Podcast | Risk Advisory

LISTEN NOW

If you are unable to access the podcast below, look for PBMares AdvisoryWatch on Spotify.

Learn more about Risk Advisory on our website here.

Transcript

Andrea Sardone
In today’s world, nearly every organization faces some level of uncertainty, from cyber threats to market fluctuations to operational disruptions. The COVID-19 pandemic ushered in a new level of uncertainty, forcing businesses to not only plan for survival, but to be competitive in the face of increasing risk. Our episode today is one of a series on risk advisory.

During this series, we’ll dissect these challenges with a team of PBMares’ experts who will help you turn risk from a foe to a force of growth.

Andrea
Today we are talking with JJ Edmonds. He’s a certified public accountant and partner with over 10 years of public accounting experience, providing audit and assurance services to the firm’s financial institution clients with assets ranging from $10 million to $7 billion. He manages and oversees internal and external audit services and has worked closely with clients understanding their major financial processes to help them strengthen their internal control policies and procedures. He’s also one of three who’s now starting a new risk advisory services practice at our firm. Hi, JJ. Thanks so much for joining us.

JJ Edmunds
Hey, Andrea, I appreciate it. I’m ready for an exciting podcast here.

Andrea
Okay, so JJ, before we start talking about risk advisory, we need to either put to rest a rumor or break some news here that you almost got arrested during an internal audit at a client site. So what’s the story there?

JJ Edmunds
Actually, it’s kind of a short story in that we had access to a client’s bank account, and then we took their money. I’m just kidding. That’s not what happened. No. So the actual story here is that we had a new client and we were starting out the engagement.

We wanted to start with an easier audit. And what we decided to start with was a branch audit and a cash count at the branch. So that’s kind of an interesting audit in that we show up at the branch and we essentially watch them count their cash in the morning. So basically, you had $10,000 at the end of the day yesterday. Let’s see how much money is in there this morning. So because it was the first engagement we had done with them, I showed up early, got there about 30 minutes or so before the branch opened and was just hanging out in the parking lot. I was dressed in full suit, tie, dressed to the nines with my little PBMares backpack on, and I’m just standing at the front door of the branch, just waiting for people to arrive. So next thing you know, someone pulls into the branch parking lot and she’s on her phone and she looks a little worried. And I start thinking, Oh, maybe she’s just having a bad morning, a bad start. I kind of start to walk over to her and next thing you know, her car pulls out of the parking lot and goes across the street. I think, Oh, that’s also a little weird. The next thing you know, as it’s getting closer and closer to time for the branch to open, nobody was there. And I thought this is really weird because people are going to start showing up here in 10 minutes and we haven’t even started counting the money at all. The next thing you know, four different cop cars pull into the parking lot with sirens on, lights blaring, and it’s mad chaos. And I think to myself, oh man, this is not good at all. So the cop comes over and he asks us, Hey, what are you doing here? I introduced myself, saying I’m from PBMares. We’re here to count the cash. He says, okay, great. Well, you know, what, who should I confirm this with?

Well, the whole point of the cash count is surprise. Nobody’s supposed to know we’re there except for our point of contact. Unfortunately for us, our one point of contact had a doctor’s appointment that morning. So as they call back over to the headquarters to say, hey, there’s an auditor here from PBMares who wants access to all the money in the branch, nobody could verify who we were or why we were there.

JJ Edmunds
Very politely, the police said, I know this is a thing. We’ve heard of this before, but unfortunately, we’re gonna have to ask you to leave because nobody here can actually verify who you are or that you actually work for the credit union. So that’s my story of almost getting arrested while performing an internal.

Andrea
That’s really funny but you probably would have been the best dressed arrested person, ever. Right? I mean, you’re all ready to go. And, you know, the PBMares backpack in a mugshot. Although I’m not sure how we feel about that.

JJ Edmunds
I guess they say there’s no such thing as bad publicity.

Andrea
Well, that’s the first question that I want to ask you. You said you were counting the cash. So here we are. We’re in tax season, and everybody has tax returns on their mind and getting ready and April 15th is looming. So the word audit is always sort of a scary word. And people probably think of audits in that, oh, the IRS is going to audit me. But you’re doing a different type of auditing. And when you said you were counting the cash, let’s talk about the different types of audits. And then maybe let’s just start off with, you’re not a tax accountant. You are an audit and assurance accountant, correct?

