New path proposed for CPAs in cyber risk management

Two exposure drafts issued Monday by the AICPA Assurance Services Executive Committee (ASEC) are designed to provide a framework for evaluating businesses’ cyber risk management.

The proposed frameworks are designed to lead to:

• A common set of criteria for management to use to design and describe their cybersecurity risk management programs.
• The introduction of a new engagement that CPAs will be able to use to serve boards of directors, senior management, and others as they evaluate the effectiveness of an organization’s cybersecurity risk management program. The engagement would be known as a “cybersecurity examination.”

Evolution of technology and the sophistication of hackers have made cybersecurity one of the most important areas of risk management for businesses. More than 95% of CGMA designation holders participating in a 2015 survey said their companies are concerned with the threat of database breaches, distributed denial of service (DDoS) attacks, phishing scams, and other cyberattacks.

The first ED, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, proposes a framework that company management would be able to use to design and describe their cybersecurity risk management program. The proposed framework also would be used by public accounting firms to report on management’s description using the new cybersecurity examination engagements.

The second ED, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, proposes revising AICPA trust services criteria used by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program—or SOC 2 engagements.

Management may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

The proposed frameworks represent an effort by the auditing profession and the AICPA to develop a common foundation for CPAs’ services in response to the growing market demand for information about the effectiveness of cybersecurity risk management programs.

“Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders,” said Sue Coffey, CPA, CGMA, AICPA executive vice president–Public Practice.

The new cybersecurity examination engagement that would be enabled by these frameworks would be voluntary, flexible, and comprehensive. Assisted by the Center for Audit Quality, the AICPA has sought feedback on the proposed engagement from interested groups.

As market conditions evolve, the AICPA will continue to seek input.

“The existence of multiple, disparate frameworks and programs for evaluating security programs and their effectiveness, as well as different stakeholders’ preferences for each, has created a chaotic environment that only increases the burden on organizations trying to communicate how they design, implement, and maintain an effective cybersecurity risk management program,” said Chris K. Halterman, CPA, executive director, advisory services for EY LLP and chair of ASEC’s Cybersecurity Working Group.

Halterman said CPAs will benefit from the AICPA’s creation of a uniform, market-driven approach for examining and reporting on measures that entities take to bolster cybersecurity.

Public comments on the EDs are due Dec. 5. Comments about the proposed Description Criteria should be emailed to Mimi Blanco-Best at mblancobest@aicpa.org. Comments on the proposed revision of Trust Services Criteria should be emailed to Erin Mackler at emackler@aicpa.org.

ASEC’s work is one aspect of the AICPA’s multifaceted approach to help CPAs lead the way in the management of cybersecurity risk. In addition:

• ASEC is developing a guide covering the entity-wide cybersecurity examination engagement, as well as a guide for a new engagement intended to help companies manage cybersecurity risk in their vendor chains and distribution networks.
• The AICPA Private Companies Practice Section (PCPS) is developing a cybersecurity tool kit for members.
• Cybersecurity will be covered in upcoming AICPA conference programs, and cyber-related CPE is also being developed.
• The AICPA Tax and Personal Financial Planning teams have produced guidance and news to help members address tax return fraud, and the Forensic and Valuation Services team is also developing additional cybersecurity-related resources.
• The AICPA Information Management and Technology Assurance team has created blog posts and webcasts to educate members.
• The AICPA has launched the new Cybersecurity Resource Center.

—Ken Tysiac (ktysiac@aicpa.org) is a JofA editorial director.