Cybersecurity advisory opportunities for firms of all sizes

Hosted by Drew Adamek and Neil Amato

Cybersecurity is a rapidly expanding opportunity for firms to offer advisory services. In a preview of an ENGAGE 2021 panel, Journal of Accountancy senior editor Neil Amato speaks with Steven Ursillo, CPA/CITP, CGMA, partner, risk assurance and advisory national leader at Cherry Bekaert, about how firms of any size can identify, prepare for, and take advantage of cyber advisory opportunities.

Also, Drew Adamek covers the IRS's new Tax Pro Account and recent changes to FASB lease accounting standards.

What you'll learn from this podcast:

  • The skills that firms need to add or enhance to bolster their cyber advisory capacities.
  • How to identify cyber advisory opportunities for your firm.
  • What types of cybersecurity engagement opportunities may exist for your firm.
  • How smaller firms can take advantage of cyber advisory opportunities.
  • The different ways that firms can enter the cyber advisory space.

Play the episode below or read the edited transcript:

To comment on this podcast episode or to suggest an idea for another episode, contact Neil Amato, a JofA senior editor, at


The daily news is filled with reports of growing cybersecurity risks: Costly ransomware attacks are on the rise, the U.S. government recently accused foreign governments of corporate hacking, and an unfolding spyware scandal has engulfed politicians, business leaders, and journalists around the world.

This growing risk landscape can be a significant advisory opportunity for accounting and finance professionals.

I'm Journal of Accountancy senior editor Drew Adamek.

This week on the podcast my colleague, Journal of Accountancy senior editor Neil Amato, talks to a cybersecurity expert on how firms can establish, or improve, cybersecurity advisory practices.

And later, I'll recap some of this week's accounting news. But first, a brief message from our sponsor.

Neil Amato: Welcome back to the Journal of Accountancy podcast. This is senior editor Neil Amato. AICPA and CIMA ENGAGE 2021 is approaching quickly with live and virtual sessions in Las Vegas the last week of July.

One expert presenter is Steve Ursillo, a CPA who serves as partner and national leader for the information assurance and cybersecurity practice at the firm Cherry Bekaert. Steve is speaking on cybersecurity advisory opportunities for firms.

Steve, first, welcome to the podcast. What kind of staff expertise is needed for firms to get started on offering cybersecurity advisory services?

Steve Ursillo: Well, thanks, Neil. It's certainly a pleasure being here and I'm certainly looking forward to the in-person session at ENGAGE, so very, very excited on that front. That's a great question. I get that quite often actually. You know, when we talk about what type of expertise is needed, it really depends on what the overall strategy is, but when you think about the session and the content that's going to be presented as it pertains to building or implementing a cybersecurity advisory practice, it's really appropriate for all levels. Right? So really the staff expertise from the partner or leadership level should be somebody who's actively looking to build and manage a cybersecurity practice.

They should know enough about the subject matter. Obviously, like any of our technical standards require knowing enough about the subject matter and the content obviously to be proficient and be able to practice in that area. And that can be kind of an incremental approach depending on where that partner or firm leader may be in their journey along with cybersecurity content scale.

But in many cases it's those firm leaders that are really the entrepreneurs that are trying to look at an opportunity to build that out, whether it's through their own knowledge or looking at other leaders that they may be bringing into the firm in order to carry that torch, whether that's hiring somebody or building out that next tier of leadership there. So it's certainly relevant there.

From the manager or senior manager perspective, it's a great opportunity for a practitioner who has a desire or a skill set in this area that wants to evolve into a practice. And those particular types of folks certainly have an opportunity to enhance their cybersecurity knowledge base or capitalize on training or experience that they've already acquired all along the way in their professional journey and be able to apply that in some of the advisory offerings that you see in many firms. And those managers or senior managers are typically well versed in cyber governance and also some of the more technical aspects of service delivery around the cyber subject matter.

