April 26, 2017

CAQ Alert #2017-01 - AICPA Publishes Criteria to Evaluate and Report on Cybersecurity

As the discussion around cybersecurity has grown, so has the auditing profession’s engagement with key stakeholders in the capital markets. The auditing profession is in a strong position to play an important role in advancing cybersecurity risk management practices, bringing to bear its deep expertise in providing independent evaluations of a broad range of subject matters in a variety of contexts, including that of cybersecurity risk management and information security.

The American Institute of CPAs (AICPA) is proposing a new cybersecurity reporting framework designed to meet the needs of a broad range of stakeholders for useful information about an entity’s cybersecurity risk management efforts. The reporting framework suggests the need for three key pieces of cybersecurity information:

  1. Management’s description of the organization’s cybersecurity risk management (the description);
  2. Management’s assertion about the program description and the effectiveness of controls within that program;
  3. The CPA’s opinion about the description and control effectiveness.

Because management recognizes its responsibilities for designing, implementing, and operating processes and controls to mitigate cybersecurity risks, management prepares the first two communications. The third communication – the CPA’s opinion – results from the performance of an examination-level engagement in accordance with the AICPA attestation standards. Because those standards require a CPA to be independent, objective, and skeptical, the CPA’s opinion lends credibility to the management-prepared communications. For that reason, the ultimate intent of the reporting framework is to support a voluntary, examination-level cybersecurity attestation engagement that results in a CPA’s opinion.

Today, to support the new reporting framework, the AICPA has released the following two sets of criteria.

  1. Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program. The description criteria are for use by management when preparing the description and by the CPA when evaluating it.
  2. 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The trust services criteria for security, availability, and confidentiality are for use by management and the CPA when evaluating whether controls within the cybersecurity risk management program were effective to achieve the organization’s cybersecurity objectives.

Some companies may not have reached the necessary level of maturity in their cybersecurity risk management program to undergo an examination-level engagement. For those companies, the criteria can be used directly by company management in communicating with their boards and other pertinent stakeholders, establishing a common approach and language for cybersecurity risk management and reporting. They can also be used by CPAs to provide consulting services to those companies, sometimes referred to as readiness engagements.

What's Next?

In May 2017, the AICPA will publish a cybersecurity attestation guide to provide CPAs with guidance on how to perform and report on cybersecurity examination engagements in accordance with the AICPA attestation standards. Following the AICPA’s publication of the guide, the Center for Audit Quality (CAQ) will release The CPA’s Role in Addressing Cybersecurity Risk: How the Auditing Profession Promotes Cybersecurity Resilience. This publication will provide perspectives on the nature of today’s cybersecurity risks, the role auditors currently play related to cybersecurity, and how that role can evolve to the benefit of senior management, boards of directors, and other pertinent stakeholders. We look forward to sharing that paper with you upon its publication.

Please see below to learn more about what the auditing profession is doing related to cybersecurity: