At a time when organizations around the world are facing cybersecurity attacks, it is more important than ever for them to demonstrate to key stakeholders the extent and effectiveness of their cybersecurity risk management efforts. To help businesses meet this growing challenge, the AICPA has introduced a market-driven, flexible and voluntary cybersecurity risk management reporting framework.
“Cybersecurity threats are escalating, thereby unnerving boards of directors, managers, investors and customers of businesses of all sizes – whether public or private,” said Susan S. Coffey, CPA, CGMA, AICPA executive vice president for public practice. “While there are many methods, controls and frameworks for developing cybersecurity risk management programs, until now there hasn’t been a common language for companies to communicate about, and report on, these efforts.”
The AICPA’s new framework will enable all organizations – in industries worldwide – to take a proactive and agile approach to cybersecurity risk management and to communicate on those activities with stakeholders. Two resources that support reporting under the framework released April 26:
- Description criteria – For use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description.
- Control criteria – Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.
A third resource for CPAs will be available in May:
- Attest guide – This guidance, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, will be published next month to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.
Building on CPAs’ experience in auditing information technology controls, the AICPA’s Assurance Services Executive Committee identified the emerging need for cybersecurity-related assurance services. The goal was to enable companies to more effectively communicate the robustness of their cybersecurity risk management programs to key stakeholders.
“The framework we have developed will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cybersecurity risk,” Coffey explained. “We believe investors, boards, audit committees and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts. That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care and diligence in managing cybersecurity risk.”
For more information and links to valuable resources for CPAs providing cybersecurity advisory and assurance services, visit the AICPA’s Cybersecurity Resource Center.