Businesses, government entities, non-profit organizations, and even CPA firms need to make sure they are protecting their client and customer information. The AICPA has the information and resources to help organizations in various stages of cybersecurity maturity, including support on the basics, information on assessing and strengthening risk management programs and guidance for organizations considering seeking independent assurance from a CPA.
Early Stages: Understanding Cybersecurity
Get to know cybersecurity basics with resources from the AICPA's Private Companies Practice Section (PCPS) Building a Cybersecurity Practice Toolkit as well as resources from the Personal Financial Planning (PFP) and Information Management and Technology Assurance (IMTA) sections.
- Exploring Cybersecurity Guide (requires AICPA login) - Get a general overview of cybersecurity. What are the threats to your organization? And what best practices should you implement to protect against cyber threats?
- Learning Matrix (requires AICPA login) - Learn about the numerous cybersecurity frameworks available and find information on key regulations impacting cybersecurity.
- Podcast: Cybersecurity and Ransomware - Protecting Yourself from Attack - Hear cybersecurity expert Brian Edelman discuss recent ransomware attacks in this free podcast.
- The Top Cybercrimes - This white paper identifies and examines the cybercrimes that pose the strongest threats for CPA firms.
Intermediate: Assessing Internal Cybersecurity Risks
Organizations and CPA firms of all sizes can use various AICPA tools and resources to assess internal risks and build or strengthen their cybersecurity risk management programs.
- The CGMA Cybersecurity Risk Management Tool
This tool provides important considerations for improving cybersecurity and insuring cybersecurity risks.
- Cybersecurity Risk Management Reporting Framework
Use the AICPA’s new framework to assess internal risks, consider governance opportunities and establish objectives for your cybersecurity risk management program.
- Criteria for Management’s Description of a Cybersecurity Risk Management Program
These criteria are intended to be used to design and describe your organization’s cybersecurity risk management program. (An independent CPA may also use these criteria to advise or report on your organization’s description through a readiness or assurance engagement.)
Mature: Cybersecurity Readiness and Assurance
Organizations and CPA firms that have a mature cybersecurity risk management program in place may want to demonstrate to clients, customers, investors, and the public the extent of their cybersecurity efforts. In this case, your organization would engage an independent CPA to perform an assurance examination and issue a report. But is your organization truly ready for an official assertion? A CPA can also provide a readiness assessment, which can help you address cybersecurity concerns and prepare for assurance in the future.
- Assurance and Report
Using the AICPA’s cybersecurity risk management reporting framework, an independent CPA can review your organization’s description of its program and provide a SOC for Cybersecurity engagement to produce a report on your efforts.
- Assurance Readiness
Many organizations are eager to demonstrate their due diligence and care in developing and implementing an effective cybersecurity risk management program. However, gaining assurance is an arduous and possibly risky process if your program is not as mature as you think. A CPA can help your organization address the many risks associated with cybersecurity and determine “cybersecurity readiness” before seeking assurance. The AICPA’s cybersecurity risk management reporting framework is also a useful tool for readiness.