CPAs with a specialization in information technology can help clients address cybersecurity concerns by identifying potential internal risks and offering proactive steps to safeguard valuable client and customer information. CPAs with an IT skillset, who often hold the Certified Information Technology Professional (CITP) credential, may also be able to help advise clients through a readiness engagement – preparation for SOC for Cybersecurity assurance. To help CPAs provide highly specialized cybersecurity advisory services, the AICPA offers the following resources:
- Information Technology and Assurance Management
The AICPA’s Information Technology and Assurance Management (IMTA) Section supports CPA.CITPs and other professionals with an interest in IT. The IMTA Cybersecurity Task Force develops resources to help CPAs advise clients on cybersecurity concerns, including The Top Cybercrimes whitepaper.
- Building a Cybersecurity Practice
This set of tools from the Private Companies Practice Section (PCPS) helps practitioners understand the cybersecurity risks they and their clients face and communicate with clients about how to address those risks. The tools also give firms an opportunity to offer clients the services they may need to address their cybersecurity risks. Resources require AICPA.org login; some resources require PCPS membership as well.
- Cybersecurity Risk Management Reporting Framework
The AICPA’s framework can be used to advise clients on assessing risks, establishing risk management objectives, updating policies and procedures and evaluating governance. A CPA advisor may also use the framework to help assess a client’s readiness for a cybersecurity risk management assurance engagement.
- Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria)
These criteria are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or for SOC 2® and SOC 3® engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.