Welcome to the fourth episode of under CTRL. I'm Paul Bartlett and today's guest is Jim Rumph from Wipfli, one of the top 20 accounting firms in the US. Jim is a senior advisor in the financial services division and has in-depth expertise in the area of risk management and IT compliance. On this episode we will cover how Wipfli is taking accounting to the next level by being a technology and implementation advisor to its clients. Also we will touch upon how cyber security and forensics play a crucial role in this ever-changing digital age.
Hey Jim! Thanks for joining. How are you doing there?

Doing well. How are you?

I'm good, thanks. Jim, I'm really curious about this topic that we are going to be talking about today around risk management and compliance, because we get obviously a lot of questions coming our way, certainly with our solution, with how it complies with different regulations within the European Union but also in the US as well. So I think first of all let's just get started with introducing yourself and giving us a little bit of background about you and your company.
Yes sir. Thanks. First of all, thanks for having me. I always love to come on podcasts and talk about things like risk management and IT controls, always looking out for helping our clients and providing good advice, and I know this is a big topic these days, risk management, as it should be. We're trying to do things to protect our clients and consumers, so again, I always appreciate the opportunity to talk about things such as this. It's all yours.

So a little bit about myself: I'm a senior manager in our risk advisory group here at Wipfli. Just a little bit about Wipfli: we're a top 20 accounting firm here in the US, we have about 50 offices, most of those in the US. We do have a couple overseas, but really we strive to be a little bit more than an accounting firm. We think about accounting firms, we think about traditional audit and tax, but we try to go beyond that and really be an advisor to our clients. That includes helping them with things such as technology consulting, technology implementations, kind of digital transformation, that's a buzzword that we talk about a lot and I'm sure we'll dig into in today's podcast, but helping clients in more than just traditional accounting areas such as audit and tax. Other areas we operate in: wealth management, benefits consulting, and cyber security, fraud and forensics are a big part of our practice too, and we do this across many different industries: manufacturing, healthcare, government, nonprofits.

I spend much of my time in financial services, banks and companies that do work with banks, and of course these are all heavily regulated industries, so I spend most of my time in that financial services realm. I do have a few other clients, but going back to how you started it, I really help around IT risk management at a very high level. We do that in a variety of different ways: penetration testing, SOC reports, risk assessments, social engineering and other technical audits. I spend most of my time in financial services but have other clients in other industries as well. And we help clients in multiple different ways: risk assessments, SOC audits, IT audits and penetration testing, kind of technical audits, but at the end of the day what I tell people I do is: I try to make my clients more secure, or make sure they realize how secure they are.

That's a very long-winded answer when I do it, but to shorten that up a little bit, what I tell my mom I do is: I help my clients be more secure, because that's what it's all about, trying to help them make sure they understand all these risks out there. Because there's a lot of noise about these areas, cyber security and compliance and regulations, so I try to help my clients just be more secure.
And to that point, I think there's a lot of rattling the cage, right, about the things that you need to comply with, and anybody that's either starting out on a business or trying to transition from filing cabinet to online is overwhelmed with potentially all of the regulations and control measures that need to be put into place. And I just wanted to see how you have seen this sector evolve over your period of time working in that specific area of risk management and helping companies, let's say, from five or six years ago to today, transition with the right technology stack.
Sure, great question, good way to start! In financial services it's a very interesting time. The industry itself has been very conservative in the past in the US, especially with banks, I mean those legacy financial institutions; it's just a little bit more conservative industry. But really over the past, say, decade or so we're seeing so much investment coming in now, so many more entrepreneurs getting involved, a lot more innovation around these financial services. So I am seeing a whole lot of change over the past few years, and again it's new to this industry because it's traditionally just a little bit more conservative industry.

We think about, in the quote-unquote old days, going in and getting a loan: you go into your bank or your mortgage lender, fill out your paperwork for a certain type of loan and go through the traditional process. But these days, with all this new technology innovation, you have a lot more options, I guess is the best way to put it. One of our clients actually partners with a big box retailer, so say you're a construction company, you go into a big box retailer to buy a bunch of goods, you can get maybe a micro loan right there at checkout. I mean, that is completely different than the traditional way of thinking about loans and lending. So a lot of new innovation is coming into the sector now, and I think it's great, I think it's great for the consumer, it's meeting them where they need to be. But it is new for that industry, so we're seeing, as you would expect, challenges that have to be overcome, especially in the area of compliance and security. But overall it's an interesting time to be in this industry.