It also, like I said, gives them a great opportunity to find kind of a niche for themselves as it pertains to maybe building out something that a firm leader or partner doesn't necessarily have the resources for within that practice.

Next part of that would be just the staff, so the associates, you know, those entry-level folks that are coming in that have a passion for cybersecurity. Typically, you're looking for people who have a good understanding of risk and control, technology, cybersecurity. They're coming in and they want to kind of put all that together.

Then, depending on where you're practicing, it's that conundrum: whether you're a technical executor providing advisory services on implementation and support versus somebody who is reviewing architectures versus somebody who is going in and matching up against governance and other frameworks and different protocols. There's going to be a different path and a complementary path in certain cases. Some of those groups, some of those associates and staff may be technically inclined to get into incident response or penetration testing, which is obviously a much deeper technical skill set than somebody who is reviewing some cyber governance programs and things like that.

So it really just depends on what that staff is looking to accomplish. And they may be coming in and see a great opportunity to excel based on their knowledge and understanding of the subject matter as it pertains to what the firm's overall strategic objectives are in their cyber advisory program.

Amato: You touched on it a little bit, but what are the types of engagements firms can start to take on in the realm of cybersecurity?

Ursillo: That's also a very common question that I hear. The journey for different firms is going to be different depending on what their backgrounds are and what they're already providing.

If you have a firm that's a traditional firm providing audit and tax and they're looking to come in on the cybersecurity advisory front it may be different than if you have a firm that has a pretty mature or a more mature technology consulting practice. So there may be a more technical side of what they're going to do on the cybersecurity side that may be different than the risk and control and governance aspect of it.

So a couple of different avenues that you could come in. I would say a very common one is that many CPA firms are doing some level of IT risk and control engagements, whether that's support for financial statement audit or it's a deeper dive into their IT risk assessments or they're helping organizations navigate through some maybe best practice cybersecurity controls, depending on, once again, the maturity of the organization, the resources they have, the actual regulatory requirements that they're matched up against, whatever it may be.

It is common to see kind of that quick start to really try to catapult off of ICFR and financial reporting controls and then go into the cyber compliance piece.

As you mature in those offerings and more and more technical resources become available, then that opens the floodgates for a lot of other services, right? You can go through all of the different cybersecurity requirements and help either on the implementation, the consulting, the reviewing, the monitoring, or even just the formation of their cybersecurity governance program.

And then within each of those requirements there are technical and procedural-based elements that organizations don't have the resources, in many cases, to execute on, so you can augment that, whether that's in a project management perspective or getting in and facilitating elements of that project or provide even managed services there.

It really depends on where you are. Firms take a role in providing attest or certifications around subject matter for third-party risk management purposes or giving assurance to third parties on the depth and transparency of the cyber programs that they have.

Typically, you have to have the subject matter expertise around not only cybersecurity components but also the cyber criteria that they're measuring up against for those examinations. And then there's also obviously the deep knowledge of the standards, the examination standards that you may be reporting on, whether it's SSAE or if you're doing it under an advisory and consulting nature, just understanding how to report on those consulting standards.

So those become different elements on the delivery of whatever engagement that you're going to do. But as I said before, as those technology resources increase and the more cyber depth is added to the practice, that opens up a lot of opportunity to do deeper dives in cyber privacy and data risk management services from governance all the way down to more formalized risk management programs with clients. In addition to some of those technical cyber advisory services that might come in the way of consulting for architecture, identity access management, different solutions that may be put in in order to help orchestrate and navigate the current threat landscape.

Vulnerability and penetration testing could be another opportunity. Social engineering and employee awareness training is a common one. Even configuration management, so a lot of organizations are moving to the cloud, and they need assistance on deploying and understanding the best practices for the cloud configuration and security management within those environments. So applying that at the different layers is certainly something that's an opportunity for firms to practice on.

If the firm has the right expertise, they can get involved in helping organizations navigate their software development life cycle and get into secure configuration management and helping them navigate and really apply those best practices in that particular domain. There are also elements of this that you can do, like I said, ad hoc or from a managed security perspective.

