GRC Uncensored
The Unfiltered Truth About CPAs and Audits

S01 EP 11: Troy, Kendra, and Elliot attempt to unpack why CPAs, with backgrounds in finance, are skilled enough to audit cybersecurity programs.

In Episode 11 of GRC Uncensored, hosts Troy Fine, Kendra Cooley, and producer Elliot Volkman ditch the script and go full behind-the-scenes. What starts as a loose, unscripted conversation quickly turns into a direct discussion about the current state of auditing, the stigma surrounding CPAs in cybersecurity, and how GRC professionals can build trust where others fall short.

Catch this episode on Apple, Spotify, Amazon, or YouTube.

Key Takeaways

  • Not all CPAs are created equal: The problem isn’t the designation; it’s the disconnect between auditors and the technical environments they’re evaluating.

  • Audits should be a tool, not a threat: A good audit can reveal critical gaps and help security teams scale, if you let it.

  • GRC needs better storytelling: Translating technical risk into business impact is a superpower—and one not enough teams have mastered.

  • New voices are changing the game: With Troy launching his own firm, it’s clear there’s a new generation of auditors ready to break the mold.

When CPAs Become the Punchline

Troy opens up about the backlash CPAs often face in cybersecurity circles, especially around SOC 2 audits. While the community tends to paint CPAs as out-of-touch clipboard-wielders, Troy offers a more nuanced take: yes, many auditors lack deep technical understanding, but that's not always a CPA issue; it’s often a hiring issue. If anything, he argues, CPAs are trained to identify and assess risk, which is an important piece of the security puzzle.

Kendra agrees, but adds that technical knowledge still matters. She's been through enough audits to know when an auditor is just checking boxes versus actually understanding what's under the hood. Her preference? Auditors who can ask the right questions and even challenge her thinking, because it helps her advocate for more budget and resources internally.

GRC as a Gateway

The trio also discusses GRC as an entry point for cybersecurity professionals, particularly those without a highly technical background. While Elliot points out that many people stay in GRC once they start there, the team agrees that the work requires more than just business savvy; it demands understanding and articulating risk, often translating between engineering teams and executives.

The Personal Reveal: A New Era for Troy

In a surprise moment, Troy shares that he’s launching his own CPA firm: Fine Assurance. His mission? To rebuild trust in the audit process, one engagement at a time. Troy hopes to raise the standard—and the perception—of SOC 2 audits and the CPAs behind them.
