As busy season comes to a close, many practitioners will begin preparing to meet with clients and discuss ideas for improvements identified during the past audit season. This is a great time to share value-added suggestions for enhancing operations, which, especially in the case of a nonpublic client, may result in additional business opportunities for the firm. Even when they don’t, there can be other benefits, such as strengthening the client’s desire to continue working with your team.
The following list will assist you in developing value-added suggestions. It reflects some of the most pressing concerns that industries and organizations of all sizes continue to struggle with, as they try to reduce their IT risk down to an acceptable level. Consider each area as an opportunity to communicate important issues to clients and help them devise a plan of attack.
The need: A modern-day incident response plan
Why it matters: Until recently, many businesses constructed their plans for responding to cyberthreats assuming that being compromised was a remote possibility. Unfortunately, in today’s world, that’s no longer appropriate, as evidenced by the recent breaches of several organizations, including some that make significant investments in data protection. With cybersecurity threats and reports of attacks dominating news headlines, it’s no surprise that many businesses are suddenly eager to revisit their strategies in this area. CPAs can support clients in identifying where data reside and how they’re processed, assembling an incident response team and establishing a system for internal reporting and documentation.
The need: Updated business continuity plans
Why it matters: A client’s need or desire to update the business continuity plan can fluctuate from year to year. Typically, interest in this service spikes when there’s been a well-publicized event that negatively impacts a competitor or another business. In any case, while many businesses already have a basic plan, some are beginning to upgrade in order to ensure that they’ll be ready to address new threats and risks. Others continue to expand the testing of their plan so as to guarantee that they’ll be prepared, should an emergency arise.
Faced with a new cybersecurity landscape, many companies are also integrating incident response activities into their business continuity strategies. Considering that technology permeates the business and most aspects of the customer relationship, this makes sense. For example, the business may need to provide alternate service delivery strategies for customers who rely on its Internet applications in the event of an attack, in order to safeguard the continuity of business operations.
The need: Executive reporting and scorecards
Why it matters: With a host of game-changing tech-related developments, executives and board members are increasingly interested in assessing and monitoring how a business addresses IT risks. As a result, many organizations have significantly expanded the amount of information provided to boards and the C-suite, so that they can be more aware of evolving trends and initiate actions. Because it can be challenging for a layman to understand detailed IT concepts, some companies have even begun using pictorial scorecards that executives can use to fulfill their governance requirements. As information management specialists, practitioners are well positioned to assist in compiling and presenting such information in an easy-to-digest manner.
The need: Enhanced vendor-management oversight
Why it matters: Vendor-management programs and oversight are well-trod ground for value-added recommendations. However, with the advent of cloud computing and the continued strategic use of outsourcing, the need to appropriately manage vendors has become even more critical. Typically, oversight is driven by two priorities. The first relates to regulatory compliance: If a business is subject to regulatory and industry standards, it will likely need to protect the confidentiality of customer information in order to minimize the risk of ID theft. In these situations, when customers do share confidential information and there is an expectation of privacy protection, the business is held responsible, whether data are maintained in-house or shared with a third-party vendor. The second priority relates to performance or, more specifically, the need to ensure that contracted services are provided at the agreed-upon price.
The need: Centralized and updated policies and procedures
Why it matters: With the various business restructurings and rightsizing activities that have occurred during the past year, it’s not surprising that policies and procedures supporting business activities have become outdated in many organizations. That’s important, because while some businesses view policies and procedures as an administrative burden, many others have begun to rely on them to effectively manage their teams. For example, some have used policies and procedures to replace training programs that, for many companies, have been cut from corporate budgets. Practitioners, who have seen the types of policies and procedures that can be leveraged for multiple business needs in this challenging business environment, are uniquely positioned to assist the client with this matter.
The need: Developing a cost-effective logging and monitoring strategy
Why it matters: Being able to review business activity and maintain an audit trail for it has always been a critical control. Whether reviewing audit trails manually or through automated means, such as computer-assisted audit techniques, practitioners have leveraged these reviews to develop insight into what’s happening at a business and provide guidance to clients in order to enhance their operations. But in today’s world, where data are transferred over an increasing number of networks and movements are recorded by the various systems, servers and devices used by an organization, the complexity of activity has grown many times over. Unfortunately, that means we can no longer rely on a single, simple audit trail. Because many business executives find this confusing, they often grow lax in monitoring. Yet breach reports continue to suggest that, had an appropriate monitoring procedure been in place, the damage to the affected organization would have been greatly reduced. The profession has provided CPAs with the necessary tools to help clients meet this challenge.
Joel Lanz, CPA/CITP, CFF, CISA, CISM, CISSP, CFE, is the sole proprietor of Joel Lanz, CPA P.C., and an adjunct professor at SUNY–College at Old Westbury.