A little over 20 years ago I started my career at a little firm known as Arthur Andersen. I first was in the mailroom, then a tax clerk, then audit intern, all the way to full-time staff auditor. I was so happy I made that journey. Then, not even a year after I started full-time, Enron happened and I, along with everyone else there, lost our jobs and all of the sudden had to look for new work.
I moved to the DC area, and decided to join up with a regional accounting firm rather than go back to big 4. I wanted to learn the entire accounting and financial statement process quickly, and thought this was a good way to do it. Turns out, it was a great way to do it. I spent over 12 years at that firm, at first learning the construction & real estate industries, before settling into my focus of government contracting clients.
A few years after Sarbanes-Oxley came out, I was at the manager level, and the news came that testing of IT General Controls was going to be required for private company financial statement audits now. My firm was traditional accounting, and this was new territory for them. So, I volunteered to learn about it and what we needed to do, which little did I know would change my entire career path.
I learned all I could about ITGCs, what their objectives were, and how to test them. I developed a testing program for the firm that could be used on all of their financial statement audits, going into different depths based on the complexity of the accounting systems. After helping the firm with that, I learned more, and started to read/learn about SOC audits and what accounting firms were doing there. I knew it was a growing offering for firms, and we needed to get on it.
So, I developed our IT audit/SOC practice. I had policies/procedures, and everything ready to go. One problem - I was too early for the current client base at the firm. The clients weren’t required to do it, so spending the cash wasn’t necessary. And without a lot of experience, getting new clients was proving to be difficult (all at the same time continuing to do financial audits).
I then had a decision to make. Financial auditing or IT auditing? While I was a pretty good (in my obviously humble opinion) financial auditor, I saw tremendous opportunities in IT and SOC auditing as a non-traditional CPA. Most CPAs like accounting, so why not tackle an area where demand is high, but CPA support is limited? As a result, I said goodbye to my firm on good terms and joined up with a cybersecurity/IT audit firm that needed some help developing a SOC practice.
At that firm, I started by learning a bit about how they operate. I participated in some FedRAMP audits, and learned more in-depth strategies to IT audit than I was previously exposed to. Shortly thereafter, I once again established the policies/procedures/setup needed to do SOC work, and now I had the opportunity to leverage other auditors who knew the technical aspects of IT auditing. And because the firm had clients that needed IT audits, I started to get traction on my new SOC practice by combining their efforts with SOC 2 readiness, and even an audit.
During my time there, I was able to find my way into helping the AICPA with a variety of volunteer efforts, including CITP development, and working on the SOC 2 guide. That experience was absolutely invaluable to me, learning so much about SOC 2, while working alongside some of the brightest minds in the industry for it.
Not long after, the firm sold to a larger cybersecurity firm that already had a SOC practice. I was warmly welcomed there, and joined up with that practice in a QC capacity, as well as sales and content development. I was really able to take all of the knowledge I’d accumulated to date and apply it to not only delivering quality reports, but helping potential clients figure out their journey and how to make them successful for SOC 2 and other efforts. It was a growing practice that I felt happy to be a part of.
Like many good things though, that experience drew to a close in 2020. After leaving, I caught up with a former college of that firm in AJ Yawn. I found out he was working on something special. We both knew that there was a better way to do SOC 2, and he was already starting to work on a tool to make it better for BOTH the client and the auditor. He asked if I wanted to be a part of it. I knew the potential here and I had to get in. Thus ByteChek was born. However, AJ said that he also needed a CFO. Given I still had accounting and finance experience somewhere in my brain, I accepted.
And now this feels like the culmination of my career to date. The first half was all finance & accounting, which plays into my CFO role. The latter half in IT audit and SOC, which helps develop our product and the deliverables we make to clients while continuing to meet the requirements of the industry.
I wear many different hats here at ByteChek, and I love it. It’s just all in the journey of a traditional to non-traditional CPA.