Cybersecurity is Your Professional Responsibility

Published October 31, 2016

In today’s business climate, information is priceless. Personal information that can give someone the ability to commit identity theft or fraud needs to be highly secured. Organizations in virtually every industry can be targeted and breached; therefore, everyone is at risk. CPAs have to realize that this is a very real threat, and they need to ensure that they are taking every step possible to mitigate this risk.

I’m a unique kind of CPA with a highly niched firm. My practice is completely centered on IT compliance and audit and technology risk. I serve a varied client base, from large banks to small businesses, and am familiar with a wide range of technology and security issues. My background in this area gives me a good perspective on the area of cybersecurity, and I’m able to look at it both as a user, in terms of the steps my firm is taking, and as an advisor to my clients.

Education is Key
A key first step is educating yourself on the issue and understanding that cyberattacks are a very real threat. The AICPA’s Information Management and Technology Assurance section has a number of tools and resources that can help practitioners begin taking a look at the basics and having the appropriate conversations with their clients. The Assurance Services Executive Committee recently issued an exposure draft on assessing cybersecurity risk management. This is a great place for firms to start to learn more about this area. They can use the draft to examine their own practice and see how well they are addressing the issues that are discussed. The draft explicitly states what firms should be looking for and is a valuable first step in addressing the basics. This draft can also give firms the opportunity to gain exposure to this type of work and consider to what extent they would like to extend those services to their clients.

In addition to the AICPA’s resources, there are many resources out there that can help give practitioners a working knowledge of cybersecurity and the current issues firms are facing. I would encourage firms to seek out information from a number of sources. Look at reference tools or find CPE on the topic. For example, the IRS provides a number of publications that discuss what they expect practitioners to do in order to safeguard information. In addition, sole practitioners and small firms can refer to checklists from the Small Business Administration.

Throughout the technology industry, there’s a lot of noise around cybersecurity. There are so many vendors and products out there, and it’s hard to determine which is best. As a practitioner, you’re already challenged to keep up with your practice and likely don’t have much time to research all of the options and alternatives. Keep in mind that one of your core skills as a CPA is managing risk. Block out the noise and make the effort to understand what the true risks are for your environment. Security is not a one-size-fits-all solution. Different firms will have different needs depending on the type of services you are providing and the kind of information you are entrusted with. Take the time to assess what your risks are and then work to identify solutions and internal controls that bring that risk to an acceptable level.

Focus on the Basics
As CPAs, we need to set the example for our clients. A large part of our professional responsibility is protecting the information that has been entrusted to us. There are a number of basic items that every practitioner should be doing in order to fulfill that responsibility. For example, if you’re using laptops, encrypt them, protect them and don’t leave them unattended in insecure locations. In addition, ensure that you have appropriate malware protection on all of your devices. Try to avoid personal web surfing on your business devices. And don’t underestimate the importance of the human factor. You can have logical security and excellent programs in place, but those are only as effective as we make them. The best designed systems can quickly be circumvented by a user not doing what they should. Be sure to take the lead and be an example for your staff and clients on how to appropriately manage cybersecurity.

In today’s environment, technology drives business. Increasingly, business models rely on technology to deliver services, and CPAs need to understand the basics from a business management perspective. You don’t have to be an expert, but you need to know enough to understand what the issues are and be able to have intelligent, helpful discussions with your clients. In order to remain relevant, you have to demonstrate that you understand the risks and how they can affect organizations. Clients are clamoring for people who understand both the business and the technology side of management, and we are uniquely positioned as a profession to do just that. Cybersecurity is one of the largest risks as it relates to technology, and it is an ever-present factor. Start with your own practice and ensure you are taking every step to minimize any cyber risk.

Joel Lanz, CPA.CITP, CISA, CISSP, CISM, CFE is a sole practitioner based in Jericho, NY. Joel is the current chair of the AICPA’s Information Management and Technology Assurance Executive Committee.

© 2017 Association of International Certified Professional Accountants. All rights reserved.