The largest professional organization for qualified accountants issued guidance to its members this week on how to audit management’s claims about a company’s cybersecurity.
The new guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, is part of the voluntary cybersecurity risk management reporting framework the American Institute of Certified Public Accountants is producing this year.
“Our intent is to establish a common, underlying language for cybersecurity risk management reporting — almost akin to U.S. [Generally Accepted Accounting Principles or] GAAP … for financial reporting,” AICPA says in a factsheet about its framework.
Two other elements were published last month:
- Description criteria – A list of the categories of information that management has to provide, in a consistent manner, about its cybersecurity risk management program.
- Control criteria – The measures a CPA should use “to evaluate and report on the effectiveness of the controls within a client’s [cybersecurity] program.”
Alongside the two sets of criteria, the framework consists of a description of the company’s cybersecurity program prepared by management, management’s assertion about that program, and a CPA’s opinion on it. Taken together the framework’s elements provide “a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts,” AICPA says.
The 263-page guide includes chapters on “Accepting and planning a cybersecurity risk management examination,” “Performing the cybersecurity risk management examination,” and “Forming the opinion and preparing the practitioner’s report.”
“At the AICPA, we saw the emerging market need several years ago,” said AICPA Executive Vice President for Public Practice Susan Coffey in a blog post Tuesday. “We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place.”
She added that “This lack of transparency makes it difficult for stakeholders [like vendors, business partners or shareholders] to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats.”
A vendor/supply chain guide is expected to be issued during 2018.