Cybersecurity … a term we continue to hear more and more. In a blog I wrote earlier this year on the 2017 trends and predictions for the CPA profession, I identified cybersecurity as being a top priority in 2017. This prediction seems to hold true.
In the first five months of the year, two white papers have been published specific to cybersecurity and the CPA profession. In February, the AICPA published a white paper on the top cybercrimes including how CPAs can protect themselves and their clients. In May, the Center for Audit Quality published a white paper titled The CPA’s Role in Addressing Cybersecurity Risk. The remainder of this blog will highlight some of the recent developments in cybersecurity as it relates to the CPA profession.
The top cybercrimes identified in the AICPA’s white paper include tax refund fraud, corporate account takeover, identity theft, data theft and ransomware. At this point, I’m sure everyone has heard of all of these. The biggest challenge is how you, as a CPA, can help your organization or clients avoid being a victim of a cybercrime. Savvy cybercriminals are always finding new ways to circumvent existing security and controls to access information and systems. The constant changes in technology contribute to their effort. Small- to medium-sized businesses are often the target of cybercrimes as there is an expectation that these organizations will have weaker security and controls in place.
CPAs can play a significant role in addressing cybersecurity risks within their organizations and at their clients. In order to play this role, CPAs must first understand the top cybercrimes so they are in a position to educate others within their organization and at their clients to help them understand the cybersecurity risks they may face. CPAs can also provide guidance for strengthening policies and procedures to minimize these risks.
In response to the rapidly increasing concern over cybersecurity risks, the AICPA has launched a cybersecurity risk management framework that can be utilized by organizations to communicate information about their cybersecurity risk management program to various stakeholders. There are three key components to the framework:
- Management’s description of the entity’s cybersecurity risk management program.
- Management’s assertion about the presentation of its description and that the controls management implemented are operating effectively to achieve the entity’s cybersecurity objectives.
- CPA’s opinion on management’s description and the effectiveness of the controls to meet the entity’s cybersecurity objectives.
This new framework provides opportunities for CPAs in both public accounting and industry. CPAs in industry will be an instrumental part of developing management’s description and assertion. CPAs in public accounting have the opportunity to provide additional value to their clients in performing the cybersecurity examination.
CPAs already possess several strengths for addressing cybersecurity challenges. The Center for Audit Quality’s white paper identifies these strengths as adherence to independence, objectivity and skepticism; experience in independent evaluations; and multidisciplinary strengths. Ultimately, utilization of the framework can help ease cybersecurity concerns internally and externally.
The Indiana CPA Society and AICPA have resources available for addressing cybersecurity, including CPE courses. It is imperative for CPAs to have an understanding of cybersecurity risks and cybercrimes.
What is one thing you can do as an individual or organization to enhance your knowledge in this area to better serve your organization or clients?