Nonprofit Resources


Important Cybersecurity Questions for Your CPA Firm

We are in the midst of tax season and if you saw the recent NBC Nightly News clip with the Traina & Associates team, there is no shortage of warnings from the IRS and others about prevalent fraud schemes, phishing attempts, and other cybersecurity issues.

The threat grows each year. And with the amount of personal information involved, the risk is significant.

How can you ensure that your CPA firm is taking all the necessary steps to protect your data? CapinCrouse takes the security of clients’ data very seriously and adheres to cybersecurity best practices, led by the cybersecurity team at Traina & Associates, a CapinCrouse company.*

If your organization uses another CPA firm, or if you use a CPA firm for your personal taxes, ask these four questions to start the cybersecurity discussion.

  1. Do you use a secure file transfer website for the transmission of any confidential or sensitive information? Information should never be exchanged through email, which is not secured or encrypted. Your CPA firm should have an alternate method for encrypted data exchange and use it with clients and other partners. It may seem inconvenient for taxpayers to have to set up login information for another system, but it is an important security step.
  2. Do you have an Information Security Officer or other individual responsible for maintaining security for all of the firm’s data and systems? This is an important role. Cybersecurity can no longer simply be left to the IT department. Many times the controls put in place by IT departments don’t operate as intended. And with new cybersecurity threats constantly cropping up, IT departments can’t just add security responsibilities onto their already demanding roles. Senior leaders/partners should understand the layers of controls required to maintain a secure environment and allocate sufficient resources toward a continually maturing environment.
  3. Do you use multifactor authentication (MFA) on your email accounts and all other critical systems? Credentials can be compromised through a variety of methods. For example, even if an email does not include confidential information (and it should not), it can be used as a starting point for perpetrating fraud. But if MFA is in place, cyber criminals won’t be able to use the credentials they hacked.
  4. How often are your cybersecurity defenses tested, and what does the testing include? Periodic testing is important to ensure that the appropriate controls are in place and operating as intended. This testing should be comprehensive and should include vulnerability testing, in which various systems are scanned to identify whether any known weaknesses exist. The results are then analyzed to determine critical gaps in security. Ideally, your CPA firm should also conduct periodic phishing testing to determine employees’ ability to identify fraudulent email.Weaknesses commonly found during testing include missing software patches, virus protection that hasn’t been updated, and web filtering and other controls that aren’t working properly.

We often say that cybersecurity is like cake — the more layers, the better. That way if one control fails, others exist to help stop an attack. Asking these questions will help you ensure that your CPA firm is taking a layered approach to protect its systems and your valuable data.


*Traina & Associates is an authorized trade name of Capin Technology LLC, a subsidiary of Capin Crouse LLP.

Lisa Traina

Lisa is a partner at Traina & Associates, a CapinCrouse company. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017.

Leave a Comment