If you're dealing with transaction advisory folks, cyber due diligence is a big area to play and making sure that in either pre- or post-transaction the cyber risks are mitigated to a tolerable level. You also have incident response and breach coaching that organizations could play a part, you know, either planning for a breach or post breach, responding to and getting back up and running and navigating any future risks around what those initial root causes were.

Amato: Some people might be listening to this and they're a smaller firm and they might think, oh my gosh, how can I do this? But one aspect of, I think, your presentation is that firms don't have to be large to make this happen. So how does a smaller firm get into doing this cybersecurity advisory?

Ursillo: There are a number of different opportunities depending on whether you're a small, medium or large firm. You certainly have the opportunity to get in. It's just a matter of how you're going to place that and how you're going to think about your overall delivery strategy and the type of cyber services you want to deliver on. I use an example, and I'm not a tax person, but I use the example commonly that there's different elements of tax. There's individual, corporate, and estate tax. There's international tax. So depending on your expertise, if you're going to get involved with tax there are certain areas that you may specialize in. It's the same thing in cyber.

So really understanding the strategy as to where you want to be, what fits the firm path and profile to get there, what type of expertise you need to have in order to get there is really important. Then you take a step back and say where are we in this journey? Do we build it?

So I went back to kind of earlier conversations. Do we have a motivated key stakeholder within the firm, partner, director, senior manager that is willing to kind of roll their sleeves up and really take this initiative, get themselves educated on all facets of the delivery expectation, and then carry that forth and really take it to the next level, which would obviously build a great opportunity for that particular firm to diversify into the cyber area or are you going to partner?

Are you going to look at maybe some elements of the service delivery yourself, but then partner with some specialty groups out there and maybe tuck them into a part of your service offerings. Right? And that's certainly a viable solution. You see that happening as well.

There's still a need to make sure that the key stakeholders and the service delivery partners are technical enough to understand the nature at which they are delivering and the quality of the work being done by those partners, but certainly can leverage those partners in understanding what is needed and getting the overall service out the way it needs, or you could potentially buy. Obviously there is opportunity there for other businesses and firms and individuals who are practicing in this domain to be able to be acquired by a firm and tucked in to their typical operation.

So once again, it may be a different path for a more mature firm versus a smaller firm that may not have those resources, but ultimately there is a place for everybody.

Amato: Steve, thanks. You want to give a quick wrap-up of the conversation and a look ahead to that session? Appreciate your time today.

Ursillo: Thank you. It's always a pleasure. Certainly look forward to seeing everybody, and I think I would just recap this as cybersecurity is a hard trend. It's not going anywhere. It's needed in various elements of what we do in service delivery. It's going to be something that's tucked into a lot of other types of offerings that firms are going to be practicing. So certainly a great opportunity for folks and would certainly encourage people to look into pursuing that path and what makes the most sense for their strategic initiatives. So thanks again and look forward to seeing everybody.

Adamek: In other news, the IRS recently unveiled a new online feature recently known as the "Tax Pro Account," the purpose of which, for now, is to automate the submission of powers of attorney (POAs) to authorize tax practitioners to represent individual taxpayers and tax information authorizations (TIAs) to view those taxpayers' accounts.

Tax Pro Account, which is separate from e-Services, is intended to speed the time for obtaining authorizations to represent taxpayers but does not replace other options for obtaining third-party authorizations.

For more on using Tax Pro Account to obtain authorizations to represent clients please visit the news section of

On Monday, July 19, FASB issued a standard designed to improve the board's lease accounting rules related to a lessor's accounting for certain leases with variable lease payments. The new standard amends lessor lease classification requirements.

Ken Tysiac has that story on the Journal of Accountancy website. We'll link to it in the show notes for this episode.

For more accounting news, please visit

I'm Journal of Accountancy senior editor Drew Adamek.

Thank you for listening.