New AICPA Cybersecurity Risk Management Reporting Framework Explained

 – May 17, 2017
New AICPA Cybersecurity Risk Management Reporting Framework Explained

Public and private organizations of all sizes have come to terms with an unfortunate new normal: cybersecurity attacks are not a matter of “if,” but “when.” The American Institute of CPAs (AICPA) has been rigorously exploring ways the profession can help companies evaluate and report on their cybersecurity risk management programs, and supply key stakeholders with crucial information about those programs.

While organizations use any number of methods, controls and frameworks to develop their cybersecurity risk management programs, until now, no common language existed for communicating and reporting on companies’ efforts. To address this, the AICPA’s Assurance Services Executive Committee (ASEC) and Auditing Standards Board (ASB) recently released a cybersecurity risk management reporting framework that aligns with those existing methods, controls and frameworks companies currently employ to manage cybersecurity risks.

“Our market-driven, flexible and voluntary cybersecurity risk management reporting framework builds upon the profession’s experience in auditing system and organization controls,” said AICPA Executive Vice President Susan S. Coffey, CPA, CGMA. “It creates a common language for reporting that enables companies to demonstrate that they are taking a strategic, agile approach to addressing cybersecurity that is integrated with broader enterprise risk management efforts.”

Resources for Implementing the Framework

To help organizations use the framework to communicate and CPAs to report on cybersecurity risk management programs, the AICPA has produced three resources: two sets of distinct but complementary criteria and an attestation guide.

The AICPA’s description criteria are for use by an organization’s management to explain its cybersecurity risk management program in a consistent manner, as well as for use by CPAs to report on management’s description. CPAs will use control criteria to provide advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.

“We developed our criteria to promote consistency and comparability of cybersecurity information provided by different entities. They constitute what is analogous to a US GAAP or IFRS for financial reporting, but in this case, for cybersecurity risk management reporting,” said Coffey. “Cybersecurity experts, regulators and senior leaders of organizations and firms informed our efforts. Additionally, we looked at the information needs of board members, analysts, investors, business partners, regulators and other users.”

In May, the AICPA will release the third resource, an attestation guide entitled Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, which will assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program. 

Many Ways to Support Stakeholders

Using the framework, CPAs can better serve client needs and protect the public interest. “We’ve created an engagement that takes a consistent profession- and market-driven approach, allowing CPAs to examine and report on an entity's cybersecurity measures in a way that addresses the information needs of a broad range of users,” said Coffey. “We think this will provide organizations with a level of comfort that they’ve adequately considered the best practices covered by the most commonly referenced control and cybersecurity frameworks, regardless of which cybersecurity risk management frameworks they’ve chosen to implement internally.”

Recognizing that companies’ risk management maturity varies across the market, the AICPA developed the framework so that CPAs can better advise clients on cybersecurity readiness and prepare companies that are considering a cybersecurity attestation engagement. Within businesses, CPAs and CGMAs can provide risk management insight and introduce stakeholders to the framework as a means of strengthening and communicating about cybersecurity risk management programs.

Learn More

Look for the reporting framework at aicpa.org/cybersecurityriskmanagement. There, you’ll find the free description criteria, plus a fact sheet, backgrounder, illustrative report and other valuable free resources. In addition, the site contains links to the control criteria and attestation guide. For additional information, events and news on cybersecurity, visit the AICPA’s Cybersecurity Resource Center.

 

Related content

podcast image
PODCAST

A&A Update with Brad Muniz – 3/19/24

 March 19, 2024
news image
NEWS

AICPA Makes Recommendations for Digital Asset Transactions Regulations

 March 11, 2024 Source: AICPA
article image
ARTICLE

10 Ways to Manage Your Cybercrime Security Like You Mean It!

 January 29, 2024
podcast image
PODCAST

Cybersecurity: Playing Offense and Defense

 November 16, 2023
Related Pages: Risk & Compliance Knowledge Hub | Cybersecurity Knowledge Hub


 

Related events

June 11-14, 2024Atlantic City
Featured
NJCPA Convention & Expo
April 24, 2024
Ransomware: How to Protect Against and Recover From Attacks
April 24, 2024
IRS Cybersecurity Checklist
April 26, 2024East Hanover
Essex Chapter
M&A Transactions: An Accountant’s Role in Representing the Seller | What You Need to Know About Cybersecurity
FIRST
    LAST