AICPA Proposes Criteria for Cybersecurity Risk Management

Exposure Drafts Will Result in Guidance for the Evaluation of Businesses’ Cyber Risk Management; Comments Due by December 5

NEW YORK--In an important step toward helping businesses and organizations report on their cybersecurity risk management efforts, the American Institute of CPAs’ (AICPA) Assurance Services Executive Committee (ASEC) is exposing two sets of criteria for public comment.

The first exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description. The second, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or SOC 2® engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

“In response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the auditing profession, through the AICPA, is developing a common foundation through the issuance of criteria and guidance,” said Susan S. Coffey, CPA, CGMA, AICPA executive vice president for public practice. “Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders.”

The development of a common set of criteria will pave the way for the introduction of a new engagement that CPAs can use to assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of an entity’s cybersecurity risk management program. The AICPA, with the assistance of the Center for Audit Quality, has sought feedback on the proposed engagement, referred to as a cybersecurity examination, from key stakeholder groups throughout the process, and will continue to seek input as market needs evolve. Because of the profession’s commitment to continuous improvement, public service, and increasing investor confidence, the engagement will be voluntary, flexible, and comprehensive.

“The existence of multiple, disparate frameworks and programs for evaluating security programs and their effectiveness, as well as different stakeholders’ preferences for each, has created a chaotic environment that only increases the burden on organizations trying to communicate how they design, implement and maintain an effective cybersecurity risk management program,” according to Chris K. Halterman, chair of the ASEC’s Cybersecurity Working Group and an executive director, advisory services with Ernst & Young LLP. “The AICPA’s cybersecurity engagement will be a consistent, market-driven approach for CPAs to examine and report on an entity’s cybersecurity measures that addresses the information needs of a broad range of users.”

The exposure drafts are the CPA profession’s latest contribution to widespread efforts to help management and boards of directors address what has emerged as a risk for organizations of all sizes, and in all sectors. ASEC’s work is just one aspect of the profession’s multi-faceted approach to support CPAs in a leadership role and provide the resources they need to be successful in helping their companies and clients manage cybersecurity risk.

Comments on the cybersecurity attestation exposure drafts are due by Monday, December 5. Comments about the proposed Description Criteria should be sent to Mimi Blanco-Best at Comments regarding the proposed revision of Trust Services Criteria can be directed to Erin Mackler at

For additional information on the CPA profession’s cybersecurity efforts, visit the AICPA’s Cybersecurity Resource Center.

About the AICPA

The American Institute of CPAs (AICPA) is the world’s largest member association representing the accounting profession, with more than 418,000 members in 143 countries, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting.

The AICPA sets ethical standards for the profession and U.S. auditing standards for private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination, and offers specialty credentials for CPAs who concentrate on personal financial planning; forensic accounting; business valuation; and information management and technology assurance. Through a joint venture with the Chartered Institute of Management Accountants (CIMA), it has established the Chartered Global Management Accountant (CGMA) designation which sets a new standard for global recognition of management accounting.

The AICPA maintains offices in New York, Washington, DC, Durham, NC, and Ewing, NJ.

Media representatives are invited to visit the AICPA Press Center at


American Institute of CPAs (AICPA)
Jay Hyde, 202-434-9266

Release Summary

To help businesses and organizations report on their cybersecurity risk management efforts, the AICPA Assurance Services Executive Committee is exposing two sets of criteria for public comment.