Cybersecurity: Accounting professionals work to keep the public safe

Jul 11, 2022 · 3 min read

Hackers are becoming more sophisticated, but accountants are acting to help clients beef up their cyberdefenses.

It wasn’t long ago that Lindsey Whinnery, CPA, performed cybersecurity vulnerability scans and penetration testing on her clients’ IT systems just once a year.

The testing helps the financial services firms, not-for-profits, CPA firms and other clients Whinnery serves to identify gaps in their cyberdefenses that criminals can exploit to gain access to clients’ businesses, causing devastating losses to businesses and their customers.

And Whinnery has found that once a year is no longer frequent enough for this type of testing. Clients are asking for it quarterly or even monthly.

“That’s now kind of becoming the norm,” said Whinnery, a partner at CapinTech who specializes in providing cybersecurity services to clients.

Accounting professionals play a prominent role in protecting company systems and keeping company and individual data from being stolen by cybercriminals. The in-depth IT knowledge that many accounting professionals have, when combined with their expertise in creating and maintaining systems, procedures and controls, makes them ideally suited for cybersecurity roles and responsibilities.

Cybersecurity tasks performed by accounting professionals include:

  • Strategic decisions by company finance leaders on use and funding of cybersecurity systems, services and insurance.

  • Consideration of cybersecurity as part of a company’s enterprise risk management system by company finance leaders and internal audit professionals.

  • Advice to personal financial planning clients on how to protect their individual assets from hackers who may attempt to steal their identity.

  • Specialized services such as those provided by Whinnery and other CPAs who have chosen to devote their careers to this area of expertise.

“My goal is to keep my [client] organizations’ name out of the headlines,” Whinnery said. “Every day that happens, we did our job.”

When conducting the vulnerability scans and penetration testing for clients, Whinnery and CapinTech use specialized software that scans every device on an organization’s network. This helps them identify the gaps or holes in clients’ systems that hackers can exploit to gain access.

Whinnery also performs reviews of IT controls for clients in many industries and helps clients create a crisis management plan to follow if a breach does occur.

The AICPA has developed a cybersecurity risk management framework that helps organizations communicate information about the effectiveness of their cybersecurity risk management programs. The framework is a key part of the AICPA’s System and Organization Controls (SOC) for Cybersecurity engagement, which an independent CPA can perform for a client to report on the effectiveness of an organization’s cybersecurity risk management program.

Other resources that show accounting professionals’ focus in this area include a CPA cybersecurity checklist and a CGMA cybersecurity tool.

Making an impact

Whinnery enjoys doing this kind of work because it makes a difference. When a company’s systems are protected from breaches, Whinnery knows she also is protecting the data of all the customers and individuals who interact with the company.

She has a special fondness for not-for-profits. “I hate to see any organization get hacked, but a cyberattack can be especially devastating for nonprofits, because what’s getting stolen is donated funds or data on people that donate money,” she said.

Whinnery is happy to see clients’ cybersecurity measures becoming more sophisticated. More organizations are using two-factor authentication and purchasing cybersecurity insurance. Today, many companies rely on cybersecurity insurance to address their residual cybersecurity risks. Many years ago, Whinnery began seeing “computer incident” coverage added as a line item to business insurance policies for a low cost and with low benefits. Now insurance policies that are devoted specifically to cybersecurity protection have high premiums, provide significant benefits and, importantly, require a pre-insurance review to qualify.

Companies purchasing this insurance must answer a questionnaire that might be as long as 30 pages verifying that they have specific IT controls in place. An insured customer who files a claim might be required to prove those controls were in place at the time of the breach in order to get reimbursement from the insurance company.

These developments help protect companies and the public, and they reinforce the work that accounting professionals are doing to combat cybercriminals. But this work will always be needed because as controls improve, scams are evolving to become more difficult to combat.

“As organizations are building better infrastructures to protect against cyberthreats, the cybercriminals and bad actors know that,” Whinnery said. “So they’re just getting more advanced, too.”
