It’s not always easy to spot an opportunity.
In 2013, Atlanta-based Top 100 Firm Aprio started work on what may have been the first-ever audit of a blockchain company; when they were finished, they accepted payment in bitcoin, at a time when the cryptocurrency was worth just $300 a coin.
It recently topped $35,200 a coin — but the firm had long since cashed out.
“Unfortunately, we did not have the aggressive mindset to keep our bitcoin,” said David Siegel, a partner who works in Aprio’s blockchain services practice. “We converted those to fiat currencies rather quickly, or we could all have probably retired.”
While the firm missed out on the long-term value of bitcoin (which was then in its infancy, the first bitcoin having been mined only in 2009), the firm did correctly identify the potential of the blockchain technology that underlies it as a potential service area.
“I remember working on that first engagement and thinking, ‘These people are crazy; this thing is going to nothing,’” Siegel recalled. “I think there is a distinction between being a believer in the technology and being a believer in bitcoin itself. We think that the blockchain technology has enormous use cases, and while bitcoin has proven to be a valid use case, back then I’m not sure that was the case.”
The world is being swept by successive waves of emerging technologies, each offering potential opportunities for accounting firms. Spotting those opportunities amid the chaos of disruption can be difficult, but it’s only the first challenge to building a successful new tech-based service. Firms that pioneer these areas often find themselves having to undertake major educational efforts – both externally, to clients and prospects, and internally, to partners and staff – before they can even start their first engagement. At the same time, they have to find or develop the internal expertise needed to staff that engagement, often at a point when no one has a clear understanding of what expertise they’ll need.
Beyond those challenges, accounting firms like Aprio that have successfully launched practices around emerging technologies have learned a number of lessons along the way, from the value of leveraging all of their staff and the importance of change management, to the increasing centrality of data, and the need for an innovative culture.
One of the first lessons, though, is that if a firm is planning to pioneer unmapped territories, they have to be ready to build their own roads.
Blazing trails
Aprio started that first blockchain audit in 2013, but since there were no precedents in the field, it took the firm a couple of years to complete it.
“I don’t want to say that we had it all figured out at the beginning, because we didn’t,” Siegel said. “The first couple of these engagements were learning engagements for us, and for our clients. They had never been through audits before, and we had never done a blockchain audit, so we had to develop those skills as we went, and luckily we had some very patient clients.”
In those first few years, Aprio found itself on the leading edge of offering attest services to blockchain companies. The firm worked with frameworks from the American Institute of CPAs and regularly engaged with industry trade groups as they all felt their way forward, learning how to do things like verifying account balances and transactions on the block.
For that first audit, “We obviously ramped up our risk to the highest level that we could, and we got as many technical people involved as we could, including consultants and whoever else we could to provide input to make sure we were doing this correctly,” Siegel said. “Obviously, there were some disclaimers on our first audit as there was no GAAP on this, and so we’ve taken positions that may or may not end up being GAAP when GAAP is created, but our clients approached us and said, ‘We need help with this; can you do this?’ And we built a practice around that.”
That practice is now thriving, offering a range of attest and business services to companies that operate with blockchain technology and help form the infrastructure of the blockchain ecosystem, such as the companies that mine cryptocurrencies like bitcoin and Ethereum, or the exchanges that help crypto owners exchange those assets for fiat currency, or the developers who are writing the software to enable decentralized finance.
Many of their clients provide blockchain services to non-blockchain customers — enabling a traditional retailer, for instance, to accept digital assets as payments. “So, what does that conventional retailer care about?” Siegel asked. “That the service provider which is becoming a key part of their business has significant security around their service, so that the retailer has some assurance that they’re relying on a trusted resource, So our information assurance practice is probably one of the biggest practices in our blockchain practice, because all of our clients are looking for some kind of information assurance that their systems are built securely.”
That assurance mostly comes in the form of SOC reports, though Aprio also does some ISO 27001 audits for international companies as well.
