New AICPA Cybersecurity Risk Management Reporting Framework Explained
Public and private organizations of all sizes have come to terms with an unfortunate new normal: cybersecurity attacks are not a matter of “if,” but “when.” The American Institute of CPAs (AICPA) has been rigorously exploring ways the profession can help companies evaluate and report on their cybersecurity risk management programs, and supply key stakeholders with crucial information about those programs.
While organizations use any number of methods, controls and frameworks to develop their cybersecurity risk management programs, until now no common language existed for communicating and reporting on those efforts. To address this, the AICPA’s Assurance Services Executive Committee (ASEC) and Auditing Standards Board (ASB) recently released a cybersecurity risk management reporting framework that aligns with the methods, controls and frameworks companies already employ to manage cybersecurity risk.
“Our market-driven, flexible and voluntary cybersecurity risk management reporting framework builds upon the profession’s experience in auditing system and organization controls,” said AICPA Executive Vice President Susan S. Coffey, CPA, CGMA. “It creates a common language for reporting that enables companies to demonstrate that they are taking a strategic, agile approach to addressing cybersecurity that is integrated with broader enterprise risk management efforts.”
Resources for Implementing the Framework
To help organizations communicate about their cybersecurity risk management programs, and to help CPAs report on them, the AICPA has produced three resources: two distinct but complementary sets of criteria and an attestation guide.
The description criteria are for use by an organization’s management to explain its cybersecurity risk management program in a consistent manner, and by CPAs to report on whether management’s description is presented in accordance with those criteria. The control criteria are for use by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.
“We developed our criteria to promote consistency and comparability of cybersecurity information provided by different entities. They constitute what is analogous to a US GAAP or IFRS for financial reporting, but in this case, for cybersecurity risk management reporting,” said Coffey. “Cybersecurity experts, regulators and senior leaders of organizations and firms informed our efforts. Additionally, we looked at the information needs of board members, analysts, investors, business partners, regulators and other users.”
In May, the AICPA will release the third resource, an attestation guide entitled Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, which will assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.
Many Ways to Support Stakeholders
Using the framework, CPAs can better serve client needs and protect the public interest. “We’ve created an engagement that takes a consistent profession- and market-driven approach, allowing CPAs to examine and report on an entity's cybersecurity measures in a way that addresses the information needs of a broad range of users,” said Coffey. “We think this will provide organizations with a level of comfort that they’ve adequately considered the best practices covered by the most commonly referenced control and cybersecurity frameworks, regardless of which cybersecurity risk management frameworks they’ve chosen to implement internally.”
Recognizing that risk management maturity varies widely among companies, the AICPA developed the framework so that CPAs can advise clients on cybersecurity readiness and help prepare companies that are considering a cybersecurity attestation engagement. Within businesses, CPAs and CGMAs can provide risk management insight and introduce stakeholders to the framework as a means of strengthening, and communicating about, cybersecurity risk management programs.
Look for the reporting framework at aicpa.org/cybersecurityriskmanagement. There, you’ll find the free description criteria, plus a fact sheet, backgrounder, illustrative report and other valuable free resources. In addition, the site contains links to the control criteria and attestation guide. For additional information, events and news on cybersecurity, visit the AICPA’s Cybersecurity Resource Center.