A new framework for cybersecurity risk management reporting unveiled Wednesday by the AICPA can help businesses meet a growing challenge and creates a new engagement for CPAs to examine and report on clients’ cybersecurity controls.
Cybersecurity has emerged as one of the most worrisome areas of risk management for organizations throughout the world. More than two-thirds (68%) of CGMA designation holders said in a 2015 survey that their company is moderately or significantly concerned with the threat of cyberattacks.
The AICPA’s framework is voluntary and designed to enable all organizations to communicate about the effectiveness of their cybersecurity risk management programs and to communicate effectively about cybersecurity activities. Two resources that support reporting under the framework were released Wednesday and are available at aicpa.org:
- Description criteria that management can use to explain an organization’s cybersecurity risk management program in a consistent manner. CPAs can use these criteria to report on management’s description of its cybersecurity risk program.
- Control criteria that CPAs providing advisory or attestation services can use to evaluate and report on the effectiveness of the controls within a client’s program.
A third resource supporting the framework is scheduled to be published in May. This resource is an attest guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, which will be published to assist CPAs who are engaged to examine and report on an entity’s cybersecurity risk management program.
“Cybersecurity threats are escalating, thereby unnerving boards of directors, managers, investors, and customers of businesses of all sizes—whether public or private,” Sue Coffey, CPA, CGMA, AICPA executive vice president–Public Practice, said in a news release. “While there are many methods, controls, and frameworks for developing cybersecurity risk management programs, until now there hasn’t been a common language for companies to communicate about, and report on, these efforts.”
The engagement for reporting on a cybersecurity risk management program and controls grew out of an emerging need identified by the AICPA Assurance Services Executive Committee. Using the framework, CPAs can provide cybersecurity-related assurance services while applying their experience in auditing information technology controls.
Coffey said the framework will enable a consistent, market-based mechanism for companies worldwide to explain how they are managing cybersecurity risk.
“We believe investors, boards, audit committees, and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts,” she said. “That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care and diligence in managing cybersecurity risk.”
—Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is a JofA editorial director.