Another major focus for the practice is blockchain clients that are aiming to go public. “Aprio doesn’t provide [Public Company Accounting Oversight Board] public company offerings,” Siegel explained, “so we’re providing a lot of back office support for these companies that have those public aspirations. That may mean interacting with their PCAOB auditor; a lot of these companies are relatively new, so they don’t have built-out full-scale SEC compliance and SEC reporting groups internally, so we’re doing that on an outsource basis. For some of our clients, we’re actually doing their back-office accounting, and making sure that all the technical matters as it relates to blockchain accounting are accounted for correctly — that’s a very big and growing practice of ours as well.”
While the practice is well-established, Aprio remains ready to blaze new trails. “We’re constantly seeing new technology and new ideas to leverage the blockchain to do new things,” Siegel said. “There’s always something new — a new angle for companies to take.”
Putting digital first
The name EisnerAmper Digital is new — the New York-based Top 100 Firm rolled it out in December of 2021 — but the practice itself is several years old, having previously gone under the name of Process, Risk & Technology Solutions. One of the goals of the rebranding was to emphasize the technology element of the services the practice offers, at a time when technology is top of mind for clients.
“As we brought the ‘Digital’ name to the forefront, we reemphasized our services, and that included the digital solutions that we offered, as well as talking about emerging areas like cybersecurity services,” said Jerry Ravi, a partner at the firm and national practice leader for EA Digital. “And that rang true as people started to see companies and clients focusing attention on technology, even things as simple as what we saw during COVID, and what we still see, with hybrid work environments, and why it’s so important to make sure you have technology doing the best it can to make your company and your people more and even keeping them safe.”
While the digital element is central to the practice, it’s not the only part. “We are business process specialists, and we are risk specialists and we have technology in our background,” Ravi explained, “so we put those three things together because all companies need to make sure that they’re efficient with process and they’re mitigating risk, and they have technology doing what they want it to do, which is effectively helping you measure, manage and monitor what’s going on in the organization, and particularly where we we’re focused, on internal controls.”
The practice includes a wide range of specific services that generally fall into three buckets: risk advisory services, where the firm brings technology to help clients navigate, manage, measure and monitor regulatory risk; digital solutions, which includes advising on and implementing technologies in areas like process and controls and process improvement, primarily for the client’s office of finance; and managed technology services, where the firm can supplement or act as a client’s IT services department, as well as offer security and compliance. It also involves proprietary tools like First Look, a cybersecurity benchmarking and assessment tool that looks at over 20 different areas to help clients create a roadmap for mitigating their risk.
“Think about it in terms of bringing peace of mind for those ‘What’s next’ moments -- and what’s next may be that maybe I need to be more effective, I need to close the books faster, I need to make sure that I’m using less reports, or sending out less in terms of reports to my teams to manage and monitor a particular risk, and I want them to be able to look at it in terms of a dashboard,” Ravi explained.
With hundreds of clients already, he expects growth rates for the future topping 20%: “We’re at a very good growth trajectory and have been at a solid growth trajectory for several years.”
Painting the big picture
With so many new technology opportunities, firms that are early on the scene may find that they need to help create their own markets through education.
For Top 100 Firm Armanino, that means getting clients and prospects up to speed on the idea of digital transformation, according to chief growth and innovation officer Tom Mescall. With technology revolutionizing every aspect of modern life — he cited examples as wide-ranging as digital door locks, smart barbecue smokers, and electronic banking — businesses need to prepare themselves for a world where every company is a technology company.
Three years ago, Armanino launched two initiatives to help clients wrap their heads around this tech-based future: its Artificial Intelligence Lab, which lets clients prototype ideas and experiments around AI, and DataVue, which aims to get them engaged with digital transformation.
“One of the challenges for CEOs is, ‘I’ve read about digital transformation, I’ve read about artificial intelligence, I read about some of the new things that I should be considering, but I don’t really know what any of it means,’” Mescall said. “So we’re trying to align with our clients to help them get out of the starting gate to build confidence and, most importantly, to build knowledge around these capabilities and topics.”
“DataVue is more thought leadership than a service offering,” he continued. “How do you embrace technology to make sure that you’re staying on pace with your industry — or leading it? How do you lean into the technology disruption and be a leader, and not be challenged with relevancy in the future?”
