At first blush, it may seem odd that the words CPA and cybersecurity would appear in the same sentence together. The fact is, the public accounting profession has long been active in helping organizations address information security. As far back as 1974, CPAs were required to consider the effects of information technology on financial statements during audits.
Since then, the natural progression has included the accounting industry’s steadfast efforts to help organizations with cybersecurity risk management. That effort has led to the development of numerous global standards for control over and reporting on information security. Today, four of the top 10 cybersecurity consulting companies are CPA firms.
Cybersecurity is no longer considered a technical or IT responsibility. It has become a regular topic in the C-suite and at the board level. As cybersecurity risk management becomes a critical business issue, choosing the best methods for mitigating risks and collecting sound information to help drive decision making is a considerable challenge.
Fortunately, there are two critical frameworks organizations can refer to that serve both as a starting point and as regular touchpoints, and one of them was developed by the accounting industry. First is the Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce. Second is the System and Organization Controls (SOC) for Cybersecurity, a reporting framework from the American Institute of Certified Public Accountants (AICPA).
The framework from NIST provides a set of standards and best practices to help organizations, regardless of their size or degree of cybersecurity sophistication, to create, guide, assess, or improve their cybersecurity programs as well as the resilience of their critical infrastructures. In that sense, it is mostly a security framework.
The AICPA, on the other hand, has developed its reporting framework to help any and all organizations regardless of their size or industry take a proactive approach to cybersecurity risk management and to communicate the effectiveness of cyber controls they have in place. In that sense, it is primarily a reporting framework, but it also serves another key need—a means to provide assurance related to an organization’s cybersecurity program.
Because the NIST framework is just one of several security framework options available to organizations, disparate standards and programs exist across companies. Therefore, the AICPA created SOC for Cybersecurity to establish a common language and common criteria for any organization's efforts to communicate and report on its cybersecurity risk management.
As a result, CPA firms that specialize in cybersecurity services can offer sound guidance across the security arc, from putting proper risk management measures in place to regularly assessing system controls and organizational processes to reporting on a cybersecurity risk management program’s effectiveness.
Here’s a brief overview of these two valuable frameworks.
NIST: Voluntary and Risk-Based
Much of the guidance in the NIST framework comes in a section called the framework core, a set of cybersecurity activities, desired outcomes, and applicable references that are common throughout critical infrastructure sectors. The core presents five key functions: identify, protect, detect, respond, and recover.
Taken together, these core functions allow any organization to better understand the life cycle of its cybersecurity risk management and more effectively shape its cybersecurity program. And they provide the foundation for establishing a sound definition of what cybersecurity should include for your organization.
It’s important to note that the framework does not replace an organization’s risk management efforts or program; it merely complements them. Some companies may leverage the framework to identify opportunities for strengthening their cybersecurity programs; others may use the framework as a reference for establishing new programs.
The five core functions (Identify, Protect, Detect, Respond, and Recover) help organize basic cybersecurity activities at their highest level. Performed concurrently and continuously, they help create an operational culture to more effectively address dynamic risks.
AICPA Reporting Framework: Scalable and Flexible
The AICPA framework provides guidance to organizations when designing and describing their cybersecurity programs. The framework consists of a series of standards designed to help develop and measure your organization’s cybersecurity program. This framework is also used by the CPA firm when reporting on an organization’s description of its cybersecurity program. This examination must be completed by a qualified, independent CPA.
As an entity, you may need to communicate only a description of your program to your board, investors, and regulators. Or you may need to include an independent opinion and assertion of that program. This may be especially relevant if you are a service provider or a supply chain organization that needs to also have your program tested to address the risk management needs and requirements of the business customers you serve. When a CPA firm provides an assessment of an organization’s cybersecurity framework, the organization receives a written report from the CPA that can be used by management and shared with other relevant stakeholders. In contrast, the NIST framework does not result in a report that can be relied on by external parties.
For general purposes, the AICPA outlines the entity-level cybersecurity reporting framework as providing three key sets of information designed to meet stakeholder communication needs.
- Management’s description. The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program. This description is designed to provide information about how the entity identifies its sensitive information and systems, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the information and systems against those risks.

  This provides the context needed to enable users to understand the conclusions expressed by management in their assertion and by the auditor in its opinion about the effectiveness of the controls included in the entity’s cybersecurity risk management program.
- Management’s assertion. Management makes an assertion about whether the description is presented in accordance with the description criteria and whether the controls within the program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
- The practitioner’s opinion. The final component in this approach is a CPA’s opinion on the description and the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
Keep in mind that the AICPA also has developed the two sets of criteria used in the engagement—one for describing the program and one for the controls. Therefore, an organization’s management and the independent CPA are sharing a common language throughout the engagement.
Put Expertise on Your Side
The world of cybersecurity is moving quickly and changing constantly. Designing, implementing, and measuring a cybersecurity program can provide assurance to both internal and external stakeholders. Enlisting the assistance of a qualified CPA firm that specializes in cybersecurity best practices can bring added vigilance, protection, and peace of mind.
Source: AICPA, SOC for Cybersecurity, a Backgrounder, April 2017.