
Why risk advisory services represent the new frontier of assurance and advisory
By Jin Chang, CEO & Co-Founder, Fieldguide
There’s a big opportunity looming for assurance and advisory practices.
Information security risk has increased in every organization across every industry, especially since the onset of the pandemic. Faced with more customer and regulatory scrutiny, and overall elevated enterprise risk, companies are seeking more audit and consulting services from CPA firms and IT security MSPs – and practitioners are struggling to keep up with demand.
While the assurance and advisory profession has existed for many decades, risk advisory services (RAS) are gaining momentum as a new growth engine for the profession. RAS presents an amazing opportunity for firms who make smart choices to position their practices for success.
Meanwhile, new vendors are seizing this opportunity, raising hundreds of millions in venture capital and private equity, and developing sophisticated tools to assist organizations in complying with different information security standards. Tech-enabled services are what modern clients expect, so firms who invest in technology are best positioned to address the booming demand for risk and compliance services.
Why is now the time to invest in providing holistic, tech-enabled risk advisory services? And how can your firm compete with the tech-enabled cyber firms backed by big investors?
Let’s look at the opportunities for audit and advisory firms to grow their risk advisory services.
The state of risk advisory in the CPA firm industry
Given rapidly growing demand, RAS presents CPA firms with opportunities to grow revenue faster and with higher margins. During his ENGAGE conference keynote address, Barry Melancon, CEO of AICPA, referenced billions of dollars in annual opportunity already present in SOC services alone. RAS encompasses many other popular risk frameworks, including HIPAA, ISO 27001, PCI DSS, NIST CSF, HITRUST, SASB and dozens more. Modern clients have holistic needs and seek a variety of risk and compliance services – it's no surprise that many of the fastest growing CPA firms are ones with RAS practices that service needs beyond SOC.
Another strong theme at ENGAGE was the need for modern technology solutions for CPA firms that solve the industry-wide talent shortage with more technology leverage. In addition, technology automates tedious practitioner work, while also enhancing work quality in areas that are prone to human error. Both Melancon and Erik Asgeirsson, President and CEO of CPA.com, emphasize that our industry must embrace technology to unlock unprecedented productivity gains that help offset the staffing shortage that audit and advisory firms face. Innovative firms view technology as part of the staffing equation and are digitizing their services to help clients navigate the digital world.
Tech-enabled firms are winning the RAS opportunity
Industry leaders aren’t the only ones noticing the trend. Private equity firms have a big appetite for tech-enabled IT audit firms. Consider this:
• Florida-based A-LIGN, the tech-enabled cyber audit firm that performs 3,000+ SOC audits annually, raised a nine-figure investment from private equity giant Warburg Pincus. They previously raised $54.5 million from FTV Capital in 2018.
• Coalfire, a similarly tech-enabled firm, was acquired in a leveraged buyout by Apax Partners from The Carlyle Group.
Tech-enabled firms are growing at alarming rates compared to traditional CPA firms – and not by accident. With significant funds raised, these firms bring technology to the core of their growth strategy and are investing in software to help them sell more and service more efficiently.
Traditional CPA firms who don't act now are already falling behind in growth relative to the overall market. The truth is, tech-enabled firms are growing rapidly because clients are increasingly seeking more automated and collaborative experiences.
Risk and security are increasingly a board level topic
Research from PwC found risk and security leaders are meeting more with board members (42%) and the C-suite (50%). That’s generally good news, but this comes with increased responsibilities and pressure. Of those surveyed, 58% saw increased workloads since the pandemic started, and 62% have seen their roles grow.
We’ve seen this before with CFOs being elevated to board discussions. CFOs quickly sought software that best enabled their strategic vision. CFOs also sought more expert advisory services, and firms adapted with more technology and value-added services. The industry is gearing up to do the same with risk advisory services.
