Cybersecurity: Expense or Investment?

Date November 11, 2019
Article Authors
HBK CPAs & Consultants

As a business owner or chief executive you focus on increasing the value of your business. Costs that don’t produce a return, even if sometimes necessary, are unwanted expenses.

As the practice of cybersecurity has emerged, many organizations have looked at implementing a cybersecurity program as an expense. But even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.

Consider the many businesses spanning myriad industries that have fallen victim to cyber attacks or data breaches subsequent to being acquired. FitMetrix, a MindBody acquisition; Starwood Group, a Marriott acquisition; MyFitnessPal, an Under Armour acquisition; and Bongo International, a FedEx acquisition are glaring examples.

All markets and industries have been affected. As a result, a company’s cybersecurity program – or lack thereof – is a central consideration in current M&A due diligence.

In a recent survey conducted by the International Information System Security Certification Consortium, or (ISC)², 96 percent of respondents say they take the maturity of cybersecurity programs into consideration when determining the value of a company. (ISC)² is a non-profit organization offering training and various certifications to cybersecurity professionals.

Moreover, 53 percent of respondents said values can vary widely depending on the maturity and effectiveness of the cyber program; 45 percent agreed that a cybersecurity program adds value but said that they assign value via a plus-or-minus or pass-or-fail indicator.

Perhaps most interesting, the study revealed cybersecurity infrastructure—including “soft” assets such as a risk management policy, security awareness training programs and other governance initiatives that might not traditionally be considered infrastructure—actually has a greater impact on value than IT.

Conversely, the lack of cybersecurity infrastructure indicates a liability potentially devaluing the company.

To illustrate the value of your cybersecurity initiative, we recommend you develop a formalized and documented cybersecurity program. The program should be continually improved and reviewed at least annually by an appropriate third party firm.

Simply put: Invest in cybersecurity. Secure the future of your business and its value.

HBK can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Contact Matthew Schiavone, CPA, CISSP, CISA for questions or to schedule an assessment.




A (Technological) Change Will Do You Good

Date October 15, 2019
Article Authors
HBK CPAs & Consultants

Adapting to technological change is a challenge all businesses face. Some changes force the matter — like required compliance with privacy and cyber regulations — while others, such as implementing a vendor risk management program, may seem less urgent. Regardless, businesses must recognize the need for a particular change and act accordingly.

A recent study conducted by the Information Systems Audit and Control Association (ISACA) and the global consulting firm Protiviti revealed the top five technology challenges faced by businesses today as:

  1. IT security and privacy/cyber security
  2. Data management and governance
  3. Emerging technology and infrastructure changes
  4. Resource/staffing/skills
  5. Third-party/vendor risk management

While all organizations face the same challenges, small and medium-sized businesses can find them more difficult to overcome, especially as they relate to number four on the list: a lack of resources, staffing and skills.

Monetary considerations aside, it is difficult to find qualified personnel. Addressing security, privacy, governance and infrastructure (effectively, numbers one through three on the list) requires professionals with sophisticated skill sets. The difficulty and expense associated with trying to meet these demands internally make it more reasonable to outsource them.

We are here to help. HBK offers cost-effective solutions to address these challenges. We have IT professionals across numerous disciplines, from specialists in privacy regulations to technicians who facilitate infrastructure changes. Get access to the specific skill sets and resources you need when you need them. For more information or to schedule an appointment, call (724) 934-5300; or email me at MSchiavone@hbkcpa.com.




GRC: Just Another Acronym?

Date October 8, 2019
Article Authors

Governance, Risk Management and Compliance (GRC) is a methodology that provides organizations with an integrated approach to cyber security maintenance. Although the three are often considered separately, GRC is most effective when executed in its entirety as a single, three-pronged initiative.

  • Governance is the process ensuring effective and efficient use of Information Technology (IT) to enable an organization to achieve its fundamental goals.
  • Risk Management is the process of identifying, assessing and managing risk as a way to help achieve an organization’s objectives and based on its tolerance for threats — in short, clearly establishing the company’s risk acceptance or risk avoidance.
  • Compliance involves adhering to accepted practices, rules and regulations within a business at an industry or governmental level – or both.

