Business continuity

Business Continuity and Cybersecurity

December 6, 2017


The CPA firm is evolving. As automation streamlines some of the more basic nuts and bolts of a practice, accountants have been freed up to offer more consulting-like value-added services to their clients.

The Association of International Certified Professional Accountants (AICPA) is leading the charge in this area. They published a set of best practices surrounding a new service line that may surprise accounting practitioners who are reluctant to embrace the technology that is changing their profession. That service line is cybersecurity.

But how will accountants leverage this high-tech area for their practice? The answer is risk management and business continuity.

This post explores the connection between accountants, risk management, business continuity, and cybersecurity.

What does Business Continuity Have to Do with CPAs?

The AICPA has an entire website devoted to helping accountants transition into the cyber security assessment and mitigation arena. Helping clients develop a business continuity plan for operations, including technology, may seem like a stretch for many accountants. But the AICPA suggests that the new CPA service line follow a specific framework to create a business continuity planning process that first, defines its cybersecurity program and then develops a written risk assessment and business continuity plan suitable to present to boards or other stakeholders.

The AICPA suggests that an accounting practice seeking to evolve in this way should develop a readiness assessment for clients to help them identify cybersecurity risk. They also recommend a system and organizational controls assessment as the foundation for a business continuity plan.

Get a free assessment of your internal cybersecurity risk.

But the bad news is that few firms have the technical expertise to develop these types of consulting engagements. With the majority of accounting firms residing at the small to mid-size practice level, few have IT teams that can develop business continuity planning. Yet, many of the larger management-consulting firms already assess security as part of their methodology.

These firms use a multi-disciplinary team to provide these services, bridging the gap between accounting, risk, and technology. While these firms typically provide services to equally large companies, cybersecurity threats potentially impact small to mid-sized firms as well. There is a big gap in the market for small companies that recognize the security threats but have no plan to counteract hackers or survive the incident.

An article in the Journal of Accountancy agrees with the AICPA recommendations and concludes:

Many smaller firms lack the type of expertise needed to draw effective conclusions. While auditors, by default, are control experts, evaluating cybersecurity requires a unique understanding of the nuances of cybersecurity. Firms can either develop this expertise internally or partner with a firm that already has it.

It’s true that market demand for these services is extremely high; boards and management want to know that their liability is low both on-the-ground and in the digital space. Given that management accounting firms involve themselves daily in risk management, it makes sense to embrace technology. As compliance rules tighten, regulators are looking for companies that fail to stay abreast of the latest changes.

CPAs can target specific vertical markets, such as hospitals or medical practices, which have clearly been targeted by cyber terrorists this year. Utility companies are both highly regulated entities along with high targets for hackers. Small accounting practices can take a page from Crowe Horwath, who focuses strongly on banking and financial institutions.

It’s clear that the accounting industry is at a crossroads and must develop new services that embrace cloud technology. Business continuity is a logical next step that will evolve small accounting firms from just “tax preparers” to trusted advisor status.

But where would the small to mid-size firm even begin to change their practice to accommodate these new industry trends? The answer is to start at home.

Business Continuity Starts at Home

Perhaps the first step toward developing this service line in a CPA practice is to avoid the “do what I say and not what I do” syndrome. What we’re suggesting is that cybersecurity should start with the CPAs own infrastructure.

TOSS C3 can provide you with a network assessment and help establish your business continuity plan as the first step toward developing this area of your practice. Request a Quote to find out how we can help.




Let's Start a Conversation.

Connect with us and experience the TOSS difference.

Send this to a friend