CPA’s Are Accountants Not Security Experts
From the AICPA Web Site
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organizations Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders:
Oversight of the organization
Vendor management program
Internal corporate governance and risk management processes
Similar to SOC 1 there are two types of report: Type 2, report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and Type 1, report on management’s description of a service organization’s system and the suitability of the design of controls. These reports may be restricted in use.
The SOC 1, 2 and 3 grew out of the old SAS 70 standards and essentially require a CPA to become experts in control, and security for all sorts of different enterprises. Enterprises that they have never run and cannot possibly fully understand a given businesses’ tradecraft with the accompanying specific threats. Some yes, of course. All – no, for this requires a team of smart people with many different backgrounds.
This over reach was described very nicely in a post from Jon Long on LinkedIn
Using technical specialists on SOC 2 engagements I have received some pushback on the idea that CPA firms can and should use hard-core security professionals on SOC 2 engagements to improve the quality of the engagement, and make companies more secure. AT-101.22 clearly says that it is possible for CPAs to gain “knowledge of subject matter” through the use of specialists as long as they can (a) communicate to the specialist the objectives of the work and (b) to evaluate the specialist’s work to determine if the objectives were achieved.
My response was as follows…
There is only one standard for assessing an organization’s security it is called OPSEC, not CPA or CFP or CEO or CFE, or CPP. I just cannot see how one who is training in accounting and has specialized in depth knowledge in that field can than morph into an expert on information security and privacy and give an opinion that has any merit whatsoever. While I do agree that OPSEC and the security of a companies IPCI is part of the Treasury function, I do not see how and external auditor can express such an opinion – without and identical backup opinion from someone who is a certified OPSEC Professional.
Just because I have a doctorate in economics does not mean I should seek hospital privileges.
This prompted a radio interview that took place later than same evening on Jon’s radio program. Link to Program
My argument against CPAs becoming certifiers of security is that while they do bring a great deal to the table – this is not their core of competency and credential morphing is a dangerous thing for both the professional, the client and those who place a significant reliance on the SOC 1, 2 and 3 reports. To reiterate, there is only one standard for assessing an organization’s security it is called OPSEC.
The nature of fraud and theft changes with the opportunities. Most people in 9 to 5 corporate life have no idea how easy it is to make them a mark. Now more people, with a similar sheltered background, are going to certify a business of which they have no operational experience in the given industry and they are issuing a warrantee of security.
It is total BS and appears to be nothing more than rent seeking by a profession that has had its wings clipped for over promising and under delivering again and again.
I get the desire to do good and I do not fault the genuine motives, only all of the methods as well as the players and the shameless rent seeking.