The CPA’s Cybersecurity Toolkit: Enhance Expertise and Protect Clients
In today’s technology-saturated world, potentially harmful cyber attacks are affecting a growing number of organizations, especially those that harbor sensitive information. CPAs are often in a position of key business advisor to these organizations, and practitioners should be guiding their clients to consider cybersecurity risks and ensure that they are implementing reasonable controls designed to protect sensitive data and systems from common attacks. Some firms, however, may not have sufficient expertise to provide this type of insight to their clients.
To address these challenges for CPAs and their firms, LBMC Information Security has partnered with the Private Companies Practice Section (PCPS) of the American Institute of CPAs (AICPA) to develop a Cybersecurity Toolkit that can help CPAs better understand key cybersecurity risks, decipher common cybersecurity nomenclature, and identify the types of cybersecurity services that CPAs can offer to help their clients stay out of the cybersecurity headlines.
The AICPA Cybersecurity Toolkit Solution
While many larger CPA firms offer cybersecurity services to their clients today, medium or smaller-sized firms may not know where to begin with developing a cybersecurity service offering. The AICPA Cybersecurity Toolkit is designed to help CPA firms understand, establish, staff, and deliver cybersecurity services to their clients. To do so, the toolkit includes several artifacts that can address the following objectives:
- Help CPAs Understand Cybersecurity Issues
- Provide CPAs with Existing Cybersecurity Thought Leadership
- Outline Services CPAs Can Provide to Clients
- Describe How to Establish a Cybersecurity Service Offering
- Identify Clients Who May Need Cybersecurity Assistance
- Educate Firm Personnel on Cybersecurity Issues and Service Offerings
- Notify Clients of the Firm’s Cybersecurity Capabilities
The PCPS Cybersecurity Toolkit can be obtained HERE. While the toolkit defines a significant list of cybersecurity services that could be provided by the CPA, for firms wishing to establish a practice, the best advice is to select a few key services from the list and focus on delivering those capabilities well before trying to offer every service on the list. Firms seeking to provide one or more cybersecurity services to clients should ensure that they have sufficient knowledge and expertise at their disposal in the desired security domain. One important goal of the toolkit is to help CPAs and their firms avoid providing inaccurate guidance by taking much of the mystery out of cybersecurity issues, needs, and service offerings.
Some reading this blog may wonder why a firm with an established and successful cybersecurity consulting practice would agree to develop materials that could help other firms establish a competing capability. The answer, from LBMC’s perspective, is that our profession has been built on a spirit of “competition” over the years. Across all domains of public accounting, leading firms have contributed their expertise to our profession through participation on working groups and councils, authoring thought leadership articles, delivering speaking engagements, and using other mediums to share their expertise and raise the collective awareness of professionals. Since our founding in 1984, LBMC has proudly done the same, and we remain committed to doing our part.
A second reason is that some practitioners today may be attempting to provide services in the cybersecurity domain without truly understanding how to deliver those services effectively, leaving unsuspecting clients with a false sense of security when an engagement is completed. The toolkit can help to ensure that services and capabilities are properly scoped and conducted and that conclusions are robust and accurate so that all clients get an accurate picture of their cybersecurity posture.
Whether businesses want to acknowledge it or not, cybersecurity is a growing concern for businesses of all types. CPA firms and their leaders should be looking to help their clients be prepared for and secured against potential cyber attacks. Firms that invest the time and effort to develop an understanding of cybersecurity will be well-positioned to increase revenues, solidify the firm’s position as a trusted business advisor, and help clients protect their organizations.