AICPA debuts cybersecurity risk framework
The American Institute of CPAs has introduced a cybersecurity risk management reporting framework to help auditors and companies demonstrate what they are doing to safeguard against data breaches, hacking and other technology-related dangers.
The framework builds on CPAs’ experience in auditing information technology controls. The AICPA’s Assurance Services Executive Committee sees a need emerging for cybersecurity-related assurance services from CPAs. The framework will help companies more effectively communicate information about their cybersecurity risk management programs to their main stakeholders.
The AICPA is releasing two resources Tuesday that support reporting under the framework:
• Description criteria – For use by management in explaining a company’s cybersecurity risk management program consistently and for use by CPAs to report on management’s description.
• Control criteria – Used by CPAs who are offering advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.
A third resource for CPAs, an attest guide, will be released next month. The guidance, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, will be published in May to help CPAs who are engaged to examine and report on a business’s cybersecurity risk management program.
“Cybersecurity threats are escalating, thereby unnerving boards of directors, managers, investors and customers of businesses of all sizes – whether public or private,” said AICPA executive vice president for public practice Susan S. Coffey in a statement. “While there are many methods, controls and frameworks for developing cybersecurity risk management programs, until now there hasn’t been a common language for companies to communicate about, and report on, these efforts.”