AICPA Proposes Common Language for Cybersecurity Risk Reporting and Assurance

by Paul Carboni | Oct 18, 2016

The world faces increasing risks related to cyberattacks—hacks, phishing scams, data breaches and other threats. As the U.S. observes National Cybersecurity Awareness Month, the CPA profession recently took an important step toward helping organizations of all sizes communicate about their cybersecurity risk control efforts.

The American Institute of CPAs (AICPA) Assurance Services Executive Committee (ASEC) has proposed two sets of criteria that serve as a common language for describing an organization’s cybersecurity risk management program and for reporting on it. The proposed criteria are part of a larger initiative by the Institute to help boards of directors and management gain stakeholder confidence in an organization’s cybersecurity risk management efforts.

Proposed Criteria Foundational to Upcoming Guidance

The criteria, released as two exposure drafts for public comment, address two important components of an upcoming cybersecurity attestation engagement for CPAs, for which guidance will be released in early 2017.

The first set of criteria (description criteria) proposes a framework that company management would use to design and describe their cybersecurity risk management program. This proposed framework also would be used by CPAs to report on management’s description in connection with the new cybersecurity examination attestation engagement.

The second set (control criteria) proposes revisions to the AICPA’s Trust Services Criteria, which CPAs use in advisory or attestation engagements to evaluate the controls within an entity’s cybersecurity risk management program, or alternatively in SOC 2® engagements.

“What we are proposing is an engagement that takes a consistent profession and market-driven approach, allowing CPAs to examine and report on an entity's cybersecurity measures in a way that addresses the information needs of a broad range of users,” said Susan Coffey, CPA, CGMA, AICPA Executive Vice President - Public Practice. “The proposed description criteria in particular act in a similar manner to U.S. GAAP. CPAs and businesses can reference the criteria as a common approach to communicating how organizations manage cybersecurity risk.”

To facilitate adoption, the proposed reporting framework aligns with existing management and control frameworks already used by companies, including the NIST Critical Infrastructure Cybersecurity Framework and the ISO/IEC 27001 standard on Information Security Management. The new framework also aligns with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control – Integrated Framework. Management and the auditor are not required to use the AICPA description criteria and Trust Services control criteria; they may choose other frameworks that are deemed suitable for the purpose. (The AICPA is a member of COSO.)

Supporting CPAs as Leaders in Cybersecurity

The ASEC’s work is just one aspect of the AICPA’s multi-faceted approach to assist CPAs as they support clients and their own firms or companies regarding cybersecurity. In July, AICPA President and CEO Barry Melancon highlighted the permanence of cybersecurity’s complexities and some of the Institute’s current efforts to address it, including:

  • Developing tools and education for CPAs to address risks successfully
  • Exploring how the profession can address cybersecurity as a natural extension of services CPAs already perform
  • Monitoring and responding to regulatory and legislative developments

“Cybersecurity risk management is an area that lends itself very naturally to the multidisciplinary skill sets possessed by many CPA firms—combining the strength of attestation services performed under rigorous professional standards and licensing requirements, with strong expertise in information security and related controls,” said Coffey.

“I’m pleased to see that the ASEC has proposed guidance to address this growing concern, which is a risk to entities of all sizes,” said Rich Jones, President and CEO of the Washington Society of CPAs. “I urge our members to examine the proposals and provide comments.”

Learn More

In addition to the exposure drafts and upcoming engagement guidance, the Institute is seeking to help organizations and CPAs with a number of resources and educational opportunities, including the following:

  • A backgrounder on the AICPA’s proposed cybersecurity reporting framework is essential to understanding the context of the current proposal.
  • The AICPA has published a series of blog posts to help CPAs understand the kinds of advisory assistance they can provide to clients with cybersecurity needs.
  • The AICPA’s Private Companies Practice Section (PCPS) is producing a cybersecurity toolkit, which will be published this fall. It is designed to help educate CPAs in public accounting on cybersecurity as it relates to their own practices and will offer tools to support the development of robust cybersecurity risk management, advisory and assurance practices.

Comments Requested

Comments on the cybersecurity attestation exposure drafts are due by Monday, December 5. Comments about the proposed Description Criteria should be sent to Mimi Blanco-Best at mblancobest@aicpa.org. Comments regarding the proposed revision of Trust Services Criteria can be directed to Erin Mackler at emackler@aicpa.org.

For additional information on cybersecurity, visit the AICPA’s Cybersecurity Resource Center.
