There’s a big opportunity looming for assurance and advisory practices.
Information security risk has increased in every organization across every industry, especially since the onset of the pandemic. Faced with more customer and regulatory scrutiny, and overall elevated enterprise risk, companies are seeking more audit and consulting services from CPA firms and IT security MSPs—and practitioners are struggling to keep up with demand.
While the assurance and advisory profession has existed for many decades, risk advisory services (RAS) are gaining momentum as a new growth engine for the profession. RAS presents an amazing opportunity for firms who make smart choices to position their practices for success.
Meanwhile, new vendors are seizing this opportunity, raising hundreds of millions in venture capital and private equity, and developing sophisticated tools to assist organizations in complying with different information security standards. Tech-enabled services are what modern clients expect, so firms who invest in technology are best positioned to address the booming demand for risk and compliance services.
Why is now the time to invest in providing holistic, tech-enabled risk advisory services? And how can your firm compete with the tech-enabled cyber firms backed by big investors?
Let’s take a look at the opportunities for audit and advisory firms to grow their risk advisory services.
The state of risk advisory in the CPA firm industry
Attendees at this summer’s AICPA & CIMA ENGAGE know that RAS and System and Organization Controls (SOC) services are a hot topic, representing the next big wave in the industry. Multiple sessions covered the growing importance of cybersecurity and enterprise risk holistically. Environmental, social, and governance (ESG) is also gaining momentum as we know more compliance and reporting requirements are coming.
Given rapidly growing demand, RAS presents CPA firms with opportunities to grow revenue faster and with higher margins. During his ENGAGE conference keynote address, Barry Melancon, CEO of AICPA, referenced billions of dollars in annual opportunity already in SOC services alone. RAS encompasses many other popular risk frameworks, including HIPAA, ISO 27001, PCI DSS, NIST CSF, HITRUST, SASB and dozens more. Modern clients have holistic needs and seek a variety of risk and compliance services – it’s no surprise that many of the fastest growing CPA firms are ones with RAS practices that service needs beyond SOC.
Another strong theme at ENGAGE was the need for modern technology solutions for CPA firms that solve the industry-wide talent shortage with more technology leverage. In addition, technology automates tedious practitioner work, while also enhancing work quality in areas that are prone to human error. Both Melancon and Erik Asgeirsson, President and CEO of CPA.com, emphasized that our industry must embrace technology to unlock unprecedented productivity gains that help offset the staffing shortage that audit and advisory firms face. Innovative firms view technology as part of the staffing equation and are digitizing their services to help clients navigate the digital world.
Tech-enabled firms are winning the RAS opportunity
Industry leaders aren’t the only ones noticing the trend. Private equity firms have a big appetite for tech-enabled IT audit firms.
- Florida-based A-lign, the tech-enabled IT audit firm that performs 3,000+ SOC audits annually, raised a nine-figure investment from private equity giant Warburg Pincus. They previously raised $54.5 million from FTV Capital in 2018.
- Coalfire, a similarly tech-enabled firm, was acquired in a leveraged buyout by Apax Partners from The Carlyle Group.
Tech-enabled firms are growing at alarming rates compared to traditional CPA firms—and not by accident. With significant funds raised, these firms bring technology to the core of their growth strategy and are investing in software to help them sell more and service more efficiently.
Traditional CPA firms who don't act now are already falling behind in growth relative to the overall market. The truth is, tech-enabled firms are growing rapidly because clients are increasingly seeking more automated and collaborative experiences.
Risk and security are increasingly a board level topic
Research from PwC found risk and security leaders are meeting more with board members (42%) and the C-suite (50%). That’s generally good news, but this comes with increased responsibilities and pressure. Of those surveyed, 58% saw increased workloads since the pandemic started, and 62% have seen their roles grow.
We’ve seen this before with CFOs being elevated to board discussions. CFOs quickly sought software that best enabled their strategic vision. CFOs also sought more expert advisory services, and firms adapted with more technology and value-added services. The industry is gearing up to do the same with risk advisory services.
Risk audits are the frontlines of a strong cyber defense
The Washington Post, in a story about the ransomware attacks that shut down Colonial Pipeline for several days in May 2021, reported: “After years of repeated hacks, more courts have begun to recognize that cybersecurity lapses can hurt real people in real ways.” The event signaled a turning point in the courts’ sentiment that top management has not taken information security seriously enough.
