CPAs Well-Positioned to Help Manage Cybersecurity Risk
Cybersecurity is becoming a critical issue as consumers increasingly entrust their most confidential information – including Social Security numbers, tax identification numbers and financial information – to companies that store this data electronically. As companies look for third-party assessment and verification of their cybersecurity risk management program, CPAs are well-positioned to provide these services – and the more comprehensive definition of attest that many states have adopted ensures that only CPAs can provide cybersecurity attest services in accordance with the AICPA’s high standards.
Attest services are those services that are limited to licensed CPAs and can only be performed by licensees through CPA firms. They include audits, reviews of financial statements and examinations of prospective financial information.
In 2014, the AICPA and the National Association of State Boards of Accountancy released a more comprehensive definition of attest in the Uniform Accountancy Act (UAA) that restricts all services performed under the AICPA’s Statements on Standards for Attestation Engagements to CPAs – including attest services like SOC 1® and SOC 2® on security, availability and privacy controls. Under the previous definition, only services performed on financial statements were restricted to CPAs.
Thirty U.S. jurisdictions have already adopted the new comprehensive UAA definition of attest, and more states are looking to do so in 2016. Lawmakers realize that allowing non-CPAs to issue reports using AICPA standards and language associated with CPAs presents a threat to the public interest. The profession provides a basis for the public to expect competence, expertise, quality and regulatory oversight. When non-CPAs utilize AICPA standard reporting language, there is a risk that the public will be misled into believing the same oversight and quality control is being applied.
Oversight is vital because as the amount of information stored digitally increases, so too does the amount of cybercrime. The Ponemon Institute forecasts an 82% net increase in cybercrime over the next six years. In December, President Obama signed the Cybersecurity Information Sharing Act into law in an effort to prevent data breaches and incentivize information sharing. The Commodity Futures Trading Commission (CFTC) also recently issued proposed rules on cybersecurity that would require companies to produce a standardized summary of cybersecurity test results. Currently, there is no single approach or professional standard for security assessment services. CPA firms providing attest services could help companies meet new regulations like those proposed by the CFTC.
In fact, CPA attest services have the potential to be the marketwide go-to for evaluating cybersecurity risk management programs, and the updated definition of attest protects the public by restricting attest services to CPA firms. Given the sensitive nature of the data stored by businesses today, it is essential to have a high level of independence, technical skills and objectivity when assessing the security surrounding consumer information. Attestation services all meet a set of common standards. Companies can be confident that CPAs using professional standards are complying with the AICPA Code of Professional Conduct, meeting required technical training and proficiency, maintaining independence and ensuring there is a satisfactory amount of evidence before expressing an opinion in the report. While it is management’s final responsibility to ensure consumer data are protected, an audit firm’s attestation services can provide an objective assessment and allow a company to evaluate its cybersecurity risk management program, as well as its capability to recognize and respond to data breaches.
As cybersecurity concerns continue to grow, CPAs have an opportunity to lend their professional expertise and standards to a new set of services. The accounting profession is best situated to step in and provide the independent third-party verification so many companies are seeking regarding cybersecurity – and the updated definition of attest protects the public by mandating that only CPAs guided by strict professional standards and who are party to appropriate oversight can provide these services. Learn more about the role CPAs can play in the cybersecurity landscape and access news and information at the AICPA’s new Cybersecurity Resource Center (aicpa.org/cybersecurity). Also, an upcoming webcast, February 26, 2016, from 1:00 to 2:00 pm EST, discusses cybersecurity from a governance and audit committee perspective.
Julia Morriss, Project Administrator, State Regulatory and Legislative Affairs. Julia Morriss monitors and tracks state legislation and regulation that impacts the accounting profession. She holds a Bachelor’s Degree from American University’s School of Public Affairs, with a minor in Accounting.