Drew Niehaus, CPA, focuses on accounting advisory services and governance, risk, and compliance in his role as managing director of a firm in Texas. He shares knowledge on those and other topics in this episode of the Journal of Accountancy podcast, including where organizations should start with risk management practices, the most significant new accounting standards, and why he advises new accountants, "You're not expected to know everything."
What you'll learn from this episode:
- Business events that can lead companies to "have some angst" about their internal controls.
- The aspects of risk management related to organizations' supply chains.
- The value that CPAs can provide related to problem-solving.
- A memorable question from Niehaus's first college accounting professor.
- Some of the changes finance has dealt with over the past 15 years, including new standards on revenue recognition and leasing.
- The advice Niehaus gives to new accountants related to asking questions.
Play the episode below or read the edited transcript:
To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Neil Amato: Drew Niehaus is a firm managing director in Texas, and he remembers the days when he was a newly licensed, newly hired CPA. He wanted to prove his knowledge, and he now realizes that wasn't the best approach to take. In this episode of the Journal of Accountancy podcast, you'll hear the advice from Niehaus to ask all the questions. You'll also hear a discussion on risk management and more topics, coming up after this brief sponsor message.
Amato: Welcome back to the Journal of Accountancy podcast. This is Neil Amato. This segment is with a CPA in the Dallas, Texas, area. His name is Drew Niehaus. He's managing director at the firm Riveron. Drew, we're going to talk about a bunch of topics today, but what I'd like for you to tell me first, I guess, it's just a little bit about you and your role at the firm.
Drew Niehaus: Sure. Thanks, Neil. Yes, I'm the managing director at Riveron. I focus on accounting advisory services and governance, risk, and compliance services throughout a broad range of organizations, industries, and transactions. Riveron is a national business advisory firm specializing in accounting, finance, technology, and operations broadly, and I'm really in that accounting and risk and control space.
Amato: Now, I read a post of yours recently that mentioned companies being concerned with their own internal controls. What to you are some of the factors contributing to that?
Niehaus: Frankly, quite a lot these days. I think when considering the risks an organization faces, really the only real constant is change. In the last few years that's certainly been the case, and I'd argue perhaps that pace of change has even accelerated.
The challenge of any internal controls or governance, risk, and compliance function is really to stay in lockstep with the changing business environment. And with that accelerating pace of change, those parts of the organizations are really being tasked to keep up. If I may maybe provide a couple of areas specific.
We really saw significant capital markets activity in the last few years, and although this year the number of IPOs has subsided, those organizations that went public over the last couple of years are really still working through the challenges that this type of transformation brings.
There's the obvious increase in regulatory requirements as companies become SOX compliant within the first one to five years. But beyond that, IPOs bring capital infusions, the business then spends that money, and that leads to other changes, so things like acquisitions.
That's not true just for public companies. As we've seen IPOs taper off this year, deal volume hasn't really subsided. So business combinations are a significant change event, and that drives companies to have some angst sometimes over their internal controls and have to work to figure out what needs to change.
There are controls around the integration itself, but beyond that, you have two organizations with likely different risk taxonomies and key control definitions, and those things need to be assimilated. Or maybe the acquired organization doesn't even have a formalized risk and control structure.
There's a lot of significant effort and work to evaluate the design of existing controls and then close those gaps and standardize the control structure to align with the new parent. I know it may be burying the lead to mention the shift to remote and hybrid work environments, as you and I are talking here in a virtual forum.
But that shift happened really quickly, and companies are still changing in this regard. They have to think about how controls are being executed in a remote environment, and what's the evidence of execution? How's the data being protected?
With the increased use of collaboration tools, I think really well-prepared organizations are really training their people, thinking bottom-up and not just top-down. I think the last thing that I wanted to touch on is maybe technology. Going back to that IPO and capital infusion. Well, maybe you're acquiring companies, but you're also probably investing in technology and modernizing your tech stack.
Companies have a really wide variety of these technology solutions, and that impacts the risk and control environment. Ideally, from my perspective, risk and control should be considered in that first discussion. When implementing a new system or an application, companies really should be asking themselves if they have an integration plan. What are their existing processes and controls that are going to be impacted by this technology change? What are their change management processes and controls? Things like that that will allow for a smoother transition.
