In 2020, the number and sophistication of cyberattacks increased more than ever. It was a year of massive data leaks, expensive ransomware demands and the advent of a new and highly complex threat landscape. As cyberattacks affect more businesses, security continues to be top of mind for the C-suite in all organizations; it’s also becoming more important to those with whom they do business. To make the best choices, decision-makers need information about the processes and controls that organizations have implemented to prevent such attacks and to keep information from getting into the wrong hands.
To obtain insights related to organizations’ security efforts, industry groups, regulators, governmental entities, standard-setting bodies, or other organizations (collectively referred to as sponsoring organizations) often develop third-party assessment programs (TPAs). TPAs generally establish requirements or instructions for organization management to evaluate and provide certain information to the sponsoring organization. In many cases, the TPA also requires a third-party “assessor” to evaluate the information that management provides. The sponsoring organization uses the assessor’s evaluation to determine whether to provide the organization with a certification, authorization, or another form of approval. Most TPAs focus on information related to processes and controls around security and data privacy.
Qualified CPAs can act as third-party assessors and help clients obtain certifications from sponsoring organizations. CPA firms need personnel with specific skills and competencies (mainly around IT systems, and risks and controls) to provide these services. The opportunities to provide new services in this growing market are increasing every day.
To learn the latest about TPAs and the services CPAs can provide to clients, join us at the AICPA® & CIMA®’s inaugural SOC & Third-Party Risk Management Conference, to be held virtually on May 3–4. The session “Managing Third-Party Risks: Introduction to Third-Party Assessment Programs” will discuss the characteristics of TPAs and provide guidance on how qualified CPAs may be able to provide related assessments to help their clients.