One should take a holistic approach to GRC, as with any control or protocol established to mitigate a risk: the cost to implement the control should be less than the cost of actual exposure to the risk being mitigated. GRC expands this approach by also weighing the costs associated with non-compliance – namely, fines or penalties.

The culmination of Governance, Risk Management and Compliance occurs when IT policies help convert the desired behaviors of team members into a formal, successful cyber security plan.

HBK Risk Advisory Services can help you design and develop your own GRC program to protect your business. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. As always, HBK is here to answer your questions and discuss your concerns.




Cyber Laws & Best Practices: Getting Your Cyber House in Order

Date September 4, 2019
Article Authors
HBK CPAs & Consultants

Sir Winston Churchill’s definition of Russia as “a riddle, wrapped in a mystery, inside an enigma” aptly describes the state of affairs between the bevy of cyber and data security laws and the business enterprises forced to contend with the onslaught of cyber thieves and hackers. The “rock” of cyber thieves on one side and the “hard place” of cybersecurity rules on the other can make life difficult for businesses.

Understanding the basics
When your business must adhere to disparate and fragmented cyber rules, regulations and laws, the first task at hand is to prioritize your needs, identifying, in effect, the “low hanging cyber fruit.” First, understand the requirements common to most cyber legislation. What are the states requiring a business such as yours to do in the event of a breach of “protected information”?

All 50 states and U.S. territories have laws mandating that businesses provide notifications to those whose protected information has been breached while in the care of the business. But each state has different requirements. It is conceivable that a single data breach will require a business to comply with 50 different sets of requirements. Consequently, a business should:

  • Take inventory of the states of residence of its clientele
  • Determine what it must do to comply with those states’ requirements
  • Prepare a plan to implement in the event of a data breach

Getting down to specifics
Following are details on the data breach notice laws for the states in which most HBK clients reside: Florida, Ohio, Pennsylvania and New Jersey.

Florida Information Protection Act of 2014 [i]: Any commercial entity that acquires, maintains, stores, or uses Personally Identifiable Information (PI) must notify affected Florida residents by written mail or electronic mail within 30 days of the breach.

  • If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, the business may use other means and methods of notifying those affected.
  • If the data breach involves more than 500 Florida residents, the business must report the breach to the Florida Department of Legal Affairs.
  • A breach affecting more than 1,000 Florida residents must be reported to credit reporting agencies.

Ohio notification requirements [ii]: In Ohio, any business that experiences a harmful data breach must notify affected Ohio residents within 45 days by mail, telephone, or electronic mail.

  • Businesses can use public service announcements in the event that more than 500,000 Ohio residents are affected, if notification costs exceed $250,000, or if the business has ten or fewer employees and notification costs exceed $10,000.
  • When more than 1,000 Ohio residents are affected by a breach, all consumer-reporting agencies must be informed.

Pennsylvania Breach of Personal Information Notification Act [iii]: When a Pennsylvania business experiences a harmful data breach, it must notify affected Pennsylvania residents as soon as possible by mail, telephone, or email.

  • If the security breach affects more than 175,000 people, or the cost of notification exceeds $100,000, public service announcements can be used instead.
  • When a breach affects 1,000 or more people, you must report it to all consumer-reporting agencies.

New Jersey Data Breach Identity Theft Prevention Act [iv]: Businesses in New Jersey are required to respond to a data breach quickly. A business must first notify the Division of the State Police in the Department of Law and Public Safety, then alert the affected consumers through email or written notice.

  • If the breach affects more than 1,000 people, the business owner must notify all consumer-reporting agencies.
  • A business that willfully, knowingly, or recklessly violates the New Jersey Consumer Fraud Act, including failing to adhere to the Theft Prevention Act, may have to pay the injured party three times the damages, plus attorney fees and court costs.

While the laws are similar, the nuances require businesses to attend to the particulars of each. And the nuances turn into stark reminders of the perils of cyber-crime. Having to author a letter to clients admitting their data was stolen while they entrusted it to your care can make for a formidable backlash.