JJ Edmunds
Correct. So I know I still to this day struggle with my own personal taxes. I was joking with someone the other day that I had to enter it into our software and I had to ask one of the other tax staff, hey, where can I find the tax software and how do I get into it? Typically, when you think about CPAs, you don’t really think about what I do. But what I do is more processes and controls. And I know the goal of a financial statement, a clean audit and a clean opinion of no findings. And that focuses on the end results and on the numbers of the audit, where our internal auditing is really just around the processes, the controls, how we get there. It’s a lot more unique than just debits and credits and sort of the old school T-accounts and things like that. So we focus a lot on just processes and how we got there and different controls and items like that.

I always tell all of our clients and prospects that the goal of our internal audits is to have observations and to have findings or best practices, which is totally different from just the goal of having a clean financial statement opinion. So if we don’t have observations or findings, I always say that we didn’t do our job. We didn’t accomplish what we set out to do. And that comes down to the difference between just internal auditing standards and the US GAAS standards. It’s principle-based versus rule-based.

The internal audit standards are principle-based, which says be independent, whereas GAAS and GAAP standards have specific criteria around this is what it means to be independent. Here’s what it looks like. Here are the things that can impair your independence. So it is a difference of mindset and kind of methodology of what we do on a daily basis versus kind of what you traditionally think of as CPA auditing.

Andrea
Okay, GAAP is Generally Accepted Accounting Principles and GAAS is the Generally Accepted Auditing Standards.

Andrea
Just to point this out, you are as a CPA, a public accountant, and going back to that example of counting cash. For the average person, you make sure the money I just deposited yesterday, and the bank has processes and controls, to make sure that the money is there today. And you are providing that assurance. It’s so we can all rest easy, and same thing with passwords and all of that security, to make sure that when you give your personal information away they’re going to store it in such a way. So we’re going to talk to some of your colleagues and in another podcast about that.

JJ Edmunds
Exactly.

Andrea
Let’s talk about your new practice, the Risk Advisory services that you and two others at the firm have launched and are leading. Tell us about that.

JJ Edmunds
So we’ve focused on just risk. We got back to the basics when we combined our three services together and thought about what is it that we do combined and what’s the thread that controls what we do together? How are we all linked? Because a lot of our services, from process optimization to IT cybersecurity to entire auditing, they’re all roughly the same. So we focused more on just risk.

And that’s what every single business deals with, every second of every day. Every decision or action that is done is based on risk. And that’s what we’re here to help with, is to identify, evaluate, and just mitigate risk in general. I was joking the other day that risk is not new. This is something that’s been around for a while. I made the analogy that our risk advisory team is the Stanley Cup of PBMares.

And by Stanley Cup, I know that’s the new trend that you see on TikTok and a lot of places where it’s those giant water jugs that literally look like you’re carrying around a gallon and they’re bright colors and you see them all the time, but Stanley cups have been around since 1913. They’ve just now become relevant and sort of the hot topic. And I think that’s the way I think about risk and risk advisory services is that it’s not new. It just is now becoming a lot more front of mind, a lot more important to businesses.

And I think that had to do a lot with COVID. One of the side effects is just the digital transformation. When I think about working remotely, that was something that did exist before COVID. You could work wherever you wanted, but it wasn’t quite as easy. And that’s the way I think about risks now is that it was always there. It’s just something that you’re thinking through a little bit more because we’re all so connected.

Everything is one button click away, everybody wants to have a quick sign on or face ID and things like that. But you want to make sure that you have those controls in place. Also, businesses are being more proactive post COVID. You think about pre-COVID and it was, Hey, there’s going to be a worldwide pandemic. We’re all going to be shut down in our houses for months at a time. We never thought that was going to happen. But now businesses are thinking about it. If COVID happened, what’s the next thing that nobody’s thinking about? What’s the next thing that’s coming down the pipeline that nobody’s seeing? And how are we gonna be able to bounce back both quicker and better? Because if we bounce back from a global pandemic, what else is gonna concern us or worry us and how are we gonna bounce back from anything else?

Andrea
Obviously, we never imagined a global pandemic. It’s like, imagine what you can’t imagine. So basically, anything could happen.

All right, so you talk about risk and specifically, are there certain types of risks? What are the types of risk that we might not be thinking about, but we have to be… or somebody has to be?

