
Developing a culturally competent public health workforce

By: Luci Veilleux
02.01.22

Luci Veilleux is a consultant on BerryDunn’s State Government Public Health Consulting team. She has a background in public health policy and health equity work, and is passionate about supporting states’ work to improve public health outcomes.

Read this if you are at a public health agency.

As public health workforce challenges worsen through retirements, burnout, and the added need for public health workers highlighted by the COVID-19 pandemic, public health funding levels remain elevated for the time being. This provides opportunities for states to leverage federal programs and funding streams to help ensure a strong and capable public health workforce that meets the needs of all communities. An important consideration for states is the level of cultural competence among their public health workforce.

Cultural competence: Definition and benefits

Cultural competence refers to the capacity to function effectively, both as an individual and an organization, in relation to community members’ cultural beliefs, behaviors, and needs. It allows public health professionals to provide more effective public health services to individuals and communities with cultures different from their own—through awareness, respect, and willingness to learn about cultural differences. The necessity of cultural competence in public health is especially timely due to new and existing disparities that have been highlighted by COVID-19 outcomes and the ripple effects of the pandemic.

Benefits of a culturally competent public health workforce include greater public trust in the public health system, more equitable and effective public health services, improved understanding of existing barriers and community health status, and the potential to reduce disparities and improve both healthcare access and health outcomes in historically marginalized communities.

As many states face significant workforce gaps and challenges in recruiting, training, and retaining staff, it is important to leverage best practices and key indicators of success to inform a sustainable and effective approach to workforce development. States may benefit from assessing gaps in cultural competence and related skills, and from identifying the specific cultural competency areas and abilities they aim to achieve in the workforce. A strategic approach is necessary for maximizing the sustainability and long-term benefit of federal funding opportunities, such as those for public health workforce development in rural areas.

Strategies and best practices for developing a culturally competent public health workforce

There are many steps you can take toward building cultural competence in your agency. Some of them include:

  • Develop and implement periodic assessment of workforce cultural competence and training, to measure improvement and incorporate up-to-date best practices
  • Recruit diverse staff to reflect the culture and demographics of communities, including the provision of linguistic support
  • Create and improve pipeline training programs by collaborating with local colleges, universities, and schools of public health, and by identifying existing gaps in the workforce and in public health educational opportunities
  • Support inter-professional education and teams for community-based interventions, to foster collaboration between public health and healthcare professionals in the community and better meet community needs

Important first steps to improve and foster cultural competence in the public health workforce include setting goals for building community partnerships and defining what those partnerships will achieve.

Other steps for building cultural competence

Additionally, collecting diversity data and demographic characteristics of the public health workforce, measuring and evaluating the performance of the public health workforce and public health services, and reflecting community diversity within the workforce are necessary for developing a workforce that supports community cohesion and earns the trust of community members. These steps can help you assess where services can be strengthened and how communities can be better reflected in the public health services they receive. Effective communication and language access are also critical steps to improve and foster cultural competence in the public health workforce.

BerryDunn can provide state public health and human services agencies with strategic policy and programmatic guidance and management support to maximize the benefits of federal programs that facilitate public health workforce development.

If you have any questions about your specific situation, or would like more information, please contact our Public Health Consulting team. We’re here to help.


Digital assets, such as cryptocurrencies and non-fungible tokens (NFTs), are changing how consumers and businesses pay, bank, and invest. A recent survey by Capitalize found that 60% of respondents would like a cryptocurrency investment option in their 401(k) plans. Several service providers, including Fidelity, have responded to that request by offering 401(k) participants direct but limited cryptocurrency investment options. Meanwhile, earlier this year, the Department of Labor (DOL) issued a stern warning about cryptocurrencies in 401(k) accounts. Here are some ways the federal government is assessing the benefits and risks cryptocurrencies pose to consumers, investors, and businesses.

White House calls for research on digital assets

In March 2022, the Biden administration issued an executive order calling for the federal government to report its findings on the risks and benefits of cryptocurrencies and other digital assets. For six months, various agencies conducted research and offered recommendations for responsibly developing the US digital asset industry. The result of this work was a fact sheet that was released in September. It outlines six main concepts for the development of responsible digital assets nationally and globally: consumer and investor protection; promoting financial stability; countering illicit finance; US leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation.

Protecting consumers, investors, and businesses

The US government believes that without a solid framework of rules and regulations for digital assets, innovations in this sector could be harmful to consumers, investors, and businesses alike. In response to the White House calling for research on digital assets, several federal agencies issued reports addressing the potential benefits and challenges in protecting Americans from some of the potential risks posed by digital assets.

The Treasury Department’s report noted that about 12% of Americans own some form of digital asset. While the number of people holding these assets has grown, the volume of fraud and other scams has also increased. The Federal Trade Commission (FTC) reported that more than 46,000 incidents of cryptocurrency-related fraud occurred between January 1, 2021, and March 31, 2022, valued at more than $1 billion.

