Introducing a New Framework for Reporting on Cybersecurity Risk Management

The list of companies is growing. Businesses, organizations and governmental entities have suffered damaging publicity—and faced lawsuits—due to data breaches, forcing them to make cybersecurity a priority. It’s not surprising to hear, then, that 95% of CGMA designation holders said their companies were concerned about cyberattacks, according to an AICPA survey. Organizations and their stakeholders are not only seeking ways to address current and potential threats but also to gain assurance and communicate about the efficacy of their own efforts to identify and manage the potential effects of cybersecurity risks.

Stepping up to help our fellow CPAs meet businesses’ and clients’ needs, the AICPA is proposing a way for businesses to demonstrate due care and build stakeholder confidence in their cybersecurity risk management efforts. The Cybersecurity Working Group of the AICPA’s Assurance Services Executive Committee (ASEC), in collaboration with the AICPA’s Auditing Standards Board, is developing criteria and guidance that companies can use to communicate about, and that we can use to report on, entity cybersecurity risk management efforts.

The assurance guidance, set to be released in Q1 2017, enables us to leverage CPA core competencies in information security and control assessment to undertake entity-wide cybersecurity examination engagements as trusted, independent assessors. Two sets of criteria, released this week for public comment, are intended to serve as a common language for companies to use in describing their cybersecurity risk management process, and to provide CPAs with a framework for reporting thereon.

Here are some key details that you should know about this initiative:

What does the cybersecurity examination engagement entail?

In an entity-wide cybersecurity examination engagement, CPAs report on whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria, and whether the controls within that program are effective to achieve the entity’s cybersecurity objectives based on the control criteria. To help stakeholders better understand and provide input on these criteria, the working group has issued two exposure drafts for public comment:

  • Cybersecurity risk management program description criteria (the description criteria), for management to use in preparing a description of their cybersecurity risk management program and for CPAs to reference in evaluating the description
  • Revised Trust Services criteria (the control criteria), for evaluating the suitability of design and operating effectiveness of controls in reporting on an entity’s cybersecurity risk management program, or in other engagements such as Service Organization Controls (SOC 2®)

The working group has aligned the criteria with the 2013 COSO Internal Control—Integrated Framework Points of Focus, allowing management and CPAs to take a strategic, objectives-based approach in their communications and reporting. Plus, to ease adoption, the description criteria and control criteria have been mapped to existing frameworks and standards that are commonly used to manage risk and cybersecurity risk, including the NIST Critical Infrastructure Cybersecurity Framework, and the ISO/IEC 27001 standard on Information Security Management. It is the prerogative of management to select the criteria that are appropriate to be used for their business, and which will in turn be used in the examination engagement.

Why do we need cybersecurity criteria?

The new criteria allow organizations to communicate useful information about their cybersecurity risk management programs to stakeholders. This fills an important market need, since there is currently no widely accepted, holistic approach to communicating this information. Furthermore, the criteria and the assurance guidance that are being developed enable CPAs to provide consistent, meaningful, third-party assessments of a company’s cybersecurity risk management program. In the same way that CPAs, organizations and stakeholders reference U.S. GAAP in preparing financial statements, they will be able to turn to the new description criteria for a common and comprehensive way of communicating how organizations manage cybersecurity risk.

How does the examination engagement benefit organizations?

With cybersecurity risks on the rise, organizations and their boards of directors are increasingly expected to share information regarding their cybersecurity risk efforts with stakeholders. The framework and subsequent report provide organizations and their boards with the following advantages:

  • Organizations will be better able to understand the elements necessary for effective cybersecurity risk management.
  • A consistent, standardized approach will help organizations and their stakeholders to have greater confidence in the completeness and reliability of information about a company’s cybersecurity risk management.
  • This reporting model can help to alleviate organizations’ existing compliance requirements by reducing the number of information requests from stakeholders and the amount of information sought if such requests are made.

How does the examination engagement benefit other stakeholders?

The examination engagement offers directors, management, customers, business partners, regulators and the market:

  • Independent assurance reports from a reliable, objective source based on a consistent, accepted reporting framework.
  • A deeper understanding of the complexity and effort required to establish effective and agile cybersecurity risk management programs.

Why a CPA?

CPAs are in a unique position to offer this service, since we have a strong reputation for objectivity, competence and integrity, and because the market has an established confidence in high quality CPA assurance services. Many CPAs and firms have decades of experience in providing valuable information security services. At the same time, all CPAs also must follow rigorous professional requirements and standards for attest and advisory services, and must have appropriate subject matter expertise for specialized engagements. Providing attestation on an entity’s cybersecurity efforts is a natural extension of our core competencies. Given the complexities of these new engagements, they should be performed by CPAs already working in the information security space, or auditors working alongside experienced information security professionals.

I encourage you to learn more about cybersecurity. Review the two exposure drafts currently out for comment and give us your feedback. Register to attend the AICPA-Ridge Global series webcasts, which outline cybersecurity fundamentals for practitioners, CFOs, controllers and management accountants. And visit the AICPA’s Cybersecurity Resource Center for additional information and educational opportunities. 

Susan S. Coffey, CPA, CGMA, Executive Vice President - Public Practice, American Institute of CPAs.




Source: AICPA