Trustmi Talks

The New CPA Exam Part 1: What It Means for Security and Finance

The Trustketeer

This two-part series examines the broader implications of the changes to the CPA (certified public accountant) exam going into effect in the new year. Part 1 examines how these changes will transform and strengthen the relationship between finance and security teams.

Starting January 1st, 2024, several changes will go into effect for the Uniform CPA (certified public accountant) exam that will improve the working relationship of the finance and security teams at enterprise organizations. Known as the CPA Evolution initiative, the changes to the exam are transforming the CPA licensure model to ensure that newly licensed CPAs can demonstrate an increased understanding of and a broader skill set related to technology.  The CPA Evolution initiative is a collaborative effort between the National Association of State Boards of Accountancy (NASBA) and the American Institute of Certified Public Accountants (AICPA), and the changes to the exam reflect the evolving role of today’s CPA, and the skills and competencies required in the role including knowledge of emerging technologies.

The Exam: What’s Changing

Up until now, proficiency in technology and information security has not been a key focus of the CPA exam. But the role of the CPA has evolved over time and demands that candidates have a more technical skill set than ever before. With the proliferation of digital systems, finance professionals must be able to fluently use tech tools and information systems, and have an understanding of data collection, storage and management, security, privacy, and more.  

The increased emphasis on the role of technology across the core competencies of the exam, which include Accounting, Audit and Tax, will make certain that CPA candidates have exposure to and knowledge of essential tech skills.  Beyond the three core areas, the exam will also include a “discipline” section for candidates to demonstrate more in-depth knowledge of one of three disciplines, including one focused on Information Security and Controls. This greater emphasis on technology and information security on the exam is a productive and notable change that will have broad implications for businesses in every vertical.  It means that CPA candidates will come into the workforce with a broader understanding of how finance can work with IT and security, which will provide many benefits to the organization.

Bringing Finance and Security Together

In many organizations there is a disconnect between security teams and finance teams. And yet, ensuring that finance teams have all their systems and workflows secured should be of paramount importance to every business, particularly since money is directly at risk. There are many processes and systems that finance leaders, treasurers, and accounting professionals oversee that might not have the level of protection necessary to fend off cyberattacks. Because finance systems and processes are administered by finance teams, as opposed to the security team, there are often security gaps in those systems. For example, adjustments to permissions for the ERP system, or access to sensitive financial data, might be controlled internally by finance and not security. This means that if there is an ERP attack, the security team will only find out and get involved after the fact, rather than having had the chance to prevent the problem proactively.

With improved training and focus on cybersecurity on the CPA exam, future finance professionals will better understand how to evaluate, use, and manage technologies that can help protect them from cyberattacks. And this will help them to better secure all their processes and tasks, from business payments and vendor management to financial reporting, compliance and everything in between. Also, this increased focus on cybersecurity will be important in bringing Finance and Security teams closer together so that they work as business partners and not as distant peers that only communicate after a cyberattack or incident occurs.

Helping Security Better Manage Risk

Having finance people better informed about cybersecurity will help CISOs and IT leaders be more effective at managing the company's overall security risk. Here is an example: there are many vendors and sensitive systems managed by the Finance team that the CISO or security team might have evaluated and run a security assessment on when the systems were first implemented. However, over time, these external parties may be granted greater access to financial information, and the security team might be completely unaware of those changes in permissions. Furthermore, any security assessment that was run when the vendor was first brought on board years earlier would no longer be valid once their permissions have changed, which creates a significant security risk the security team would never know about. This is a big blind spot for CISOs. If finance professionals are more knowledgeable about cybersecurity, they will know to loop in the security team sooner to mitigate any looming risk. This will help the CISO and security team avoid being blindsided later if an attack takes place and, as a result, reduce the amount of unforeseen risk the CISO has to manage.

Improving Security Discipline

Having finance people better informed of cybersecurity will help CISOs to implement better corporate security strategies and frameworks. As CISOs look to implement zero trust frameworks at their organizations, there are many systems that fall outside of their purview that cannot support zero trust. Many finance teams at large organizations use legacy financial systems that fall into this category. To architect and roll out an effective zero trust approach, these legacy systems need to be replaced and the finance tech stack requires reorganization with appropriate controls in place. Finance people with greater technical expertise and knowledge of cybersecurity will be key in evaluating new technology that can fit into a CISO’s security framework and plan. This increased competency will also ensure that finance teams only work with third-party vendors that can adopt zero trust principles and meet the organization’s standards for security. As a result, the CISO can implement a robust zero trust framework across the organization more easily and, more importantly, plug the gaps caused by legacy systems and third-party vendors, which we know are highly susceptible to attacks and breaches.  

Change Is Good

Many CPA candidates may fear these changes to the exam, but the changes will actually make their lives easier in the end. With a stronger foundation rooted in technology, finance professionals will know how to better evaluate, select and implement agile tools that will help them be more productive and efficient. They will also consider decommissioning the legacy systems that have been creating more manual work and headaches. They will evolve their operations by leveraging automation and AI that will allow them to cut costs and better protect their bottom line. Most importantly, they will be able to smoothly align with security teams to ensure maximum protection for their data and confidential information and to avoid fraud and errors. Ultimately, having a better understanding of how technology plays into their function will create stronger finance leaders.

Building and strengthening a relationship with the security team will produce huge benefits for both teams in the long run. Historically, the finance and security teams have been siloed and not typically in sync. By having a stronger grounding in cybersecurity, finance professionals will be able to partner with security professionals to help them better protect the business as a whole.