Attention: This is a machine-generated transcript. As such, there may be spelling, grammar, and accuracy errors throughout. Thank you for your understanding!
Blake Oliver: [00:00:09] Hello everyone, and welcome back to the show. I'm Blake Oliver
David Leary: [00:00:13] and I'm David Leary,
Blake Oliver: [00:00:14] and we are talking today with AJ Yawn, partner in charge of Product and Innovation at Armanino. AJ, welcome to the show.
AJ Yawn: [00:00:22] Thanks, Blake. Thanks, David. Excited to be here.
Blake Oliver: [00:00:25] We're going to talk today about Audit Ally, a new product unveiled by Armanino. Combining audit expertise and automation technology enables the most comprehensive platform on the market to assess your data security controls in real time. That is the subhead on the website for this tool called Audit Ally. I understand it is a SoC two audit tool. Aj, I would love to learn why Armanino created this tool. Uh, why why you're now offering it to other firms. What is the what's the reason for this? But before that, I think David had a question about SoC two audits.
David Leary: [00:01:08] I think this word SoC gets thrown out there a lot. So like and you see these badges on websites or SoC, one SoC two SoC two type two I think the AICPA has like a SoC for service orgs. Orgs badge. Like is this a is it required. Is it nice to have recommended. Like can you give us a little background on what SoC is for our listeners that maybe don't know?
AJ Yawn: [00:01:28] Absolutely. Yeah. It's not the socks you wear on your feet. Um. I'll just level set there. It's not Sarbanes-Oxley.
Blake Oliver: [00:01:34] We're talking sock.
AJ Yawn: [00:01:36] It's not that either. Okay. Sock. Correct. Um, so the AICPA created all of those different socks that you mentioned. David. There's a sock one. There's a sock. Two, there's sock for service organizations. And really, what sock two is, it's become the de facto standard here in America for companies to prove that they're doing the right thing. From a data security perspective, a CPA comes in, assesses them according to this soc2 framework that the AICPA created and says, yes, you are protecting your customers data. And generally what happens, David, if you're running a business, you're going to go out. You'll find somebody. They're super excited about your product, they want to use it. And they're like, just before you sign on the dotted line to get this great contract, I need to see a soc2 report. I want to make sure that when I put my data into your system, it's not going to end up on, uh, Reddit later on. That's all a soc2 is. It's that proof point to say I can work with you. Sock ones are more for financial reporting, but really, what most of the US goes after is a sock to report that says I'm doing the right thing from a security perspective that a third party auditor has validated.
David Leary: [00:02:39] So as our business grows, it's not a government regulation, it's another contract we might try to get or business might try to get that vendor or potential customer. Vice versa would require this of our organization.
AJ Yawn: [00:02:53] Exactly. Yeah. It's not like a in health care. You have HIPAA for example, that everybody has to do or federal government. You have the FedRAMP stuff that everybody has to do. Soc2 is optional, but it has gotten to the point where it's really not optional anymore. As you grow, as you move and start working with those bigger companies, they have, there's there's certain companies that literally you cannot get past a check box. You have to they have to say this, this company has a soc2 and if you don't, they're just like, hey man, I love the tool, but I cannot work with you until you go get this Soc2 got it.
Blake Oliver: [00:03:22] So audit ally, this is the first of its kind soc2 tool, directly engineered by an accounting firm designed to integrate into any soc2 engagement and improve automation and recording and reporting capabilities. That's according to your press release. Tell us about Audit Ally. What is what what what kind of tool is it? What what does it do?
AJ Yawn: [00:03:43] Yeah, it's a tool that combines both the side of the table of the auditor that is doing and performing the audit, and the side of the table of the client that's going through the audit, and a tool that bridges the gap between both of these entities. There's tools out there that have been really focused on the client. There's been tools out there that are really focused on the auditor. We truly believe you can't automate this without thinking about both sides of the table. So Audit Ally is that thing that brings those both parties together.