JJ Edmunds
We tend to think about risk in five different categories. I know you mentioned cyber and IT, but then we also think about through a strategic lens of where are we going, how are we going to get there, and what’s coming down the pipeline. You want to make sure that you’re looking forward and thinking through, okay, what is coming up next and how can we help avoid it or plan for it or better prepare for it. Then there’s that financial risk, which is around the processes, controls, accounting, just your typical accounting world, and CPA functions. Then it’s operational. So that’s going back to the branch cash count that I mentioned earlier about counting cash, how you do things, what you’re doing from an operational perspective and how you serve your clients. Then there’s the regulatory items. So those are items that are tied to just compliance with rules, regulations, things like that. And then last but not least was IT, which we kind of mentioned earlier.

Andrea
So your background also includes IT. And you have a specialty or a focus on certain types of risk. And I think you mentioned banks. I mean, that seems like to me, I’m glad you’re on the scene there because I like to make sure that my money’s safe.

But tell us what you focus on. I mean, like the specific type of risk.

JJ Edmunds
I focus more on internal auditing which is risk-based auditing where we have a customized approach for each and every one of our clients to make sure that we’re addressing items head on and taking that strategic lens forever. Auditing always kind of felt like just performing a checklist and filling out forms and saying, Hey, do you have this? Do you have that? But we try to make sure that we’re getting outside of that, and getting into your junk drawer. I say I’m into auditing which is analyzing your junk drawer. Hey, we wanna see your closet that’s messy, that you don’t want anybody to see, right? Cause that’s where the risk is. That’s where the problems happen. Nothing ever happens in your front hallway when you walk into the house, cause that’s always the cleanest part of your house. We wanna see that dirty drawer that you’re afraid to show people because that’s where the risk is. And that’s the part that’s gonna derail your business. So that’s the part we want to make sure we’re looking at.

Internal auditing tends to have this bad connotation of the gotcha police. So even though we’re here to tell you all the things you’ve messed up on, in the end, auditing and internal auditing is just here to add value. We’re here to make sure that we can help your business run as successfully as possible.

Andrea
You’ve never been to my house, but I think you kind of nailed it. The common areas look great, but then there are the junk drawers. So what happens when they don’t let you have access to that junk drawer? Okay, I found this, we did this, and then later on they had this junk drawer that I never saw, and they never showed me. So just kind of tell us what your typical day entails. You go to a client site and what happens?

JJ Edmunds
We try to talk through what issues, concerns, problems do you have? How can we help? We try to make sure that we’re being friendly about it. I was in a board meeting one time where we delivered some observations and findings to a client. And one of the guys at the end of the table said, wow, that’s the nicest anybody’s ever told me that I’ve screwed up on something.

And then one of the other guys at the other end of the table goes, well, that’s because we’re paying them. If we weren’t paying them, it would not be nearly as friendly. So I’d like to think that we’re just friendlier in general. And that’s how we get people to show us their junk drawers and talk things through. Because we want to try to communicate just that added value of what we’re here to do and how we’re here to help, making sure that they understand the purpose of what we’re doing. And if that’s not the case, your business probably won’t be nearly as successful because there’s always going to be something holding you back.

Andrea
That’s interesting. You work with businesses, not individuals. Somebody’s listening who has a business and they think, Ok, I’ve got some junk drawers, I don’t know what to do. Doesn’t insurance require that they have controls in place? In other words, how would they know that they need you?

JJ Edmunds
No, and I think it’s just offering that fresh perspective. This is something we do for companies all across the US, coming in, talking through what they’re looking at, just offering that different perspective. A lot of times when you stare at something or you look at something for so long, you kind of get used to it. One of our colleagues the other day gave the analogy of a frog in boiling water, and that if you put a frog in boiling water, they’re gonna jump out immediately. But if you put a frog in a normal pot of water and then slowly turn up the heat on them. They’re not going to know what happened and they’re going to be boiled. I realize you didn’t probably think you were going to get that analogy on this podcast, but that’s what the PBMares Advisory Watch is here for.

Andrea
Yeah, you don’t pay attention and then all of a sudden, the heat’s on. And the poor frog. But that is actually a pretty good analogy. I would kind of be scared about the heat being turned up on me.