As much as DataVue involves thought leadership, it’s also surrounded by plenty of services and products, involving everything from process efficiency to empowering a client’s remote employees to large-scale change management projects: The most common elements are a client need and a technology-related solution, often with a strong element of data analysis.
That customer need can be explicit, or it can be fairly broad and unformed, according to Mescall: “It comes in both flavors, where companies are saying, ‘I have a specific need, I really want to solve it; how have you solved it for others or what are your ideas on it?’ That’s pretty targeted. The others are saying, ‘We’re changing, we’re growing, we’re buying companies, we’re expanding globally, we are entering new markets — how can you guys help us think through all that?’”
The solutions can range from introducing robotic process automation to help a client handle its cash receipts more efficiently, to helping municipalities stand up COVID testing and tracking capabilities during the pandemic, to analyzing a client’s sales and customer data to help them predict and prevent customer churn, to creating a customized digital transformation roadmap for an individual business. They can also involve new products that spring from broader industry need, like the vast benchmarking database the firm created by scraping public financial data on 360,000 nonprofit organizations from sources all over the web. A big data project like that would be beyond the resources of most nonprofits, but thanks to Armanino, they can now subscribe to it for $2,000 annually and improve their operations by comparing themselves to their peers.
Armanino’s thought leadership is paying off, according to Mescall: “I do think you have to expose them to some of the things we’re doing, and to new ideas through our webinars and learning series, but the demand for this is incredible. Companies realize that we’re in an incredibly disruptive period of time, and pretty much every company we are working with is leaning in and asking how they stay relevant for the future.”
The firm itself isn’t immune to disruption, of course, and it’s seeing its own transformation. “It’s interesting, because as our clients have to digitally transform, we are digitally transforming the way we service our clients, and it’s affecting how we do audits, how we do taxes, how we do our consulting engagements,” he said. “This is really a disruptive event that’s happening in business today.”
Walking the walk
It’s often suggested that accounting firms don’t follow the good advice they give their clients, but that’s definitely not the case when it comes to Tennessee-based Top 100 Firm LBMC’s approach to cybersecurity.
“Since I’ve been at the firm — a little over 10 years — one of the first things I started doing was say, ‘I’d like to know if our firm is practicing what we preach,’” said Mark Burnette, the shareholder-in-charge of the LBMC Information Security unit. “Generally, of course, we were — we understood the importance of cybersecurity.”
To prove that, Burnette got the partners’ approval to conduct the same kind of security assessment and penetration testing that it offers clients. “We were looking to see what kind of controls we have in place, or if it is easier or harder for our pen testers to get in here than at clients,” he said. “To the firm’s credit, when we would find issues, almost immediately the chief information officer would be commissioned to undertake a plan to address them, and that included buying technology where it was necessary, or investing in additional people or controls.”
LBMC later brought on a dedicated information security officer, and Burnette’s team now advises him on policy updates, as well as continuing to provide annual assessments of the firm’s security posture. (The firm also commissions a SOC 2 assessment of its security controls, which is provided by an independent CPA firm.)
As Burnette said, the firm understands the importance of cybersecurity – an understanding bred from decades of experience. LBMC has offered IT assurance services since the mid-1990s; its Information Security practice sits under the IT assurance services umbrella, and dates back to almost 2004 – though it was “kicked into high gear,” according to Burnette, in 2007, with the addition of a former Big Four partner who brought on board the successful security practice he had built in the Nashville area.
LBMC Information Security has thrived since then, with three key teams: an IT assurance team, which provides IT audits like SOC testing, ISO 27001 testing, and those required for the Cloud Security Alliance START certification, the payment card industry security rules, or the HiTrust security framework; a team of technical security experts who provide services like penetration testing, web application testing, digital forensics analysis, incident response; and a team of consultants who perform cybersecurity risk assessments, security program and policy development, and virtual CISO work.