Blake Oliver: [00:04:07] So is it fair to think of this as workflow software? Like David and I have a tool in our company where we have a checklist of procedures for every episode that we record of this podcast, and we go through that and there's multiple team members who do it, and we even have exposed that to clients now, where if we're producing a podcast for somebody, they can go in and or if they're a guest, they can go in and upload their headshot, put in their bio all in the same software. Is that the kind of thing we're talking about?
AJ Yawn: [00:04:36] Yeah, I think you can think about it like workflow software, where it's helping you kind of get through the steps necessary to ultimately get your report. I think some of the cool things that we're building on there is the ability for the technology to accelerate some of those steps in the workflow. So instead of, you know, an auditor having to type out a very long, detailed response of why a piece of evidence isn't isn't working, we're using artificial intelligence [00:05:00] to help enhance those answers and allow the auditor to move faster on the client side, instead of them having to wonder, is this evidence going to be enough for my auditor? We're using artificial intelligence on that side as well to to help teach them what right looks like. So it's workflow software. And think about the name audit ally. Really what we want is an ally. This technology is your ally to help you throughout the audit. It's giving you tips and tricks as you're going through each step. Because again, going back to the original soc2 is confusing for a lot of people. So we want to make it super easy and transparent about what's going on in each step, and then where we can use technology to help you do your job a little better.
Blake Oliver: [00:05:37] So give me an example of how I could automate one of those steps.
AJ Yawn: [00:05:42] Yeah. Um, a very simple example that we're we're working on right now is in an audit. You know, typically I'll come to you and say, hey, Blake, you know your company. I need a list of all of the new hires that have happened over the last year. This would be in a soc2 type two, David, where we're looking over a period of time and you'll say, okay, here's this list. We hired ten people last year. And then I'm saying, I need you to prove I want to prove that these random I'm going to select four of these guys randomly, four of these employees randomly. I want to prove that they actually completed security awareness training when they were hired. Because you say in your policy, somebody is hired, they got to go do no before or some other security training that says that they know the basics of security. Typically, an auditor would send that list over to you. You'd provide the things back and forth. There's all this uploads back and forth. Then the auditor is looking at the spreadsheet they're marking down. Okay, David completed it. On February 13th, he was hired January as that 30 days in between. Right now with Audit Ally, the way we're doing it is you upload that information, audit ally is going to automatically extract all of those details, the certificate date, the hire dates from the listing and then show that information both on the auditor side and say, hey, auditor, here's the information you need to make your decision about whether or not this control is met.
AJ Yawn: [00:06:50] But the really cool thing that I'm excited about is exposing that on the client side as well. So clients now know what right looks like, and if there's something missing, it's not a surprise because a lot of this stuff is very deterministic. It's hey, did you complete it within 30 days? There's not a lot of subjectivity between that. So as clients, you might want to know before I send this over to the auditor, there might be an issue because David completed his at day 31 instead of day 30. So that right there alone is just like being able to take. And I think it's the cool part about AI technology that exists today. We can take any information at A, PDFs, documents, extract it and do some processing with it. And that's really exciting, I think, in the audit space, because that's a big part of the job, is just reading through these documents and pulling information out.
David Leary: [00:07:31] So. So as a business, I'm trying to understand, is this just a service where you're doing the audit or because really, I care about getting the badge and getting to the finish line. Right. So are you assisting me? Hey, if I do have this hole here, like, here's how you, uh, remedy this situation or is this a half a consulting thing for firms I'm trying to understand? Or is it strictly an audit opinion?
AJ Yawn: [00:07:53] Um, yeah. So we'll help you get to the end. The challenge with Soc2 is that once you sign up and say, hey, Armanino is going to be my auditor, we can't tell you, hey, this was a mistake. You need to go fix it before you get your badge in a soc2 report, if we identify a a flaw, an exception in a control, we do have to report on it. But having an issue like what we just described. David, if you are one of out of four employees I didn't complete security awareness training. It's not the end of the world. It's not going to stop you from getting your badge. One of the cool things about the Soc2 report is it's truly a report. It's, you know, like a 50 to 60 page report which says a bunch of detail. So if you do have an issue, there's an opportunity in your report to talk about the remediation that you went through. Or maybe there was a weird circumstance, maybe you went on paternity leave and that's why you couldn't complete security awareness training. And you can explain that because really, a soc2 report is not necessarily about passing or failing an audit. It's about your getting this report from a third party who's come in and look at your processes, procedures, and then you get this report, and now you can go give it to your customers, and your customers can look at that report, read through it and say, okay, I'm fine with that security awareness training mistake, or I'm fine with this. And maybe in some cases they're not fine with it, but with, uh, Audit ally and with Armanino, we would be your auditor or any auditing firm that's using this tool. They would be their auditor. So they there's a little bit of a line of independence there where they can't necessarily say, here's how you they, they can tell you how to fix it and what you should do, but they can't do it for you. Um, to, to kind of make that very clear.
