An AICPA framework enables CPAs with cybersecurity expertise to perform new services for clients.
By Russ Banham
As trusted business advisers, CPAs find ways to help their clients achieve their business objectives. Now, under the AICPA’s recently issued cybersecurity reporting framework, CPAs have an opportunity to expand the services they offer to help clients manage and understand cyber risks. The framework is supported by two distinct but complementary sets of criteria that enable clients to describe their cybersecurity risk management programs and evaluate the effectiveness of controls within those programs. In addition, CPAs can use the framework to evaluate (and in some cases report on) the client-prepared cybersecurity information.
The new cybersecurity risk management framework creates opportunities for:
- An entity’s management to describe its cybersecurity risk management program.
- CPAs to perform a consulting engagement to help a client’s management develop a description of its cybersecurity risk management program to provide to the board and other internal parties who are interested in that information.
- CPAs to perform a consulting engagement known as a “readiness assessment” to help a client identify where its cybersecurity processes and controls may need to be shored up.
- CPAs to perform a System and Organization Controls (SOC) for Cybersecurity examination engagement to assess the client’s cybersecurity risk management program. Either or both of the consulting engagements may be performed as a prelude to the examination service.
The new engagements require specialized expertise, given the evolving nature of cyber risks, the potential for management to fail to identify appropriate risks, and a firm’s potential liability for overlooking or underappreciating a cyber threat in its attestation. Because of the specialized skills required, many firms that lack the appropriate expertise will be unable to offer these services.
Nevertheless, for some firms the benefits of establishing the new practice line may outweigh the challenges. The primary reason is one of demand: Boards of directors and audit committees want greater assurance and transparency that the companies they serve are establishing effective cybersecurity management programs.
“Fast-changing regulations are being published with severe and prescriptive language, such as ‘do this’ and ‘don’t do that,'” explained Rod Smith, CPA, a managing director at Crowe Horwath LLP. “At the same time, there are a lot of different cyber risk frameworks in place today, some of them unique and others overlapping. Companies have to satisfy regulators’ increased expectations, and until now [we] haven’t really had a good vehicle to provide this assurance.”
A voluntary framework
This “vehicle” is the AICPA’s new voluntary cybersecurity reporting framework, which includes the three elements described in the table “Cybersecurity Reporting Framework.” The two complementary sets of criteria that support the framework are presented in the table “Criteria Supporting the AICPA Cybersecurity Reporting Framework.” The narrative description of the company’s cybersecurity risk management program, which is prepared by management, enables report users to better understand the context in which key security processes and controls operate within the entity’s cybersecurity risk management program.
Use of the description criteria to prepare the description provides companies with a common language to use when providing information about their cybersecurity efforts to interested parties such as boards, investors, and regulators.
Under the framework in the “Cybersecurity Reporting Framework” table, management also makes an assertion about whether the description is presented in accordance with the description criteria, and whether the controls within the program were effective to achieve the entity’s cybersecurity objectives. CPAs can engage to consult to assist management in developing the description and in performing the readiness assessment. CPAs also may be engaged to perform an examination engagement to express an opinion on the description and the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives, which is the last element of the reporting framework in the “Cybersecurity Reporting Framework” table. The resulting cybersecurity examination report can be provided to report users, including a company’s investors, cyber risk insurers, and users of its products and services. “Although it is voluntary, it nonetheless serves a need in the marketplace that is currently underserved,” Smith said.
Gauging the opportunity
Many large public accounting firms already provide their clients with security-controls-related services, ranging from advisory services to examinations (for example, SOC 2 examinations). Firms that provide these services generally have multidisciplinary teams that bring a unique combination of strengths to the table—experience providing examinations of IT security controls performed using the rigorous approach required by professional standards combined with extensive expertise in IT and cybersecurity.
While clients of these firms often are publicly traded companies with large risk profiles and critical business partners, cybersecurity threats are not confined to large entities. Business enterprises of all sizes and in all industries are susceptible to them. Thus, midsize and smaller accounting firms may want to assess their clients’ cybersecurity needs, as well as the competencies necessary to provide cyber services to those clients, when determining whether to enter this space.
