Rapid technological development is compelling the digital transformation of all types and sizes of companies, putting the onus on their CPA firms to ensure those companies’ cybersecurity practices are effective and their data are accurate.
To add value in this era of digital disruption, CPAs must understand how different technologies are transforming their clients’ business. This is not a once-and-done exercise, due to continual technological ingenuity and innovation. Audit and advisory firms simply must keep abreast of all current and burgeoning innovations.
Audrey Katcher, CPA/CITP, CGMA, a partner in RubinBrown’s Business Advisory Services Group, spoke at the AICPA ENGAGE conference in Las Vegas on Tuesday on the top six transformative changes in companies that are driven by technology. Katcher, who has more than 25 years’ experience as a technology adviser, is a member of the AICPA Trust Information Integrity Task Force.
“We’re in the early stages of the fourth industrial revolution, where the transformative impact of these many new technologies is just now beginning to be felt,” she said in a telephone interview before the conference. “The mobile internet, cloud, and big data are yesterday’s technology drivers, while the internet of things is today’s key technology innovation. Next up are cognitive computing breakthroughs in augmented intelligence, machine learning, natural language processing, and robotics, among other technologies still incubating.”
Here are Katcher’s top six transformative client changes and their respective impact resulting from technology changes:
In many organizations, cybersecurity is “owned” by the IT function, which is tasked to implement, supervise, and maintain new systems and applications. Today, cybersecurity must be owned by the entity itself, because the location, accuracy, and security of a company’s data, and the resiliency of its network to withstand cyberattacks, represent a business and compliance issue of import to senior executives and board members.
Cybersecurity involves more than just technology networks and systems, given the people and processes that may inadvertently make an organization susceptible to a cyberattack. Cross-collaboration across the enterprise is essential.
“Finance and IT used to be occasional collaborators on IT issues, but given increasing regulatory requirements and the need for enhanced transparency (into financial data), collaboration is not optional anymore,” Katcher said. “There has to be a ‘Switzerland’ looking out for both technology enablement and the entity’s cyber-risk protection. Someone has to define the governance strategies that are in the best interests of the company.”
Technology is embedded deeply across every company today, producing a fast-changing array of cybersecurity risks. “Cyber is in everything,” said Katcher. “Although technology itself is becoming more secure, the weakest link remains people, followed by inferior processes for attack detection, system recovery, and crisis management.”
Substandard cybersecurity was evident in the recent “WannaCry” ransomware attacks that affected computers across the world. Many companies and government entities reportedly had not upgraded their Microsoft software with the patches provided to help prevent/mitigate the impact. “CPAs can help ensure, via attestations for companies, that the right people, processes, and controls are in place to help clients prevent such incidents,” Katcher said.
Here, there, and everywhere data
Every company has what IT professionals call their “crown jewels”—highly sensitive customer data such as credit card numbers or proprietary business information. Unfortunately, many businesses have not identified their crown jewels, much less who is allowed to access these data and on which types of devices. “If you don’t know where the critical information is, how can you secure it?” Katcher said.
A case in point is the vast number of employees that use cloud-based applications to conduct their work more efficiently. However, the extent of this usage is unknown, the solutions are not managed by the organization, and when an employee leaves, their information leaves with them.
“Engineering might use an app that puts the company’s intellectual property in the cloud, but since IT or someone charged with governance does not know this, the controls may not be there to protect the information,” said Katcher. “Ensuring a controlled vendor risk management program is in place to protect the most critical information is paramount.”
The transparency of cybersecurity risk management is important for the good governance of all business entities.
Corporate leadership seeks transparency into business and market data to increase the speed of operational decision-making. And boards of directors expect accurate reporting on the security of the organizations they serve. Without clear visibility into business and market data, these goals are thwarted.
“To validate the client’s cybersecurity in today’s demanding real-time environment requires transparency into their data and overall cyber-risk management,” said Katcher. “Otherwise, CPA firms may not be able to accurately present the financial figures to regulators and external auditors.”
Reporting on steroids
Reporting used to entail an analysis of the financials and the application of judgment. Today, accurate reporting depends upon how the data are input, processed, and stored, and the security risks presented in each scenario.
“Simply stating information and reporting that the data is accurate no longer is enough,” said Katcher. “CPA firms must provide evidence demonstrating that a client’s data is complete, accurate, valid, and secure. An example is SSAE 18, which provides additional guidance on how to validate ‘information produced by the entity.’”
Skill set shortages
With technology increasingly driving how business is conducted, the tasks traditionally performed in the work environment are rapidly changing. Augmented intelligence, machine learning, robotics, and other transformative technologies are combining in unique ways to replace some jobs, augment others, and demand the development of new skills. The challenge for many organizations is the dearth of talent to fill these roles.
The war for such talent that has ensued separates companies into winners, losers, and those in between. For the last two categories, talent gaps can generate cyber risks that are underappreciated. “In advising our clients, we have to feel their pain,” said Katcher. “They’re grappling with having the right skill sets in place, yet may not realize that not having these people is increasing their susceptibility to cyber risks.”
As other technologies emerge and are incorporated by companies, CPA firms have a tremendous opportunity to provide valued service. “Clients are clamoring for much-needed advice on their cybersecurity threats, information accuracy, and proper risk management,” Katcher said. “To provide it, we need to become experts. The rewards will be well worth the effort.”
—Russ Banham is a financial journalist based in Los Angeles. To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at Jeff.Drew@aicpa-cima.com or 919-402-4056.