High-profile attacks on major entities have resulted in an increased focus on cybersecurity by boards of directors, management, customers, investors and others who have expressed a desire for decision-useful information about an entity’s cybersecurity risk management program.
The American Institute of CPAs (AICPA) used a recent letter to the Commission on Enhancing National Cybersecurity to provide background and context regarding the CPA profession’s efforts in the cybersecurity space, which it believes will help to provide a common foundation for meaningful enterprise-wide cybersecurity risk management and reporting.
Writing on September 9, Susan C. Coffey, CPA, CGMA, AICPA executive vice president for public practice, stated, “We believe a CPA’s opinion on the design and operating effectiveness of an entity’s cybersecurity risk management program could enhance the confidence that decision makers place in the entity’s cybersecurity reporting.”
Currently, CPAs provide cybersecurity examination services under a variety of generally accepted professional standards and approaches. However, the AICPA believes adoption of a more consistent profession and market-wide approach for CPAs to examine and report on an entity’s cybersecurity measures would address the informational needs of a broad range of users. Further, it would introduce a level of consistency that does not exist at present in the context of cybersecurity reporting and related assurance.
The AICPA on September 19 exposed two sets of criteria for public comment which will result in guidance for the evaluation of businesses’ cyber risks.
The first exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description. The second, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or SOC 2® engagements. Comments on the exposure drafts are due by December 5.
“In response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the auditing profession, through the AICPA, is developing a common foundation through the issuance of criteria and guidance,” said Coffey. “Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders.”