AICPA Sets Out Criteria for Cybersecurity Risk Management
As cybercriminals draw increasing attention, the American Institute of CPAs (AICPA) is proposing two sets of criteria and guidance for evaluating an organization’s cybersecurity risk management efforts.
“In response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the auditing profession, through the AICPA, is developing a common foundation through the issuance of criteria and guidance,” Susan Coffey, CPA, CGMA, executive vice president for public practice at the AICPA, said in a prepared statement. “Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders.”
The first exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, describes an engagement in which management designs and describes a cybersecurity risk management program and public accounting firms report on management’s description.
“Because of the profession’s commitment to continuous improvement, public service, and increasing investor confidence, this engagement (referred to as a cybersecurity examination) will be voluntary, flexible, and comprehensive,” the proposal states.
To help managers with the guidance, the AICPA’s Auditing Standards Board is working with the AICPA Assurance Services Executive Committee (ASEC) to develop a cybersecurity attestation guide. The cybersecurity examination that will be described in the guide will comply with attestation standards.
“The existence of multiple, disparate frameworks and programs for evaluating security programs and their effectiveness, as well as different stakeholders’ preferences for each, has created a chaotic environment that only increases the burden on organizations trying to communicate how they design, implement, and maintain an effective cybersecurity risk management program,” said Chris Halterman, chair of the ASEC’s Cybersecurity Working Group and an executive director of advisory services with Ernst & Young LLP.
The second exposure draft, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, describes revised AICPA trust services criteria for use by public accountants who provide advisory or attestation services to evaluate the controls and privacy of information within a cybersecurity risk management program. Managers can use the criteria to evaluate program controls.
To allow the criteria to be used in organization-wide engagements, the criteria will be revised to better align with the principles in Internal Control – Integrated Framework, an internal control framework unveiled in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Although the COSO framework is usually used to assess internal control over financial reporting, it is also intended for assessing all reporting, operations, and compliance internal control objectives, the proposal states.
The proposal includes supplemental criteria applicable to engagements that use the trust services criteria over security, availability, processing integrity, confidentiality, or privacy.
Comments are requested by Dec. 5. Comments about the proposed description criteria should be sent to Mimi Blanco-Best at [email protected]. Comments regarding the proposed revision of trust services criteria can be directed to Erin Mackler at [email protected].
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.