And you would traditionally think, looking back in the old days, that compliance would have the upper hand, but I can see personally as well that compliance is kind of being pushed these days to conform to the technology that's available today, right? Are you seeing the same kind of thing?
Yes, I think, and first of all, I always like to tell my clients compliance is not really the same as security, and security is not compliance, so they are two different things. And certainly with all this new innovation and new types of companies coming into regulated environments, what I've seen is it can be a little bit of a culture shock for these fintechs, these financial technology companies that pop up to solve very specific problems, who may not be used to the regulations and the laws. So it can be tough for them. Traditionally banks and legacy financial services clients, they're used to regulated information, they're used to the compliance. But again, with the rapid innovation of new types of products, it can butt heads a little bit with compliance and security. So making sure everybody's on the same page, everybody realizing that compliance is an important part of the business, and the ultimate goal is to make it safe for the consumer, for your customers. And I think once people adopt that approach and embrace the regulations and laws aspect of it, I think that's the first step.

And where do you see, potentially, for example, you've got fintechs coming in or you've got existing companies that are transitioning to maybe going online or looking at a different technology stack, and with the plethora of different technologies that are out there, where do you see the pitfalls with regards to either new startups or existing companies? Where do they always run into difficulty around regulation and compliance?
Another good question. What we see, and I participate in a couple of incubator type programs, I'm based here in Georgia, in Atlanta, and we have a lot of these types of companies, these types of fintechs, and what we're seeing, and it's been very good lately, is these new fintechs are engaging with banks and people in traditionally more heavily regulated environments and beginning that dialogue. Because that piece you're talking about, of making sure we're compliant with all the rules and regulations, I think that's one of the biggest challenges. Certainly we have to have products that people want, that kind of goes without saying, but it's the back end things like those security issues and regulation issues that are posing the biggest challenge, I think, for these new companies. It used to be that banks and fintechs were butting heads a little bit; banks maybe saw fintechs encroaching on their turf, and the fintechs were just trying to provide good solutions. But what's happening now, and I think it's great for the industry, is they're starting to work together, and the banks can teach these fintechs how to operate in the regulated environment, and in return banks are getting access to new products that their customers want. But I do think that area is a big challenge, that general risk management area. But the more conversation that takes place between all these parties, the better, and ultimately the consumers can be the ones that end up winning. But also, thinking about regulations, they are changing very quickly as well, so something's always coming out new. I know in the US we have a lot of different states doing different laws around these areas, and it's just a challenge.

Yeah, I mean, I tend to agree with that sentiment as well. We deal with companies coming in to us and they start asking us whether we can make them compliant, and of course as an organization we're not there to make them compliant. We can provide a level of security which might fit into the compliance standard or the regulation for a state or some other particular sector, but we're not able to do that. And it's an interesting point that you raise, because I think what I've seen in the past is that fintech organizations are typically straight ahead with building a great application, you know, its customers can basically work from their mobile phone, do everything online, but then suddenly they can run into issues with data security, for example, and how they store that data and whether it fits with a regulation or not. Is that something that you typically see as well?

Yeah, that's a good point, and what we always encourage any company really is to make sure to think about the security risk from the beginning, from the start. If you think about it at the very end, it's going to cause problems. I'll use the example of email. Think about email: it was never intended to be secure. From the very beginning it was intended as a way to share information, and it does that very well, to send emails and to share information, it does that job really well. But now of course we've seen email becoming a primary attack vector and we're trying to secure it, so it's a lot harder to do later on in the game. If you can think about security, think about data early in the process when you're creating these applications and objectives, if you can think about it early and take security into consideration from the start, it will help. So that's one thing I always recommend to my clients, just to think about it from the get-go.

And I'll just mention one other thing that you talked about that I thought was pretty interesting: your clients want you to make them compliant with certain regulations, and of course you can do that for your product, but that's not a full solution for them, and it can't be, that's not your job. So with the prevalence of outsourcing, that will continue to be an issue, in vendor management in particular, making sure companies know how to manage their vendors.

I think this was also one of the areas, when we talk about vendor management and we talk about different technologies, there's a trust requirement there, okay: what am I procuring, what am I taking from this vendor that's going to secure my data, or secure the trust for my particular customers as well? Is that where you're also helping customers, in choosing the right technologies to get them secure and working in an effective and efficient manner?