Amato: That's a good summation I think of the environment that's out there right now. Speaking of that environment, recently on the Journal of Accountancy podcast was an accounting professor from North Carolina State University, and we partner with the university's ERM Initiative, or Enterprise Risk Management Initiative, each year on a survey of the current state of risk management.
Now, obviously, we don't need a survey to tell us this, but one of the things that comes out is just, there's a lot of risk out there, and it's not going away, so how do you advise someone who knows they need to do a better job with their controls or with just managing risk?
Niehaus: Sure. You mentioned that part of that collaboration you have is around their Enterprise Risk Management Initiative, and I think that's the place to start. A robust enterprise risk assessment is step 1 when considering, "How do I manage and mitigate risk?"
But generally, I find when you say the words enterprise risk management or enterprise risk assessment, it really is a concept that means different things depending on who you're talking to. To answer your question, I guess let me level set a bit on what I mean when I'm talking about that.
Thinking about an enterprise risk assessment that defines organizational risks, performing broad outreach among company stakeholders to really get a holistic perspective of issues a company's facing.
When we're talking to clients and organizations about enterprise risk assessments, there's something that I'm generally clear on upfront is that you, Company X or organizational leader CEO, I'm sure you have a good handle on the population of the risks your company faces.
It's probably likely that there's not going to be a silver bullet or something that's completely net new that comes out of this assessment. A large part of the value when companies are assessing risks is really the broad outreach in getting that stakeholder's perspective on risks.
Because a lot of times how it works is there's a broad set of interviews, or a broad survey that goes out cross functionally within an organization, and it really gives that context around the risks, which are those that are most likely to impact the success of the business from that stakeholder's perspective.
That can help the leaders set the company's strategy and inform the controls an organization has in place. A quick example to make this a little real. Let's say a topic that's on the front of everybody's mind these days, supply chain. Manufacturing depends on its supply chain.
The relative strength and breadth of options in a supply chain is something operational leaders, CEOs, CFOs, COOs know that's a risk that needs to be monitored, but perhaps an organization has a really broad supply chain. They have many supplier options, so that risk in their mind is down just a notch from some other things.
But there may be a concentration of suppliers for a certain part that goes into their manufacturing component that's in one geographic region, and maybe that port is at risk for structural or geopolitical reasons, or even maybe that's happening in a number of ports for that specific commodity.
It's creating a trend. And those types of things are really and those nuances are really going to come from this enterprise risk assessment as you're talking to people in your facilities, in your procurement functions that are seeing these risks bubble up before maybe it gets to the level of your CEO or COO.
Amato: Now in your bio, one concept that I see come up strongly, I guess, is the concept of dealing with change and problem-solving. Is that the sort of service that can set CPAs apart you think, the ability to deal with change and problem-solve amid those changes?
Niehaus: It's funny, there's a perception, I think that accounting is black and white or pretty black and white. You follow the rules, report the financial results according to the rules. I'll never forget, over 20 years ago, my first accounting professor called on me in the class and asked if creating financial statements was like taking a picture of a company or painting a picture. I answered, "Well, it's taking a picture. You're getting a clear snapshot of the organization."
He laughed and said, "Don't worry, no one's ever gotten that right on the first day of class." He said accounting is like painting a picture. You have to interpret and apply the guidance to an ever-changing organization. It's not just the organizations that change. It's the macroeconomic around you in the regulatory environment, the accounting rules themselves, and any other regulatory environment that a company may be dealing with. I guess, Neil, that's my way of saying that dealing with change is a really big part of what CPAs do often and do really well.
In harkening back to some of the topics we've touched on at the beginning of this conversation, I think that's why CPAs are one of the core groups being tapped on the shoulder to lead the charge as organizations engage with these transformational events, IPOs, supply chain issues, something is transformative as organizations are engaging with ESG, for example.
We really have this built-in skill set to assess change, evaluate the impact, and put in the proper structure to ensure companies address it appropriately in implementation as it's happening but then sustainably over time.
Amato: We've touched on some of the ways that that ability has been tested, but I'm wondering if you can talk some about just that exact thing. I mean, not just the past two years, but really the past 15 or so with a number of risks from the Great Recession to where we are now. How's it been tested?
