If Our CPA Firm Does Compliance & Cyber, Do We Still Need Penetration Testing?

Read time: minutes
Table of Contents
    Add a header to begin generating the table of contents

    Your CPA firm hands you a thick cyber GRC report. Policies updated. Risks scored. Controls “in place.” The board meeting goes smoothly. Then one night, your EMR, file share, or case management system is locked by ransomware, and everyone turns to you with the same question: “We did all that compliance stuff. How did this still happen.”

    That is the gap this article closes. Accounting style cyber GRC shows what should work. Penetration testing, vulnerability scanning, and incident response prove what actually holds when attackers do not care about your paperwork.

    Key Points (at a Glance)

    • Cyber GRC was born in accounting and audit. It excels at policies, risk registers, and SOC style reporting for boards and regulators.
    • Penetration testing and vulnerability scanning come from offensive security. They simulate real attacks and uncover misconfigurations, weak segmentation, and hidden paths that audits routinely miss.
    • Regulators and cyber insurers now expect both: documentation that controls exist and evidence that those controls withstand active testing. A SOC report or HIPAA risk assessment on its own is no longer enough.
    • Most CPA led cyber practices stop at GRC and scanning. Big Sky Cybersecurity combines full cyber GRC, manual penetration testing, continuous vulnerability scanning, and incident response under one Montana based crisis team.​

    The Story Behind Cyber GRC: Built by Accountants, Not Attackers

    Cyber GRC exists because boards, regulators, and auditors need a way to see cybersecurity in their own language. Governance. Risk. Compliance. That language came from accounting and audit long before it came from security engineers. In practice, GRC focuses on:

    • Governance. Who is responsible, which committees exist, what gets reported, and how decisions are made.
    • Risk management. Risk registers, scoring models, and treatment plans that show how you intend to handle threats.
    • Compliance. Mapping your environment to HIPAA, SOC 2, ISO, or other frameworks and documenting the controls that satisfy each requirement.

    The work product looks familiar to CFOs, controllers, and partners:

    • Policies and standards.
    • Risk registers and issues logs.
    • Control matrices and test plans.
    • SOC reports and HIPAA risk assessments.

    This is valuable. It gives you a coherent story for auditors and boards. But in a real attack, your adversary does not ask to see your policies. They ask your firewall, your VPN, and your identity systems whether you left a door open.

    How Origins Shape Outcomes: GRC vs Offensive Security

    Where a capability comes from shapes what it is good at. Accounting rooted GRC and offensive security solve different problems. Understanding the difference keeps you from over trusting any single report.

    What accounting style cyber GRC does best

    • Documentation that stands up to audits. Clean policies, clearly defined controls, and traceable evidence.
    • Regulatory alignment. Strong mapping to HIPAA, SOC 2, and other frameworks, with language that matches regulatory expectations.
    • Board and committee reporting. Dashboards, risk heat maps, and written opinions that fit easily into governance packs.
    • Financial framing. Translating technical risk into business and financial impact.​

    What offensive testing brings that GRC cannot

    • Live exploit paths. Demonstrated ways an attacker can move from the internet into your internal systems and data.
    • Lateral movement simulation. Evidence of how far an attacker can travel inside your network once they land.
    • Misconfigurations and gaps. Findings where controls exist on paper but are misconfigured or inconsistently enforced.
    • Real world scenarios. Tests modeled on how healthcare, legal, and professional organizations are actually being breached today.

    Neither discipline is “better.” If you report to a board, you need GRC. If you want to sleep through the night, you need your defenses tested by people who think like attackers.

    Why GRC Alone Is No Longer Enough

    A few years ago, you could show auditors and insurers a risk assessment, some policies, and maybe a vulnerability scan and call it good. Those days are over. Today:

    • SOC 2 guidance and leading assessors increasingly call for penetration testing and regular vulnerability scanning as part of a credible control set.
    • HIPAA security resources and industry experts recommend technical security testing to validate that documented safeguards actually work.
    • Cyber insurers are tightening underwriting, often asking not just “do you have policies” but “have you tested your controls in the last 12 months.”

    GRC answers the question “What should happen.”

    Penetration testing and vulnerability scanning answer “What actually happens when someone who knows what they are doing attacks us.” Incident response answers “What do we do when they succeed anyway.”

    If you are holding PHI, legal files, or critical business data in Montana, regulators and carriers now implicitly expect all three.

    Decision Guidance: Where Are You Today?

    1. No real policies or risk framework yet

    If your environment is still mostly tribal knowledge, start with baseline GRC. You need:

    • Core security policies.
    • A documented risk register.
    • A basic control framework mapped to your primary regulations.

    Once that is in place, schedule initial vulnerability scanning and scoped penetration testing so you do not mistake neat documentation for actual protection.

    2. Binders of GRC, no offensive testing history

    This is where many Montana healthcare and professional firms live. You have:

    • HIPAA risk assessments or SOC 2 workpapers.
    • Policies updated annually.
    • Maybe some scanner reports from your MSP.

    You have never hired anyone to manually attack your systems in a controlled way. In this case, your next investment should be manual penetration testing plus structured vulnerability scanning, not another GRC refresh.

    You already know what should happen. You need to know where it breaks.

