Matt is a principal in Baker Tilly's risk advisory practice. Prior to joining Baker Tilly in 2020, Matt worked on the risk assurance practice of an international firm for 18 years. Matt leads Baker Tilly’s cybersecurity maturity model certification (CMMC) and government contractor IT risk suite of services. He has led IT audits and cybersecurity assessments for large primes down to smaller 8A contractors. Matt’s experience includes internal auditing, SOX compliance, information technology controls, business process controls and ERP risk and controls. Examples of these engagements include CMMC readiness assessments, 800-171 implementation projects, 800-53-based ATO readiness reviews, IT Risk assessments, Sarbanes-Oxley compliance, internal audit, pre- and post-implementation assessments and privacy assessments for clients.
Matt is actively engaged in supporting government contractors, grant recipients, state and local governments and federal agencies to navigate the CMMC requirements but has extensive experience supporting NIST 800-171 and 800-53-related assessments. Matt has also run fully co-sourced, internal audit engagements for large clients (multibillion dollars in revenues) in the government contracting industry.
- Led the internal audit team for a large, prime aerospace and defense firm and large technology services firm
- Led the transformation project of a large technology company to redesign customer data handling and contractual compliance efforts creating an effective second line of defense
- Led NIST SP 800-171 and CMMC readiness assessments for government contractors
- Led technology reviews at companies ranging from mid-size organizations to the largest corporations using firm methodology or standard frameworks such as COSO, COBIT, ITIL, NIST SP 800-53, NIST SP 800-171 or ISO 27000
- Developed standard work programs for the Costpoint ERP utilized by numerous government contractors. The work programs include automated, configurable controls over all the business cycles (i.e., financial reporting, order to cash, procure to pay, hire to retire)
- Conducted pre- and post-implementation reviews of business system implementations and significant upgrades for projects as large as $20M including Oracle, SAP and PeopleSoft ERPs
- Performed or managed technical audit projects including detailed security configuration reviews over operating system, database or application configurations
- Developed cybersecurity strategy and service catalogs aligned to business objectives and risk tolerance levels
- Enhanced data protection capabilities through risk-driven data classification and control requirements
- Created a proprietary segregation-of-duties testing tool and associated test cases used by to assess user access within the Costpoint ERP
- Ran a controls integration and user access design and workstream over two years for a large, prime contractor as part of their consolidation of two large and extremely complex SAP environments into a single instance
- Information Systems Audit and Control Association (ISACA)
- Institute of Internal Auditors (IIA)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information System Control (CRISC)
