Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Matt Johnson, Principal, KPMG Audit Practice and U. S. National Technology Assurance Leader.
Thanks to artificial intelligence, the rise of remote work and advanced analytics, the technology companies use to get work done and serve customers is evolving at an incredible pace. How are tech specialists in the audit field keeping up? Over a 20+ career at KPMG, Matt Johnson has been helping both clients and internal teams adapt to tech innovation and avoid technology-related risks.
He talked to AccelPro Audit about how digital transformation is changing tech assurance, executives’ increasing concern about cybersecurity risks, KPMG’s creative efforts to fill the talent pipeline, as well as his own personal career journey. While Johnson offers plenty of insight about the current tech landscape and developing your own career, perhaps his most passionate piece of advice is more strategic — focusing on how auditors can find the long-term motivation to keep learning in such a fast-changing field.
Listen on Apple Podcasts, Spotify and YouTube
Interview References:
Matt Johnson’s KPMG profile.
3:30 | 2024 KPMG U.S. CEO Outlook Pulse Survey. KPMG.
4:01 | Cybersecurity Disclosure. (December 2023). US Securities and Exchange Commission.
11:46 | Internal Control - Integrated Framework. COSO.
TRANSCRIPT
I. ON TECHNOLOGY RISKS AND REPORTING REQUIREMENTS
Jessica Stillman, Host: You're the U. S. National Technology Assurance Leader at KPMG. For those who are maybe less familiar with this side of audit, can you tell me what falls under tech assurance exactly? What does your practice cover?
Matt Johnson: We provide support for our external audits, the technology related assessments to those. And we also provide assurance through issuing different standalone attestation type reports for organizations that are looking to provide an independent assessment of the effectiveness of their operations as well. A lot of times we refer to those as a service organization type report, a SOC report.
JS: There's AI, blockchain, analytics, the rise of remote work — and tech assurance touches all of that, I imagine. How has this incredible pace of digital transformation in the last few years impacted your work?
MJ: It's impacted it in a few different ways. One is certainly the way we work; the tools that we use certainly continue to evolve. The second is what we focus on; we focus on technology risk, and so, as that landscape of risk continues to evolve, there's a lot more of them. The ecosystem is broader, the landscape continues to evolve. That's the second way.
The third is more connected to our people. It brings the first two together, both how they do what they do and what they do. And that clearly is centered around our professionals — and so investing in them and the opportunities that we see that technology provides them in their careers at our business and our clients.
JS: I want to hit on both the people side and the technology side. Let's take them one at a time and start with the technology side. Several reports and surveys that I read preparing for this interview said that cybersecurity is among the top concerns of executives and internal auditors now. Does that track with your experience, and what cyber related risks are your clients most frequently concerned about?
MJ: It does if you look at the feedback our clients share through surveys. We have a CEO Outlook survey that we have each year where we look at feedback from board members, audit committee members, and so on. Cyber over the last several years has ranked as one of the top risks on the board agenda.
I think when you look at that from a business risk, that's one lens. When you look at it as a technology risk, in other words, a risk that is exposed through technology and by technology, that's another. And so there's a lot of different dimensions in the context of cyber risks specifically that we are focused on.
JS: The SEC finalized its cybersecurity disclosure rules for public companies. What are the key points auditors need to know about those changes?
MJ: I think that really is a culmination and a recognition of the increasing interaction between technology risk and financial reporting as well as the risk to information and the integrity of information that shareholders are interested in relative to the financial markets.
From an auditor point of view, our responsibility is to evaluate management's assertions related to the financial statements. That then links to the work that we need to do, the technology risks that we need to understand in order to evaluate whether management is responsive to those risks and whether the opinions and attestations that we're issuing are in fact considering those risks. The procedures that we perform, and our understanding with respect to our client's landscape and space, is linked to that.
I think auditors need to understand the nature of the risk with respect to the clients that they're assessing, and then understand what the evolving requirements are with respect to any specific policy or rule that's been recently issued and what management's responsibility is.
JS: What are some of the headline differences between the rules now and the rules before this update?
MJ: I'd spotlight a couple of things. One, management has a responsibility, a requirement once it's effective, to have a clock on when they disclose certain information related to a material incident. That's one of the bigger headlines, the timeline that management has to report and disclose.
Secondly, the connected aspect of that is what trips that requirement, and that brings into consideration the materiality. When is an incident significant enough to actually trip that requirement to then report and disclose? And the rules certainly focus on a single incident, but also reference an aggregation concept. It may be several incidents or several types of activities that would then require, in the aggregate, for management to disclose.
And so organizations, when they look at their annual statements, the information they disclose about their risk assessment process and other types of processes related to the cyber risk, they need to understand they'll be reporting on that as part of, essentially, the management disclosure reporting requirements.