The Treasury Department’s report made four main recommendations:

  • Expand regulatory oversight
    Regulators including the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) should expand and increase investigations and enforcement related to digital assets, especially regarding potential misrepresentations made to consumers. Agencies should also increase inter-agency coordination of enforcement efforts, as such coordinated efforts have been effective in shutting down fraudulent actions.
  • Increase focus on scams in online activities like gaming and entertainment
    The Consumer Financial Protection Bureau (CFPB) and FTC should expand investigations into consumer complaints. The Department of Labor should also ensure that 401(k) plans and participants are protected from aggressive marketing, conflicts of interest, and bad-faith cryptocurrency investments.
  • Encourage cross-collaboration between agencies
    While several regulatory agencies have issued guidance to deal with increasing cryptocurrency issues, the Treasury Department would like to see more cross-collaboration among agencies to create more comprehensive oversight. Building a more connected, cross-agency response is critical to promote safety and reduce consumer, investor, and business confusion, as well as the potential for fraud.
  • Educate consumers on digital assets
    Through its website MyMoney.gov, the Financial Literacy and Education Commission (FLEC) has taken the lead on educating consumers, investors, and businesses on financial issues. Now the FLEC will educate the public on common digital asset risks and scams and ways to report abuse. FLEC member agencies will also review the lack of information available to more vulnerable groups to help better understand the risks and opportunities they face. Lastly, the FLEC will engage with industry experts and academics to promote and coordinate public/private partnerships for financial education outreach.

Take a long-term approach to digital assets

Financial advisors often encourage investors to focus on the long term and avoid trying to time the market with their 401(k) investments. Similarly, plan sponsors may want to take a long-term perspective regarding their own approach to digital assets. Given today’s massive surge in the variety and scope of digital assets, plan sponsors should seek to understand their role in the financial landscape before rushing to implement changes.

Article
Digital assets: Potential benefits and risks for employee benefit plans

Read this if your company is a benefit plan sponsor.

While plan sponsors have been able to amend their 401(k) plans to include a post-tax deferral contribution called Roth for more than a decade, only 86% of plan sponsors have made it available to participants, according to the Plan Sponsor Council of America. Meanwhile, despite the potential benefits of such plans, just a quarter of participants who have access to the Roth 401(k) option use it. Plan sponsors may want to consider adding a Roth 401(k) option to their lineup because of the potential tax benefits and other advantages for plan participants.

A well-designed Roth 401(k) may be an attractive option for many plan participants, and it is important for plan sponsors considering such a feature to design the plan with the needs of their workforce in mind. It is also critical to clearly communicate the differences from the pre-tax option, specific timing rules required, and the tax-free growth it offers. Additionally, plan sponsors should be mindful of potential administrative costs and other compliance requirements in connection with allowing the Roth option.

Roth 401(k)s: The basics

A Roth is a separate contribution source within a 401(k) or 403(b) plan that differs from traditional retirement accounts because it allows participants to contribute post-tax dollars. Since participants pay taxes on these contributions before they are invested in the account, plan participants may make qualified withdrawals of Roth monies on a tax-free basis, and their accounts grow tax-free as well.

Participants of any income level may participate in a Roth 401(k) and may contribute a maximum of $20,500 in 2022—the same limit as a pre-tax 401(k). Contributions and earnings in a Roth 401(k) may be withdrawn without paying taxes and penalties if participants are at least 59½ and it’s been at least five years since the first Roth contribution was made to the plan. Participants may make catch-up contributions after age 50, and they may split their contributions between Roth and pre-tax. Similar to pre-tax 401(k) accounts, Roth 401(k) assets are considered when determining minimum distributions required at age 72, or 70½ if they reached that age by Jan. 1, 2020.

Only employee elective deferrals may be contributed post-tax into Roth 401(k) accounts. Employer contributions made by the plan sponsor, such as matching and profit sharing, are always pre-tax contributions. If the plan allows, participants may convert pre-tax 401(k) assets into a Roth account, but it is critical to remember that doing so triggers taxable income and participants must be prepared to pay any required tax. In addition, plan sponsors must be careful to offer Roth 401(k)s equally to all participants rather than just a select group of employees.

Qualified distributions from a designated Roth account are excluded from gross income. A qualified distribution is one that occurs at least five years after the year of the employee’s first designated Roth contribution (counting the first year as part of the five) and is made on or after age 59½, on account of the employee’s disability, or on or after the employee’s death. Non-qualified distributions will be subject to tax on the earnings portion only, and the 10% penalty on early withdrawals may apply to the part of the distribution that is included in gross income. Participants may take out loans if permitted in the plan document.

