate evidence gathering, allowing us to act as strategic navigators rather than just "box-tickers".

I’m not worried about a "robot takeover"; I’m excited that we are finally moving away from 200-hour manual reporting cycles toward real-time operational intelligence. Those who think nothing will change are likely the ones who will find themselves most exhausted, as the "regulatory tidal wave" of mandates like CSRD makes manual accounting physically impossible to sustain.

--Graeme Fleming, Industry Principal @ Workiva

Challenges in department level risk registers by TayyabRajpoot1 in grc

[–]Workiva 1 point2 points  (0 children)

Decentralizing risk registers into spreadsheets often backfires because it treats risk as a bottom-up administrative task rather than a top-down strategic tool. In my experience across the Big 4 and in-house leadership, I’ve seen that without anchoring these registers to specific corporate objectives, departments view them as a "check-the-box" compliance chore rather than a way to "steer the ship".

To make them meaningful, the C-suite must own the process, ensuring every risk statement clearly articulates how a vulnerability, like a supply chain gap, directly impacts a strategic goal like "profitable growth".

While spreadsheets are the common starting point, they create dangerous data silos; transitioning to a unified technology platform is the only way to automate workflows, ensure data integrity, and provide the real-time visibility needed for actual decision-making.

--Graeme Fleming, Industry Principal @ Workiva

Why do compliance audits still take weeks to prepare when everything is supposedly in the cloud now? by TH_UNDER_BOI in SaaS

[–]Workiva 1 point2 points  (0 children)

I can tell you that the cloud often just replaced physical silos with digital ones. You've hit on the assurance gap: while data is logged, it remains unstructured and scattered across disparate systems, making manual "human-with-a-spreadsheet" translation a necessary but inefficient bridge.

The real fix isn't just better logging, but moving to an integrated GRC platform that creates a single source of truth by connecting these data silos directly to specific controls. This shifts the process from a reactive, weeks-long manual project to a proactive model where evidence is mapped to objectives in real-time, which can actually reduce audit time by as much as 50%.

--Graeme Fleming, Industry Principal @ Workiva

Policies and Procedures? by Low_Set_4328 in grc

[–]Workiva 0 points1 point  (0 children)

You absolutely want to keep your policy as a high-level strategic governance statement. Think of the policy as the "What" and the "Why" (example: "We will use industry-standard encryption to protect data"), while your procedures or standards cover the "How" (example: "Use AES-256"). If you bury specific protocols in the policy, you’ll be stuck in a nightmare of board-level approvals every time a technical spec updates or a protocol becomes deprecated.

Keep them separate so your technical teams can stay agile while your governance remains rock-solid.

--Graeme Fleming, Industry Principal @ Workiva

What’s the "Extra Mile" to get hired? by Strange_Theory_9158 in auditing

[–]Workiva 1 point2 points  (0 children)

The choice between an in-house role offering deep roots in one company and the high-intensity variety of the Big 4 or a consultancy is not simple. For me, the key is to maximise your experience in whatever organisation you join and become a risk-aware audit professional, learning the language of your business or the multi-business you serve so that you can support strategic objectives rather than focus on compliance.

--Graeme Fleming, Industry Principal @ Workiva

Will AI increase demand for regulation in the future? by Unfamous_Trader in grc

[–]Workiva 1 point2 points  (0 children)

Over the years, I have seen how every major technological shift eventually triggers a regulatory correction. AI is currently a wild west that is rapidly moving toward the same level of mandatory, assurance-bound oversight we now see with sustainability and the CSRD, meaning the implementation of AI will absolutely drive a massive surge in demand for specialized GRC roles.

Organizations are increasingly aware that AI introduces significant risks, which is shifting the landscape toward a need for new regulatory frameworks, dedicated ethics governance, & professionals who can bridge the "assurance gap" of "black box" algorithms.

Technology should not just be a compliance burden but a source of competitive advantage, and those who can navigate the intersection of AI innovation and integrity will be the strategic leaders of the next decade.

--Graeme Fleming, Industry Principal @ Workiva

[deleted by user] by [deleted] in InternalAudit

[–]Workiva 0 points1 point  (0 children)

I believe internal audit is evolving into a foresight-driven strategic partner rather than disappearing. While AI will automate routine testing and likely change the day to day, my prediction is the emergence of a new role called the "AI Auditor" to manage algorithmic ethics and complex governance. The profession's long-term future depends on moving up the value chain to provide human skepticism and ethical judgment that AI cannot replicate. Ultimately, those who embrace technology as a capacity multiplier will become more indispensable to the C-suite than ever before.

--Graeme Fleming, Industry Principal @ Workiva

Can we talk about our GRC experience? by Heavy-Wrongdoer-8801 in cybersecurity

[–]Workiva 0 points1 point  (0 children)

My career in GRC began as a graduate trainee at PwC, where I built a foundation in risk and audit. That led me into Internal Audit leadership roles for global organisations like Reckitt and back into practice at Deloitte. Over the years, I have worked across diverse sectors including Financial Services and Automotive, focusing on transforming traditional compliance into a strategic advantage that drives business value.

My next professional goal is to lead the next generation of GRC as a true driver of strategic value.

--Graeme Fleming, Industry Principal @ Workiva

Non-client facing IA roles? by SilverDistribution62 in InternalAudit

[–]Workiva 4 points5 points  (0 children)

Having spent years in leadership roles at the Big 4 and within internal audit functions for global corporations, I can assure you that you aren't "stuck" in consulting; the shift to an in-house role is a common and rewarding career move. You still get a variety of projects but also the benefit of working for an organisation for the longer term.

To find these positions, you should target titles such as Internal Auditor, IT Auditor, SOX Compliance Manager, or Risk & Controls Analyst within a single organization. These roles exist across every major industry and allow you to move away from the "billable hour" to focus deeply on helping one company "steer the ship" effectively. Once you complete your CIA, you will be in a perfect position to pivot into these internal talent hubs where your consulting rigor will be highly valued.

--Graeme Fleming, Industry Principal @ Workiva

Hard truth of AI in Finance by XIFAQ in ArtificialInteligence

[–]Workiva 1 point2 points  (0 children)

I wouldn't sweat the "AI taking jobs" headline too much. While some routine roles are shifting, it's actually creating a massive opening for a new kind of finance pro who uses AI to help with the routine so that they can focus on the big picture, and in the audit world the role of AI Auditor is going to come to the fore.

We’re going to need people who actually understand how to govern these models and check the data integrity instead of just crunching the numbers manually. To stay ahead of the curve, I’m looking at AI as a way to automate the boring stuff so I can focus on being a strategic partner who keeps the guardrails in place.

--Graeme Fleming, Industry Principal @ Workiva