“They all fall under the same umbrella, but there are different types of expertise that’s needed for each of them,” Burnette noted. “For example, a penetration tester is typically very technical, and to do penetration testing well you need to be constantly honing and refreshing your skills. … The group that does the cybersecurity risk assessments typically are more of what I would call your traditional consultants — their strengths are that they’re very good communicators; they may have a little bit of a control background like an IT auditor might, but they’re focused much more broadly on the cybersecurity program elements, and being able to derive conclusions between a company’s cybersecurity and reasonableness.”
Apart from auditing, many of the skills needed to offer LBMC Information Security’s offerings aren’t necessarily specific to accountants, which highlights an important factor to be aware when looking at building a service around emerging technologies: The potential pool of competitors can be much larger than a firm is used to.
“If you look at traditional audit and tax services, in most cases, those groups are competing with other accounting firms, because they’re the only firms that are qualified and equipped and certified to provide those services,” Burnette said. “But in the cybersecurity world, we might be competing with other accounting firms, but we’re also competing with cybersecurity boutiques that aren’t accounting firms … as well as technology companies that might sell things like firewalls or servers, and then they bundle services with it, and they give the services away as kind of a freebie to get the deal on the technology.”
That depth of competition hasn’t kept the firm from becoming a top provider of IT security services – to the point that when the AICPA was looking to educate CPAs on how to provide these kinds of services, it turned to LBMC to provide a roadmap. The firm’s experts created a number of resources, including a white paper, a service implementation checklist, a client assessment template and a client communication template. (All are available to AICPA PCPS members on the
Data is everywhere
One theme that tends to repeat itself in many service lines built around emerging technology is the centrality of data.
“One of the things that I tell clients is that data is an asset, and assets either depreciate in value, or they appreciate in value,” said Armanino’s Mescall. “When I put it in those terms to our clients, they raise their head and their eyes open up and they say, ‘I want mine to be appreciating in value, not depreciating.’ Then there are certain things you need to do. Data becomes very powerful when you bring machines into it. Humans can only do so much. The computer advancement around data and data analytics, predictive capabilities, machine learning, big data – we have the technology now to really make your data an appreciating asset.”
Similar thinking led LBMC to buy a data analytics company called Think Data Insights two-and-a-half years ago.
“Our data analyst experts can build dashboards that take the mounds of data that these companies have and help them get their arms around it and then put it in a format that can be consumed quickly by leaders in the business so they can make important business decisions,” Burnette said. “That is a very needed service [for] nearly all of our clients. So, since acquiring that company, we have been focused on getting those experts out to our clients and understanding where they are in their data journey, and then working with them to help them collect that data, get it into a manipulable format, put it into a dashboard, and then craft those dashboards so they can make important management decisions.”
And at Aprio, Siegel has found that the tools and skill sets the firm has developed around blockchain have applications elsewhere. “One thing that we’ve learned from working with blockchain is the whole concept of big data,” he said. “Our clients aren’t just doing one or two transactions a day; they’re doing hundreds of thousands of transactions, so in order for us to work with them we’re having to harness these large datasets and data analytics, and so we have developed some technology that we use to work with our blockchain companies that we have found has utility among other industries as well.” He noted potential applications in the broader fintech space, as well as in health care and elsewhere.
(See
Culture first
A final key idea for firms looking to leverage opportunities around emerging technologies – or, indeed, looking to build new service offerings in any area — is the importance of having an innovative, entrepreneurial culture.
“One of the hallmarks of our firm for years has been its entrepreneurialism,” said LBMC’s Burnette. “It’s been a focus of our firm all along, and it’s resulted in us building a nice family of companies that allows us to offer a number of business services to our clients, so it’s a natural extension for us when a client says, ‘Hey, we have a problem,’ for us to say, ‘Do we think we can we solve it?’”
EisnerAmper’s Ravi echoed that sentiment: “We’re constantly looking to innovate, transform and improve. It really is all about team and culture first. Innovation doesn’t happen without a really good culture, and I believe we have an amazing culture to be able to innovate and continuously improve and also bring technology to the table to enable and even transform our current services. Other firms would need to look at that first as they’re exploring different areas.”
(See