JJ Edmunds
Well, so often we ask when we’re doing these meetings or a walk-through and we’ll ask why you do something a certain way. And so often the answer is, well, it’s just always been that way. That’s the way we’ve always done it. I’ve been here for 20 years and we’ve never done it differently. And just having that fresh perspective to say what are you doing now, what’s the purpose of that, and how can we help? And I realized that seems like basic questions and things to ask, but rarely do we see businesses take that introspective look at what they’re doing and how they’re doing something and why they’re doing it. And that’s why we’re here now.

Andrea
Let’s go back to COVID a little bit. Did new risk just appear suddenly? You mentioned remote working, but what else did COVID do to organizations that caused them to say, whoa, I gotta figure something out here, that is something we never knew. Have you identified stuff like that?

JJ Edmunds
Well, I think it has made businesses focus on who they are and what they do and what they do well and what they don’t do well. I think back to Airbnb during COVID and it shut everybody down and everybody had to stay in their house and nobody could travel or do anything. You think about a company that offers vacation rentals and things like that. Well, that doesn’t happen because you’re just not going to go to other people’s houses during COVID. But Airbnb realized that we are selling experiences and we’re selling community and time together as a family. So one of the cool things they started to do was see virtual tours. So you could do virtual wine tasting, you could do virtual tours of museums, things like that. Because they thought through what’s the core and the heart of what we’re doing. And that’s having experiences and just being together. So thinking things through, well, what does that look like?

As part of that, a lot of businesses have thought through, well, what are we good at? What are we not good at? And I think when they’ve decided they’re not good at something, we see a lot more outsourcing. Hey, we’re really good at doing this. So we need to find a vendor or a partner to rely on to do those things we’re not good at. And as part of that, you’re relying on a lot more businesses now. So that vendor management and that third party vendor management is huge. That’s one of those that you want to make sure that you know who you’re doing business with. And then in addition, who are they doing business with? Now that everybody is so interconnected, we’re seeing a lot of impact from the cyber side. If you have a cyber breach at one of your vendors, that’s gonna have a big impact on you. Especially in the credit union world, we’re seeing there was a big cyber breach at a vendor that caused an outage. I think about 443 different credit unions were impacted and 60 of them had outages where they were down for several days. So those are big deals because of no fault to those institutions, but because it happened at a vendor, because we’re becoming so interconnected now just in general through the business world.

Andrea
Let’s say you have business, like a credit union, and they realized, okay, we need to outsource something, so they’ve gone and found a vendor. You’re the type of person that comes in between to make sure this is what the credit union needs. Here’s what you can do to meet that need. But we’ve got to make sure that the vendor’s back door isn’t swinging wide open for something bad to come in. Is that the way it works?

JJ Edmunds
Yeah, that’s definitely one of the audits that we can perform from a vendor management perspective of making sure that you’re analyzing that risk, you’re looking through it appropriately and you’re aware of what else is out there, what could potentially happen because it is no longer if we’re going to have an incident, or if we’re going to have a problem, it’s when.

Andrea
So let’s just say you would go into an organization, provide the internal control audit and then you discover something. And you would say, oh, look, your back door is open here, and it says cybersecurity. And you would call in Nina, the other colleague in risk advisory and cybersecurity, who we talked with in a separate podcast. That’s the power of the risk advisory team is you discover these things and then you’re able to bring in expertise to address them.

JJ Edmunds
Exactly. We’re still working on the naming convention, whether we’re going to be the three amigos or the three musketeers, but that is definitely the benefit, we all come at it from a different angle or a different perspective to help serve our clients the best way we can, because we offer that diverse approach of process optimization, internal controls, and then cyber security, because nowadays those three things are linked more closely than ever and it’s hard to differentiate and separate them.

Andrea
So the three amigos or the three Stanley Tumblers, yeah that’s interesting. We can talk about that on the marketing side of how we want to put you guys out there but let’s go back to your example of your near arrest and the counting of the cash. So the three amigos, there you are and let’s just say you were able to go and observe the counting of the cash.

There’s operations. So then you reach out to your colleague, Bronach, who we’ve talked to in another podcast. I’d love to have the three of you together just talking through this. So tell me the difference between what you would do and an operational risk. So you would observe the counting of the cash, and then what would you recommend?

JJ Edmunds
Yeah, Bronach focuses more on how do we make this better, faster, quicker? So if we’re going to do a process, how are we going to make it more efficient? How can we do this in less time? Let’s cut hours off of this. From a control perspective, we try to make sure, okay, where’s the risk here? And is there a benefit reward of, can we do this easier or faster, do we need these controls in place, or is there a better control? And then from the IT cyber side is, how is that overlaying all of this, of what do those controls look like? Where are the weaknesses there? Where are the different issues, problems? How can we identify that from the cyber IT perspective?