Niehaus: As you mentioned in the last 15 years, and you can certainly go back further if you like, the population of risks and some of these seismic events that have occurred, they've really significantly impacted the way companies operate.
Think about credit risk management, and we've talked about supply chain or migration of data, the cloud. In each of these cases, and there are many more examples, CPAs have to consider the operational risks that a COO and a CEO are thinking about as they're running the company strategically and how those translate to financial reporting risk.
One of the biggest moves in the last 15 years is in how companies work with data. I hear the phrase "people, process, technology" really often thrown about as shorthand when discussing what I do around risk and compliance, governance, risk, and compliance. But I like to add data to that. People, process, technology, and data.
Technology and data are linked, but they're different. How organizations house and manage their data is really fundamentally different now than it was 10 or 15 years ago. CPAs have really had to consider what are the risks in terms of data conversion, in mapping, when migrating to the cloud?
What are the controls in place to ensure the completeness and accuracy of the data both throughout that migration and after it? That sustainably in the future aspect that I was talking about. And even going back to how CPAs work in environments of change.
Look, the most significant new accounting guidance in decades has come out in the last five, six years in the form of the new revenue recognition standard, followed quickly by the new leasing standard. Shaping and implementing those standards required a pretty fundamental rethinking about how companies account for its core operations.
Report those operational results to investors, stakeholders, financial statement users. Translate for them, what was this change? What does it mean? How do I look at these financial statements now? Honestly, I think CPAs have thrived throughout all this change.
We've really demonstrated our value, not just in financial reporting, but really in assessing and translating operational risk and informing business strategy.
Amato: For those aspiring CPAs, whether they're in school, they're in the process of studying for the exam, or maybe just the recently certified ones, what are two or three bits of career advice or just general advice that you'd pass on?
Niehaus: Sure. My niece actually recently graduated from Ohio State. She's starting in the fall with a Big Four firm and just passed her first part of the CPA. I'd like to think that I passed along some kernels of wisdom to her, but she might feel otherwise.
Reflecting on our conversations a bit, in my experience as I work with people out of college every day, I think my first piece of advice is just that you're not expected to know everything, and in fact, you're expected to know very little. Now, your degree and your CPA Exam, those are part of your toolkit.
They are really important parts that are going to be fundamental throughout your career. You're going to need a toolkit to help clients or help organizations solve problems. But those first few years, the best tools you have are going to be your colleagues, the people you work with, and for. My piece of advice is ask all the questions.
I tell my teams, I don't worry about the people who talk too much and ask too many questions. Sure, maybe they can package them and ask them at one time rather than 15 times during the day, but that's really not an issue. The ones that I think about and I wonder what they're up to are those that I don't hear about.
Look, everyone has different styles, but what I worry is that people think they need to get the answer and that they can tap us on the shoulder and leverage the experience of their colleagues. I don't want them spinning their wheels. I wish I did that a little more in the outset of my career, not trying to prove myself that I knew everything and really asking more questions early on.
I think the other piece of advice that I'd give is really no matter what your task is, try to take a step back and do your best to understand how what you're doing, the little tasks that you're doing, fits into the bigger picture, whether it's part of an audit or closing the books each month or putting together budgets.
You're going to be able probably to re-create that spreadsheet or get the numbers to work. But that small task is really just a brick in a bigger building that's being constructed.
As you complete each of those bricks individually over your first few years, understanding what they do, how it's informing that structure is going to allow you to take a step back much earlier than maybe your peers and really see things in a way that others don't in terms of what our risks are, or even if it's not organizational risks, what am I doing and is there a way that we could do it better? Is there a way that it's been done this way in the past, but maybe it's more efficient and more effective if we change things?
Providing those kinds of perspectives and insights is what I think we all find satisfying. Being able to see the forest for the trees a little earlier in your career, I think, would go a long way towards getting you some of that satisfaction.
Amato: Drew, I really liked the painting versus the photo comparison and also the part that you just said, especially about asking questions. This has been a great conversation. Is there anything you'd like to add in closing?
Niehaus: Neil, thank you for having me on, and I really appreciate the opportunity to have this conversation with you.