Risk audits are the frontlines of a strong cyber defense
The Washington Post, in a story about the ransomware attacks that shut down Colonial Pipeline for several days in May 2021, reported: “After years of repeated hacks, more courts have begun to recognize that cybersecurity lapses can hurt real people in real ways.” The event signaled a turning point in the courts’ sentiment that top management has not taken information security seriously enough.
This story highlights the scrutiny that will be placed on the entire cyber and risk compliance ecosystem. Cybersecurity is a complex issue and SOC, ISO, HIPAA, and other risk audits are the frontlines of a good defense as a forcing mechanism for clients to build their security posture – making risk assurance and advisory services more important than ever.
Risk audits are more affordable than data breaches
Here’s another story that has businesses eager to invest in risk advisory services. According to IBM, the average cost of a data breach in 2021 was $4.24 million, the highest in 17 years. In the U.S., that average spikes to $9 million. These costs include detection, response, and notification, but the majority of that figure comes from lost business.
Now compare this to an average cost of a SOC 2 audit, which ranges from $20,000 to $100,000, depending on complexity. It should be easy for businesses to decide which to invest in. Is your audit practice ready to capture that value?
SOC is the BBB for enterprise risk
Do you remember seeing the famous Better Business Bureau logo posted on every eCommerce shop of the 1990s and 2000s? We all recall seeing the blue and white BBB stickers on the doors of quaint main street businesses like the local café.
SOC and other popular risk frameworks will be the new trust identifiers for businesses that electronically manage information and do business with sophisticated organizations. That’s data across customers, transactions, financial/accounting, operations, health and patients, HR, IP, strategy – pretty much everything that runs businesses today. This will result in millions of businesses requiring such certifications and reports.
Modern RAS practices utilize modern solutions
In today’s dynamic landscape, organizations across industries are realizing the need to focus attention and resources to ensure compliance across a wide range of information and cybersecurity frameworks. Whether clients are broadening coverage into the federal space or simply expanding from a SOC 1 to a SOC 2, the growing need for security and compliance attestation services is not going away anytime soon.
Consider these two case studies:
BerryDunn
BerryDunn followed a traditional audit approach, corresponding with clients for four to six weeks to gather materials, traveling on-site to conduct the audit, and manually compiling final reports. This labor-intensive process was highly taxing on employees and pulled management away from more strategic initiatives.
Adopting an end-to-end workflow solution enabled BerryDunn to make quantifiable improvements to their business, including margin growth, human capital optimization, and increased engagement capacity. BerryDunn realized 30–50% efficiency gains, more than doubling their engagement capacity and allowing them to grow RAS.
Perkins & Co.
The engagement team at Perkins & Co. faced many of the issues common in audit firms: their engagement workflows spanned many platforms. Data had to be constantly updated and reconciled across those platforms, and performing these reconciliation rituals was both time-consuming and mind-numbing.
When they adopted a modern workflow management tool, the team was able to automate manual tasks and end the reconciling rituals in their audit workflows. Eliminating these tedious tasks from the team’s workload would enable them to spend more time engaged in thoughtful analysis and creative value-add activities for clients. They are now well-positioned to continue growing their RAS.
Becoming a tech-enabled RAS firm
Firms that deliver tech-enabled RAS will be best positioned for growth in this new digital era. Modern software automates manual processes, increasing efficiency and unlocking more capacity for practitioners to provide the strategic advice that clients need.
To deliver these services to clients, firms need intuitive software that helps with:
• Project management: Plan, visualize, and assign work across your teams so practitioners can focus on completing high-priority tasks.
• Client collaboration: Bring clients into a new collaborative services experience. Instead of back-and-forth emails, ask questions and request information in context – all from one end-to-end project workspace.
• End-to-end workflow automation: Instead of managing work across multiple systems, integrate all engagement phases and collaboration touch points onto one cloud-native platform. Eliminating manual work increases productivity and enhances work quality.
• Automated reports and deliverables: Modern technology can automate previously tedious assembly of end deliverables and enhance work quality.