We will explore various other cyber and data security laws that impact your business in our next article.

Sources:
i. https://www.flsenate.gov/Session/Bill/2014/1524/BillText/er/PDF
ii. http://codes.ohio.gov/orc/1349.19
iii. https://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=HTM&sessYr=2005&sessInd=0&billBody=S&billTyp=B&billNbr=0712&pn=0898
iv. https://www.njleg.state.nj.us/2004/bills/pl05/226_.htm




Cryptocurrencies & Foreign Bank Reporting: What You Must Know

Date August 9, 2019
Article Authors
HBK CPAs & Consultants

In today’s world we are seeing drastic changes in how we interact with our environment. Those interactions are becoming predominantly electronic through the use of phones, computers, watches, etc. Our currency is following suit. By now, many have heard the terms “bitcoin” or “cryptocurrency” – but do they understand the concept? The news regularly reports on how this electronic currency enables us to complete transactions in ways that we have not experienced in the past. While this technology is being embraced by some, there may be unexpected tax-reporting implications that the headlines often miss. It’s imperative for taxpayers engaging in foreign banking and, potentially, in cryptocurrencies, to understand basic information related to foreign reporting requirements.

The Basics of Cryptocurrency
What is “Bitcoin” and how does it work? Bitcoin is a type of cryptocurrency, which is a digital virtual currency housed online. It is generally held in a virtual “wallet.” These virtual wallets operate like bank accounts in which a third party holds the currency. Cryptocurrency can be purchased using traditional analog currency, such as U.S. Dollars, Euros, British Pounds, etc. Bitcoin is the most popular form of cryptocurrency, and it is used as a functional currency by many major retailers including Amazon, Sears, Home Depot, and CVS. While some use cryptocurrency to function like traditional currency, many are using it for investment purposes in a manner similar to that of stocks being traded on an exchange.

Foreign Bank Account Reporting in General
The U.S. Department of the Treasury and the IRS want to be informed as to where taxpayers are keeping their bank accounts and their respective balances. Two main documents that taxpayers involved in the use of foreign banking should be aware of are the U.S. Department of the Treasury Foreign Bank and Financial Accounts Report (Form 114) and the IRS Statement of Specified Foreign Financial Assets (Form 8938).

These two foreign reporting forms are applicable to U.S. citizens, residents, corporations, partnerships, and even trusts, and must be filed (along with a normal federal income tax return) if the filing requirements are met. In general, Form 114 is applicable if a taxpayer is holding a bank account outside the United States and the balance in the account exceeds $10,000 USD at any point during the tax year. Form 8938 would become applicable (in addition to or separate from Form 114) if the bank account balance exceeds $50,000 ($100,000 for married filers) for the tax year. Both forms are informational to the applicable governmental agency and no taxes are paid on the balance. However, severe penalties can and will be assessed for a failure to file these required forms.

Cryptocurrencies as Foreign Bank Accounts
Since cryptocurrencies are electronic currencies tied to a virtual wallet, it is possible that the wallet where the cryptocurrency is held may be located in a foreign country. While there is currently no official guidance related to foreign reporting for cryptocurrencies, it is possible that a taxpayer owning cryptocurrency could have foreign reporting requirements based solely on the location of the wallet. The IRS recently notified the public that letters are being sent to taxpayers who are cryptocurrency holders, urging them to comply with U.S. tax laws related to cryptocurrencies. We will provide details about additional reporting requirements, and other potential tax implications for cryptocurrency holders, as they become available.

Please contact a member of the HBK Tax Advisory Group at 239-263-2111 if you would like to discuss potential foreign reporting requirements for cryptocurrency or any foreign banking matters.

