The AICPA introduced a new cybersecurity risk management reporting framework intended to create a common language for communicating about, and reporting on, an organization's cybersecurity risk management efforts.
The framework suggests the need for three key pieces of cybersecurity information:
- Management’s description of the organization’s cybersecurity risk management program
- Management’s assertion about the program description and the effectiveness of the controls within that program
- The CPA’s opinion about the description and control effectiveness
Two sets of criteria were issued to support this new framework:
- Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program – Criteria to be used by management when describing cybersecurity risk management programs and by CPAs in their evaluation of management’s description
- 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy – Of these, the criteria for security, availability, and confidentiality are the ones used by management and CPAs when evaluating whether the controls in the cybersecurity risk management program are effective in achieving the entity's cybersecurity objectives
An attest guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” is expected to be published in the near future to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.
Source: Grant Thornton, On the Horizon, May 4, 2017.