This story highlights the scrutiny that will be placed on the entire cyber and risk compliance ecosystem. Cybersecurity is a complex issue and SOC, ISO, HIPAA, and other risk audits are the frontlines of a good defense as a forcing mechanism for clients to build their security posture – making risk assurance and advisory services more important than ever.
Risk audits are more affordable than data breaches
Here’s another story that has businesses eager to invest in risk advisory services. According to IBM, the average cost of a data breach in 2021 was $4.24 million, the highest in 17 years. In the U.S., that average spikes to $9 million. These costs include detection, response, and notification, but the majority of that figure comes from lost business.
Now compare this to the average cost of a SOC 2 audit, which ranges from $20,000 to $100,000, depending on complexity. It should be easy for businesses to decide which to invest in. Is your audit practice ready to capture that value?
SOC is the BBB for enterprise risk
Do you remember seeing the famous Better Business Bureau logo posted on every eCommerce shop of the 1990s and 2000s? We all recall seeing the blue and white BBB stickers on the doors of quaint main street businesses like the local café.
SOC and other popular risk frameworks will be the new trust identifiers for businesses that electronically manage information and do business with sophisticated organizations. That’s data across customers, transactions, financial/accounting, operations, health and patients, HR, IP, strategy—pretty much everything that runs businesses today. This will result in millions of businesses requiring such certifications and reports.
Modern RAS practices utilize modern solutions
In today’s dynamic landscape, organizations across industries are realizing the need to focus attention and resources to ensure compliance across a wide range of information and cybersecurity frameworks. Whether clients are broadening coverage into the federal space or simply expanding from a SOC 1 to a SOC 2, the growing need for security and compliance attestation services is not going away anytime soon.
Consider these two case studies:
BerryDunn
Similarly, BerryDunn followed a traditional audit approach, corresponding with clients for four to six weeks to gather materials, traveling on-site to conduct the audit, and manually compiling final reports. This labor-intensive process was highly taxing on employees, and pulled management away from more strategic initiatives.
Adopting an end-to-end workflow solution enabled BerryDunn to make quantifiable improvements to their business, including margin growth, human capital optimization, and increased engagement capacity. BerryDunn realized 30–50% efficiency gains, more than doubling their engagement capacity and allowing them to grow RAS.
Perkins & Co.
The engagement team at Perkins & Co. faced many of the issues common in audit firms: their engagement workflows spanned many platforms. Data had to be constantly updated and reconciled against each other, and performing these reconciliation rituals was both time-consuming and mind-numbing.
When they adopted a modern workflow management tool, the team was able to automate manual tasks and end the reconciling rituals in their audit workflows. Eliminating these tedious tasks from the team’s workload would enable them to spend more time engaged in thoughtful analysis and creative value-add activities for clients. They are now well-positioned to continue growing their RAS.
Becoming a tech-enabled RAS firm
Firms that deliver tech-enabled RAS will be best positioned for growth in the digital era. Modern software automates manual processes, increases efficiency and unlocks more capacity for practitioners to provide the strategic advice that clients need.
To deliver these services to your clients, firms need intuitive software that helps with:
- Project management: Plan, visualize, and assign work across teams so practitioners can focus on completing high-priority tasks.
- Client collaboration: Bring clients into a more collaborative service experience. Instead of back-and-forth emails, ask questions and request information in context—all from one end-to-end project workspace.
- End-to-end workflow automation: Instead of managing work across multiple systems, integrate all engagement phases and collaboration touch points onto one cloud-native platform. Eliminating manual work increases productivity and enhances work quality.
- Automated reports and deliverables: Modern technology can automate previously tedious assembly of end deliverables and auditor reports.
At Fieldguide, we’ve built these features (and more) into the market’s only end-to-end platform that is purpose-built for risk assurance and advisory practices. Learn more about why Fieldguide is quickly gaining preference among the best RAS practices and how Fieldguide is powering the future of trust, by scheduling a demo at fieldguide.io/demo.
Fieldguide is an automation and collaboration platform for modern assurance and advisory firms that digitizes the end-to-end engagement workflow on a single platform. Built by former Big Four practitioners and experienced technology leaders, Fieldguide is trusted by top CPA firms to improve margins, win new business, and build stronger client relationships. Fieldguide is backed by top venture investors such as 8VC, Y Combinator, Floodgate, AICPA/CPA.com, and many more. For more information, please visit fieldguide.io.
This article originally appeared in the Boomer Bulletin.