New AICPA Publication to Guide Reporting on an Entity’s Cybersecurity Risk Management Program

The AICPA has developed a new guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” to assist CPAs who are examining and reporting on an entity’s cybersecurity risk management program.

Reporting on a client’s description of its cybersecurity risk management program will help clients demonstrate to stakeholders, customers, vendors and others that they have sound cybersecurity procedures and practices.

The publication’s release follows last month’s introduction of two resources under a voluntary cybersecurity risk management reporting framework:

  • Description criteria – For use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description.
  • Control criteria – Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.

The 263-page publication includes chapters on Accepting and Planning a Cybersecurity Risk Management Examination; Performing the Cybersecurity Risk Management Examination; and Forming the Opinion and Preparing the Practitioner’s Report. It is available online and in print.

Meanwhile, in a new blog post, Susan S. Coffey, AICPA executive vice president, public practice, writes, “At the AICPA, we saw the emerging market need several years ago. We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place. This lack of transparency makes it difficult for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats.”

Visit aicpa.org/cybersecurity to learn more about the CPA profession’s cybersecurity activities.