Posted in: Audit, DAS, Mark's Insights,

How to Prepare for the Future of Audit 

This week I participated in the Allinial Global Latin America Virtual Conference, which reminded me of a question I’ve been getting consistently from our member firms around the globe: How should they be preparing for the future of audit, and what is the adoption path for US vs. global firms?

Datev: An Excellent Fit for LATAM 

We were fortunate that our key sponsor for the conference was Datev, which has expanded from a German-based audit technology into many other markets, especially in Latin America, as the platform is available in Spanish. Several members were very interested, as they are looking for new and improved options.

The explanation I gave at the conference rings true for many. I offered Datev as a great modern-day solution for those seeking a product in German or Spanish (there is availability in Italy and Poland, but not sure what the translation looks like there). We have several member firms in Latin America using the Datev Spanish version that speak highly of it.

Update on Dynamic Audit Solution (DAS)? What & When? 

But what does the future hold? I’ve been informing our members about the AICPA’s Dynamic Audit Solution (DAS) initiative that is looking to transform how audits are done. The initiative started more than two years ago, and it involves over 35 firms working collaboratively to build a solution. We have a number of Allinial Global members involved in DAS, and we are keeping in touch with the initiative’s progress.

What is DAS? Generally, it’s a platform that provides a way to “right size” the audit using contextual content based on logic to get to the right things. The approach is grounded in a “tailor in” vs. “tailor out” mentality so it can increase efficiencies only on the things that matter, rather than trying to justify the things that don’t matter to the engagement. Finally, data capture and data-driven decisions will reduce human error and let the data tell the auditor a story that can then be shared with the client.

I know our member firms have been pleased with the progress of the project. It hasn’t been without pain, I’m sure, but the focus on truly transforming the audit has made it a success thus far. Some of the feedback has been positive, with the project’s focus on continued audit quality and an effective change management system to make this change work for many.

Regarding the timeline, the first release to a smaller universe of firms will come out in September 2021. It will be limited to commercial audit only. The general release is projected for Q2 2022. After the commercial audit product is delivered, the specialty and industry audit guides will be incorporated, along with International Standards on Audit (ISAs).

What to Do Now 

So how do I answer the question of what firms should do today? For US-based firms, I tell them to look first at the OnPoint EBP audit module that’s already on the market. Pick one client and one limited-scope EBP audit to run on this new platform. This will give you an indication of what’s coming. For firms outside the US, start to look for CaseWare Cloud. When that comes out and you are already on CaseWare, you may want to make the switch. The system should be more intuitive than many of the desktop applications out there today.

Allinial Global plans to help all of our members when DAS is available to implement in their firms. With members who have already implemented DAS to help lead the charge, we will first assist US-based firms with implementation and then help global firms when a global product becomes ready.

If you’d like to learn more about DAS and the future of audit, we will have a panel of Allinial Global member firms presenting at Summit 2021 taking place from November 14–17 in San Diego. Our panelists will share their experiences and insights from participating in the development of DAS, and I look forward to continuing this conversation there.


      
# Tags : No Tag



Posted in: Advisory, Audit,

SOC Services – The Time Is Now

I’ve talked in the past about trending services, and system and organization controls (SOC) reporting is near the top—or at the top—of that list. SOC reporting is a great way to expand assurance services for mid-size firms. Large firms are all in this business, and at Allinial Global we have our fair share of firms that excel at SOC engagements.

While I was at the AICPA, I was involved in strategic discussions as the move from SAS 70 to SOC took place. The issue at the time was that many companies, especially in the tech arena, were using SAS 70 incorrectly and something needed to change. Those who do EBP audits (as I did in my day) were very familiar with obtaining a SAS 70 report to provide assurance over controls over financial reporting for third-party providers. That has now become SOC 1. For those who needed assurance over controls and security, generally, that’s where SOC 2 and 3 come in.

I don’t want this to turn into a technical session on SOC, so that’s as far as I will go. But I do want to highlight some of the opportunities in this space. Recently, I sat down with members at two of our mid-size firms to talk about SOC reporting. Jim McGough is a CPA, CGMA with Wolf & Company in Boston. He grew up in the traditional audit space and is now part of Wolf’s SOC team. Pete Rife is a CISA, CISSP, and Director of IT Audit at Holbrook & Manter in Ohio. Jim, Pete, and I had some excellent conversation around opportunities and challenges in providing SOC engagements.

Opportunities and Challenges

Many current opportunities are focused in the financial institutions, healthcare, and technology sectors. Both Wolf and Holbrook & Manter are involved in SOC engagements in these industries. But it’s not just about the SOC engagement; many companies are asking for HITRUST, PCI compliance, and other certifications to be included. For international companies, an ISO 27001 engagement will be included in the SOC engagement. While US-based companies may be getting the ISO 27001 along with the SOC certification, there are technology companies outside the US who are now looking to add SOC to their ISO 27001 engagement. Having a team that can provide multiple certifications is important.

One common challenge in the SOC world has been finding talent. Of course, talent is an issue for many of our service lines. We are working to push outsource capabilities and finding capacity and capabilities from other firms, as some industries have different busy seasons. For outsourcing, KNAV, MGC Global Risk Advisory, and Ashok Maheshwary & Associates all have opportunities for current SOC providers to expand their services.

Building a Foundation for the Future

What if you don’t currently provide SOC services? Well, our members who do provide the service are happy to help. Both Pete and Jim mentioned that they have helped other Allinial Global members who called when a client opportunity arose, assisting in a variety of ways. Some firms will just let the SOC firm deal directly with the client. Other firms have hired Jim or Pete’s firm to serve as subject matter experts, with the client firm providing the final opinion.

A great way to get started is to have one or two staff members get the SOC certificate, sell the work with the SOC firm as the lead, and use the client firm’s staff to assist and learn. Then after 5–10 engagements, the client firm will have experience to grow the practice.

I also asked Jim and Pete about future opportunities. SOC for cyber and SOC for supply chain are two newer lines of opportunity. Both Jim and Pete stated that as of right now they haven’t had many requests for either, but they could see the opportunity. The Department of Defense, for example, has released the Cyber Maturity Model Certification (CMMC), which they will require DoD vendors to obtain. More and more businesses are asking for SOC reports as part of due diligence in working with their company. SOC is clearly an area of growing need, and we want to ensure that Allinial Global member firms can identify the right opportunities—and remember that there are so many ways we can collaborate.

If you have any questions about SOC and how to start, outsource, or grow, please reach out to me. I am passionate about this and want to see Allinial Global firms truly take the lead in this sector.