Additional Resources:
https://www.irs.gov/businesses/comparison-of-form-8938-and-fbar-requirements
https://www.irs.gov/businesses/small-businesses-self-employed/report-of-foreign-bank-and-financial-accounts-fbar
https://www.irs.gov/pub/irs-utl/irsfbarreferenceguide.pdf
https://www.irs.gov/businesses/small-businesses-self-employed/virtual-currencies
https://bitcoin.org/en/how-it-works



Ohio Governor Signs State Budget Into Law

Date July 25, 2019
Article Authors
HBK CPAs & Consultants

On July 18, 2019, Ohio Governor Mike DeWine signed the Ohio budget into law. It includes an estimated $700 million in across-the-board tax cuts. The changes include:

  • For pass-through entities, the $250,000 business income tax deduction and 3% flat tax remains. However, the tax break was eliminated for lawyers and lobbyists.
  • The elimination of the state’s bottom two income brackets and a corresponding 4% cut to the remaining five brackets for personal income tax.
  • Required remittance of sales tax for sellers with gross receipts of at least $100,000 from sales into Ohio or that engage in 200 or more separate sales. The bill also requires marketplace facilitators to collect.
  • The Film Tax Credit has been broadened to cover post-production work and Broadway-style productions.
  • All state manufacturers will be able to apply for a “job retention” tax credit. To qualify, manufacturers need to make a capital investment equal to 5% of tangible property at the facility site, or $50 million, whichever is less.
  • Ohio will piggyback off the federal Opportunity Zone program with a state income tax credit equal to 10% of an investment into a qualified fund up to $1 million every two years.

Other measures include:

  • Raising the age to buy cigarettes from 18 to 21.
  • Creating a new tax on vape products of 10 cents per milliliter.
  • Creating a tax credit for property owners worth up to $10,000 for lead paint removal.

Please contact Suzanne Leighton of the HBK Tax Advisory Group at SLeighton@hbkcpa.com for more information on how these changes to state law could affect your business.




FaceApp & the Russians: Warning Signs?

Date July 23, 2019
Article Authors

You’ve likely heard of FaceApp; maybe you have even tried it. It is unquestionably one of the most popular apps circulating today. It quickly went viral due to the “#AgeChallenge,” where celebrities as well as ordinary folks download it to use an old-age filter generating an image of what a user might look like in a decade or more. Launched by a Russian start-up in 2017, FaceApp has come under fire lately because of fears that user data was being sent to Russian servers. There are other potential privacy concerns as well, including some claims that the app has the ability to access a user’s entire photo gallery.

Is FaceApp safe to use? Probably; though I’m not planning on using it personally, as I have zero interest in seeing what I’ll look like in 20 to 30 years. But as I was watching a TV news report on FaceApp, it reminded me of an important Cybersecurity issue that might fall under the category, “Social Media: Be Careful What You Share.”

When you use FaceApp and agree to its user terms, what are you sanctioning? For one, the App is permitted access to your photos, location information, usage history, and browsing history. During a news report, an executive representing FaceApp told CNBC that it only uploads the photo selected for editing. Further, the FaceApp rep said it does not take other images from a user’s library, and that most images accessed by FaceApp are deleted from its servers within 48 hours. Still, the user agreement allows the developer access to a user’s personal data. And, again, the developers of FaceApp and its Research and Development team are all based in Russia.

The amount and type of personal data we share, especially online, is something to consider. By way of example, the Apple iPhone X offers facial recognition as an alternative to using a personal identification number or password; does that suggest the Russian FaceApp programmers have developed a way to access a user’s entire online account, since they have access to their photos? Remember that passwords are giving way to other log-in options, including biometrics. Consider the pace of technological development, including artificial intelligence, when making decisions about where and how you share your personal information.

While Cybersecurity experts don’t appear particularly nervous about the FaceApp itself, the scenario should give us pause and prompt us to consider the potential ramifications of sharing our personal information.

HBK can help you with your Cybersecurity issues, including protecting your data. For assistance, call 330-758-8613 or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.




Taxing Marijuana: A Weighty Issue

Date July 22, 2019
Article Authors

While the legalization of adult use of marijuana is currently off the table in New Jersey, New Jersey and other states will have to contemplate taxation in anticipation of future legalization. Determining a “right” sales tax that balances revenue receipts as it serves to eliminate a black market is not an easy task. The following article sheds light on various marijuana taxation methodologies. (For purposes of this article, local taxes are not being considered.)

