Several years ago, when Tony Munns decided against pursuing a career that would keep him on the corporate road (literally and figuratively), he joined Brown Smith Wallace, becoming a one-person operation. Today, there are 26 staff members in the risk management department at the St. Louis-based firm, and Munns, who once led the worldwide technology risk consulting team at the former Arthur Andersen, runs the growing business, along with another former Big Six refugee, Ted Flom, a CPA and CISA, who spent 12 years with KPMG, where his responsibilities included managing SAS 70 reviews for third-party service providers and hosting facilities. Munns runs the IT audit side of the business, Flom the financial end. And a year from now, 30 to 35 people are likely to be working in the unit.
It's not hard to discover that risk management, including its critical technology component, is a hot business. Driven by regulations such as Sarbanes-Oxley, Basel II and HIPAA, the need to control financial and non-financial data has fueled demand for people with talent and experience.
Job sites such as Monster.com have been flooded with ads for positions with titles such as IT auditor, internal control specialists and units such as risk advisory services groups, Internal Audit, IT Audit and Regulatory Controls.
It is not just the era of new regulations that is driving the need for the services of groups such as Munns'. With the Big Four concentrating on larger clients, those firms have become less likely to negotiate fees.
"So the cost is getting out of the reach of mid-market companies," says Munns.
What do mid-market clients need? A lot. With Munns' group serving companies with about $500 million to $1.5 billion in annual revenue, clients want Big Four levels of training and project discipline applied to their risk issues.
Those services also span a wide range including internal audit, SOX compliance, FAS 70, business process re-engineering and data analysis. A security team will also provide infrastructure services and perform vulnerability testing.
It may be those latter services that represent the big change in providing controls and security. Instead of discovering what has gone wrong after the fact, the emphasis has switched to prevention, making sure controls are in place and data is secure.
Brown, Smith performs vulnerability assessment and penetration studies of technology systems, and in particular is receiving requests to test Web-based applications. Increasingly the vulnerability assessments are not optional.
"Regulators are expecting banking institutions to have testing done," says Munns. "It is now becoming a requirement rather than a differentiator."
What is a differentiator is that the accounting firm has its own laboratory and tests out applications.
The firm also utilizes a variety of commercial software products, including Approva, ACL, CaseWare Idea and Monarch, and recently hired a senior trainer from ACL to head up data analysis operations. The firm has also developed a set of templates that can adapt to client requirements. Munns says these are needed, "once you get into some of the more specialized kinds of work, such as if we are helping a company manage the access control for individuals and establishing separation of duties."
The different services provided also require a range of skills. In fact, Munns says having the combination of technology skills and financial skills on staff, although usually not in the same person, is an essential element in running the business.
"We bring in two kinds of trained auditors. There are financial or operational auditors that have an IT awareness or interest," he says. "They have the understanding of a control approach and how to put together the audit."
Then, there are the seasoned technologists, such as network and security administrators, who can be trained to understand what a control infrastructure is and the audit approach.
"In my experience, the best team is the one that has a good complement of the two skill sets: practical technology experience, understanding what risk is and an understanding of a control approach," says Munns.
The market may be experiencing a new wave of regulation, but a lot of the issues are not new; segregation of duties is one example. What is new is the extent to which these issues are increasingly handled by features in systems, networking and application software.
"A lot of what is required is not innovative new processes, per se," says William Burke, president and CEO of Merit Solutions, a Wheaton, Ill.-based company that develops and markets a Sarbanes-Oxley Suite for clients that use Microsoft's Dynamics GP financial software. Burke continues, "What is innovative is to use these systems to enforce procedures and controls."
Microsoft acquired a number of Merit's modules in March 2006. But the company continues to market Audit Trails, Electronic Signatures and Enhanced Security as part of the SOX suite.
Merit serves a broad range of companies that have an equally wide range of needs for providing controls and it markets software for compliance management, whether providing traceability for ingredients in processing food or financial controls for accounting systems.
"Most of the regulations have similar language," Burke continues. "You need to be able to create the history of a certain transaction."
That need includes ensuring data integrity, so that management can view a history and confirm that data or a transaction has not been tampered with, along with preventative controls to keep things from going wrong in the first place. And in the area of segregation of duties, software needs to enforce divisions of tasks to "make sure a person can't cut checks and add vendors that are to receive checks" in the financial software, he notes.
One of Merit's goals has been to make establishing controls and monitoring performance much less cumbersome. Historically, companies have found themselves generating a stream of printouts to provide documents. A user would print out information before a change was made and then do another print after implementing a change, all of which adds time and expense.
Merit provides an audit trail that makes this process much simpler and cheaper. Burke refers to it as a "VCR button" that lets a user go into Dynamics GP and "run the tape backwards" in order to see the history of any changes, capturing them at the transaction level.
Burke notes that Merit sees a variety of homegrown applications as competition. But he says that many of them cannot provide the kind of performance that Merit can through the use of Microsoft technology.
The features of business applications increasingly reflect many of the concerns that are addressed by risk management practices. Since Microsoft's operating and networking systems and business applications are used by so many businesses, the company is drawn into the discussion.
"It's quite clear that software is an enabler and something that can make a company compliant," says David Coulombe, general manager of the Microsoft Fargo Development Center. Microsoft has been studying the combination of applications and systems in the context of security and controls. "We have been looking at it from a product line perspective and a corporate perspective."
Coulombe's group is looking at ways that software can be enhanced to provide greater control and security. That means making it easier for end users to get audit trails and electronic signatures.
One change has been the philosophy Microsoft has followed in providing security features in applications. It has gone from an "optimistic view," in which all security features are turned off, to a "pessimistic one," in which all features are turned on and it's up to the appropriate personnel at an end-user company to determine which it doesn't need.
Microsoft also offers a product specifically for the SOX market. Known as the Office SOX Accelerator until recently, the product has been renamed the Compliance Manager, and is designed to tie many of the tasks together.
Integrating the large number of tasks, which are often spread through different parts of an organization, remains a major challenge for organizations.
"It's a huge issue in the mid-market as you get to the enterprise space. [Bringing it all together.] You have the Big Four who are working with the enterprise companies, who have a chief compliance officer and a compliance department to deal with all the issues," says Coulombe. "As you start to get into the mid-market and smaller companies, it is a bigger challenge for the CFOs and controllers to figure out 'where do I start?'"
From a Microsoft perspective, the issue is "whether we can provide a 'compliance home page,' for lack of a better word, that pulls together all of our products," Coulombe continues.