First steps for plan sponsors

A common misconception among plan sponsors is that a Roth offering requires a completely different investment vehicle. The feature is simply an added contribution option; therefore, no separate product is needed.

When considering the addition of a Roth 401(k) option, it is important for plan sponsors to check with service providers to determine whether payroll may be set up properly to add a separate deduction for the participant. Plan sponsors may also need to consider guidelines for conversions, withdrawals, loans, and other features associated with the Roth contribution source to ensure the plan document is prepared and followed accurately.

Education is an important component of any new plan feature or offering. Plan sponsors should check with service providers to see how they may help to explain the feature and optimize its rollout for the plan. One-on-one meetings with participants may be very helpful in educating them about a Roth account.

A word about conversions

If permitted by the plan document, participants may convert pre-tax 401(k) plan assets (deferrals and employer contributions) to the Roth source within their plan account. The plan document may allow for entire account conversions or just a stated portion. When assets are converted, participants must pay income taxes on the converted amount, and the additional 10% early withdrawal tax won’t apply to the rollover. Plan sponsors should educate participants on the benefits of converting to the Roth inside the company 401(k).

Collaborate with the right service providers to educate your participants

The right service providers may review your current plan design, set up accounts properly, actively engage and educate your participants, and offer financial planning based on individual circumstances to show how design features like a Roth account may benefit their situation. If you would like to start the conversation about adding a Roth option or enhancing your participant education program, contact our employee benefits team. We are here to help.

Article
Plan sponsor alert: Roth 401(k) remains underutilized despite potential benefits

Read this if you are a Maine business or pay taxes in Maine.

Maine Revenue Services has created the new Maine Tax Portal, which makes paying, filing, and managing your state taxes faster, more efficient, convenient, and accessible. The portal replaces a number of outdated services and can be used for a number of tax filings, including:

  • Corporate income tax
  • Estate tax
  • Healthcare provider tax
  • Insurance premium tax
  • Withholding
  • Sales and use tax
  • Service provider tax
  • Pass-through entity withholding
  • BETR

The Maine Tax Portal is being rolled out in four phases, with two of the four phases already completed. Most tax filings for both businesses and individuals are now available. A complete listing can be found on maine.gov. Instructional videos and FAQs can also be found on this site.

In an effort to educate businesses and individuals on the use of the new portal, Maine Revenue Services has been hosting various training sessions. The upcoming schedule can be found on maine.gov.

Article
New Maine Tax Portal: What you need to know

On November 8, 2022, Massachusetts voters approved a constitutional amendment to alter the state’s flat 5% income tax to add a 4% surtax on annual income exceeding $1 million. The so-called “millionaires tax,” also referred to as the “Fair Share Amendment,” is effective for tax years beginning on or after Jan. 1, 2023. The annual income level subject to the surtax would be adjusted yearly to reflect increases in the cost of living.

This measure is expected to bring in revenue of between $1.2 and $2 billion annually. The proceeds from the increased tax collections will support state budgets in the areas of education, roads, bridges, and public transportation. The measure passed with 52% voter support and is the sixth attempt to change the state’s flat income tax rate since 1962. This amendment is expected to affect about 0.6% of the state’s population, or about 20,000 taxpayers.

If you expect your income to exceed $1 million in 2023 and have questions regarding the recent legislation, please contact a member of our state and local tax team.

Article
Massachusetts voters pass "Millionaires tax"

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources to prepare for and respond to cyber risks. Such knowledge helps boards assess the priority-driven investment decisions put forth by management in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when reviewing their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model, as it may present a conflict of interest. Many organizations align this function under the risk, compliance, audit, or legal functions, while others have it report directly, or through a “dotted line,” to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that prompts a response and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing those policies and procedures, and the board of directors’ cybersecurity expertise and oversight of cybersecurity risk being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help.

Article
Board oversight of cybersecurity: Questions to ask

Thanks to a little-known law, eligible Massachusetts taxpayers will receive a tax credit in the form of a refund this fall—just in time for holiday shopping. Chapter 62F of the Massachusetts General Laws, a voter-passed initiative from 1986, states that if state tax revenue collections exceed a cap tied to wage and salary growth, the surplus must be returned to the taxpayers. This tax credit was only triggered once before, 35 years ago.

According to the Mass.gov website, in Fiscal Year 2022, state tax revenues exceeded the cap by $2.941 billion—the sum of which will be returned to taxpayers by check or direct deposit in the coming months.

Governor Baker stated that a preliminary estimate of the refunds will be approximately 13% of the taxpayer’s personal income tax liability in 2021, though the state will update that estimate in late October, once all 2021 tax returns have been filed.