    3. Aiming for a crisis ready, mature posture

    The ideal end state for a Montana clinic, law firm, or business looks like this:

    • Integrated cyber GRC. Policies, controls, and risk registers maintained and aligned to HIPAA, SOC 2, or similar.
    • Regular manual penetration testing and automated vulnerability scanning. Offensive validation tied back to your control framework.
    • Incident response planning and retainer. A tested plan and a Montana based crisis response team that already knows your environment when prevention fails.​

    That is the combination that protects revenue, reputation, and careers when something goes wrong at the worst possible time.​

    Why Big Sky Cybersecurity Is Different From CPA Led Cyber GRC

    Most CPA firms that “do cyber” come at it from one direction. They start with GRC and sprinkle in scanning. Offensive testing and real incident response are bolt ons, if they exist at all. Big Sky Cybersecurity came up the opposite way.

    We started as Montana’s healthcare and professional services cybersecurity crisis response specialists. Our first job was handling live incidents, performing digital forensics, and running real penetration testing in environments where downtime meant canceled appointments and missed court deadlines.​​

    Then we built GRC on top of that field experience, so your policies and risk registers reflect what actually happens under pressure.

    Working with Big Sky, you get one integrated team that:

    • Delivers full cyber GRC. HIPAA, SOC 2, and related frameworks, with policies, risk registers, and control documentation written in language your auditors and regulators respect.
    • Runs manual penetration testing and structured vulnerability scanning that target your actual critical systems and vendor paths, not just generic infrastructure.
    • Maintains a Montana based incident response capability, so the people who designed and tested your controls are the same people you call at 2 AM when prevention fails.​

    Most CPA led practices cannot follow an attacker step by step from an exposed service to domain compromise. Most pure hacking shops cannot sit in front of your board and explain HIPAA, SOC 2, and risk appetite. Big Sky does both, as one crisis focused program.​

    FAQ: GRC, SOC Reports, and Penetration Testing

    Is our GRC or SOC report enough to satisfy HIPAA or regulators, or do they expect penetration testing too?

    A SOC 2 report or HIPAA risk assessment shows that you have a control framework and that it has been evaluated against defined criteria. It is an important part of the story, but it is not the whole story.

    Current industry practice and guidance from assessors and insurers increasingly treat penetration testing and regular vulnerability scanning as expected evidence that security controls are effective, not just documented.

    HIPAA security guidance stresses the need for ongoing technical evaluations. SOC 2 guidance and leading firms recommend penetration testing as a way to validate controls like access control, change management, and network security.

    What can a pentest find that an audit cannot?

    Audits and GRC reviews check whether controls exist, are documented, and in many cases are designed appropriately. Penetration tests check whether an attacker can still get around them.

    Typical gaps penetration tests uncover include:

    • Firewalls that audits marked “present” but that allow unnecessary inbound access because of misconfigurations.
    • Flat networks where policies and diagrams described separation between clinical, administrative, and guest networks.
    • Vendor remote access paths and forgotten services that never made it into the risk register.

    An audit tells you whether the rules exist. A penetration test tells you whether anyone can still cheat and win.

    Can my accounting style cyber provider do a “good enough” penetration test?

    Some can. Many cannot. Some accounting firms have invested in certified offensive security professionals and built legitimate testing practices. Others sell vulnerability scanning under a “penetration testing” label. Ask them directly:

    • Do you follow recognized penetration testing methodologies like PTES or OWASP, and can you walk us through your process.
    • What certifications and real world experience do the people actually performing the tests have.
    • Can you show redacted examples of manual exploitation and lateral movement, not just scanner output.

    If they cannot answer clearly, you are probably buying compliance oriented scanning, not battle tested offensive validation.

    How do I avoid paying twice for the same thing under different labels?

    The key is to separate governance deliverables from offensive testing deliverables. From each vendor, ask: “What exactly will you hand us, and what objective does it serve.” You should see:

    • From GRC work: policies, risk registers, control matrices, and evidence mapped to HIPAA, SOC 2, or your primary standard.
    • From penetration testing and vulnerability management: validated attack paths, exploit proofs, prioritized remediation guidance, and retesting results.

    If two vendors are both giving you little more than scanner exports with severity ratings, you are paying twice for similar technical assessments and still missing integrated governance and real attacker simulation.

    The Crisis Moment: Where Big Sky Stands Next to Your CPA

    On an ordinary day, your cyber GRC binder is a governance tool. On the worst day of your year, it is a reference document. What you really need then is a crisis team that already knows your environment, your controls, and your people.​ That is the role Big Sky Cybersecurity plays in Montana.

    Your CPA firm can and should continue to lead on financial statements and may even support parts of your SOC or HIPAA documentation. We stand beside them as your cybersecurity specialists. We design and maintain cyber GRC, run penetration testing and vulnerability scanning, and respond when an attacker turns your plans into a live fire exercise.​

    If you want to see where you stand today, the next step is straightforward. Share your existing GRC and SOC work with Big Sky, and we will show you where offensive testing and incident response should plug in so you are not relying on accounting style reports when prevention fails.​

    Related Articles

    thoughtful man sitting at his desk in front of a laptop in his home office

    Why Your IT Provider’s Anti-Virus Only Approach Is a Risk

    hospital

    Cloud EHR vs On-Prem EHR: Security and Compliance Considerations

    Young IT engineer working at server room is Multi Display, Data Protection Security Privacy Concept.

    IT Support Under HIPAA: What Your MSP Must (and Must Not) Do