Sure, we spend a lot of time
helping clients do that, making sure their vendor management program is in place, and one thing I always preach to my clients is you can never outsource responsibility. So you always have to, again, make sure you use your trusted vendors. I think outsourcing is a great way to solve a lot of these problems, but just realizing that you're not necessarily outsourcing risk; it's just that the risk is a little bit different, right? So you may not be in charge of securing data, maybe your vendor's doing it, but you just want to monitor your vendor, you have that communication and that relationship with your vendor to make sure you're both on the same page. And as long as you have that communication, I think that's so important. I think as a whole the industry will continue this trend of outsourcing because, again, like your solution, you solve a very specific problem and you can probably do it more efficiently and effectively than your clients can by themselves. So I think outsourcing, for these particular problems, is a great way to do it, but as you say, vendor management becomes a big piece. When we see some of our clients get audited by the examiners and the regulators, the focus on vendor management has been increasing over the years, and certainly I think it continues to do so. But if you have those trusted partners, it can be a win-win for everybody.

Yeah, I mean, because especially under these times as well there's so much pressure on cost, right? There are companies out there that maybe outsource and try to do things remotely, working with other countries providing their IT services or IT management stack. But do you see that there are potential risks? I mean, the rewards are there financially, but the risks as well, is that something that you also see? Do you have any horror stories from that? Because I know that I've heard horror stories in the past of basically things being outsourced to different countries and then suddenly they're not in control of that data anymore, so they're entrusting people with that data in a cloud service somewhere remotely in a far-off country.
Yeah, that's a great point, and what I see, I don't really have any horror stories, but here's what I see happening that causes problems: when somebody in a business unit hires a vendor without consulting maybe the information security group or the compliance group or whatever group's in charge of monitoring that, and then you create this relationship, and then the vendor comes to this and this, and maybe that's not good, maybe you want to share that information or maybe you don't. But we really need to, again, concentrate on deciding those things before we sign a letter, a contract, with the client. That's where, to me, the horror stories happen: when everybody is not on the same page going into a relationship about what we have to put in and what we're going to get out. If we solve those problems in the beginning and think about the security topic in the beginning, then that usually leads to much better success. So I think that's the big takeaway, and of course ongoing vendor management around the companies and making sure y'all are on the same page about how we treat security and how we treat data security. But usually the horror stories happen when you think about that halfway through the implementation.

Yeah, that's never where you want to be.
Yeah, I had that experience as well with a company that just basically put their line of business straight into finding a tool, which was ours, for evaluation. They went through it, they said, yeah, it's great, and the next minute they overlooked the whole security aspect of things; they needed to engage with the security team, which they weren't even aware of. Which surprised me, because you would think that internally inside these organizations these kinds of things would be well scripted out. But it tends to be, in larger organizations, you would think that, yeah, behind the shiny web pages and advertisements, there are situations where people are just unsure about what the process is internally. And is that something where you help them with building that process out? So as well as taking on the risk management, what procedure needs to be put in place, and what's the best way to do that to be able to get to an evaluation of a particular technology?
Yeah, we do help with that some. It's interesting you talked about, especially with larger companies, maybe the hand's not talking to the foot. This happens all the time, and as auditors we try to get in there and talk to everybody and get multiple perspectives, from the business line, from information security, or maybe from IT. And sometimes when we talk to all these different groups we see that obviously not everybody's on the same page. So where we can, we try to help those clients put in processes. We've got to have defined processes for how we tackle these things, so if we're hiring a new vendor, these people need to be involved from the very beginning; making sure we've got that written down, making sure we don't have to think about it when we go to procure a new solution, that we have those processes in place to make sure those things that need to happen do happen. So we do spend a lot of time talking with clients about that, because that is a challenge, making sure everybody who needs to be involved is involved. But also we don't want to slow down the process, we don't want to make it really cumbersome for us to get new products, because we need new solutions and help from vendors, and we don't want to slow that process down too much, but we do want to provide some oversight. So a lot of it goes back to just general business process. I mean, if it's a bad process in the beginning and you try to automate it, it's just going to be an automated bad process. So we always want to think about that kind of stuff from the beginning.
Yeah, and that has happened. When we talk about automated processes, it's about, again, somebody needs to sign something off. I know myself, I've experienced it, to the frustration of the customer as well, the amount of steps and stages they need to go through to get their hands on a piece of technology. But it has to check all the boxes, right? So typically this is where it falls into the risk management category. And one thing I wanted to touch on, which I'm faced with more and more now when we're dealing with customers, is the introduction of, not that it's an introduction, it's always been there, this data residency option, or data sovereignty. Do you have any feelings or insights on that? Because it's one of the things that we are faced with quite frequently: can we store our data within the US borders, where's that data being stored, what kind of regulations are in place? What's your view on that?
That's an interesting topic, and I see it just evolving almost day to day, especially with GDPR being implemented in the US. What is happening is California implemented a similar law, or related to GDPR, New York has had a little bit different one, and honestly all the states are probably coming up with their own. So it's a very interesting question and I'm not sure of the answer to it yet; I don't think anybody knows. Some of my clients have been trying to just avoid issues like that, honestly, just kind of kicking it down the road, because I don't think anybody really knows the answer yet. GDPR is new, and from what I can tell not a whole lot of fines have been issued so far, so everybody kind of has a grace period to get compliant with that. Going back to the continual question, like data sovereignty, knowing where your data is, it's just going to keep going more, and those types of questions are going to just continue increasing. And the big vendors will have to figure that out, especially in these regulated industries, and I think there's a push to do that. I mean, in the old days we put it in the cloud and it could be anywhere depending on whose cloud it is, but I have seen vendors become more cognizant of that question, especially in areas such as financial services, which are regulated. And I get it, I mean, I would want to know where my data is from a business standpoint, if only just to make you sleep better at night, right? Yeah, I don't have a fully fleshed-out answer for you because I think it's still evolving, but I think those are the types of questions that we need to keep asking, fleshing out.

