The American Institute of CPAs (AICPA) has introduced a voluntary cybersecurity risk management reporting framework to help organizations demonstrate the effectiveness of their cybersecurity preparations to key stakeholders.
“Cybersecurity threats are escalating, thereby unnerving boards of directors, managers, investors, and customers of businesses of all sizes – whether public or private,” Susan Coffey, CPA, CGMA, executive vice president for public practice at the AICPA, said in a prepared statement. “While there are many methods, controls, and frameworks for developing cybersecurity risk management programs, until now there hasn’t been a common language for companies to communicate about, and report on, these efforts.”
Two resources that support reporting under the new framework were released on April 26:
1. Description criteria. Used by management to explain its cybersecurity risk management program in a consistent manner and used by CPAs to report on management’s description.
2. Control criteria. Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.
A third resource – an attest guide – will be released this month. The guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, will assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.
Noting CPAs’ experience in auditing IT controls, the AICPA’s Assurance Services Executive Committee identified the need for cybersecurity-related assurance services. The goal was to enable companies to more effectively communicate the robustness of their cybersecurity risk management programs to key stakeholders, according to the AICPA.
“The framework we have developed will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cybersecurity risk,” Coffey said. “We believe investors, boards, audit committees, and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts.”
That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care in managing cybersecurity risk, she added.
For more information and links to valuable resources for CPAs providing cybersecurity advisory and assurance services, visit the AICPA’s Cybersecurity Resource Center.