There are two primary ways states tax the sale of adult use marijuana products: as a percentage of the selling price, similar to sales tax, or by weight. Taxing based on sales is easier to calculate. However, prices will likely decline once the market matures (see FIGURE 1), so tax revenue will decrease as well. Vertically integrated businesses could also manipulate markups to reduce the tax burden. The Colorado Department of Revenue’s Marijuana Enforcement Division had reported pounds of flower and bud sold in 2018 as of the date of the writing of this article; it had not reported revenue. The Average Market Rate per pound has been reported and, as shown in FIGURE 1, decreased significantly in 2018, then started to rebound in 2019.

[FIGURE 1: Colorado Average Market Rate per pound (image not reproduced)]

Weight-based taxes are more complicated in that they require determining the amount of the tax and when the tax is assessed. For example, a weight-based tax could be assessed at the cultivator, processing or retail level. At the retail level, taxes would need to be set at different rates for different types of products: flower, concentrates, edibles. When taxing edibles, how would the non-cannabis ingredients be accounted for? When taxing tinctures, would the potency and quantity be considered? There are significantly more factors to consider when ‘weighing’ the options of a weight-based tax.

History indicates that prices tend to be higher immediately following legalization; lower tax rates can encourage the legal purchase of cannabis. When prices decline, tax rates could be increased, keeping out-of-pocket costs to consumers the same or almost the same. If taxes are too high, whether weight-based or assessed as a percent of sales, many customers will continue to purchase through the black market. States must also consider that when the United States de-schedules or legalizes marijuana, it is highly likely a federal excise tax will be placed on sales of the product. This will replace the burden of Internal Revenue Code Section 280E currently borne by business taxpayers.

What is the effect in dollars of taxing based on a percent of sales versus weight? To illustrate, we analyzed Colorado’s reported sales and the wholesale weight of flowers/buds sold from January 1, 2014, to December 31, 2018. As Colorado has not yet reported weight data for 2018, we used the 2017 monthly data adjusted for the year-over-year sales increase. These computations are for illustrative purposes only and are subject to the following assumptions:

  • includes only the weight of sales of flowers/buds;
  • assumes no markup and no profit made by the cultivator, distributor, or retailer; and
  • ignores local taxes.

FIGURE 2 reflects a computation of tax revenue (medical and adult use) for the first four years of legal adult use in a state with a population of 8.908 million (specifically New Jersey).

[FIGURE 2: Sales Tax Percent and Weight (image not reproduced)]

Based on this analysis, total sales tax collected for the five years was $52.8 million greater using a weight-based tax structure of $42 per ounce compared to the 12 percent of sales tax. Obviously, the 25% tax rate would generate more revenue – but it would likely be a less effective means of eliminating the black market.

[FIGURE 3: Examples of Sales Tax on Marijuana (image not reproduced)]

As FIGURE 3 shows, the process of taxing marijuana can range from simple to complex and the amounts of tax collected can vary significantly. Nine states (and Washington DC) do not impose their general sales tax on medical marijuana, while four states (Alaska, Delaware, Minnesota, and New Hampshire) do not levy sales taxes. FIGURE 4 illustrates a sample transaction ($250 per ounce based on no markup of product and all taxes being passed through to the consumer) in both medical and adult use markets and the different amounts that would be charged to the ultimate consumer and the taxes collected. On the medical side, the purchase of an ounce of marijuana results in a purchase price ranging from $250 to $342.50, depending on the state. For adult use, the price paid would range from $282.50 to $360.75.

Under the weight-based tax structure ($42 per oz), the consumer’s cost for medical marijuana would be $266.63 (the fourth lowest, with two states levying no taxes). For adult use, the $42 per ounce tax would put the consumer’s cost at the halfway point compared to other states. It is very important to realize that the price will not be the same in all states and that this example is presented for comparison purposes only.