Yeah, because
I mean, I typically tell my customers, they say, well, where's the data being stored, and we have a default location but we give other options as well. And usually if you're dealing with an educational institution, it's the educational institution that's saying, right, you've got to have that data within the US borders, and then you want some justification for why that's the case, and really there's no justification for it; it was based on some policy that was created 10 years ago and it's never been changed. And for example, these days people are saying, well, as long as it's fully encrypted, or the regulations are as stringent or as strict as what they are here in the US, for example, we're okay with that. But one of the things that's been sort of niggling away at me personally when I'm asking these questions is how does that affect cyber insurance, cyber security insurance for example, which more insurance companies are willing to do and offer out there? Does it have any impact on the policy that they're procuring from these insurance companies? So yeah, those are all good questions that I'm also challenged with on a regular basis to find out. So if there are any listeners out there that can help us address those questions, then you can drop me a mail by any means.

I just want to come on to the current situation right now with COVID. How have you guys been dealing with it, personally, as an organization, and even as individuals? Because I think it's caught everyone else, and it's a topic that can't be ignored, and more importantly, what do you see your customers going through right now? As someone mentioned to me earlier on the previous podcast, it's kind of caught everyone off guard, out of balance, and yeah, people are still trying to come to terms and figure out business processes, different ways of managing risk, because people are working remotely now. So what is it you see? It's the topic of the day, or at least the topic of the past four months.

It's an interesting time, strange times. I'm sitting here in my basement, where I have my home office, where I've been for the past basically three or four months. For our firm, we have a little bit different business model because we are constantly going to see clients. I usually spend a lot of time at my clients' locations, visiting with them and working there, so that has pretty much gone away. But our business model, we were built for this, to be able to work from anywhere, so it hasn't really been much of a disruption for us at Wipfli. We're doing a whole lot more online meetings where we share screens, but really we've been able to get our job done. But a lot of our clients are a little bit different because it's a different business model, such as our bank clients; they're on the front lines, they're essential. People need access to their funds and need access to their banks, so it's been more of a challenge for them.

And I actually hosted a round table yesterday for a few of my banks to talk about this very issue, because when COVID first hit a couple of months ago it was all about, hey, we've got to get work done, we've got to send everybody home, but we have to get the work done. So I think what we saw was the risk tolerance for cyber security went up a little bit, because it had to, because we had to get our job done. But now, as this thing is stretching out and we see that, hey, maybe there's not an end in sight at the end of the year or the end of next summer, we don't know how long we do this, habits are changing, and some people are realizing that, hey, maybe that's better than having a two-hour commute every day. So now we're starting to think about, okay, this being a more longer-term issue, how do we manage those risks? Because you've got people working at home; we don't know how secure their home network is, we don't know, do they have encryption over their Wi-Fi, who else is in the house. So it's introducing new risks that we really hadn't focused on that much before, and people are still trying to figure out how to do that, how to manage those risks. And luckily there are a lot of good solutions out there that are specifically geared to help with these types of issues, including what y'all's product does. So it's an interesting time around this, I think. A lot of change has happened and will happen.

