Skip to main content


Every CPA Firm Needs to be a Security Company

CPA firms are also once again changing. For many, the first customer facing technology may have been offering self-service options to extend back office functionality. Electronic invoicing and collections are two early examples that date back to the ...


In 2018, the year of artificial intelligence, internet of things, blockchain, and big data, it is safe to say more and more companies are emerging to be technology companies. In the last year, a lot of attention has been placed on how automotive companies such as Ford and General Motors are positioning themselves as technology companies.

Large conglomerates such as GE are marketing themselves as “the digital company that’s also an industrial company” and are using young programmers as the center of a large advertising campaign. However, it isn’t just industrial and manufacturing companies that are pivoting, large financial institutions are now developing and often acquiring Fintech providers. Santander created Santander InnoVentures with a stated aim of, “to support the digital revolution to make sure Santander customers around the world benefit from the latest know-how and innovations across the Banking Group’s geographies.” Verticals such as healthcare, education, media and many others now must address technological changes more than ever and position their investments in technology as differentiators. 

Technology and CPA Firms

CPA firms are also once again changing. For many, the first customer facing technology may have been offering self-service options to extend back office functionality. Electronic invoicing and collections are two early examples that date back to the 1990s or earlier. As time moved on, other parts of the business, particularly those related to engagement delivery, also began to leverage technology. In the 2000s, firms began using file sharing services and central repositories such as Microsoft SharePoint to exchange data with clients. Most firms purchased commercial-off-the-shelf (COTS) products as they did not have many, if any, developers on staff. Today, firms have a plethora of on-premise and cloud-based offerings available and if none of them meet requirements, the potential to develop something in-house is readily available. These new solutions also require firms to think about security more than ever before.   

Large Firms and the Cobbler’s Children

Many CPA firms, particularly larger firms, offer technology related advisory and consulting services, including developing software for their clients. However, they also need to innovate and leverage technology to improve the quality of their own offerings, be it tax, audit or advisory. These firms often have staff with the knowledge to adequately secure their own environment; however, they rarely work with internal initiatives. The problem is the work performed for the firm’s external clients are revenue generating, while securing internal systems yields no revenue, or is seen as taking away revenue due to the opportunity cost.

Smaller Firms and Knowledge Gap

All firms regardless of size need to leverage technology for competitive advantages. However, unlike large firms, smaller firms likely do not have the expertise to adequately secure their newly procured or developed systems. While organizations such as the AICPA have cybersecurity content available, and frameworks such as ISO 27001 exist, smaller firms may not have the time, means, and occasionally, desire, to implement security best practices.

Security Checklist

Whether a firm decides to buy or build there are many security considerations to address. For firms on a tight time frame or need a concise reference, the following checklist covers fifteen of the most common controls that should be considered when deploying a new technology.



Are users of the system required to use strong authentication?




Have permissions and roles been appropriately defined and implemented?




Are all critical systems routinely backed up and are these backups tested?



Change Management

Does a formally documented process exist to track and process changes?



Continuous Monitoring

Is a process in place to continually evaluate the security of the environment?



Data Classification

Has the data being used by the system been categorized and inventoried?




Is the data secure while in transit and at rest?



Incident Response

Are people, processes and technologies in place to address a security breach?



Least Privilege

Are technical processes running with only the necessary access to fulfill the task?




Does the system produce an adequate audit trail to identify an issue?



Patch Management

Are the hosts supporting the environment patched on a timely basis?



Physical Access

Is physical access to the system adequately restricted?



Policies & Procedures

Do documented security policies and procedures exist for the environment?



Service Level Agreements

Have service level agreements been established with vendors and/or for clients?



Third parties

Are all third-party interconnections known and been documented?





Preparing for the Next Project

In addition to the determining what things should be evaluated when implementing a new technology, firms need to understand when to begin asking these questions. It is paramount that an understanding of the controls in place occurs as early as in the system development life cycle (SDLC) as possible, preferably in the requirements gathering and planning phases. While identifying gaps later in the SDLC is better than not knowing them at all, the cost to remediate gaps increases greatly went they are identified later in the project.  


Matt Wilgus is a Practice Director at Schellman & Company, Inc., where he leads the Threat and Vulnerability Assessment offerings. In this role he heads the delivery of Schellman’s penetration testing services related to FedRAMP and PCI assessments, as well as other regulatory and compliance programs.Matt has over 19 years’ experience in information security, with a focus on identifying, exploiting and remediating vulnerabilities.  In addition, he has vast experience enhancing client security programs, while effectively meeting compliance requirements.