“Many smaller firms lack the type of expertise needed to draw effective conclusions,” said Mark Burnette, CPA, a shareholder at LBMC PC. “While auditors, by default, are control experts, evaluating cybersecurity requires a unique understanding of the nuances of cybersecurity. Firms can either develop this expertise internally or partner with a firm that already has it.”
Others agree. “There’s plenty of work to go around, but for many firms it requires additional expertise,” said Jeff Ward, CPA/CITP, CGMA, national managing partner of third-party attestation services at BDO USA. “This is simply a natural progression of financial audit. Firms increased their technical expertise from SOC 1 to SOC 2 to address things like data center risks. The new framework is the next iteration.”
He added, “Since cyber risk affects every business, companies naturally will turn to their current providers first for the attestation.”
Smaller CPA firms must anticipate this possibility and prepare to provide a response. To provide the service, Ward advised they reach out to create partnerships with peer firms in their state societies and form industry alliances, or recruit needed skill sets.
The effort may well be worth it. “Many CPA firms are aware of the demand for these services,” Burnette said. “Board directors and audit committees are asking the firms about the effectiveness of their companies’ cybersecurity practices. They’re looking for an independent attestation, seeing that as more definitive than an internal report by the company’s chief technology officer or the vice president of IT.”
Marketing and pricing
Although businesses are not required to adopt the AICPA’s reporting framework, CPA firms may wish to explain the merits of the new services to clients. Firms can educate their clients on the level of consistency the new framework provides in the context of cybersecurity reporting and related assurance. “It’s up to our profession [for the framework] to gain traction,” Burnette said.
He projected that as more companies engage firms to provide a cybersecurity attestation, their business partners will follow suit, creating a domino effect. “The sooner a CPA firm can establish a qualification in a particular domain, the easier it is to parlay that expertise into additional opportunities, by pointing out the prior experiences and how they have learned from them,” Burnette added. “One of our best marketing strategies when we talk to clients about our cybersecurity attestations is to share what we’ve already seen and learned, and how we’ve adapted our approach and work efforts based on that. That sends a clear message that we’ve got the experience to make the [attestation] as efficient and as minimally invasive as possible.”
Some CPA firms target their cybersecurity services to specific markets or customers. For example, BDO markets its cybersecurity services to highly regulated industries like utilities and health care institutions, which are at significant risk of a cyberattack or disruption. Crowe Horwath has a similar focus on the banking and depository institutions it serves. In both cases, the sectors’ vulnerability to cyberattacks and their related regulatory obligations are likely to make attestations more attractive to their boards and senior management.
Technology companies, such as cloud-based providers that store client data, are also at high risk of cyberattack. Such businesses are open to the idea of a more consistent cyber risk management framework. “Our customers have different levels of maturity in terms of information security and the unique and changing regulatory compliance issues they confront,” said Max Solonski, chief information security officer at BlackLine, a cloud provider of financial and accounting software. “[CPA firm] Moss Adams handles our SOC 1 and SOC 2 reports, and we would certainly be interested in them conducting an independent attestation to further validate the adequacy of our security levels, based on the needs of our clients.”
With regard to pricing the new examination, Smith of Crowe Horwath advised that interested parties calculate the costs of needed resources, particularly new hires and training of existing staff, and factor in the possible need for additional liability insurance protection.
“We’re in deliberations right now trying to figure out what the new engagement means in terms of liability insurance, given the opinion risk,” he explained. “We want to be sure we estimate the effort properly and price it accordingly. And we plan to do plenty of due diligence before accepting a client.”
LBMC is doing the same. “We already have cybersecurity experts who know what it takes to properly assess a client’s security posture, so we should be able to develop an [engagement] plan and make a per-hour estimate of how long it would take for them to perform the procedures necessary for the new cybersecurity risk management program attestation,” Burnette said. “We’ll then plug that into a budgeting tool to calculate the rate per client and adjust our processes and budgets as we perform a few of these engagements and learn from the assessment process. It’s a work in progress.”
BDO, Crowe Horwath, and LBMC all plan to offer the new examination and expect that at some point in future the AICPA framework is likely to become widely adopted.
Russ Banham is a veteran financial journalist based in Los Angeles and is the author of more than two dozen books.
This article was originally published in the October issue of the Journal of Accountancy.