Getting Ready for Assurance Has its Benefits



In recent months, sweeping global cyberattacks have taken thousands of businesses offline, compromising valuable data and blocking access to critical services and information assets. If it wasn’t clear before, it is now: cybersecurity is a business imperative with direct implications for overall company value. Prior to this spring, and without a common language or benchmark for cybersecurity, how do you quantify and communicate your cybersecurity risk in a meaningful way?

Enter the AICPA’s cybersecurity risk management reporting framework. Unveiled in April, the framework is intended to standardize the way organizations define their cybersecurity objectives and report against those standards in a format that works for all stakeholders.

At BDO, we work with clients to leverage the reporting framework in two key ways:

1) to design and assess a comprehensive cybersecurity risk management program, taking into account industry best practices and regulatory requirements; and

2) to undertake an examination-level attestation engagement, known as a SOC (system and organization controls) for cybersecurity examination.

BDO has been providing advisory services on cybersecurity strategy and risk management for some time. Before the new AICPA cybersecurity engagement guidance was even released, client questions started rolling in—how do we evaluate our cybersecurity risk management program? How do we talk with our board about it? What can we do to convince our clients and investors their data is safe with us?

Although a number of strong frameworks and standards have been in the cybersecurity space for some time, they are designed for an IT-savvy audience and are difficult for nontechnical stakeholders to understand. Unlike other frameworks, the AICPA’s reporting framework was designed to enable users to compare an entity’s cybersecurity efforts to those of other organizations while maintaining a degree of flexibility.

BDO uses the AICPA’s reporting framework when performing a SOC for Cybersecurity examination, which takes an enterprise-wide look at cybersecurity risk management, as opposed to focusing on system controls relevant only to a service provided to an outside party. A SOC for Cybersecurity examination is a natural extension of the work CPAs are already trained to do: We look at controls and processes and quantify risk in a standardized way. In our traditional attestation work, we’re already assessing cybersecurity risk in terms of the potential financial impacts. Now, we’re looking a level deeper, examining cybersecurity controls not just in terms of financial risk, but to the extent that they can help the entity achieve its cybersecurity objectives.

Many companies will find they haven’t yet reached the level of maturity necessary to receive an unqualified opinion in a SOC for Cybersecurity examination—which is why we recommend most companies start with an internal readiness assessment before undertaking that engagement. An internal readiness assessment gives companies a snapshot of their current overall cybersecurity health—for example, whether their cybersecurity controls align with their overarching cybersecurity objectives, if resources are concentrated in the right places, and whether there are gaps in their existing controls that need to be remediated. After performing the internal assessment, we work with the organization to develop remediation strategies or to reprioritize cybersecurity investments as needed, and communicate those changes across the organization.

In addition to SOC for Cybersecurity, the AICPA has announced plans to address other system and organization controls (SOC) engagements. First, the AICPA is in the process of updating the SOC 2® Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, to align it to the clarified attestation standards and to the 2017 Trust Services Criteria, which are used as measurement criteria for the engagement. The SOC 2 guide is expected to be issued by year end.

Second, the AICPA is developing a new attestation examination and related guide addressing vendor supply-chain cybersecurity risk. It will enable CPAs to examine and report on controls relevant to the security, availability, information processing, confidentiality, and privacy of manufacturers and distributors, so that entities who use their services can assess the risks in their supply chain and distribution networks. The vendor/supply chain guide is expected to be issued in 2018.

We see the AICPA’s SOC for Cybersecurity examination, which is performed using the cybersecurity reporting framework, as the beginning of a rapidly growing new practice, bringing together the discipline of an auditor with the tech savvy of our cybersecurity professionals. Firms can explore this opportunity by accessing the AICPA’s Private Companies Practice Section (PCPS) Building a Cybersecurity Practice toolkit. You’ll find resources that help you assess clients’ cybersecurity needs.

To find the AICPA’s cybersecurity risk management reporting framework, visit For more information on cybersecurity, visit the AICPA’s Cybersecurity Resource Center at

Jeff Ward heads BDO’s AICPA SOC for Cybersecurity/Third-Party Attestation National Practice and is a member of the AICPA’s Assurance Services Executive Committee’s (ASEC) Cybersecurity Working Group, which developed the new cybersecurity risk management reporting framework.

Gregg Garrett is the Head of International Cybersecurity in BDO’s Technology and Business Transformation Services practice.


