Traditionally, CPAs have considered the chief financial officer (CFO) as the guardian of a business's organizational data. It was and remains the CFO's responsibility to maintain a system of internal controls that provides reliance for the accuracy and integrity needed to prepare and attest to the financial statements. These statements and the accompanying opinion continue to be relied on by stakeholders when making financial decisions. The increasing use of rapidly developing technology, software obsolescence, and the change in user preference from desktop to mobile computing platforms have created the need for a new type of data guardian responsible for protecting all types of information in a digital world. The chief information security officer (CISO) is the person performing this role in many organizations and has become an important consideration for CPAs, both in traditional auditing and advisory services.
The Digital Environment
In the evolving digital environment, the protection of data, financial or otherwise, is considered a critical intangible asset. Consumers expect that their information will be protected, and in some industries such protection is required by law. Internally, the explosion of data availability creates innovative decision models that have changed management and created new business models (e.g., big data and data analytics). Concerns over the confidentiality, integrity, availability, and accuracy of this information, even when not used for financial reporting, continue to receive heightened attention from governance professionals and the boardroom. In some cases, the CISO functions as a point of contact for technology risk, similar to the role of CFOs in financial statement-related services.
The accounting profession has recognized that, as technology risk increasingly affects overall enterprise business objectives and risk, new risk mitigation strategies and service offerings are needed. The AICPA recently developed a cybersecurity risk management reporting framework that assists organizations in communicating the effectiveness of their cybersecurity risk management programs ("SOC for Cybersecurity," http://bit.ly/2riA0Tj). Both the Assurance Services (ASEC) and the Information Management Technology Assurance (IMTA) Executive Committees of the AICPA have issued additional guidance to facilitate CPAs' ability, whether providing traditional assurance or new risk advisory services, to help businesses meet concerns over information protection. ASEC has issued a series of white papers forecasting the changing nature and impact of technology on the future of auditing (e.g., Paul Byrnes, Tom Criste,...