—
II. ON THE TECH ASSURANCE CAREER PATH
JS: I also want to talk about the people side of things. I understand that tech transformation is rapidly changing the landscape, not just for companies, but also for auditors themselves, how they work, the tools they use, their careers. What is KPMG doing to help auditors gain the tech skills they need to thrive?
MJ: It's a continuation of what we've always done. We've always invested in our people and that investment comes through what you would expect in terms of incremental trainings, just the focus that we have on making sure that our teams and our professionals are equipped with the evolving knowledge they need.
That's one; the other area that is a continuation is the tools. And as I mentioned before, the way that we work continues to evolve and we develop technology tools that help our teams be more efficient, help them take a lot of the work that they do on, I'll call it a tactical level, so that they have an ability to think broadly, strategically, to put the pieces together. We want to have engaging conversations with our clients and be able to bring them perspectives and insights as they do their work.
We really have a strong focus on our culture and being able to help our people develop themselves as they develop these other areas. That really works hand in glove, so to speak, to help each of our professionals unlock their full potential knowing that things will continue to evolve and change. It's not just about the knowledge, it's the idea of learning agility and resiliency and having that as an increasing skill set.
JS: That must apply not just to the organization and the team level, but to the individual auditor, as well, to have that sort of learning mindset and that interest in keeping skills up to date, because things are changing so fast.
MJ: Absolutely, and we've got to focus on that as well as all these emerging types of topics. We do have very specific skill building, core structures that we have in place. It's comprehensive. We roll that out to our professionals in a way that's both systemic, meaning that it's applicable to a variety of professionals, but also comprehensive, for those who may focus more in that area and who've chosen to have that as a focal point for their particular career or areas of business.
JS: We hear from many professionals that recruiting and staffing in the audit field is a significant challenge. There just doesn't seem to be enough people with the right skills for all the work that needs to get done. And Tech Assurance in particular, I would imagine, requires quite specialized know-how. So how do you see technology interacting with these recruiting challenges? Is it making it easier for firms to do more with less? Is it making it harder to find folks with the right skills that you can train up?
MJ: Interviewing through technology and being able to maintain connectivity and the workflow tools certainly was an enabler to what we were already doing. I would say if you step back, we continue to invest pretty heavily, even as early as high school, to attract and invest in talent starting at that stage of someone's aspiring career.
We widen the aperture significantly to the number of schools that we're touching, including trade schools, schools that are more representative of our communities where we work, where we live. It ties to our aspiration to have a really diversified workforce from just about as many different dimensions as you can think of. And that starts with our recruitment.
And then longer term, we're thinking about the strategy of what are our business needs for tomorrow? What are we doing today to align to those needs? And when we think about the relationships that we have with our university partners, those are incredibly important. We've got some great examples where we work very closely with them to invest in and contribute to curriculum, to insights, in the classroom as they have active discussions to partner for this overall goal of not just helping future KPMG professionals, but investing in students and younger professionals as they come into the workforce that we know could have an impact on anyone that's able to take advantage of that and benefit from it.
JS: I found it really interesting that you mentioned you are looking at high schools and trade schools. Can you tell me a little bit more about that? What does that look like in practice?
MJ: We have some internships that are designed specifically for those in the high school level to explore what a profession like ours could look like, what the opportunities are to connect them with our professionals, to really be role models and mentors to them. From a trade school and other schools perspective, we broaden the aperture of those that have access to apply, to be engaged with our professionals, with our brand, with what we do and how we do things. In some cases we have very specific focal points where we will invest in helping develop some of the curriculum as well.
JS: If someone is listening and thinking, Tech Assurance sounds like a really interesting field to get into. Can you talk a little bit about the path into the career? Do you need a strong computer science background and a strong accounting background to get started?
MJ: It is ideal to have an accounting background and a technology background. That could be a dual major. But, I'll tell you, a lot of the accounting majors that we're very focused on, those programs, in terms of the curriculum, are also evolving very rapidly to add more technology focused courses and content. I think the accounting majors of today look a lot like the dual MIS and accounting majors of yesterday. And I think that trend's going to continue.
As you know, the CPA exam is changing, so in ‘24 there's going to be a more technology focused track. We've seen the same trend with respect to even some of the professional organizations. COSO 2013 was updated after a long number of years to reflect the growing importance of the consideration of technology and technology controls in an organization's framework of controls.
I think you're going to continue to see this increased confluence, if you will, of technology in the accounting field. So absolutely, anyone interested in tech assurance, if you have technology aptitude and accounting aptitude, it's to me the blend of both worlds in a perfect way.
—
III. ON FINDING YOUR ‘WHY’
JS: Can you talk me through how you found your way into working in Tech Assurance? Did you start out knowing that's what you wanted to focus on?
