AICPA Proposes Criteria for Cybersecurity Risk Management

The Assurance Services Executive Committee of the American Institute of CPAs has released two sets of criteria on cybersecurity for public comment, which the institute hopes will start to lay the groundwork for a new set of assurance services.

The first exposure draft, “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program,” is intended for use by management in designing and describing cybersecurity risk management programs and by public accounting firms to report on management’s description.

The second, “Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attest services to evaluate the controls within an entity’s cyber risk management program, or SOC 2 engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

“In response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the auditing profession, through the AICPA, is developing a common foundation through the issuance of criteria and guidance,” said Susan Coffey, CPA, CGMA, AICPA executive vice president for public practice, in a statement. “Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders.”

The AICPA hopes that a common set of criteria will pave the way for the introduction of a new engagement that CPAs can use to assist boards of directors, senior management, and other stakeholders as they evaluate the effectiveness of an entity’s cybersecurity risk management program. The AICPA, with the assistance of the Center for Audit Quality, has sought feedback on the proposed engagement, referred to as a cybersecurity examination, from key stakeholder groups throughout the process, and will continue to seek input as market needs evolve.

“The existence of multiple, disparate frameworks and programs for evaluating security programs and their effectiveness, as well as different stakeholders’ preferences for each, has created a chaotic environment that only increases the burden on organizations trying to communicate how they design, implement and maintain an effective cybersecurity risk management program,” stated Chris Halterman, chair of the ASEC’s Cybersecurity Working Group and an executive director of advisory services with Ernst & Young LLP. “The AICPA’s cybersecurity engagement will be a consistent, market-driven approach for CPAs to examine and report on an entity’s cybersecurity measures that addresses the information needs of a broad range of users.”

Comments on the cybersecurity attestation exposure drafts are due by Monday, Dec. 5. Comments about the proposed description criteria should be sent to Mimi Blanco-Best at Comments regarding the proposed revision of trust services criteria can be directed to Erin Mackler at