3 Key Components for Effective Security Audits for LA CPAs

Author: Craig Pollack
Date: Dec 11, 2017
Topics: CPA and Accountant Blogs, Managed Security

Accountants, listen up: In a time when identity theft, DDoS attacks and digital hacks are rapidly increasing, it is important for every certified public accountant (CPA) to know the health of their computer systems and security policies. Any professional who handles sensitive company and client information needs to be knowledgeable about security audit practices, expectations and requirements and must be able to demonstrate that knowledge. So ask yourself: Are you up-to-date on your knowledge in these areas? If not, definitely keep reading. And if yes, still keep reading because we may cover something you don’t already know.

As a Los Angeles-based CPA, you are responsible for and are entrusted with handling confidential information and keeping that information safe. Security audits, which are required for all accountancy firms, are assessments of servers and other related systems that are designed to ensure information is appropriately secured. They also serve to provide your firm with feedback on areas that are identified as weaknesses, which could lead to disastrous events such as security breaches or data leaks.

So if this is your first time working with a security audit, or you’re looking for ways to prepare for your next audit, I’m here to help! I have put together a list of three key components your audit must include.

1. Conduct a Security Vulnerability Scan

Your systems contain an invaluable amount of sensitive data that must be kept secure. By conducting a vulnerability scan of your computer systems and other related assets, your auditor will be able to determine any strengths and weaknesses before they become a significant issue.

Making sure a security vulnerability scan is done correctly is imperative to the effectiveness of your security audit. This includes ensuring that the critical assets in your inventory are online and present for the scan. The information gained from the scan can be used to help implement improvements to the computer systems, servers and networks to help prevent holes in security that could later result in breaches.

2. Review and Document All Security Policies

Before your security audit, it is important to review and make any updates or changes to your security policy documents and guidelines. Think of your policy as a living document that regularly needs to be updated in order to serve its true potential and be most effective. A document that is pulled out and reviewed only when an audit is going to happen, essentially, is a useless or ineffective document.

Throughout the audit process, the auditor will review all information for evidence that you understand security protocols and know how to protect your data, assets and overall business. As such, it is vital for you to demonstrate that your data and computer systems are protected and remain secure — and your documented policies should support that notion. After all, an effective security policy will verify your compliance with legislative requirements, and any information that is missing from the document will help the auditor to quickly identify any deficits or weaknesses in your operation’s procedures. Now is a good time to assess your practices and revise any necessary paperwork.  

3. Develop or Review a Business Continuity Plan

What kind of disaster recovery plan does your business have? And where will it take your business in the future? Outlining business continuity plans for the future or to aid in disaster recovery efforts is important for every business. Audits will include this type of plan as part of the assessment process to ensure that your plans align with your security practices and approach. An auditor will want to know the adaptability of your security policies and what sort of coping mechanisms are in place in case the unthinkable occurs. Be sure to include everything — software, hardware, data storage assets and other related systems — that plays a role in your business’s daily operations. Business continuity and disaster recovery planning should be embraced and not treated like an unloved “ugly duckling.”

I encourage you to never view a security audit in a negative light. It is a process that is highly beneficial to your company and is there to ensure your business is prepared for disaster! By outlining any improvements that can be made, it helps you to ensure that your accountancy business remains on track and you will best be able to serve your clients and protect their confidential data.

Outsource Your Managed Security Services

Managed security services from a professional IT company are designed to help your company detect and prevent security intrusions and hacks, as well as to recover quickly from any such event. Employing these services from FPA can help you create a strong security footprint that results in enhanced security, better asset protection, and reduced risk and impact of negative security-related events. It is this kind of service that helps you avoid a “really, really” situation with your firm and deal with issues before they become a problem down the road.

Are you an LA-based CPA considering your first security assessment? Or have you successfully bridged the gap and already have implemented one in the past? If you have tips for others, please share them in the Comments section below.



Craig Pollack


Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.