Blake Oliver: [00:09:22] So what I are you using with Audit Ally, what are you plugging into? Is it open AI. Is it anthropic? Is it something else?
AJ Yawn: [00:09:30] Yeah. One of we're a big AWS shop. Um, so we're, we're using Amazon Bedrock, um, as, uh, the kind of the AI underneath the hood model. And they, they give us access to a bunch of different foundation models, from Jurassic Labs to anthropic, like you mentioned, to Yama to to, um, Amazon Titan, which is their own model. But there's also other technologies, other OCR machine learning technologies we're using, like Amazon, Textract, um, SageMaker comprehend all of these different tools, [00:10:00] which is the really exciting part because now we have the ability with some very, very great APIs and very great technology on AWS to access a wide range of models, but also do it in a secure manner, do it behind the protection of our own AWS account where we have the security. We're not our data is not training these models, which is a great feature that AWS has, where you can turn that off and stop these models from training on data. So it allows us to do some really cool things, but keep it kind of in a closed environment. Um, so yeah, all, all of the different things that are available on AWS is really what we're using.
Blake Oliver: [00:10:33] So you can swap out models, you can swap in a different model if you find something better that works for your needs, because you've got this flexible architecture.
AJ Yawn: [00:10:42] It's one of the coolest parts about it. I think, um, is that with a couple lines of code, you can really just say, uh, I think I want to use the anthropic model because it does this type of task a little bit better, and then it allows you there's a lot of cool ways to test as well. So you can use different. I found that different models work well for different different type of activities. So having that flexibility has been huge for us in the development process.
Blake Oliver: [00:11:03] So you say that Armanino is the first accounting firm to release a tool like this. There are though tools, services that are similar. If I do a Google search for I need a soc2 audit. I see companies with techie names that don't sound like accounting firms like Drata or Thorup's, or is Partners or Secure Frame or Nera or Kirkpatrick Price. Uh, that one sounds more like an accounting firm. Strongdm risk optics. Like there's a lot of these tech techie companies, tech sounding companies out there doing soc2 audits. So talk about that. Like, is that what inspired Armanino to get into this?
AJ Yawn: [00:11:49] Yeah. That's a I'm glad you brought this up because that's a big thing that's happening in the SoC two space right now. I mentioned this innovation that has occurred. I was a startup founder. I was a part of one of these tech. I started one of these techie companies that was doing SoC two. And really the change has happened is that, um, a lot of founders have found that, hey, there's an opportunity to build SoC two software because so many companies have to do this. They don't have a choice anymore. They have to go through and get this. So they built these tools. The challenge with these tools is it's really ostracized. The large, um, uh, really high quality CPA firms, if you look kind of in the top 50, you'll very rarely find any of those firms working with these, some of these type of tools. Uh, and it's really just because of the, the way that the business model works. Um, those are SaaS tools. They care a lot about annual recurring revenue. So they have to get that money from the clients, which then reduces the budget that the client may have to pay for a CPA firm, which then may determine the type of firm they're working for and what really has happened and why Armanino has made this big bet, is Soc2 has started to get a little commoditized because of this, this, this, this technology, um, innovation and increase that has happened.
