Tony Munns: Controlling IT


Three years ago, Tony Munns was the only person employed in what has become the risk management services practice at the St. Louis firm of Brown Smith & Wallace. Now, the unit employs 16 and Munns, a CISA who once worked for Arthur Andersen, would hire three more "if I could find the right caliber of people." Business is booming.

"We've closed about $400,000 of work this week," notes Munns, a member of the 140-person firm.

The firm recognized the growth, giving Munns his Founder's Award for 2004, in recognition of exceeding in areas of teamwork, excellence in leadership, and contributions to firm growth.

Partner Insights

A non-CPA, Munns, who was born in England, has a strong technology background. He was a systems analyst and later a systems designer for the Prudential, and headed the IT audit team in Kraft for two-and-a-half years before the company convinced him to move to the United States. He ended up at Andersen, where he took over the technology risk consulting team, which grew from four to 20 staffers, also leading the Great Plains regional business systems audit practice. He was one of a group of six redesigning technology for Andersen worldwide when the firm's end came. He went with Brown Smith, a $13 million-a-year firm because the family decided not to move again.

Munns began the practice at the right time, performing technology audits for private mid-market firms. Brown Smith is able to offer fees half the rate of the Big Four, which have turned their attention elsewhere.

"It's a combination of work from traditional internal IT audit to helping people with Sarbanes-Oxley and performing vulnerability assessments," says Munns. The group went beyond merely auditing clients' systems on site; it constructed its own laboratory so it could perform testing. The lab, a roughly 10-foot-square facility, is stocked with high-powered, specialized servers, dedicated T-1 lines, routers, and sophisticated software to enable the team to probe client Internet sites, looking for weaknesses and attempting to sign onto unprotected Wi-Fi networks.

The need to understand technology underlies the approach to providing processing analysis.

"You can't audit a system or a process without understanding the underlying technology," notes Munns, who shares leadership with Ted Flom, a CPA and CISA who spent 12 years with KMPG, where his responsibilities included managing SAS 70 reviews for third-party service providers and hosting facilities.

That business-building process has included hiring consultants with hands-on experience with Great Plains and MAS 90, business process and IT auditors with multiple disciplines. Right now, Munns is looking for an auditor experienced in systems such as SAP, Oracle, and PeopleSoft, and targeted industries such as banking and retail.

One reason for providing third-party audits is that the firm can simplify the life of businesses such as Internet Service Providers who undergo AICPA SAS 70 Type 2 audits. The firm provides the annual reports on control infrastructures to customers and potential customers. "That saves them from being deluged with customers' auditors." he says.

The SAS 70 audits require an investment in time. "You have to have established policies and procedures. For a full type two SAS 70, we take a period, often a year, and test if controls are operating," Munns says.

Audits include making sure that proper security is in place for systems. Physical security is also studied, to make sure that computers and servers with financial information cannot be stolen.

"It's physical security, logical security, trouble reporting, systems development life cycle," says Munns, rattling off a string of technology issues probed by the auditors.

The IT audits result in two reports, the attestation of controls in the organization, and the management letters that detail what controls need to be fixed and recommending improvements and best practices. Since the accounting firm cannot perform that work, it often helps bring together other service providers that can.

Work for the first year of SOX-compliance is very much a one-time large project; many of the engagements that Brown Smith has undertaken produce recurring revenue.

"In a lot of work, we are going into the second and third year," says Munns.

Robert W. Scott is Editor of Accounting Technology and can be reached at

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

Register now for FREE site access and more