Andrea
All right. So I’ll put you on the spot here. What is the craziest risk you’ve ever seen? Can you share that? Like, you would not believe. Now, don’t tell names, but can you describe what was wild?

JJ Edmunds
I don’t know if it’s the craziest risk we’ve ever seen, but definitely one of those items we occasionally see is 0% interest loans. That sounds awesome and I keep waiting to get one of those, but unfortunately it hasn’t come my way yet. But we found a weakness in some of the software that originates loans where if you don’t click these buttons in the correct order, which again, sounds crazy when you think about it, that those will not function properly and it will actually generate a 0% interest loan. And we do see this often. And it’s a wild, amazing thing, but it does happen more times than I would like.

Andrea
So you should not be getting a 0% interest loan, but somehow you do, and then the consumer would say, wow, this was a present, is that what happened?

JJ Edmunds
Yeah. Technically we’ve advised sometimes that you can go back and say, Hey, listen, nobody gets a 0% loan. Therefore, you have the right to go back to whatever the interest rate is. But if you’ve been paying down on the loan and it’s already been accruing the amount and you’ve just been paying down the principal because there is no interest, it is, in essence, an interest free loan.

Andrea
Well, when we’re offline, tell me where that is so we can maybe get one. All right, so let me summarize what we’ve talked about here. I heard you say risk has just exploded in the last few years and we can blame COVID for it. We can blame more globalization. I don’t want to say blame, but we can attribute it to that. There’s this kind of growing emphasis on digital experience and we all log into things every single day, online banking, that sort of thing. So your group is saying, let’s be proactive with this. Let’s not let the risk get us when we’re not watching. So that junk drawer analogy. And your team looks at five types of risks – strategic, financial, operational, compliance, and IT. And there’s this need for resilience and to be competitive in the face of these threats and cyber attacks that we hear about in the news. You don’t wanna be reactive, you wanna be proactive. And your team is leading that effort on, saying let’s make sure that everything is in the right place, the junk drawer is organized, so that you don’t get attacked in any one of those areas. Did I get that right?

JJ Edmunds
Sounds like you should come work for the Risk Advisory Services team. You absolutely nailed it.

Andrea
Well, I’m good at marketing, right? It sounds like I know what I’m talking about. Okay, it’s interesting because we’ve been talking about this internally for a while and I think it is kind of fascinating that it’s things that you never think about.

You just assume it’s going to be okay. So I think your message is don’t make assumptions, right?

JJ Edmunds
Exactly. That’s one of those things that just because it’s functioning or working properly, doesn’t mean you don’t have issues or problems or things going on behind the scenes that just haven’t bubbled up to the surface yet. So we want to make sure that you’re being proactive from a business standpoint to make sure that you’re not being derailed from what you’re not seeing.

Andrea
And then just then for the record, you were not arrested, right?

JJ Edmunds
No, I was not. They are still clients to this day and we still joke about that when we come on site saying, hey, did you let the local police know that we were gonna be here today to make sure that we have clearance to come in? So thankfully, that has not happened again, but it does make for a funny story. And a scary little moment there speaking as someone who was not prepared for what was happening.

Andrea
I bet. That’s kind of like your own personal control, right? You want to make sure like, hey, I’m coming over. Tell the police. That’s pretty funny. So JJ, anything you’d like to add or say?

JJ Edmunds
Again, I appreciate you having us here to highlight risk advisory services as it is becoming more and more important. We’re helping businesses stay on track to achieve the growth that they want to achieve.

Andrea
In the show notes, we’ll definitely have some contact information if you want to talk to JJ and his team. And I know JJ is always responsive. I’ll have to say that JJ returns emails faster than anybody else in our firm. So I appreciate that. It’s like I always know you’re going to respond fast. So thank you.

JJ Edmunds
That’s actually in our job description. So that’s one of the requirements for us.

Andrea
Thank you, JJ. It’s been great talking to you. Like I said, we’re going to be talking to your colleagues and maybe we’ll get all three of you on and maybe I could get a word in edgewise while you guys talk about risk. So thanks a lot.

JJ Edmunds
Thanks for having me.