New AICPA Guide Delves Into Cybersecurity Reporting
The American Institute of CPAs (AICPA) has published a new guide to help CPAs evaluate an organization’s cybersecurity risk management program.
The release of Reporting on an Entity’s Cybersecurity Risk Management Program and Controls follows on the heels of a new voluntary cybersecurity risk management reporting framework that was introduced by the AICPA in late April. The framework was developed to help organizations communicate the effectiveness of their cybersecurity preparations to key stakeholders.
“For most entities, cybersecurity is a significant business risk that needs to be identified, assessed, and managed along with other business risks the entity faces, and it is management’s responsibility to ensure that all employees throughout the entity, not only those in the information technology department, address cybersecurity risks,” the guide states.
CPAs can use the new guide to examine and report on a client organization’s description of its cybersecurity risk management program. The resulting report will help clients demonstrate to stakeholders, customers, vendors, and others that they have sound cybersecurity procedures and practices in place, according to the AICPA.
The 263-page publication includes relevant guidance issued through May 1, 2017. In particular, it reflects Statement on Standards for Attestation Engagements (SSAE) No. 18, which includes several detailed requirements similar to those contained in the Statements on Auditing Standards.
Specific topics within the guide include:
- Accepting and Planning a Cybersecurity Risk Management Examination
- Performing the Cybersecurity Risk Management Examination
- Forming the Opinion and Preparing the Practitioner’s Report
- Differences between Information Security and Cybersecurity
- Professional Standards
- Quality in the Cybersecurity Risk Management Exam
- Determining Whether the Subject Matter is Appropriate for the Cybersecurity Risk Management Exam
- Obtaining Written Representations from Management
- Forming the Opinion and Preparing the Practitioners Report
In 2018, the AICPA intends to introduce a new exam service – System and Organization Controls (SOC) for vendor supply chains – and a related attestation guide to provide application guidance to practitioners engaged to examine and report on system-level controls in the supply chain.
The purpose of the exam is to allow entities to better understand and manage external risks, including cybersecurity, that relate to their vendors and distribution networks.
“At the AICPA, we saw the emerging market need several years ago,” Susan Coffey, CPA, CGMA, executive vice president of public practice at the AICPA, wrote in a recent blog post. “We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place.”
That lack of transparency, in turn, made it tough for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addressed potential threats, she added.
The new guide is available online and in print.
You might also be interested in
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.