New path for CPAs in cyber risk management

Management and public accounting firms can find new guidance on designing and evaluating cybersecurity risk management programs in proposals issued by the AICPA Assurance Services Executive Committee (ASEC).

The evolution of technology and the sophistication of hackers have made cybersecurity one of the most important areas of risk management for businesses. More than 95% of CGMA designation holders participating in a 2015 survey said their companies are concerned with the threat of database breaches, distributed denial of service (DDoS) attacks, phishing scams, and other cyberattacks.

ASEC issued two exposure drafts that are designed to lead to:

• A common set of criteria for management to use to design and describe their cybersecurity risk management programs and to assess the effectiveness of the controls included in the cybersecurity risk management program.
• The introduction of a new engagement that CPAs would be able to use to serve boards of directors, senior management, and others as they evaluate the effectiveness of an organization’s cybersecurity risk management program. The engagement would be known as a “cybersecurity examination.”

The first ED, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, proposes a framework that company management would be able to use to design and describe their cybersecurity risk management program. The proposed framework also would be used by public accounting firms to report on management’s description using the new cybersecurity examination engagements.

The second ED, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, proposes revising AICPA trust services criteria used by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program—or SOC 2 engagements.

Management may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

The proposed frameworks represent an effort by the auditing profession and the AICPA to develop a common foundation for CPAs’ services in response to the growing market demand for information about the effectiveness of cybersecurity risk management programs.

“Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders,” said Sue Coffey, CPA, CGMA, AICPA executive vice president—Public Practice.

Under the proposals, management would be responsible for developing and presenting in a cybersecurity report a description of the entity’s cybersecurity risk management program. Management also would choose the description criteria and the control criteria that would be used by a public accounting firm in a cybersecurity examination.

The new cybersecurity examination engagement that would be enabled by these frameworks would be voluntary, flexible, and comprehensive. Assisted by the Center for Audit Quality, the AICPA has sought feedback on the proposed engagement. The AICPA will continue to conduct focus groups and presentations, and will consider input received through the exposure process as it works to create the frameworks. In a cybersecurity examination, the practitioner would express an opinion on the description of the entity’s cybersecurity risk management program (i.e., its completeness and accuracy) and the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

“The existence of multiple, disparate frameworks and programs for evaluating security programs and their effectiveness, as well as different stakeholders’ preferences for each, has created a chaotic environment that only increases the burden on organizations trying to communicate how they design, implement, and maintain an effective cybersecurity risk management program,” said Chris K. Halterman, CPA, executive director, advisory services for EY LLP and chair of ASEC’s Cybersecurity Working Group.

Halterman said CPAs will benefit from the AICPA’s creation of a uniform, market-driven approach for examining and reporting on measures that entities take to bolster cybersecurity.

Public comments on the EDs are due Dec. 5. Comments about the proposed Description Criteria should be emailed to Mimi Blanco-Best at mblancobest@aicpa.org. Comments on the proposed revision of Trust Services Criteria should be emailed to Erin Mackler at emackler@aicpa.org.

ASEC’s work is one aspect of the AICPA’s approach to help CPAs manage cybersecurity risk. In addition:

• ASEC is developing an attest guide to be issued by the AICPA Auditing Standards Board covering the entitywide cybersecurity examination engagement, as well as a guide for a new engagement intended to help companies manage cybersecurity risk in their vendor supply chains and distribution networks.
• The AICPA Private Companies Practice Section is developing a cybersecurity toolkit for members.
• Cybersecurity will be covered in upcoming AICPA conference programs, and cyber-related CPE is also being developed.
• The AICPA Tax and Personal Financial Planning teams have produced guidance and news to help members address tax return fraud, and the Forensic and Valuation Services team is also developing additional cybersecurity-related resources.
• The AICPA Information Management and Technology Assurance team has created blog posts and webcasts to educate members.
• The AICPA has launched the new Cybersecurity Resource Center, which is available at aicpa.org/cybersecurity. Links to the EDs can be found there.

Ken Tysiac is a JofA editorial director. To comment on this article or to suggest an idea for another article, contact him at ktysiac@aicpa.org or 919-402-2112.