MJ: I did not. I went to school for accounting at the University of South Carolina. I was always interested in technology and I was always interested in business and accounting. And what I discovered at the time was a relatively budding type of IT auditor profession. Some of the firms were hiring into it directly out of school. Others were not. Some of the programs at the time did not have a dual program.
I had what I would describe as an interest in technology in a business context and the business side of IT and the IT side of business. I didn't want to be a systems engineer or programmer necessarily in the deeper side of tech. I didn't necessarily aspire to have a traditional career path and ultimately land in a financial type of role like a CFO. And in my early stage of my career I really found that niche where I was evaluating technology in the context of external audits or other types of audit-centric considerations and environments.
JS: One of the ideas animating this podcast is that peers relying on each other to share information can be a powerful thing for your career. Can you talk to me about how you personally rely on peers, either inside or outside your organization, to deal with tough situations or manage career decisions?
MJ: Absolutely. I think a lot of people hear it now as your personal Board of Directors. Not just one person, but like tools in a toolbox, you have different people you lean on for different things. That has always resonated with me personally. I've had a lot of people that invest time. And I like to think that I'm able to invest time in others to be that person. Even from the time I was a staff all the way up through a partner to leading a practice, still I have people that I can call and just bounce ideas off that are not directly in the context. They have a better and different perspective.
JS: I read that you served on the board of the KPMG Asian Pacific Islander Network. Can you talk to me a little bit about the role these sort of resource groups have played in your career and the value of the work they do?
MJ: It's an incredibly important part of the KPMG ecosystem, for me specifically having lived overseas in various parts of Asia. I was born in India, and that to me was a great opportunity to give back, so to speak.
But also I've learned more than I've given. That Asian Pacific Islander network is a way to bring together people with different experiences that are perhaps experiencing common experiences or challenges and learn from one another, celebrate things that we have in common, even while we celebrate the things that are different. And when you look at Asia, and just the vast differences across the landscape of that, it's very rewarding to learn from others.
It's a fantastic way to expand our professionals' network in ways they wouldn't naturally intersect through, for example, serving on the same clients together. It's a really great way to accelerate networks that you can lean on throughout your entire career.
JS: After 20+ years at KPMG, What advice on advancing your career and climbing the ladder would you have for listeners who are looking to stay and grow within one firm long term?
MJ: I'd like to be able to say, when I first started with the firm 20 plus years ago, as you said, that I had this grand vision of being here 20 years later. I didn't. I wasn't that smart. I wasn't necessarily even that ambitious. But I would tell anybody this: start by figuring out your ‘why.’ We figure out our ‘what’ pretty quickly. What do I do? What's my title? But the reality is that we're human beings. Not human doings. I didn't figure my ‘why’ out until I was about six years into the firm and I was thinking through the context of career progression.
I was thinking through, why am I still here? What are the opportunities maybe outside? And I was able to step back and reflect on my why, and my why is to help people. Part of how I grew up, my parents did and still do mission work. We served underrepresented and underserved communities and individuals.
It really connected back to how I was raised, how I was brought up. I was interviewed for an article 10 or so years ago, and that was the first time I actually articulated, beyond myself, my why is to help people through client service, with our own teams mentoring, developing, teaching, giving our professionals opportunities and volunteerism in the community.
So everything I do with respect to KPMG is connected to my why, and I'm very fortunate to be able to do that, knowing that the organization that you're with has values that are aligned to yours, has a culture that's supportive of your why. What you do will always continue to change, so I'm less focused on what I do, as I'm focused on, is it aligned to my why?
When that happens, you really are able to work with purpose and with passion, and it's a lot of fun. And so what I've done has changed over the years. What has not changed is my ability to feel that what the firm allows me to do, aligns with my why, so that 20 plus years later, I wake up every day and I can look at my calendar and connect to my why.
When you go through a challenge, when you go through a hurdle or something that doesn't seem as engaging, it's always good to be able to reflect back and say, there's things and there's tasks that aren't necessarily as fun, but if it's connected to your why, you push through it. Do you make candles or do you give people light? How do you describe your job? That helps me focus both strategically, but also meaningfully as well.
JS: Did that shape the path you took as you looked for your next advancement or your next lateral move, whatever it might be? Was that the lens you were looking for to decide, is this the path I want to take?
MJ: It didn't serve as a motivator directly, but every opportunity I got, it did connect to that. It says, “Hey, it gives me a bigger platform to help more people to give other professionals an opportunity to grow.” If I move out of this role and take this other role, then that gives an opportunity for someone else to take and fill the role I just had to expand their opportunity, whatever it is ultimately I see that through that lens.
Listen on Apple Podcasts, Spotify and YouTube.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on October 16, 2023.
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.
