How to mitigate vendor risk in a cybersecurity environment

Here’s what CPAs need to know when vetting vendors’ security practices.

By Lisa Traina, CPA/CITP, CGMA
September 7, 2015

Please note: This item is from our archives and was published in 2015. It is provided for historical reference. The content may be out of date and links may no longer function.


Organizations seeking to protect sensitive data from cybercriminals must worry about more than their own operations when assessing potential threats. Vendors represent one of the highest risk areas in an organization’s cybersecurity structure.

Did you know that many major data breaches—including those at Goodwill, Home Depot, Lowe’s, and Target—started with vendor security issues? Or that AT&T was fined $25 million earlier this year due to compromised customer information resulting from lax security at a few of its call center vendors?

A recent incident reminded me just how significant the security risk with vendors can be. I was helping a friend with some accounting issues, and we needed to access a server at her office remotely. When she told me her remote-access password was “password1,” that was scary. What was even scarier was realizing that a vendor—in this case, a small computer network support company—set up the remote access. If we can’t trust the hired computer help to be concerned with security, whom can we trust?

We recently began offering vendor review services because many of our clients were struggling in this area. Initially, we underestimated two things: the amount of time required to complete a thorough review and the number of issues that would be identified. The need for due diligence is quite real!

Performing a thorough “vendor due diligence” is critical not only when selecting a vendor, but also on an ongoing basis. This is true for third parties that host your data as well as those that have regular access to your data, including computer support vendors. You are paying for services, so you should demand security that meets or exceeds your own security standards.

Prior to beginning your due diligence, you may want to identify all vendors that have access to your personally identifiable data and what data is visible to each vendor. You may then vet vendors with a full review process or other steps, including paying them a visit and asking for a full tour of their facilities and a complete explanation of their operational and security policies. This research will complement any written documentation you may already have in hand.

Areas for reviewing vendors

Due diligence should begin with the contract. Never commit to a vendor unless the contract satisfactorily addresses crucial points including service-level agreements (SLAs), breach notification, and right to audit, among other factors. All contracts should start with a nondisclosure agreement. In addition, every contract or agreement should specifically address data security; you cannot assume that appropriate security controls are in place. This is particularly true for cloud applications. In addition to the contract, other areas should be investigated. Vendor reviews should focus on the following:

  1. IT security controls: All vendors should report on the key security measures they employ, and, in fact, many publish white papers explaining their security standards. Minimum security controls that should be in place for hosted data include:
    • Strong password parameters: complex passwords that expire periodically, strict limits on the administrative privileges granted to vendor staff, and a prohibition on vendors sharing administrative passwords and privileges;
    • Invalid-login lockout settings—e.g., three strikes and you’re out;
    • Multifactor authentication to block logins from new systems, unidentified devices, etc.;
    • Encryption of data in transit and at rest. It is worth noting that encryption at rest is sometimes an optional feature that must be switched on;
    • Limits on which resources vendor personnel are authorized to access;
    • An audit trail that identifies who, by name, accessed the systems and which data, if any, they could see and/or change.
    In addition to controls, the vendor should absolutely undergo some form of information technology audit. This may be an AICPA Service Organization Controls (SOC) report but for smaller vendors, it could be an alternate assessment providing assurances of adequate security. If you cannot obtain any security audit information, you should be concerned. In addition to a security assessment, you want to know how often the vendor conducts employee training.
  2. Financial condition: It usually is not difficult to access company financial data on large vendors—and that information definitely is worth reviewing. Vendors in poor financial condition often are more likely to take shortcuts that can compromise security. Sometimes, the vendor will have to discontinue services, leaving customers in the lurch. Smaller, privately held vendors usually don’t have to make financial information available, but you can question them about their growth rates, length of time in business, etc.
  3. Business continuity: While data security is paramount, data availability also is essential. Data is not worth much if you and/or your clients can’t access it. Vendors should have sufficient plans for backup data centers and telecommunications lines to ensure a seamless business continuity plan.
  4. Incident response: Because breaches are now considered inevitable, all organizations should have plans for dealing with one. There should be complete transparency, with all contracts including provisions for timely notification of an incident. Incident response involves the monitoring and detection of security events on a computer network and the execution of appropriate responses to those events. This issue is large enough that banking regulators recently published new guidelines pertaining to incident response, business continuity, and vendor capacity.
  5. Other issues: Vendor reviews also should examine insurance coverage, performance standards, SLAs, and compliance reporting. Vendors often do not readily provide assurance of compliance with critical standards and regulations, such as the Gramm-Leach-Bliley Act and Sarbanes-Oxley. You should demand to see those reports.

Big questions that should be answered

Your vendor reviews are not complete until you can answer the following basic, but important, questions:

  1. Did you review the correct vendor(s)? Multiple vendors may be involved with any given system because software providers typically outsource hosting functions to data center providers such as Amazon Web Services (AWS). The security information you receive is more than likely for the data center, not the company you are contracting with. You should be able to get assurances from both parties, but this is often not the case. If you cannot obtain security assurances from the primary vendor, you should be concerned.
  2. Does this vendor review the security of other vendors it uses? Every vendor will be using other vendors, and they should have due diligence procedures of their own. This is not a given. AT&T admitted that its procedures for vetting subcontractors needed improvement.
  3. Where is your data stored? This might seem simple and obvious, but it isn’t always easy to determine where your data resides. This is because vendors have multiple data centers as well as multiple backup locations. You need to know if your data is in foreign countries.
  4. Does the vendor have periodic vulnerability testing? Because exploited vulnerabilities cause so many of today’s breaches, it is important that every organization undergo periodic testing. This is not a given either. In addition to testing, the timely remediation of vulnerabilities is needed. It may require some digging to know that a good process exists at your vendor and the related data center.
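As an added illustration (not the author's tool, and not a product of any company named in the article), the following Python script turns the contract points, the minimum IT security controls, and the four "big questions" above into a repeatable gap check over a vendor profile. The three-attempt lockout comes from the article; the password-length, password-age and vulnerability-testing thresholds are assumptions and are marked as such. Both vendor profiles are constructed samples, not real companies.

```python
# Added example: vendor due-diligence gap check built from the article's criteria.
# Not the author's tool. Thresholds marked "assumed" are not stated in the article.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurityReport:
    """An assurance report the vendor hands over, e.g. an AICPA SOC report."""
    covers: str   # "vendor" (the party you contract with) or "data_center" (its host)
    kind: str     # "SOC", "alternate assessment", ...


@dataclass
class VendorProfile:
    name: str
    # Contract terms: NDA, SLAs, breach notification, right to audit
    nda_signed: bool
    sla_in_contract: bool
    breach_notification_in_contract: bool
    right_to_audit_in_contract: bool
    # Minimum IT security controls for hosted data
    min_password_length: int
    password_expiry_days: Optional[int]   # None = passwords never expire
    lockout_threshold: Optional[int]      # failed logins before lockout; None = no lockout
    mfa_for_new_devices: bool
    encrypted_in_transit: bool
    encryption_at_rest: str               # "enabled", "optional" or "none"
    admin_credentials_shared: bool
    named_audit_trail: bool
    security_reports: list = field(default_factory=list)
    # The "big questions"
    vets_own_vendors: bool = False
    data_locations: list = field(default_factory=list)   # country codes; [] = unknown
    vuln_test_interval_days: Optional[int] = None        # None = no periodic testing


MAX_LOCKOUT_THRESHOLD = 3          # article: "three strikes and you're out"
MIN_PASSWORD_LENGTH = 12           # assumed; article only says "complex"
MAX_PASSWORD_AGE_DAYS = 365        # assumed reading of "expire periodically"
MAX_VULN_TEST_INTERVAL_DAYS = 365  # assumed; article only says "periodic"


def review_vendor(v: VendorProfile, home_country: str = "US") -> list:
    """Return findings as (severity, text) tuples; an empty list means no gaps found."""
    f, high, med = [], "HIGH", "MEDIUM"
    # Contract: never commit unless these points are addressed
    if not v.nda_signed:
        f.append((high, "no nondisclosure agreement"))
    for ok, label in ((v.sla_in_contract, "service-level agreement"),
                      (v.breach_notification_in_contract, "breach notification"),
                      (v.right_to_audit_in_contract, "right to audit")):
        if not ok:
            f.append((high, f"contract does not address {label}"))
    # Passwords, lockout, MFA, privilege sharing
    if v.min_password_length < MIN_PASSWORD_LENGTH:
        f.append((med, f"minimum password length {v.min_password_length} below {MIN_PASSWORD_LENGTH}"))
    if v.password_expiry_days is None or v.password_expiry_days > MAX_PASSWORD_AGE_DAYS:
        f.append((med, "passwords do not expire periodically"))
    if v.lockout_threshold is None or v.lockout_threshold > MAX_LOCKOUT_THRESHOLD:
        f.append((high, "invalid-login lockout missing or looser than three attempts"))
    if not v.mfa_for_new_devices:
        f.append((high, "no multifactor authentication for new systems/devices"))
    if v.admin_credentials_shared:
        f.append((high, "administrative credentials are shared"))
    # Encryption: "optional" at rest is a gap until you confirm it is switched on
    if not v.encrypted_in_transit:
        f.append((high, "data not encrypted in transit"))
    if v.encryption_at_rest == "optional":
        f.append((med, "encryption at rest is optional; confirm it is enabled for your data"))
    elif v.encryption_at_rest != "enabled":
        f.append((high, "no encryption at rest"))
    if not v.named_audit_trail:
        f.append((med, "no audit trail identifying users by name"))
    # Assurance must cover the contracting vendor, not only its data center (question 1)
    covered = {r.covers for r in v.security_reports}
    if not covered:
        f.append((high, "no security audit information obtained"))
    elif "vendor" not in covered:
        f.append((high, "security report covers only the data center, not the contracting vendor"))
    # Questions 2 to 4: subcontractor vetting, data location, vulnerability testing
    if not v.vets_own_vendors:
        f.append((med, "vendor has no due diligence over its own subcontractors"))
    if not v.data_locations:
        f.append((med, "data storage location unknown"))
    else:
        foreign = sorted(c for c in v.data_locations if c != home_country)
        if foreign:
            f.append((med, f"data stored outside {home_country}: {', '.join(foreign)}"))
    if v.vuln_test_interval_days is None or v.vuln_test_interval_days > MAX_VULN_TEST_INTERVAL_DAYS:
        f.append((high, "no periodic vulnerability testing"))
    return f


def has_high_findings(findings: list) -> bool:
    return any(sev == "HIGH" for sev, _ in findings)


# Constructed sample vendors (fictional; values chosen to exercise the checks).
HOSTED_APP = VendorProfile(
    name="ExampleLedger (hosted application)",
    nda_signed=True, sla_in_contract=True, breach_notification_in_contract=True,
    right_to_audit_in_contract=True, min_password_length=14, password_expiry_days=90,
    lockout_threshold=3, mfa_for_new_devices=True, encrypted_in_transit=True,
    encryption_at_rest="enabled", admin_credentials_shared=False, named_audit_trail=True,
    security_reports=[SecurityReport("vendor", "SOC"), SecurityReport("data_center", "SOC")],
    vets_own_vendors=True, data_locations=["US"], vuln_test_interval_days=90,
)
NETWORK_SUPPORT = VendorProfile(
    name="Example LAN Support (small network support shop)",
    nda_signed=False, sla_in_contract=False, breach_notification_in_contract=False,
    right_to_audit_in_contract=False, min_password_length=8, password_expiry_days=None,
    lockout_threshold=None, mfa_for_new_devices=False, encrypted_in_transit=True,
    encryption_at_rest="optional", admin_credentials_shared=True, named_audit_trail=False,
    security_reports=[SecurityReport("data_center", "SOC")],   # only the host's report
    vets_own_vendors=False, data_locations=["US", "IE"], vuln_test_interval_days=None,
)

if __name__ == "__main__":
    for vendor in (HOSTED_APP, NETWORK_SUPPORT):
        findings = review_vendor(vendor)
        print(f"{vendor.name}: {len(findings)} finding(s)")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
```

Run as a script it prints each vendor's findings; the second profile, modelled on the small support company in the anecdote, produces fifteen, nine of them rated HIGH. The check that a report must cover the contracting vendor and not only its data center is the one most reviews miss, and the "optional" encryption-at-rest finding is deliberately rated MEDIUM rather than HIGH because it is a question to ask, not yet a confirmed gap. Re-running the script against updated profiles at least annually matches the article's review cadence.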

Most organizations do not have sufficient vendor review procedures in place, but it is never too late to start the process. And the process should be ongoing, occurring at least annually. Here’s hoping that the tips above will help you ensure that the third parties you use don’t increase your cybersecurity risks.

Lisa Traina, CPA/CITP, CGMA, is the founder and owner of Traina & Associates, which provides information systems and IT security audit and consulting services to business clients.
