What Type of CPA Firm is Right for You?

Before choosing an audit firm to work with, you must understand why, for some types of audits, you need a CPA firm to perform the services. Clients and prospects ask us all the time why accountants are allowed to perform information security audits. We understand the confusion behind this sentiment and want to provide some clarity.

The AICPA’s SOC suite – SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity – specifically requires a CPA firm to perform the audit. Why a CPA firm? To name just a few reasons: integrity, independence, and accountability. There are so many different types of CPA firms, though – bookkeeping, forensic, risk, tax, full-service, and audit firms. You specifically want to think about choosing a qualified CPA firm that specializes in information security auditing. We know it’s not a simple choice, though. When winning a new client, complying with regulations, or your business continuity depends on an audit, you want to make the right choice about who performs that audit. Let’s talk about five steps you can take when choosing a qualified CPA firm to partner with on your information security audits.

Steps to Choosing a Qualified CPA Firm

  1. What makes someone an expert in information security? You don’t want to hire just a CPA firm; you need a firm where most employees hold more than one information security certification and have extensive experience. It may seem daunting to find this information, but a little due diligence can go a long way. Look on the firm’s website, ask for an auditor’s bio or resume, or research what certain certifications mean. What information security certifications do their members of leadership have? What information security certifications do their auditors have? At KirkpatrickPrice, our average auditor has 17 years of experience and we require specific certifications upon hire. Why would you let someone who doesn’t specialize in information security, IT, or cybersecurity audit your IT department, systems, data, infrastructure, and processes? Your auditor must have the relevant experience to perform this service in a quality way.
  2. Does the firm really specialize in information security? When choosing a qualified CPA firm, you want a firm that can help you reach all of your compliance goals. Let’s say the firm only offers SOC 2 services – what happens if you need help with policy and procedure writing, penetration testing, or SOC for Cybersecurity? Research the rest of their services to ensure you choose a CPA firm that can meet all of your needs.
  3. Does the firm have a peer review and quality assurance program? If the CPA firm doesn’t undergo a peer review, you’ve already caught a flaw; CPA firms are required to undergo peer reviews. The firm you choose should also have a quality assurance team or process to ensure that testing results meet timely, repeatable, accurate, and retainable standards.
  4. Is the firm committed to quality? You want to work with a CPA firm that has a proven track record of delivering thorough, quality audits; no shortcuts, no outsourcing. You’ll want to find information on how many services they offer, how many audits they perform on a yearly basis, if they can deliver multiple audits, and if there are any reported complaints against the firm.
  5. Do the firm’s values align with yours? When choosing a business partner, you want someone whose principles and values support yours, someone who values your time and money, and someone you can have a positive relationship with. These same qualities apply when choosing an audit firm. You don’t have to choose the firm with stereotypical auditors, the cheap firm, or one of the Big Four. You can find a CPA firm that wants to partner with you to help you reach your compliance goals. At KirkpatrickPrice, we want to educate, empower, and inspire your organization to greater levels of assurance.

Working with a CPA Firm

Choosing a qualified CPA firm to perform your organization’s information security audits can be a difficult choice for some. It may be more expensive, it may require a deeper level of due diligence, and it may require putting your compliance into the hands of a firm you haven’t heard of before. But a thorough, quality audit performed by someone who has the experience to do so will pay off in the end. What would it cost you if your top client was not satisfied with the quality of your audit? In the current threat landscape, it’s absolutely crucial for organizations to find CPA firms that take risk factors, security and privacy obligations, information security, and cybersecurity seriously. We know you need validation of your security methods. We know you need someone to make information security more approachable. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. In a day and age when security controls must be strong and effective against advanced threats, KirkpatrickPrice’s mission is to deliver quality services.

More Resources for Choosing a Qualified CPA Firm

5 Questions to Ask When Choosing Your Audit Partner

When Will You See the Benefit of an Audit?

Getting Executives on Board with Information Security Needs

Best Practices for Safe Online Holiday Shopping

While businesses are gearing up for the busiest shopping season of the year and consumers are anxiously awaiting the best online deals, malicious hackers will be preparing to get their hands on valuables as well. This makes it increasingly important that consumers practice due diligence while shopping online. Clicking on random links, buying products from insecure websites, and entering personally identifiable information where it’s unneeded put consumers at greater risk of having their information compromised.

What are best practices for online holiday shopping? Cyber Monday is one of the heaviest online shopping days of the year, while Thanksgiving and Black Friday will continue to be leading online shopping days as well. What does this mean for consumers? Cybersecurity is going to be a key concern during the online holiday shopping season as consumers increasingly move toward shopping online, especially on mobile devices. We suggest following these six steps to ensure safe online holiday shopping.

1. Limit Personally Identifiable Information

When signing up for email lists, promotional discounts, and store accounts, be sure that you’re only providing companies with the least amount of information necessary. Many online store accounts require a first name and email address, but they might also have fields for last name, age, date of birth, or phone number. If these are not required, don’t provide them. This only makes it easier for malicious hackers to learn more about individuals and potentially wreak havoc on them.

2. Use Secure Websites

Shopping on insecure websites is a major way that malicious hackers can steal your personally identifiable information. Because of this, you need to be cognizant of the websites you’re using. Does the website use HTTPS in the URL? Websites that use HTTPS encrypt the data transferred between your browser and the website you’re using. This keeps your data confidential from malicious hackers and prevents them from modifying your data without your knowledge.

3. Stay Off Public WiFi

While it’s tempting to connect to public WiFi while online shopping – perhaps to make a purchase or download a coupon – it can put your personal data at greater risk. Public WiFi is generally not password protected and cannot protect your information from malicious hackers. Malicious hackers often take advantage of public WiFi, especially in crowded areas like airports and malls, where consumers are likely to connect automatically. Instead of using public WiFi, opt to use your personal hotspot.

4. Differentiate Your Passwords

It’s critical for consumers to remember to utilize various passwords, especially during the holiday season. Using the same password for email, store accounts, and bank accounts could increase the likelihood of being hacked.

5. Think Before You Click

As the retail industry booms during the holiday season, consumers must be aware of suspicious links. Links in emails or in social media advertisements can be a form of social engineering and leave consumers vulnerable to a phishing attack. Using caution before clicking on links is paramount for safe online holiday shopping.

6. Monitor Your Payment Cards

As a final form of due diligence, monitoring your credit and debit cards for suspicious activities is crucial during the holiday season. While you can implement as many best practices for protecting your personal data as possible, there are no guarantees that a cunning malicious hacker hasn’t already compromised your data. You should sign up for text or email notifications if your bank offers them. By regularly monitoring your credit and debit cards, you’ll be more likely to identify and alert your bank about suspicious activity in a timely manner.

Don’t let malicious hackers make your holiday shopping experience more stressful. Make sure you’re implementing these six best practices for safe online holiday shopping. You can never be too vigilant in protecting your personal data.

More Resources

When Will it Happen to You? Top Cybersecurity Attacks You Could Face

What is Cybersecurity?

5 Things The Grinch Teaches Us About Information Security

What is a Risk Assessment?

A risk assessment is a process by which an organization analyzes vulnerabilities, potential threats and risks to the organization’s security posture and IT systems. Performing a risk assessment is a critical component of any Information Security program. Because it’s mandated by several frameworks (SOC 1, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA), organizations wanting to comply with these frameworks must conduct risk assessments on a regular basis. By doing so, organizations will be able to stay on top of mitigating vulnerabilities in their security posture and demonstrate to their current and potential clients that they are performing their due diligence in keeping sensitive assets secure.

How Do You Conduct a Risk Assessment?

We believe that the risk assessment process can be broken down into five steps. The first step is to conduct the risk assessment. To do this, an internal or third-party auditor will perform staff interviews, review policies and procedures, observe tasks in real time, and conduct a physical inspection. Your organization’s hardware, software, system interfaces, data, information, and IT personnel will be involved in the risk assessment.

The next step is to identify risks. After you have identified your organization’s assets, you have to identify the threats to those assets that were found in your risk assessment. These threats can be man-made (intentional or accidental) or natural events (floods, power outages, earthquakes, etc.) that can take advantage of an asset’s flaws, and that can result in a loss of integrity, availability, or confidentiality.

After you have identified risks, you’ll assess the risk importance and risk likelihood. What is the importance of each risk? What is the likelihood that each risk would actually occur? This process will help your organization strategically prioritize risk and determine where you should spend your time and effort. The likelihood of a risk can be expressed subjectively or quantitatively (high, medium, low or 1, 2, 3, 4, 5).

Next, create a risk management plan. Based on your complete analysis of which assets are important to your business and the threats and vulnerabilities that are likely to negatively affect those assets, you must develop security control recommendations to either mitigate, transfer, accept, or avoid the risks.

After you’ve developed an actionable plan to manage your risks and determine what you’re going to do and how you’re going to do it, it’s time to implement those controls. Continuous monitoring of risk management processes must be established to ensure that any and all risk mitigation efforts are operating effectively. Because the threat landscape is constantly evolving, conducting risk assessments on a regular basis will ensure that your organization strengthens its security posture.
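The risk-identification, rating, prioritization, and treatment steps above, carried through on a small constructed risk register. This is an added example, not KirkpatrickPrice’s methodology: the mapping of high/medium/low onto the 1–5 scale, the importance × likelihood score, and the thresholds that pick mitigate, transfer, accept, or avoid are all assumptions made for the illustration.

```python
# Added example: score and prioritize a risk register, then pick one of the
# four treatments named in the text. Scales and thresholds are assumptions.
from dataclasses import dataclass

# The text allows subjective (high/medium/low) or numeric (1-5) ratings;
# map both onto 1-5 so risks rated on different scales stay comparable.
SUBJECTIVE = {"low": 1, "medium": 3, "high": 5}


def normalize(rating):
    """Accept 'high'/'medium'/'low' or an int 1-5; return an int 1-5."""
    if isinstance(rating, str):
        key = rating.strip().lower()
        if key not in SUBJECTIVE:
            raise ValueError(f"unknown subjective rating: {rating!r}")
        return SUBJECTIVE[key]
    if isinstance(rating, int) and 1 <= rating <= 5:
        return rating
    raise ValueError(f"rating must be high/medium/low or 1-5, got {rating!r}")


@dataclass
class Risk:
    asset: str
    threat: str
    importance: object  # impact if the threat materializes
    likelihood: object  # chance the threat actually occurs

    def score(self):
        return normalize(self.importance) * normalize(self.likelihood)


def treatment(risk):
    """Assumed rule: thresholds on the 1-25 score choose the treatment."""
    imp, lik = normalize(risk.importance), normalize(risk.likelihood)
    if imp == 5 and lik == 5:
        return "avoid"      # too severe and too likely: stop the activity
    if imp * lik >= 10:
        return "mitigate"   # add or strengthen controls
    if imp * lik >= 5:
        return "transfer"   # e.g. insurance or a contracted provider
    return "accept"         # document and monitor


def prioritize(register):
    """Return (asset, threat, score, treatment) sorted highest risk first."""
    rows = [(r.asset, r.threat, r.score(), treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register mixing subjective and numeric ratings.
SAMPLE_REGISTER = [
    Risk("customer database", "web application attack", "high", 4),
    Risk("legacy payment terminal", "unpatchable OS", 5, "high"),
    Risk("office file server", "flood in server room", 5, "low"),
    Risk("sales laptop", "lost in transit", "high", 2),
    Risk("public website", "defacement", 2, 2),
]

if __name__ == "__main__":
    for asset, threat, score, action in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<8}  {asset}: {threat}")
```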

Does your organization process, store, transmit, or use educational records? Are you responsible for ensuring that the information of students remains secure? FERPA is one of the most significant federal regulations in the education sector, aimed at protecting the privacy of students and their parents. Undergoing a FERPA audit is one way that educational institutions can identify and mitigate vulnerabilities in their security infrastructure and demonstrate that they are doing what is needed to protect students’ information. In this guide, you’ll learn the rights FERPA gives students and their parents, the controls used to assess an organization’s FERPA compliance, how a FERPA audit could benefit your organization, and ways that you can prepare for a FERPA audit. Let’s start with the basics first.

What is a FERPA Audit?

The Family Educational Rights and Privacy Act (FERPA) governs the access and privacy of educational information and records, such as enrollment information, GPAs, billing information, student course schedules, and student financial records. The educational records that a covered entity or business associate creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. FERPA compliance protects the confidentiality, integrity, and availability of educational records.

Who Needs a FERPA Audit?

Are you a service provider to educational institutions? Are you an educational institution or agency that receives federal funding? If your organization is an educational institution that receives federal funding or an organization that creates, receives, maintains, or transmits educational records, you must be compliant with FERPA.

What are the Benefits of Receiving a FERPA Audit Report?

FERPA compliance affirms the security of your services and gives your organization the ability to provide clients and regulators with evidence from an auditor who has actually seen your internal controls in place and operating. FERPA compliance can help your organization maintain loyal clients and attract new ones, operate more efficiently, avoid fines for non-compliance or a loss of federal funding, and most importantly: assure clients and regulators that students’ personal data is protected.

There’s no doubt that the GDPR is reshaping the marketing industry, and yet many marketers remain unsure about what the law actually requires. The regulation is long, confusing, and in many areas, vague. Plus, there’s immediate tension between GDPR requirements and marketing principles. A marketer’s goal is to gain identification information, while GDPR’s goal is to limit identification information to what’s strictly necessary.

Let’s take a look at how Unbounce, the marketing industry’s leading landing page and conversion platform, made its journey toward GDPR compliance.

Unbounce’s Commitment to GDPR Compliance

Unbounce has powered half a billion conversions over the past nine years. How does a platform that processes so much personal data ensure compliance with such a revolutionary, yet ambiguous data privacy law? By committing to compliance from the start. To learn about the methodology behind Unbounce’s GDPR compliance efforts, we spoke to Bethany Singer-Baefsky, Unbounce’s Data Protection Officer (DPO). As DPO, she works closely with Unbounce’s security team to analyze vendor compliance management, advise on the privacy implications for new projects, and provide resources and advice for teams whose jobs require handling personal data.

What did “compliance from the start” mean for Unbounce? In our conversation with Singer-Baefsky, she tells us, “After Safe Harbour was overturned in October 2015, Unbounce began paying close attention to developments in EU data protection law. We took note when Privacy Shield was adopted, and followed the debates surrounding what would become GDPR. The laws were changing around the same time that Unbounce was looking to open up an office in Berlin, so we have been committed to compliance from the beginning. Compliance implementation, including obtaining buy-in, scoping, having regular progress meetings, completing infrastructure changes, etc., began in earnest about a year before the law went into effect.” It took collaboration across all teams to ensure that initial GDPR implementation was finished before the deadline. Developers dedicated over 5,200 hours to GDPR compliance, marketing and product marketing teams treated compliance like a product launch, and the support team fielded a deluge of customer questions. Singer-Baefsky adds, “This was a team effort in every sense of the word.”

Unbounce created a landing page so that anyone could find up-to-date information regarding Unbounce’s GDPR compliance progress, FAQs, and additional GDPR resources. Singer-Baefsky explains, “Our support and sales teams, especially those team members based in Berlin, were beginning to field a ton of questions as we neared the implementation deadline. Our legal/compliance/security team is quite small, and we didn’t have the people-power to constantly answer questions and simultaneously work towards the ever-looming deadline. We met with our marketing and product marketing teams and decided to approach our comms from the point of view of a product launch. We wanted a place to educate customers about our GDPR compliance efforts, and we updated the page based on our progress and on feedback we received from visitors and our teams.” This landing page allows Unbounce to remain transparent with their current and prospective customers, plus they published a blog post that educates marketers about how to ensure their landing pages are GDPR compliant.

Is GDPR Compliance Worth It?

GDPR compliance costs organizations time, resources, and money. Even though GDPR compliance is an ongoing effort, Singer-Baefsky believes that making sure that Unbounce was prepared for the GDPR enforcement deadline was absolutely worth the cost. First, compliance is helping Unbounce meet its business objectives. Singer-Baefsky states, “Unbounce wants the world to experience great marketing. Great marketing builds and maintains trust, and data protection is what ensures that that trust remains earned. Beyond this, our European office and customer base represent a substantial investment into the European market; a failure to attain GDPR compliance would amount to a colossal business failure.”

GDPR compliance also gave Unbounce an opportunity to analyze its processes. Singer-Baefsky said, “This was a company-wide effort that absorbed our development and legal teams for months, but as overwhelming as that could be at times, it was also an opportunity to review the ways we store and process data, ensure our security and access controls were up-to-date, and get our documentation in order. The result is a product our customers, and the millions of consumers who land on their pages each year, can trust as well as a more mature risk management system and a renewed culture of privacy and security awareness.”

Unbounce’s GDPR compliance process can offer insight into steps other organizations can take to prepare for enforcement. GDPR compliance is daunting; it’s unlike other compliance frameworks, and marketers are not only confused, but also scared by it. Singer-Baefsky notes, “We’re all just doing what we can until enforcement begins in earnest and the EU starts recognizing third-party certifications.” Until then, let KirkpatrickPrice help you with your compliance efforts. For marketers who want a streamlined compliance approach, contact us today and let’s connect you with one of our privacy experts who can show you how KirkpatrickPrice can prepare you for GDPR compliance.

More About Unbounce

Build high-converting landing pages, website popups, and sticky bars in a fraction of the time it takes with a developer. Try for free at https://unbounce.com/ or find us on Twitter.

More GDPR Resources

How Does GDPR Impact the Marketing Industry?

Privacy Policies Built for GDPR Compliance

Inside Unbounce – GDPR: It’s Still a Thing!

GDPR Marketing Survey from Demandbase