More details on the tax refund:

  • Taxpayers, both resident and non-resident, who have filed a 2021 state tax return on or before September 15, 2023, are eligible for the refund.
  • Issuance of refunds is expected to begin in November 2022.
  • Individual refunds may be reduced by refund intercepts, such as unpaid child support or unpaid tax liability.
  • Massachusetts taxpayers can use this online refund estimator to calculate their estimated refund using information from their 2021 tax returns.

If you have questions, please contact a member of our state and local tax team.

Article
Chapter 62F law to give Massachusetts taxpayers a bonus refund

Read this if you use QuickBooks Online.

Let's talk about where records for products and services are used in QuickBooks Online.

To create a product or service record, hover your mouse over Sales in the left vertical pane on the main page and click Products and services. Click New in the upper right corner to open a blank record for an Inventory or Non-inventory part, a Service, or a Bundle (assembly). Once you complete a record and save it, it will appear in the list back on the Products and services page.

Working with products and services

That’s where we’ll start today, on the Products and services screen. This is a comprehensive table, a dashboard (or home page) for your products and services. It displays real-time information about your items’ pricing and inventory levels, as well as their type and tax status. At the top of the page, you’ll see big, colorful buttons that provide a total of the number of items that are low on stock or out of stock. When you click on one, a list of those products appears.

QuickBooks Online’s Products and services page displays inventory levels and warns you when your stock is low and at zero.

Each row on this screen contains details about the item listed there, like Description, Sales Price and Cost, and Qty On Hand. If you look down at the end of the row, you’ll see options for several types of Actions: Edit, Make inactive, Run report, and Duplicate. Click the gear icon above the table to modify the columns in the table.

The More menu at the top of the screen contains more options: Manage categories, Run reports, and Price rules. If you want to know what actions you can take on multiple items simultaneously, check the box in front of each and click the Batch actions menu, over to the right (Adjust quantity, Reorder, etc.).

Warning: Be very careful using the Adjust quantity option. There are legitimate reasons for employing it, but you need to make very sure that you understand how this will affect other areas of your accounting. Please ask us if you’re unsure.

Using products and services in transactions

Once you start using product and service records in transactions, you’ll see why we suggested that you create those early on and make them as comprehensive as possible. While you can add products and services in the process of creating an invoice, for example, it’s much easier if you have them ready to go.

Let’s look at a sales receipt to see how this works. Click +New in the upper right corner and select Sales receipt. Select a Customer in the first field and verify that the related fields on the form were filled out correctly. Check and make any changes necessary in the Sales receipt date, Payment method, and Deposit to fields.

Once you’ve built up a list of products and services, they’ll be available when you create transactions.

Enter the Service Date, and then click the down arrow in the field under Product/Service. The top of the list has an entry labeled +Add new. Click it if you need to add a product or service on the fly, or just select the existing one that you want. QuickBooks Online will fill in the Rate, Amount, and Tax (status). You only have to enter the Qty (quantity) that you’re selling.

If you have more items or services to add, you can do so on the next line(s). When you’re done, check the numbers in the lower right and save the transaction. QuickBooks Online will adjust your inventory to account for any items you just sold. You can see this change by going back to the Products and services screen. Or you can run reports, including:

  • Sales by Product/Service
  • Product/Service List
  • Inventory Valuation Detail
  • Physical Inventory Worksheet

Supply chain woes?

It seems that the serious supply chain problems we were experiencing in previous months have eased up some, but you may still be having trouble stocking some items. We hope this isn’t affecting you too much. 

QuickBooks Online, though, can help ensure that you know ahead of time when you must reorder. Its inventory-tracking capabilities can also alert you to items that aren’t selling well, so you don’t get overstocked on anything. And the ability to pull up product and service records when you’re creating transactions saves time and keeps your inventory levels accurate. Please let the Outsourced Accounting team know if you need assistance with this element of your accounting or any of QuickBooks Online’s other tools.

Article
How QuickBooks Online tracks products and services

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

A SOC for cybersecurity report provides an independent assessment of an organization’s cybersecurity risk management program. Specifically, it evaluates how effectively the organization’s internal controls monitor, prevent, and address cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

  1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
  2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
  3. Service auditor’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

  • Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving; in particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate that you’re aligned with these guidelines. If you’re a public company, or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today but the stricter guidelines that will follow.
  • Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
  • Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even companies that don’t require such a report want to know that their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
  • Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

  1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
  2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person who is responsible for ensuring the independent service auditor has all the documentation needed to complete the assessment, and who acts as liaison between internal and external stakeholders.
  3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person, so it’s easy for them to pull the appropriate materials for the independent service auditor.
  4. Conduct a readiness assessment. You can work with an independent service auditor to conduct such an assessment, which will identify gaps you can address before the attestation engagement.
  5. Select an independent service auditor to perform the attestation. SOC for cybersecurity services are provided by independent CPAs approved by the AICPA. Ideally, you’ll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Article
Yes, you need a SOC for cybersecurity report—here's why