AJ Yawn: [00:13:00] And really what our goal is, is like, let's focus back on what is Soc2 is all about. Soc2 is about proving security to your third parties. And third party security is huge. A lot of breaches occur through third parties. So really what, what, what Armanino wanted to do was not only empower us here at the firm to use technology to enhance our soc2 practice, bring technology to our clients, bring back quality to soc2 and have people that want to work with an Armanino not have to choose between Armanino versus technology. You get both. But more importantly, as you mentioned at the beginning, Blake, we're opening this up to other firms so that other firms can now compete with those Stradas and Vantas and other tools that exist out there because they can say, hey, we have technology too, that is really focused on the core of Soc2, which is proving data security to the vendors and making sure that the auditors can actually do their job. One of the challenges I mentioned in the top 50 firms are not working with some of these tools.
AJ Yawn: [00:13:56] One of the challenges is that the tools kind of are are determining if a control is passing or not. They're saying, hey, we assess this, we scan this account and it's a green. You get a green check box. Really good auditors are going to want to know what's underneath that green check box. They're going to need to see the data. They're going to need to check and make sure and validate that stuff. That's the approach we're taking to audit allies. We're not telling auditors how to do their job. We're bringing the information forward so that they can hopefully do their job a little bit better. But we're making sure that we can still do the audit. We can do it the right way, do it at a high quality. That's the big thing that's happening in the industry, which is why I'm super excited about being here at Audit Ally, because if we can get this right, I think we're going to help save this accounting industry from what is potentially going to these, these, these software companies are trying to do, which is take over and kind of eliminate the firms from soc2 which which I don't want to happen.
Blake Oliver: [00:14:45] Well and beyond Soc2 what's to keep them from doing this in other areas of audit? I was, I was interviewing I interviewed Rob Valdez on my earmark podcast recently. That episode will come out shortly. Rob you know Rob from Novico. [00:15:00] Um, yeah. So so we were we were talking about, um, audit automation more generally. And Soc2 came up as an example of an area that has been very quickly commoditized by tech companies. They can do it for 20% of the cost, sometimes compared to a CPA firm, because they have all this automation technology, but the quality may be lacking. And so the question is how do, how do how do CPAs how do accounting firms get back to, you know, owning this and being competitive, especially when it comes to price while offering a high quality audit? Because like if I'm a tech company and like David said, all I need is the badge on my website to get the business. I don't care who does it right, I don't like. I'm just thinking of myself as a tech founder. I have an app. Do I care who did my soc2 audit? If my customers don't care, do I care? So. Right. So it's interesting. I guess that's a long way of getting to my question, which is like, how does how does this. What does this mean for the future of audit generally like especially financial statement audit? Are we going to see tech companies pop up doing financial statement audits that just put the CPA in a box at the end? Who signs off?
AJ Yawn: [00:16:08] Yeah, I think we're starting to see it. Um, even in financial statement audits and, um, uh, internal audit as well. There's a lot of tools out there that are being created. So I think, you know, this is really a kind of a microcosm of where the industry is headed. And it's why I'm super excited about being here at Armanino. My job title, like you mentioned, is partner in Charge of Product Innovation, which spans well beyond Soc2. Uh, my real focus is how do I bring technology to the entire firm, how do I help this firm kind of shift from just being a traditional CPA firm to kind of like, you know, I don't know if you've heard of this, but Domino's does not consider themselves a pizza company. Domino's considers themselves a technology company that delivers pizza.
Blake Oliver: [00:16:49] We love to talk about the pizza tracker on this show. We mentioned it at least once a year. Great.
AJ Yawn: [00:16:55] It's a great AI. That pizza tracker is amazing. Like, we probably could have a whole podcast on there. It's like it's just great. I love it every.
Blake Oliver: [00:17:02] Time we talk about, uh, every time I see a meme about clients asking about the status of their tax return, I say that firm needs a pizza tracker, but it needs to attract tax returns.
