Not too long ago, a $1 billion bank hired both a CPA firm and a risk management firm to conduct a security audit, performing penetration tests to determine where the weak links were in the bank's computer systems. Taking an extra step, the bank hired CPA Joel Lanz to conduct a security audit. During his assessment, Lanz noted that the bank had outsourced the storage of its clients' data and that penetration testing should have been performed at the vendor's site.
"What I showed (the bank) was rather than contracting for the penetration test at its facility, vendor management and oversight was their biggest risk," says Lanz.
IT audit and security is a booming business, benefiting from the concerns spurred by last year's Hurricanes Katrina and Rita, concerns that spurred the five-year-old sole proprietorship to $325,000 in revenue in 2005.
Lanz operates his consulting firm from Jericho, N.Y., providing IT audit, governance, security, and risk assessment services to clients in the banking community. And perhaps the less that is known about Lanz's work, the better he has done his job. He wants to prevent clients from making the news because of security breaches.
Although Lanz couldn't disclose the names of his clients, citing privacy clauses, he characterized them as community banks and super-regional institutions with assets ranging from $500 million to $30 billion.
"They're too busy running the day-to-day operations of their business," says Lanz. "They can't see the forest for the trees."
That's why they need an independent consultant, such as Lanz, who has the CITP, CISA, CISSP, CISM, and CFE certifications on top of his CPA.
The majority of his clients hire him on retainer at annual fees ranging from $20,000 to $55,000. Fees for individual services, such as security reviews, range from $1,000 to $50,000 depending upon the size of the company and project scope. And the cost of an IT risk management project ranges from $12,000 to $24,000.
It is technology that enables Lanz, a one-man shop, to snare engagements with clients of the size he is able to serve. Software provides the foundation for this business. Lanz employs a vulnerability management product called Qualys, which allows him to view his clients' business environment the way a hacker would so that he can test their susceptibility to security threats.
With Qualys, Lanz is able to identify easily guessable passwords, determine if patches are up-to-date, and map the client's network.
"Without it (Qualys)," says Lanz, "it would be hard to compete with a larger firm."
Lanz says financial institutions seek him out because most mid-size firms don't offer IT security services. As a result, he regularly competes with Big Four accounting firms, large regional accounting firms, and non-CPA risk consulting firms. "I'm a former partner at Arthur Andersen," says Lanz, "so coming to me, they get a former partner, rather than the person two years out of school."
During his 25-year career, Lanz was a technology risk consulting partner at Andersen and an information systems audit specialist manager at Price Waterhouse. His financial services industry experience includes tenure as a vice president at Chase Manhattan Bank.
His firm's services include preparing for regulatory exams and bank IT audits; managing information security programs; performing IT security risk assessments; vulnerability and penetration testing; designing controls to reduce the occurrence and impact of fraud; and complying with payment network rules.
One benefit of such a specialized service is that Lanz doesn't necessarily need a staff to promote his firm. In fact, Lanz does not promote the firm and its IT services, other than having a Web site.
According to Lanz, his clientele learns of his firm through word-of-mouth.
"I market the old-fashioned way," says Lanz.
JOEL LANZ CPA Snapshot
HQ: Jericho, N.Y.
Annual revenue: $325,000
Riccardo A. Davis is Associate Editor of Accounting Technology and can be reached at email@example.com.