The Role of Accounting in Managing Cybersecurity Risk

Linda Miller, PhD

Cyber attacks are now a common occurrence that business and government entities must find ways to avert. Both public and private organizations recognize the IT risks presented by these threats, and often bring together various stakeholders to help mitigate them. As they look to develop these teams, accountants are often included. Why?

 

The Accountant's Role in Cybersecurity

Accountants Outside the Organization

For over 50 years, auditors have tested the reliability of organizational IT systems as part of their auditing procedures, to ensure that financial output is valid. That work includes testing the strength of IT controls. Professional standards also require auditors to bring independence, objectivity, and skepticism to their engagements. Finally, staying current on new IT systems and trends is part of their professional development. Together, these characteristics create a foundation that makes outside accountants strong members of a cybersecurity review team.

Accountants Inside the Organization

To successfully meet the goals of their positions, managerial accountants must have a depth of knowledge about an organization’s processes and systems, including IT systems. Their traditional roles also require them to anticipate organizational risk and to develop ways to mitigate these risks, e.g., changing processes or purchasing insurance. Cybersecurity teams can depend on the breadth of knowledge managerial accountants bring to the work of the team. Because funds for any project are generally scarce, managerial accountants can also help teammates identify critical information that then requires particular attention.

 

How Accountants Can Boost Their Cybersecurity Skills

While accountants inherently bring a set of strengths when working with a team to address cyber risks, they can also take steps to bring even more value to the team. First, look for education opportunities to strengthen your cybersecurity skills. No need to worry about the nuts and bolts! Rather, look to get into the mindset of a cybersecurity professional. What process do they use? What are the specifics they may be considering? What suggestions might they make for mitigation?

Second, identify resources to enhance your understanding of cybersecurity. Many professional accounting organizations recognize the importance of the accountant’s role in providing a perspective about cyber risk and ways to mitigate it, and they have developed a number of resources to help accountants develop the necessary skills. Examples include:

  1. The Center for Audit Quality: This organization created a document about the role of CPAs in addressing cybersecurity risks. The second section specifically speaks to the landscape of cybersecurity risk, which will add to an understanding of the field.
  2. American Institute of CPAs (AICPA): The AICPA recognizes that publicly reporting a firm’s approach to cyber risk is not required, but firms may have a reason to want to include that information in their annual reports. They may also want to address a publicly reported security breach. Regardless of the reason, the accounting industry group developed a framework for auditors to use when addressing these cases. The framework may also be used to inform an approach to the work of a cyber team.

 

A cyber review team made up of stakeholders with different strengths can be strong and effective. However, it’s important that members understand the perspective each professional brings to the table. While accountants bring a strong understanding of a firm’s processes and systems to the group, developing a deeper knowledge of the cybersecurity landscape can allow them to even better support their team.

About the Author

Linda Miller, PhD

Assistant Dean and Associate Professor, Champlain College Online

Linda Miller, PhD, CPA, is associate professor and assistant dean for Champlain College Online. She is responsible for the online accounting and integrated studies programs, as well as the MBA and master's in human relations and organization development programs. She holds an M.S. in Accounting from Pennsylvania State University and a PhD in Business Management (School of Supply Chain Management) from the same. She is a member of the International Leadership Association and the Society of Supply Chain Management Professionals.