Sources:
Colorado Marijuana Enforcement Division’s Market Size and State Demand for Marijuana in 2017 – Market Update (Aug. 2018): https://www.colorado.gov/pacific/sites/default/files/MED%20Demand%20and%20Market%20%20Study%20%20082018.pdf
Colorado Marijuana Enforcement Division: 2016 Annual Report: https://www.colorado.gov/pacific/sites/default/files/2016%20MED%20Annual%20Report_Final.pdf
Colorado Marijuana Enforcement Division’s Market Demand and Size Study, July 2014: https://www.colorado.gov/pacific/sites/default/files/Market%20Size%20and%20Demand%20Study%2C%20July%209%2C%202014%5B1%5D_3.pdf
https://www.colorado.gov/pacific/revenue/colorado-marijuana-tax-data
https://www.colorado.gov/pacific/revenue/colorado-marijuana-sales-reports
https://www.colorado.gov/Tax/marijuana-taxes-file
Economic Impact of Tourism in New Jersey, 2017 (January 2018): https://www.visitnj.org/sites/default/files/2017-nj-economic-impact.pdf



Don’t Be a Boeing: Strengthen Your Cybersecurity

Date June 24, 2019
Article Authors
HBK CPAs & Consultants

There are no more excuses to bury your business’s head in the sand. The data and cyber theft threats are real. And imminent. And not just for big corporations or large government organizations. Attackers are at your front door … or worse.

There are three areas that need your consideration when it comes to protecting your data from cyber attack.

FIRST: To Err Is Human: Have your processes and controls assessed and take stock of your level of cyber preparation. Pay special attention to your “human” vulnerabilities, as most cyber thefts are the result of someone either unwittingly or purposely allowing a breach to happen. The best software in the world can’t keep someone inside the organization from gaining access to your systems and processes.

Do it now. If you are defenseless you could have to pay a ransomware demand to stay in business. Or worse, you might not be able to afford to stay in business.

SECOND: Assess your vendors and third-party providers. It’s much like going to a doctor’s office in the morning for a checkup, then having your immune system attacked by the malady of the day, a virus you picked up from someone sitting next to you in the waiting room. It’s the same with vendors and those who service them. They can infect your systems in spite of your best efforts. A vendor was the root cause of the Target data breach in 2013 that extended to as many as 70 million customers. Boeing continues to struggle as its fleet of 737 Max passenger jets – and its stock price – remains grounded due to problems with third-party software described as “fatally flawed” and that has been at the root of two major airline catastrophes.

THIRD: Assess the data you transmit, process and store. Rank your data to determine which sets are most critical to your operation, and start at the top. Then proceed through it all.

Cybersecurity is no longer a check-the-box process; it is a way of doing business, a part of your business that must be addressed continually and methodically. We can help. Contact HBK Risk Advisory Services at 614-228-4000 or email us at SFranckhauser@hbkcpa.com with your cybersecurity questions and concerns. We can meet with you to discuss precisely when, how, where and why you need to protect your data. You can take baby steps. The one thing you shouldn’t do is nothing.




Are You Cyber Secure and Who Wants to Know?

Article Authors
HBK CPAs & Consultants

This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization that are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone, from a member of the board of directors to a potential customer, that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks, ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

To meet that need the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced Systems and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of assurance services: advisory and attestation.

In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

Security – The system is protected, both logically and physically, against unauthorized access.

Availability – The system is available for operation and use.

Confidentiality – Information designated as confidential is protected as committed or agreed.

In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

A cybersecurity risk management examination report includes the following three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The description provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten it, and the policies and processes implemented and operated to protect its information assets against those risks.

Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Our attestation is justification management can use to demonstrate to everyone from the board of directors to a potential customer that their cybersecurity program is in accordance with best practices. The AICPA SOC for Cybersecurity logo is a key differentiator for a business, assuring stakeholders of the security of the information it handles.

All organizations should have a cybersecurity program in place. Having it assessed for readiness (that is, ensuring your controls are aligned with the AICPA-defined standard and criteria) will afford assurance that it is designed appropriately. Receiving official attestation demonstrates that the design is functioning as it should, and gives your stakeholders confidence that you have implemented a robust and comprehensive cybersecurity program and that your organization is cyber secure.
