Protect Your Reputation through Cybersecurity Due Diligence 

by Audrey Katcher, CPA, CISA, CITP, CGMA and Robert Rudloff, CISSP-ISSMP 

Fraud is not a new issue. Criminals have been taking advantage of the trust and naivety of others for their own personal gain for centuries. However, the advent of the internet and constant advances in technology mean that these tactics can now be used to attack on a much wider scale. For example, a phishing campaign can send emails to millions of potential victims in seconds. With more information moving to the cloud, increased use of mobile devices and the expectation of being connected through technology at all times, everyone is increasingly vulnerable to cybersecurity attacks. RubinBrown’s cybersecurity practice area aims to help clients with cybersecurity controls and posture at a time when protecting data is more important than ever.

It’s critical that CPAs realize they have a responsibility to their clients to take every reasonable measure to protect the information they are processing. Firms should strive to take on that trusted adviser role and ensure that they are mitigating the risk for themselves and their clients. A valuable first step is to get as informed on the topic as possible. The AICPA’s Information Management and Technology Assurance (IMTA) section and Cybersecurity Resource Center, which aggregates information, news and events from a number of AICPA teams, are great places to start. They offer a number of valuable resources and tools, including webcasts, podcasts and articles, which can help firms stay abreast of developments and new threats that could affect their practice. On a broader scale, a number of resources are also available through organizations such as the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA). SANS Securing the Human, a security awareness program, is another valuable resource for firms that want to stay informed.

Develop Solutions that Fit your Firm
Firms need to make sure they have a good understanding of the data they are managing, where it’s located and to what level it needs to be protected. Not all information is the same, and you need to ensure the controls you implement are appropriate for the data with which you are entrusted. Make a serious assessment of where your firm stands in terms of its internal controls and processes, and be honest with yourself about your strengths and weaknesses. It can be easy to get stuck in a “we’ve always done it this way” line of thinking, and it may be difficult to conduct those assessments and make the changes necessary to address the gaps they reveal. However, this process is vital to protecting your firm and your clients. Ideally, the internal controls you have in place will fit your business model and actually enhance the work that you are doing.

Another key piece of cybersecurity is performing due diligence on the external vendors you use. Testing and validating those entities for security is just as important as doing it for your own firm. A recent Ponemon study found that 39% of third-party vendors wouldn’t disclose if they had encountered a security breach. For fourth and fifth parties, that number increases to over 70%. With percentages this high, CPAs should certainly analyze and research the outside entities they rely on, whether for processing tax returns or hosting their secure client portal. As cybersecurity becomes an increasingly prevalent issue, our firm expects to see more organizations doing their own security testing in a way that can easily be shared, such as a SOC 2 report. When you receive such a report, read it rather than file it: confirm that the system and services described in its scope are the ones your firm actually uses, that the period covered is current, and that any exceptions the auditor noted and any controls the report expects you, the customer, to operate are addressed on your side.

You Can Never be too Careful
In today’s business climate, everyone should keep cybersecurity threats top of mind. If something seems off, take the extra step to ensure you are not opening the door for a cybersecurity attack. An increasingly common type of attack is business email compromise, or CEO impersonation, in which an email that appears to come from an executive or client requests an urgent payment or a change to account details. A simple control defeats most of these schemes: before acting on such a request, call the requester at a number you already have on file, not one supplied in the email, and confirm it. CPAs are extremely busy and can easily get caught up in their client service roles and task processing. Take the time to think through the information you are processing and trust your intuition. Clients won’t mind a quick call to validate a request, and it will demonstrate that you are making the effort to protect their data.

In addition, aim to design controls for your firm around the way you actually do business. Make sure you have a solid understanding of what information you are creating and gathering, and know how it is processed and stored. As new systems are brought in or changes are made within your firm, take the time to build in security up front rather than implementing the changes and trying to bolt on security after the fact. Ensure that your employees have the proper training and understand how to protect all types of data within your firm. CPAs owe it to their clients to address cybersecurity, and they need to make sure they are doing their part to protect firm and client information.

RubinBrown, LLP is a Top 50 firm with offices in Denver, Kansas City, St. Louis and Nashville. Audrey Katcher, CPA, CISA, CITP, CGMA and Robert Rudloff, CISSP-ISSMP are partners.
© 2017 Association of International Certified Professional Accountants. All rights reserved.