And one other point about this that we talked about with my clients the other day is, what we have shown is how fast we can really pivot if we need to, to digital products, to a remote workforce. I mean, people not just in financial services, but very quickly showing that we can do rapid change to meet our customer needs, and I think that's great for all industries, to show how fast we can adapt to circumstances. But of course, there's risk in the process, because I was looking at the FBI report, they put out threat reports every year, and I was just looking at their website, and the number of cyber security cases that they handle through May of this year is already greater than all of 2019. So there's a lot of people trying to prey on all this new knowledge and all this work from home situation. Yeah, so it's interesting times for sure.
Yeah, and I also think there are some businesses out there, for them, regardless of people working from home, it's business as usual: pre-financial results need to be reported to auditors. I've got one customer who came to us saying, hey, we need a solution and we need it fast, because we didn't assume that we would not have auditors on site doing the books. We need to do the preform still, to release the pre-financial results. So they're all working remotely, and for me that was a use case that I didn't even think of, that suddenly the idea of auditors and finance teams not being able to meet anymore due to the COVID situation was, yeah, hey, there's a new space up there, basically in the cloud, for a secure data room where these third parties or regulators and independent auditing teams need to work. So that really opened my eyes as well, and also made me consider the risks of working remotely. So it was good to get your insight on that.

I'm just moving ahead now to the future, because I'm conscious of time. What do you see happening from now on, from the aspect of regulation, risk management? Where is the finance industry heading? I mean, is there a future for bank branches, for example, or is it going to be all fintech in the future? Are we going cardless? What potential risks are there? There's a whole abundance of questions in there, but what do you see for the future?
Sure, I think we will continue rapid innovation. The amount of processes that will be digitized will keep increasing; as a result of that, data security issues and concerns and challenges will keep increasing as well, and to me, in turn, that means regulations are not going to be lessened, they're going to be more and more, especially when we consider all the data breaches that have happened and will continue to happen. None of that is going to go away anytime soon, I don't think. Going back to when you mentioned bank branches, I don't necessarily think they will go away, but they will change and they will evolve to customer demands. As consumers we're used to having everything we need maybe on our phone or on our tablet or laptop, and those types of products continue to be high in demand, so I do expect a lot of rapid innovation to continue to happen. And of course, again, as a result we will continue to collect more and more data, and then we have to secure that data and have to show others that we're securing that data. Because we talked about outsourcing and vendors: the more vendors we have, the more we have to monitor those vendors, and make sure we know where our data is and then make sure it's secured.

But I'm very excited about the future. Some people get worried that maybe technology is going to take their jobs away and whatnot, and I totally understand that, but I try to look at it from the perspective that maybe some doors will be shut but a lot more doors will be opened in the technology space. So I've got really good hopes about technology and how it can make our lives better. At the end of the day technology is just a tool, and it should be a tool used to make people's lives better. I think it has the capability to do that, and I'm really looking forward to seeing how the industry evolves.
Yeah, I mean, I think at the beginning of the show you mentioned digital transformation and what does that mean. All we can say, potentially for some organizations, is that it's come early; some people are being forced to change now because of the situation. But I'm just always a little bit confused about the digital transformation terminology, because companies are constantly adopting, evolving, so it's a continuous process, right? It never ends. And I'm also thinking about, is it something that we'll see in the future where I'll be on a Zoom call with my bank manager rather than going in and facing them? Not because of COVID, potentially, but because now we've found a more effective, efficient way of working and we're actually maximizing the benefit of technology, which I believe in the past has always been maybe under-utilized. For our own product, for example, it was just used basically for a file repository, but now it's being used for many other things as well, because it always had that capability there, but now other people are finding other use cases and applying it to its maximum potential.

So yeah, okay, Jim, great discussion. Really happy to have had you on the show today. I wish you all the best and hopefully talk to you soon in the future. I'm going to call it a day for today. Thanks a lot for your time and your insight.

Thank you so much for having me, I enjoyed it.

No problem, thanks a lot Jim, take care, bye-bye now.

Thank you.

And that's it for today's episode of under CTRL. You can find links to all of our social platforms and to our guests in the episode description. If you like the show, make sure to subscribe and leave a review. Join us in two weeks' time for the next episode.
