AICPA Proposes Common Language for Cybersecurity Risk Reporting and Assurance

by aicpa | Oct 18, 2016

The world faces increasing risks related to cyberattacks—hacks, phishing scams, data breaches and other threats. As the U.S. observes National Cybersecurity Awareness Month, the CPA profession recently took an important step toward helping organizations of all sizes communicate about their cybersecurity risk control efforts.  

The American Institute of CPAs (AICPA) Assurance Services Executive Committee (ASEC) has proposed two sets of criteria that serve as a common language for describing an organization’s cybersecurity risk management program and for reporting on it. The proposed criteria are part of a larger initiative by the Institute to help boards of directors and management gain stakeholder confidence in an organization’s cybersecurity risk management efforts.

Proposed Criteria Foundational to Upcoming Guidance
The criteria, released as two exposure drafts for public comment, address two important components of an upcoming cybersecurity attestation engagement for CPAs, for which guidance will be released in early 2017.

The first set of criteria (description criteria) proposes a framework that company management would use to design and describe their cybersecurity risk management program. This proposed framework also would be used by CPAs to report on management’s description in connection with the new cybersecurity examination attestation engagement.

The second set (control criteria) proposes revisions to the AICPA’s Trust Services Criteria used by CPAs that provide advisory or attestation engagements to evaluate the controls within an entity’s cybersecurity risk management program—or alternatively for SOC 2 engagements.

“What we are proposing is an engagement that takes a consistent profession and market-driven approach, allowing CPAs to examine and report on an entity's cybersecurity measures in a way that addresses the information needs of a broad range of users,” said Susan Coffey, CPA, CGMA, AICPA executive vice president - Public Practice. “The proposed description criteria in particular act in a similar manner to U.S. GAAP. CPAs and businesses can reference the criteria as a common approach to communicating how organizations manage cybersecurity risk.”

To facilitate adoption, the proposed reporting framework aligns with existing management and control frameworks already used by companies, including the NIST Critical Infrastructure Cybersecurity Framework and the ISO/IEC 27001 standard on Information Security Management. The new framework also aligns with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control – Integrated Framework. Management and the auditor are not required to use the AICPA description criteria and Trust Services control criteria; they may choose other frameworks that are deemed suitable for the purpose. (The AICPA is a member of COSO.)

Supporting CPAs as Leaders in Cybersecurity
The ASEC’s work is just one aspect of the AICPA’s multi-faceted approach to assist CPAs as they support clients and their own firms or companies regarding cybersecurity. In July, AICPA President and CEO Barry Melancon highlighted the permanence of cybersecurity’s complexities and some of the Institute’s current efforts to address it, including:

  • Developing tools and education for CPAs to address risks successfully
  • Exploring how the profession can address cybersecurity as a natural extension of services CPAs already perform
  • Monitoring and responding to regulatory and legislative developments

“Cybersecurity risk management is an area that lends itself very naturally to the multidisciplinary skill sets possessed by many CPA firms—combining the strength of attestation services performed under rigorous professional standards and licensing requirements, with strong expertise in information security and related controls,” said Coffey.

Learn More
In addition to the exposure drafts and upcoming engagement guidance, the Institute is seeking to help organizations and CPAs with a number of resources and educational opportunities, including the following:

  • A backgrounder on the AICPA’s proposed cybersecurity reporting framework is essential to understanding the context of the current proposal.
  • A series of webcasts sponsored by the AICPA and Ridge Global explore today's cybersecurity threats, the techniques used to protect against threats, techniques for detecting when attacks happen, and effective response strategies. 
  • The AICPA has published a series of blog posts to help CPAs understand the kinds of advisory assistance they can provide to clients with cybersecurity needs.
  • The AICPA’s Private Companies Practice Section (PCPS) is producing a cybersecurity toolkit, which will be published this fall. It is designed to help educate CPAs in public accounting on cybersecurity as it relates to their own practices and will offer tools to support the development of robust cybersecurity risk management, advisory and assurance practices.

Comments Requested
Comments on the cybersecurity attestation exposure drafts are due by Monday, Dec. 5. Comments about the proposed Description Criteria should be sent to Mimi Blanco-Best at Comments regarding the proposed revision of Trust Services Criteria can be directed to Erin Mackler at

For additional information on cybersecurity, visit the AICPA’s Cybersecurity Resource Center.

Source: aicpa