

New AICPA Guide Helps CPAs Assess Client Cybersecurity


The AICPA has developed a new Guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program. 

The guide helps CPAs provide a new assurance service to examine and report on a client’s description of its cybersecurity risk management program. The resulting report will help clients demonstrate to stakeholders, customers, vendors and others that they have sound cybersecurity procedures and practices.

The publication’s release follows last month’s introduction of two resources under a voluntary cybersecurity risk management reporting framework:

  • Description criteria – For use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description.
  • Control criteria – Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.

The Guide’s introduction observes that, “For most entities, cybersecurity is a significant business risk that needs to be identified, assessed, and managed along with other business risks the entity faces, and it is management’s responsibility to ensure that all employees throughout the entity, not only those in the information technology department, address cybersecurity risks.”

The 263-page publication includes chapters on Accepting and Planning a Cybersecurity Risk Management Examination; Performing the Cybersecurity Risk Management Examination; and Forming the Opinion and Preparing the Practitioner’s Report. It is available online and in print.

Meanwhile, in a new blog post, “It’s Time to Speak the Same Language on Cybersecurity,” Susan S. Coffey, CPA, CGMA, AICPA executive vice president – public practice, writes, “At the AICPA, we saw the emerging market need several years ago. We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place. This lack of transparency makes it difficult for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats.”