New AICPA Cybersecurity Risk Management Reporting Framework Explained

by AICPA | Aug 10, 2017

Public and private organizations of all sizes have come to terms with an unfortunate new normal: cybersecurity attacks are not a matter of “if,” but “when.” The American Institute of CPAs (AICPA) has been rigorously exploring ways the profession can help companies evaluate and report on their cybersecurity risk management programs, and supply key stakeholders with crucial information about those programs.

What is a Cybersecurity Risk Management Program?

A cybersecurity risk management program is a set of policies, processes, and controls designed to:

  • protect information and systems from security events that could compromise the achievement of cybersecurity objectives;
  • detect, respond to, mitigate, and recover from security events that are not prevented.

While organizations use any number of methods, controls and frameworks to develop their cybersecurity risk management programs, until now, no common language existed for communicating and reporting on companies’ efforts. To address this, the AICPA’s Assurance Services Executive Committee (ASEC) and Auditing Standards Board (ASB) recently released a cybersecurity risk management reporting framework that aligns with those existing methods, controls and frameworks companies currently employ to manage cybersecurity risks.

“Our market-driven, flexible and voluntary cybersecurity risk management reporting framework builds upon the profession’s experience in auditing system and organization controls,” said AICPA Executive Vice President Susan S. Coffey, CPA, CGMA. “It creates a common language for reporting that enables companies to demonstrate that they are taking a strategic, agile approach to addressing cybersecurity that is integrated with broader enterprise risk management efforts.”

Resources for Implementing the Framework

To help organizations use the framework to communicate about, and CPAs to report on cybersecurity risk management programs, the AICPA has produced three resources: two sets of distinct but complementary criteria and an attestation guide.

The AICPA’s description criteria are for use by an organization’s management to explain its cybersecurity risk management program in a consistent manner, as well as for use by CPAs to report on management’s description. CPAs will use control criteria to provide advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.

“We developed our criteria to promote consistency and comparability of cybersecurity information provided by different entities. They constitute what is analogous to a US GAAP or IFRS for financial reporting, but in this case, for cybersecurity risk management reporting,” said Coffey. “Cybersecurity experts, regulators and senior leaders of organizations and firms informed our efforts. Additionally, we looked at the information needs of board members, analysts, investors, business partners, regulators and other users.”

In May, the AICPA released the third resource, an attestation guide entitled Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, which assists CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

Many Ways to Support Stakeholders

Using the framework, CPAs can better serve client needs and protect the public interest. “We’ve created an engagement that takes a consistent profession- and market-driven approach, allowing CPAs to examine and report on an entity’s cybersecurity measures in a way that addresses the information needs of a broad range of users,” said Coffey. “We think this will provide organizations with a level of comfort that they’ve adequately considered the best practices covered by the most commonly referenced control and cybersecurity frameworks, regardless of which cybersecurity risk management frameworks they’ve chosen to implement internally.”

Recognizing that companies’ risk management maturity varies across the market, the AICPA developed the framework so that CPAs can better advise clients on cybersecurity readiness and prepare companies that are considering a cybersecurity attestation engagement. Within businesses, CPAs and CGMAs can provide risk management insight and introduce stakeholders to the framework as a means of strengthening and communicating about cybersecurity risk management programs.

Learn More

“Cybersecurity is one of the greatest challenges of our time, and serving the market in this area is a natural outgrowth of the services and skillsets our profession already provides,” said Kimberly Scott. “I encourage our members to study the new cybersecurity reporting framework, use it in their own firms and organizations and recommend it when appropriate to their clients or employers.”

Look for the reporting framework at There, you’ll find the free description criteria, plus a fact sheet, backgrounder, illustrative report and other valuable free resources. In addition, the site contains links to the control criteria and attestation guide. For additional information, events, and news on cybersecurity, visit the AICPA’s Cybersecurity Resource Center.

Originally published by American City Business Journals. Reprinted with permission. This article appeared in the summer 2017 issue of the WashingtonCPA Magazine.