Fighting His Way Out of IRS Penalties. Literally.

IRS penalties and fees have caused a fair amount of consternation among taxpayers in the past, but in what might be a bout for the record books, we could witness the first time a taxpayer literally fights to pay what they owe and reduce penalties.

Floyd Mayweather, widely regarded as one of boxing’s greatest, apparently owes the IRS unpaid 2015 taxes. The boxer’s recent tax court petition seeking an installment agreement with the IRS might represent his first foray into the super heavyweight category.

Mayweather’s 2015 fight against Manny Pacquiao reportedly earned him as much as $220 million, and likely represents a significant portion of the income on which the taxes are due. The $22 million Mayweather reportedly owes is tiny relative to his estimated net worth, but net worth doesn’t need to be liquid. And as penalties and interest accrue over time, it’s a safe wager the bill could amount to a knock-out blow.

The boxer has requested in his petition that the IRS await payment until his August 26 fight with Conor McGregor, which he claims will provide the liquidity he needs to meet his tax obligation: the fighter’s guaranteed purse from the 2015 Pacquiao fight was $100 million, and his upcoming fight with McGregor is expected to earn him a similar amount. Again, keep in mind, that’s the guaranteed purse—win or lose. The final amount to the winner is a composite of various factors that could boost Mayweather’s take as high as $400 million.


Tips for Eclipse 2017

On Monday, August 21, a total solar eclipse will move across 14 states of the country. The last time this was visible in the United States was on February 26, 1979. The next won’t happen until October of 2023. Given their rarity, it’s understandable why a total eclipse has people excited and even taking time off from work to watch.

Even if you’re not in the path of the total eclipse, you’ll at least be able to see a partial eclipse from most places in the U.S. Below are some tips to prepare for the event and make the most of your experience.

Check what you’ll see in your location.

Take a look at this website prior to the eclipse to see what percentage of the eclipse you’ll be able to view. The website recommends looking at multiple zip codes around you to make sure you get the best view possible. This will also determine if you want to make travel arrangements or stay put.


3 Tips for Millennials Who Want to Give Back

As a young accountant who recently passed the Exam, things are going very well for you. You have gotten into a rhythm and you know the ropes. But, you’re looking to make a difference in your community – have you considered volunteering at a nonprofit?

David Almonte, CPA, CGMA and member of the AICPA’s National CPA Financial Literacy Commission, knows the merit of giving back. He was taught from an early age the value of education, a strong work ethic and volunteerism. Additionally, his skills as a CPA have given him the opportunity to make a difference in peoples’ lives. He frequently gives presentations across the country, many of them focusing on his main passion: financial literacy. By providing free and accessible resources from websites like and, Almonte hopes to break down the walls that very often lead to financial insecurity.

Like Almonte, you too can use the skills you’ve gained throughout your career to give back. Not sure where to begin? Here are three tips to jumpstart your community service:  

  • Brag a little. You’d be surprised by how many of your talents align with activities you genuinely enjoy. Write down your talents, then research various volunteer opportunities that utilize your skills. For example, are you a pro at creating a résumé, or know exactly how to nail an interview? Oftentimes, local homeless shelters seek out professionals to lead workshops that help clients get back on their feet. Or maybe you love writing – so find a small nonprofit that needs help keeping up its blog. Just as David uses his passion for financial literacy to give back, there are countless other needs in your community. All you have to do is look.


6 Planning Ideas for Advising Entrepreneurs

If you work with entrepreneurs or small business owners, you likely have an appreciation of their vision, determination and work ethic. You may also have run into some common hurdles that can derail their finances. By focusing on the following planning considerations, CPAs and advisers serving entrepreneurs can keep their clients’ business and personal finances on track.

Choose an appropriate business form

Helping entrepreneurs evaluate key tax and nontax factors when selecting a business entity is important not only to the business’ financial success, but also to the owner’s.

Should they operate as an S or C corporation, partnership, limited liability company or sole proprietorship? What are the classes of ownership, special allocations, basis, liability, elections and distributions for each structure and the impact of these factors on the owner? Navigating these complex decisions is crucial to getting their business off on the right foot. If you are an AICPA Personal Financial Planning Section member or CPA/PFS credential holder, see Chapter 18 of The Adviser’s Guide to Financial and Estate Planning for a comprehensive overview of entity selection.