AJ Yawn: [00:17:11] Exactly, exactly. Yeah. And that's that's what we want to offer a level of transparency and audit. Ally, you know, we're starting with Soc2. It's a big focus of ours. But we already are kicking down the the going down the road with ISO 27,001 with PCI, with HIPAA, with high trust, a lot of other things that audit ally is going to expand to. You mentioned tax. We're building some tax stuff as well. The whole idea is that if you look five years ahead, the way that CPA firms do business today is going to dramatically change with technology, with AI, with all of this innovation and these startups that are getting a lot of funding to disrupt this industry. So the CPA firms have a choice right now, which is why I love being here at Armanino, because one of our core values is being entrepreneurial and pursuing things like this as they see, you know, Matt Armanino, the CEO, he sees the future he sees five years from now. So he's like, let's do this now. Let's invest and bring technology, and hopefully not only for ourselves. Again, I'm really passionate about I want to be able to save. Um, and not that the accounting industry is drowning, but I want to save this industry by helping to bring technology, because I think that's we're going to have to change. We're going to have to do something different. And this is an opportunity, I believe.
Blake Oliver: [00:18:19] I think you're right. 100% Soc2 is the beginning of this trend. It's just the area that the tech companies have started to automate first, because it's the pain they felt first and they're going to come for all audits. And so it's so awesome that Armanino is building this tool and opening it up to other firms, because it gives firms a way to compete with these technology companies and to stay relevant and and compete on compete on price while offering a truly high quality audit. Um, in the time we have remaining AJ for those listening who are interested in using Audit Ally in their own firm, how can they get in for more information, do you have pricing published? Like what? What can you tell me? Like if I wanted to use it myself, how would I do that?
AJ Yawn: [00:19:04] Yeah. So for if you're in a company and you're interested in using Audit Ally on this page, there's a little contact page that you can reach out. Or you can definitely come directly to me on on LinkedIn. Or I'll share my email here with the group. And we can have that in the show notes. But um, for firms, same thing. And we do have some tiers and it's really about and right now is a great, great, great opportunity for firms that are interested in learning more and getting involved. You see their pictures of myself and Liam Collins, who leads our assurance practice practice here at the firm. Um, we're offering some very great entry, kind of free. I'll just be very transparent, free use of the tool for for firms because, again, we believe in trying to get this out to many firms as possible. So if you're an early adopter, you're going to get a great opportunity to, to bring this tool to your clients. Um, but then as you grow, one of the things that we want to do is you talked to Blake about the financials, the finances of tools [00:20:00] out there and CPA firms and being able to be competitive. As firms use audit ally at scale, it becomes much, much cheaper and much more economical to do. And that's we were super intentional working with internally here. Um, discussing it with other firms, kind of proving previewing this.
AJ Yawn: [00:20:17] We wanted to make sure what is the best pricing not, you know, not from just a making money revenue perspective for for the firm. But what's the best that we can get the highest level of adoption. Because the more firms we get on this tool, the more clients we get on this tool, which then the more people are starting to see. There is a distinct difference between a firm using an audit ally and the level of detail, the level of quality versus a firm using another tool. And hopefully we can present that dichotomy in the industry. So all that to say, if you're a firm and you're like, this sounds really interesting, I want to learn more. This is a great time to reach out because we're we're just we're trying to get as many people we really, really believe in what we're building. So we're. Comfortable letting people try it out and go use it on clients, because we know once you lose it on a few clients, you're going to come back and say, yeah, that was great. We want to do it more and more and more and bring this technology to our clients. There's also going to be opportunities for firms to white label this as well in the future. So you're not going to have to have Armanino branding, you know. Yes.
Blake Oliver: [00:21:12] Tool. That's an important.
AJ Yawn: [00:21:13] One. You'll have your own branding as well. Right? Because that's a big part of Soc2 is something that maybe we can in a Soc2 report on the front page of the report, the firm's logos there. Yeah. So you do know who issued the report. And that's a big thing. And as you move upstream, companies are like, if I don't recognize that CPA firm, I'm probably going to ask some more questions because I care about the quality of the audit. So yeah, we're having that opportunity. So you can keep your branding, make your customers feel like they're still involved with your firm. Um, and yeah, reach out. Reach out to me. Reach out to Liam, and we're excited to get it out in front of as many people as possible.
Blake Oliver: [00:21:45] So find AJ on on LinkedIn y a w n. We'll have a link to the page for Audit Ally in the show. Notes. Aj, we got to run to another discussion. Thank you so much for your time today. Really appreciate having you on and hope to have you back soon.
AJ Yawn: [00:22:01] Thanks so much. I really appreciate it.
