AICPA Unveils Cybersecurity Risk Management Reporting Framework

Voluntary Engagement Will Help Companies and Auditors Communicate Cyber Risk Readiness

Susan Coffey (Photo: Business Wire)

NEW YORK -- At a time when organizations around the world are facing cybersecurity attacks, it is more important than ever for them to demonstrate to key stakeholders the extent and effectiveness of their cybersecurity risk management efforts. To help businesses meet this growing challenge, the American Institute of CPAs (AICPA) has introduced a market-driven, flexible and voluntary cybersecurity risk management reporting framework.

“Cybersecurity threats are escalating, thereby unnerving boards of directors, managers, investors and customers of businesses of all sizes – whether public or private,” said Susan S. Coffey, CPA, CGMA, AICPA executive vice president for public practice. “While there are many methods, controls and frameworks for developing cybersecurity risk management programs, until now there hasn’t been a common language for companies to communicate about, and report on, these efforts.”

The AICPA’s new framework will enable all organizations – in industries worldwide – to take a proactive and agile approach to cybersecurity risk management and to communicate about those activities to stakeholders. Two resources that support reporting under the framework are being released today:

  • Description criteria – For use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description.
  • Control criteria – Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.

A third resource for CPAs will be available in May:

  • Attest guide – This guidance, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, will be published next month to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

Building on CPAs’ experience in auditing information technology controls, the AICPA’s Assurance Services Executive Committee identified the emerging need for cybersecurity-related assurance services. The goal was to enable companies to more effectively communicate the robustness of their cybersecurity risk management programs to key stakeholders.

“The framework we have developed will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cybersecurity risk,” Coffey explained. “We believe investors, boards, audit committees and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts. That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care and diligence in managing cybersecurity risk.”

For more information and links to valuable resources for CPAs providing cybersecurity advisory and assurance services, visit our Cybersecurity Resource Center.

About the American Institute of CPAs

The American Institute of CPAs (AICPA) is the world’s largest member association representing the CPA profession, with more than 418,000 members in 143 countries, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA sets ethical standards for the profession and U.S. auditing standards for private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination, offers specialized credentials, builds the pipeline of future talent and drives professional competency development to advance the vitality, relevance and quality of the profession.

About the Association of International Certified Professional Accountants

The Association of International Certified Professional Accountants (the Association) combines the strengths of the American Institute of CPAs (AICPA) and The Chartered Institute of Management Accountants (CIMA) to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMAs and accounting and finance professionals globally.

Contacts

American Institute of CPAs
Jay Hyde, 202-434-9266
jay.hyde@aicpa-cima.com
